67 research outputs found

    Probabilistic Safety for Bayesian Neural Networks

    We study probabilistic safety for Bayesian Neural Networks (BNNs) under adversarial input perturbations. Given a compact set of input points, $T \subseteq \mathbb{R}^m$, we study the probability w.r.t. the BNN posterior that all the points in $T$ are mapped to the same region $S$ in the output space. In particular, this can be used to evaluate the probability that a network sampled from the BNN is vulnerable to adversarial attacks. We rely on relaxation techniques from non-convex optimization to develop a method for computing a lower bound on probabilistic safety for BNNs, deriving explicit procedures for the case of interval and linear function propagation techniques. We apply our methods to BNNs trained on a regression task, airborne collision avoidance, and MNIST, empirically showing that our approach allows one to certify probabilistic safety of BNNs with millions of parameters. Comment: UAI 2020; 13 pages, 5 figures, 1 tabl

    Automated recognition of sleep arousal using multimodal and personalized deep ensembles of neural networks

    Background and Aim: Monitoring physiological signals during sleep can have substantial impact on detecting temporary intrusion of wakefulness, referred to as sleep arousals. To overcome the problems associated with the cumbersome visual inspection of these events by experts, sleep arousal recognition algorithms have been proposed. Method: As part of the Physionet/Computing in Cardiology Challenge 2018, this study proposes a deep ensemble neural network architecture for automatic arousal recognition from multi-modal sensor signals. Separate branches of the neural network extract features from electro-encephalography, electrooculography, electromyogram, breathing patterns and oxygen saturation level; and a final fully-connected neural network combines features computed from the signal sources to estimate the probability of arousal in each region of interest. We investigate the use of shared-parameter Siamese architectures for effective feature calibration. Namely, at each forward and backward pass through the network we concatenate to the input a user-specific template signal that is processed by an identical copy of the network. Result: The proposed architecture obtains an AUPR score of 0.40 on the test set of the official phase of Physionet/CinC Challenge 2018. A score of 0.45 is obtained by means of 10-fold cross-validation on the training set

    Adversarial Robustness Certification for Bayesian Neural Networks

    We study the problem of certifying the robustness of Bayesian neural networks (BNNs) to adversarial input perturbations. Given a compact set of input points $T \subseteq \mathbb{R}^m$ and a set of output points $S \subseteq \mathbb{R}^n$, we define two notions of robustness for BNNs in an adversarial setting: probabilistic robustness and decision robustness. Probabilistic robustness is the probability that for all points in $T$ the output of a BNN sampled from the posterior is in $S$. On the other hand, decision robustness considers the optimal decision of a BNN and checks if for all points in $T$ the optimal decision of the BNN for a given loss function lies within the output set $S$. Although exact computation of these robustness properties is challenging due to the probabilistic and non-convex nature of BNNs, we present a unified computational framework for efficiently and formally bounding them. Our approach is based on weight interval sampling, integration, and bound propagation techniques, and can be applied to BNNs with a large number of parameters, and independently of the (approximate) inference method employed to train the BNN. We evaluate the effectiveness of our methods on various regression and classification tasks, including an industrial regression benchmark, MNIST, traffic sign recognition, and airborne collision avoidance, and demonstrate that our approach enables certification of robustness and uncertainty of BNN predictions

    Individual Fairness in Bayesian Neural Networks

    We study Individual Fairness (IF) for Bayesian neural networks (BNNs). Specifically, we consider the $\epsilon$-$\delta$-individual fairness notion, which requires that, for any pair of input points that are $\epsilon$-similar according to a given similarity metrics, the output of the BNN is within a given tolerance $\delta > 0$. We leverage bounds on statistical sampling over the input space and the relationship between adversarial robustness and individual fairness to derive a framework for the systematic estimation of $\epsilon$-$\delta$-IF, designing Fair-FGSM and Fair-PGD as global, fairness-aware extensions to gradient-based attacks for BNNs. We empirically study IF of a variety of approximately inferred BNNs with different architectures on fairness benchmarks, and compare against deterministic models learnt using frequentist techniques. Interestingly, we find that BNNs trained by means of approximate Bayesian inference consistently tend to be markedly more individually fair than their deterministic counterparts

    Adversarial robustness guarantees for classification with Gaussian Processes

    We investigate adversarial robustness of Gaussian Process classification (GPC) models. Specifically, given a compact subset of the input space $T \subseteq \mathbb{R}^d$ enclosing a test point $x^*$ and a GPC trained on a dataset , we aim to compute the minimum and the maximum classification probability for the GPC over all the points in $T$. In order to do so, we show how functions lower- and upper-bounding the GPC output in $T$ can be derived, and implement those in a branch and bound optimisation algorithm. For any error threshold $\epsilon > 0$ selected a priori, we show that our algorithm is guaranteed to reach values $\epsilon$-close to the actual values in finitely many iterations. We apply our method to investigate the robustness of GPC models on a 2D synthetic dataset, the SPAM dataset and a subset of the MNIST dataset, providing comparisons of different GPC training techniques, and show how our method can be used for interpretability analysis. Our empirical analysis suggests that GPC robustness increases with more accurate posterior estimation

    On the Robustness of Bayesian Neural Networks to Adversarial Attacks

    Vulnerability to adversarial attacks is one of the principal hurdles to the adoption of deep learning in safety-critical applications. Despite significant efforts, both practical and theoretical, training deep learning models robust to adversarial attacks is still an open problem. In this paper, we analyse the geometry of adversarial attacks in the large-data, overparameterized limit for Bayesian Neural Networks (BNNs). We show that, in the limit, vulnerability to gradient-based attacks arises as a result of degeneracy in the data distribution, i.e., when the data lies on a lower-dimensional submanifold of the ambient space. As a direct consequence, we demonstrate that in this limit BNN posteriors are robust to gradient-based adversarial attacks. Crucially, we prove that the expected gradient of the loss with respect to the BNN posterior distribution is vanishing, even when each neural network sampled from the posterior is vulnerable to gradient-based attacks. Experimental results on the MNIST, Fashion MNIST, and half moons datasets, representing the finite data regime, with BNNs trained with Hamiltonian Monte Carlo and Variational Inference, support this line of arguments, showing that BNNs can display both high accuracy on clean data and robustness to both gradient-based and gradient-free based adversarial attacks. Comment: arXiv admin note: text overlap with arXiv:2002.0435

    Statistical Guarantees for the Robustness of Bayesian Neural Networks

    We introduce a probabilistic robustness measure for Bayesian Neural Networks (BNNs), defined as the probability that, given a test point, there exists a point within a bounded set such that the BNN prediction differs between the two. Such a measure can be used, for instance, to quantify the probability of the existence of adversarial examples. Building on statistical verification techniques for probabilistic models, we develop a framework that allows us to estimate probabilistic robustness for a BNN with statistical guarantees, i.e., with a priori error and confidence bounds. We provide experimental comparison for several approximate BNN inference techniques on image classification tasks associated to MNIST and a two-class subset of the GTSRB dataset. Our results enable quantification of uncertainty of BNN predictions in adversarial settings. Comment: 9 pages, 6 figure