Adversarial Robustness Guarantees for Classification with Gaussian Processes

We investigate adversarial robustness of Gaussian Process classification (GPC) models. Specifically, given a compact subset of the input space $T\subseteq \mathbb{R}^d$ enclosing a test point $x^*$ and a GPC trained on a given dataset $\mathcal{D}$, we aim to compute the minimum and the maximum classification probability for the GPC over all the points in $T$. In order to do so, we show how functions lower- and upper-bounding the GPC output in $T$ can be derived, and implement those in a branch and bound optimisation algorithm. For any error threshold $\epsilon > 0$ selected a priori, we show that our algorithm is guaranteed to reach values $\epsilon$-close to the actual values in finitely many iterations. We apply our method to experimentally investigate the robustness of GPC models on a 2D synthetic dataset, the SPAM dataset and a subset of the MNIST dataset, providing comparisons of different GPC training methods, and show how our method can be used for interpretability analysis. Our empirical analysis suggests that GPC robustness increases with more accurate posterior estimation.
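As an added illustration (not the paper's code or models), the following sketch carries the branch and bound scheme through on a constructed two-input GPC with an RBF kernel: sound interval bounds on the posterior mean over a box $T$, a probit link, and a best-first search that stops once the incumbent is within $\epsilon$ of the global bound. The training inputs, dual weights and the use of the posterior mean alone (no predictive-variance term) are assumptions made for brevity.

```python
import heapq, math

# Constructed toy GPC: RBF kernel (lengthscale LS, unit variance), posterior mean
# mu(x) = sum_i ALPHA[i] * k(x, TRAIN_X[i]); class-1 probability = probit(mu(x)).
LS = 0.5
TRAIN_X = [(0.0, 0.0), (1.0, 1.0), (0.0, 1.0), (1.0, 0.0)]
ALPHA = [1.5, 1.2, -1.0, -1.3]  # constructed dual weights (positive = class 1)

def rbf(d2):
    return math.exp(-d2 / (2 * LS * LS))

def probit(z):
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))

def mu(x):
    return sum(a * rbf(sum((xj - tj) ** 2 for xj, tj in zip(x, t))) for a, t in zip(ALPHA, TRAIN_X))

def bound_mu(box):
    """Sound [lo, hi] for mu over box=[(l1,u1),...]: each kernel term bracketed by nearest/farthest box point."""
    lo = hi = 0.0
    for a, t in zip(ALPHA, TRAIN_X):
        d2_min = sum(max(l - tj, 0.0, tj - u) ** 2 for (l, u), tj in zip(box, t))
        d2_max = sum(max((l - tj) ** 2, (u - tj) ** 2) for (l, u), tj in zip(box, t))
        k_lo, k_hi = rbf(d2_max), rbf(d2_min)
        lo += a * (k_lo if a > 0 else k_hi)
        hi += a * (k_hi if a > 0 else k_lo)
    return lo, hi

def branch_and_bound(box, eps, maximize=False):
    """(bound, incumbent): bound <= min mu <= incumbent on box, gap <= eps (reversed if maximize)."""
    sign = -1.0 if maximize else 1.0              # maximise mu == minimise -mu
    centre = lambda b: tuple((l + u) / 2 for l, u in b)
    bnd = lambda b: sign * bound_mu(b)[int(maximize)]   # lower bound of sign*mu on b
    heap = [(bnd(box), box)]
    best = sign * mu(centre(box))                 # feasible value: an upper bound
    while True:
        b_lo, b = heapq.heappop(heap)             # box with smallest global bound
        if best - b_lo <= eps:                    # epsilon-close: stop
            return sign * b_lo, sign * best
        j = max(range(len(b)), key=lambda i: b[i][1] - b[i][0])  # split longest side
        m = (b[j][0] + b[j][1]) / 2
        for child in (b[:j] + [(b[j][0], m)] + b[j + 1:],
                      b[:j] + [(m, b[j][1])] + b[j + 1:]):
            best = min(best, sign * mu(centre(child)))
            heapq.heappush(heap, (bnd(child), child))

def robustness_interval(box, eps=1e-2):
    """Enclosure (p_min_bound, p_min_found, p_max_found, p_max_bound) of the class-1 probability over box."""
    lo_bnd, lo_inc = branch_and_bound(box, eps)
    hi_bnd, hi_inc = branch_and_bound(box, eps, maximize=True)
    return probit(lo_bnd), probit(lo_inc), probit(hi_inc), probit(hi_bnd)
```

Because the child bounds are never looser than the parent's and the mean is Lipschitz, the gap between incumbent and bound shrinks as boxes are split, so the loop terminates for any $\epsilon > 0$.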
