Tight Verification of Probabilistic Robustness in Bayesian Neural Networks

TL;DR

This work tackles the challenge of verifying probabilistic robustness in Bayesian Neural Networks, where weight uncertainty makes exact certification intractable. It introduces two iterative, dynamic-region expansion methods—Pure Dynamic Scaling (PIE) and Gradient-Guided Dynamic Scaling (GIE)—to compute provably tighter lower bounds than state-of-the-art sampling approaches. Empirical results on MNIST and CIFAR-10 show substantial improvements in probabilistic certification, with bounds often doubling those of prior methods; gradient guidance generally yields the strongest guarantees. The methods are designed to be compatible with any BNN verification backend, enabling tighter safety assurances for probabilistic models in safety-critical contexts while highlighting practical considerations such as computation time and iteration depth.

Abstract

We introduce two algorithms for computing tight guarantees on the probabilistic robustness of Bayesian Neural Networks (BNNs). Computing robustness guarantees for BNNs is a significantly more challenging task than verifying the robustness of standard Neural Networks (NNs) because it requires searching the parameters' space for safe weights. Moreover, tight and complete approaches for the verification of standard NNs, such as those based on Mixed-Integer Linear Programming (MILP), cannot be directly used for the verification of BNNs because of the polynomial terms resulting from the consecutive multiplication of variables encoding the weights. Our algorithms efficiently and effectively search the parameters' space for safe weights by using iterative expansion and the network's gradient and can be used with any verification algorithm of choice for BNNs. In addition to proving that our algorithms compute tighter bounds than the SoA, we also evaluate our algorithms against the SoA on standard benchmarks, such as MNIST and CIFAR10, showing that our algorithms compute bounds up to 40% tighter than the SoA.

Figures (5)

• Figure 1: A comparison between the area of the set of safe weights $\mathcal{C}$ in Example \ref{['ex: Iterative Expansion']} that is covered by the pure sampling (\ref{['subfig: Pure Sampling']}), PIE after two iterations (\ref{['subfig: Iterative Expansion']}), and GIE after two iterations (\ref{['subfig: Gradient-Guided']}) for the same initial weights $\bm{w}_1, \dots, \bm{w}_4 \sim \mathcal{N}(\bm{0}, \bm{1})$. See Section \ref{['sec: Evaluation']} for detailed comparisons, including comparison with equal compute.
• Figure 2: A 2-dimensional cross-section of the safe region $\mathcal{C}$ covered by pure sampling (black), PIE (blue), and GIE (Red) on the same image in CIFAR dataset.
• Figure 3: Probabilistic certification as a function of $\rho$, the gradient-based scaling factor in Algorithm \ref{['alg: GIE']}.
• Figure 4: The number of expansion iterations before PIE reaches max probabilistic certifications in Table \ref{['tbl: Evaluation']}.
• Figure 5: Comparison of the pure sampling, PIE, and GIE approaches against the empirical probabilistic robustness, obtained by sampling parameters from the BNN posterior and using IBP to verify whether they result in correct classification. 50 samples were used for calculating each empirical accuracy.

Theorems & Definitions (8)

• Definition 2.1: Bayesian Neural Network
• Definition 2.2: Probabilistic Robustness Problem
• Definition 2.3: Set of Safe Weights
• Proposition 2.1
• Example 3.1
• Proposition 3.1
• proof
• Example 3.2