67 research outputs found
Probabilistic Safety for Bayesian Neural Networks
We study probabilistic safety for Bayesian Neural Networks (BNNs) under
adversarial input perturbations. Given a compact set of input points, , we study the probability w.r.t. the BNN posterior that
all the points in are mapped to the same region in the output space. In
particular, this can be used to evaluate the probability that a network sampled
from the BNN is vulnerable to adversarial attacks. We rely on relaxation
techniques from non-convex optimization to develop a method for computing a
lower bound on probabilistic safety for BNNs, deriving explicit procedures for
the case of interval and linear function propagation techniques. We apply our
methods to BNNs trained on a regression task, airborne collision avoidance, and
MNIST, empirically showing that our approach allows one to certify
probabilistic safety of BNNs with millions of parameters. Comment: UAI 2020; 13 pages, 5 figures, 1 table
Automated recognition of sleep arousal using multimodal and personalized deep ensembles of neural networks
Background and Aim: Monitoring physiological signals during sleep can have substantial impact on detecting temporary intrusion of wakefulness, referred to as sleep arousals. To overcome the problems associated with the cumbersome visual inspection of these events by experts, sleep arousal recognition algorithms have been proposed. Method: As part of the Physionet/Computing in Cardiology Challenge 2018, this study proposes a deep ensemble neural network architecture for automatic arousal recognition from multi-modal sensor signals. Separate branches of the neural network extract features from electro-encephalography, electrooculography, electromyogram, breathing patterns and oxygen saturation level; and a final fully-connected neural network combines features computed from the signal sources to estimate the probability of arousal in each region of interest. We investigate the use of shared-parameter Siamese architectures for effective feature calibration. Namely, at each forward and backward pass through the network we concatenate to the input a user-specific template signal that is processed by an identical copy of the network. Result: The proposed architecture obtains an AUPR score of 0.40 on the test set of the official phase of Physionet/CinC Challenge 2018. A score of 0.45 is obtained by means of 10-fold cross-validation on the training set
Adversarial Robustness Certification for Bayesian Neural Networks
We study the problem of certifying the robustness of Bayesian neural networks
(BNNs) to adversarial input perturbations. Given a compact set of input points
and a set of output points , we define two notions of robustness for BNNs in an adversarial
setting: probabilistic robustness and decision robustness. Probabilistic
robustness is the probability that for all points in the output of a BNN
sampled from the posterior is in . On the other hand, decision robustness
considers the optimal decision of a BNN and checks if for all points in the
optimal decision of the BNN for a given loss function lies within the output
set . Although exact computation of these robustness properties is
challenging due to the probabilistic and non-convex nature of BNNs, we present
a unified computational framework for efficiently and formally bounding them.
Our approach is based on weight interval sampling, integration, and bound
propagation techniques, and can be applied to BNNs with a large number of
parameters, and independently of the (approximate) inference method employed to
train the BNN. We evaluate the effectiveness of our methods on various
regression and classification tasks, including an industrial regression
benchmark, MNIST, traffic sign recognition, and airborne collision avoidance,
and demonstrate that our approach enables certification of robustness and
uncertainty of BNN predictions
Individual Fairness in Bayesian Neural Networks
We study Individual Fairness (IF) for Bayesian neural networks (BNNs).
