
Attacking Bayes: On the Adversarial Robustness of Bayesian Neural Networks (2404.19640v1)

Published 27 Apr 2024 in cs.LG, cs.AI, cs.CV, stat.ME, and stat.ML

Abstract: Adversarial examples have been shown to cause neural networks to fail on a wide range of vision and language tasks, but recent work has claimed that Bayesian neural networks (BNNs) are inherently robust to adversarial perturbations. In this work, we examine this claim. To study the adversarial robustness of BNNs, we investigate whether it is possible to successfully break state-of-the-art BNN inference methods and prediction pipelines using even relatively unsophisticated attacks for three tasks: (1) label prediction under the posterior predictive mean, (2) adversarial example detection with Bayesian predictive uncertainty, and (3) semantic shift detection. We find that BNNs trained with state-of-the-art approximate inference methods, and even BNNs trained with Hamiltonian Monte Carlo, are highly susceptible to adversarial attacks. We also identify various conceptual and experimental errors in previous works that claimed inherent adversarial robustness of BNNs and conclusively demonstrate that BNNs and uncertainty-aware Bayesian prediction pipelines are not inherently robust against adversarial attacks.
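The abstract names two of the pipelines under attack: label prediction under the posterior predictive mean, and adversarial-example detection from Bayesian predictive uncertainty. The block below is an added illustration of how such an attack is set up; it is not code from the paper and does not reproduce its experimental setup. It constructs a stand-in "posterior" (noisy copies of a fixed linear classifier, not HMC or variational samples), differentiates through the Monte Carlo predictive mean so that the stochastic forward pass gives the attacker no obfuscated-gradient protection, and then compares a minimal-perturbation attack, which stops at the first label flip, with a detector-aware attack that keeps optimising until the predictive entropy also falls below the detector's threshold. All constants, the class geometry, the clean data and the function names are assumptions made for this example.

```python
"""Added example, not code from the paper: attacking a toy Monte Carlo BNN's
posterior predictive mean and an entropy-threshold adversarial-example detector.
Everything is constructed: the "posterior samples" are noisy copies of a fixed
linear classifier, not the output of HMC or variational inference."""
import numpy as np

C, D, K = 3, 2, 64                    # classes, input dims, posterior samples (assumed)
ANGLES = 2 * np.pi * np.arange(C) / C
MU = np.stack([np.cos(ANGLES), np.sin(ANGLES)], axis=1)   # class means, shape (C, D)


def build_posterior(rng, scale=4.0, sigma=0.3):
    """Stand-in posterior: W_k = W_mean + sigma*noise, b_k = sigma*noise (constructed)."""
    W = scale * MU + sigma * rng.standard_normal((K, C, D))   # logits z_c = scale * x.mu_c
    b = sigma * rng.standard_normal((K, C))
    return W, b


def softmax(z):
    z = z - z.max(axis=-1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=-1, keepdims=True)


def predictive(x, W, b):
    """Posterior predictive mean p_bar(x) = mean_k softmax(W_k x + b_k) and its
    Jacobian d p_bar / d x of shape (C, D). Averaging the gradient over posterior
    samples is the expectation-over-transformation trick: a stochastic forward
    pass is not a defence once the attacker differentiates through the average."""
    z = np.einsum("kcd,d->kc", W, x) + b                       # (K, C)
    p = softmax(z)
    J = np.einsum("kc,ce->kce", p, np.eye(C)) - np.einsum("kc,ke->kce", p, p)  # softmax Jacobians
    dp_dx = np.einsum("kce,ked->cd", J, W) / K                # mean_k J_k W_k
    return p.mean(axis=0), dp_dx


def entropy(p):
    p = np.clip(p, 1e-12, 1.0)
    return float(-(p * np.log(p)).sum())


def pgd_attack(x0, y, W, b, eps, step, steps, lam=0.0, tau=None):
    """L_inf PGD maximising CE(p_bar, y) - lam * H[p_bar] through the MC predictive mean.
    tau=None: stop at the first label flip (minimal-perturbation attack).
    tau=t:    stop only when the label has flipped AND H[p_bar] < t (detector-aware)."""
    x = x0.copy()
    for _ in range(steps):
        p, dp = predictive(x, W, b)
        flipped = int(p.argmax()) != y
        if flipped and (tau is None or entropy(p) < tau):
            break
        # At a confidently-correct point, lowering entropy would only raise confidence
        # in the true label, so the entropy term is switched on after the label flips.
        w = lam if flipped else 0.0
        dce = np.zeros(C)
        dce[y] = -1.0 / max(p[y], 1e-12)                      # d(-log p_y) / dp
        dH = -(np.log(np.clip(p, 1e-12, 1.0)) + 1.0)          # dH / dp
        g = (dce - w * dH) @ dp                                # chain rule -> shape (D,)
        x = x0 + np.clip(x + step * np.sign(g) - x0, -eps, eps)   # ascend, project
    return x


def fit_detector(W, b, rng, n=300, spread=0.25, q=95):
    """Entropy-threshold detector: flag inputs whose predictive entropy exceeds the
    q-th percentile seen on constructed clean data (class mean + Gaussian spread)."""
    labels = rng.integers(0, C, size=n)
    X = MU[labels] + spread * rng.standard_normal((n, D))
    return float(np.percentile([entropy(predictive(x, W, b)[0]) for x in X], q))


def run_demo(seed=0):
    rng = np.random.default_rng(seed)
    W, b = build_posterior(rng)
    tau = fit_detector(W, b, rng)
    x0, y = MU[0].copy(), 0
    p0, _ = predictive(x0, W, b)
    # Minimal-perturbation attack: stops as soon as the label flips, i.e. right on the
    # decision boundary, where predictive entropy is high and the detector fires.
    x_min = pgd_attack(x0, y, W, b, eps=1.2, step=0.1, steps=40)
    p_min, _ = predictive(x_min, W, b)
    # Detector-aware attack: same budget, keeps optimising until the label has flipped
    # and the predictive entropy is below the detector's threshold.
    x_adv = pgd_attack(x0, y, W, b, eps=1.2, step=0.1, steps=40, lam=1.0, tau=tau)
    p_adv, _ = predictive(x_adv, W, b)
    return {
        "tau": tau,
        "clean": (int(p0.argmax()), entropy(p0)),
        "minimal": (int(p_min.argmax()), entropy(p_min)),
        "adaptive": (int(p_adv.argmax()), entropy(p_adv)),
    }


if __name__ == "__main__":
    r = run_demo()
    print(f"detector threshold tau = {r['tau']:.3f}")
    for name in ("clean", "minimal", "adaptive"):
        pred, h = r[name]
        print(f"{name:9s} pred={pred} H={h:.3f} flagged={h > r['tau']}")
```

Running the file prints the threshold and, for the clean point and both adversarial points, the predicted class, the predictive entropy and whether the detector fires. The point a practitioner should take from it is methodological: an uncertainty-based detector that is only ever evaluated against attacks that stop at the decision boundary will look robust, because that is exactly where predictive entropy peaks; an attacker who knows the detector simply adds its statistic to the objective and continues. On a real BNN the same construction applies with the gradient averaged over the actual posterior samples (or dropout masks) rather than the constructed ones here, and the entropy term can be swapped for whatever statistic the detector thresholds (mutual information, predictive variance).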