Specifically, we consider the --individual fairness notion,
which requires that, for any pair of input points that are -similar
according to a given similarity metrics, the output of the BNN is within a
given tolerance We leverage bounds on statistical sampling over the
input space and the relationship between adversarial robustness and individual
fairness to derive a framework for the systematic estimation of
--IF, designing Fair-FGSM and Fair-PGD as
global, fairness-aware extensions to gradient-based attacks for BNNs. We
empirically study IF of a variety of approximately inferred BNNs with different
architectures on fairness benchmarks, and compare against deterministic models
learnt using frequentist techniques. Interestingly, we find that BNNs trained
by means of approximate Bayesian inference consistently tend to be markedly
more individually fair than their deterministic counterparts
Adversarial robustness guarantees for classification with Gaussian Processes
We investigate adversarial robustness of Gaussian Process classification (GPC) models. Specifically, given a compact subset of the input space T ⊆ ℝ^d enclosing a test point x∗ and a GPC trained on a dataset , we aim to compute the minimum and the maximum classification probability for the GPC over all the points in T. In order to do so, we show how functions lower- and upper-bounding the GPC output in T can be derived, and implement those in a branch and bound optimisation algorithm. For any error threshold ϵ>0 selected a priori, we show that our algorithm is guaranteed to reach values ϵ-close to the actual values in finitely many iterations. We apply our method to investigate the robustness of GPC models on a 2D synthetic dataset, the SPAM dataset and a subset of the MNIST dataset, providing comparisons of different GPC training techniques, and show how our method can be used for interpretability analysis. Our empirical analysis suggests that GPC robustness increases with more accurate posterior estimation
On the Robustness of Bayesian Neural Networks to Adversarial Attacks
Vulnerability to adversarial attacks is one of the principal hurdles to the
adoption of deep learning in safety-critical applications. Despite significant
efforts, both practical and theoretical, training deep learning models robust
to adversarial attacks is still an open problem. In this paper, we analyse the
geometry of adversarial attacks in the large-data, overparameterized limit for
Bayesian Neural Networks (BNNs). We show that, in the limit, vulnerability to
gradient-based attacks arises as a result of degeneracy in the data
distribution, i.e., when the data lies on a lower-dimensional submanifold of
the ambient space. As a direct consequence, we demonstrate that in this limit
BNN posteriors are robust to gradient-based adversarial attacks. Crucially, we
prove that the expected gradient of the loss with respect to the BNN posterior
distribution is vanishing, even when each neural network sampled from the
posterior is vulnerable to gradient-based attacks. Experimental results on the
MNIST, Fashion MNIST, and half moons datasets, representing the finite data
regime, with BNNs trained with Hamiltonian Monte Carlo and Variational
Inference, support this line of arguments, showing that BNNs can display both
high accuracy on clean data and robustness to both gradient-based and
gradient-free based adversarial attacks. Comment: arXiv admin note: text overlap with arXiv:2002.0435
Statistical Guarantees for the Robustness of Bayesian Neural Networks
We introduce a probabilistic robustness measure for Bayesian Neural Networks
(BNNs), defined as the probability that, given a test point, there exists a
point within a bounded set such that the BNN prediction differs between the
two. Such a measure can be used, for instance, to quantify the probability of
the existence of adversarial examples. Building on statistical verification
techniques for probabilistic models, we develop a framework that allows us to
estimate probabilistic robustness for a BNN with statistical guarantees, i.e.,
with a priori error and confidence bounds. We provide experimental comparison
for several approximate BNN inference techniques on image classification tasks
associated to MNIST and a two-class subset of the GTSRB dataset. Our results
enable quantification of uncertainty of BNN predictions in adversarial
settings. Comment: 9 pages, 6 figures
Enhancing quantum efficiency of thin-film silicon solar cells by Pareto optimality
We present a composite design methodology for the simulation and optimization of the solar cell performance. Our method is based on the synergy of different computational techniques and it is especially designed for the thin-film cell technology. In particular, we aim to efficiently simulate light trapping and plasmonic effects to enhance the light harvesting of the cell. The methodology is based on the sequential application of a hierarchy of approaches: (a) full Maxwell simulations are applied to derive the photon’s scattering probability in systems presenting textured interfaces; (b) calibrated Photonic Monte Carlo is used in conjunction with the scattering matrices method to evaluate coherent and scattered photon absorption in the full cell architectures; (c) the results of these advanced optical simulations are used as the pair generation terms in a model implemented in an effective Technology Computer Aided Design tool for the derivation of the cell performance; (d) the models are investigated by qualitative and quantitative sensitivity analysis algorithms, to evaluate the importance of the design parameters considered on the models' output and to get a first-order description of the objective space; (e) sensitivity analysis results are used to guide and simplify the optimization of the model achieved through both Single Objective Optimization (in order to fully maximize device efficiency) and Multi Objective Optimization (in order to balance efficiency and cost); (f) Local, Global and “Glocal” robustness of optimal solutions found by the optimization algorithms are statistically evaluated; (g) data-based Identifiability Analysis is used to study the relationship between parameters. The results obtained show a noteworthy improvement with respect to the quantum efficiency of the reference cell, demonstrating that the methodology presented is suitable for effective optimization of solar cell devices