How Does Bayes Error Limit Probabilistic Robust Accuracy

Ruihan Zhang, Jun Sun

TL;DR

The paper develops a Bayes-error framework to bound probabilistic robust accuracy under adversarial perturbations. It derives that the optimal probabilistic-robust decision rule is a MAP rule in the vicinity and shows that any probabilistically robust input is deterministically robust within a smaller vicinity, enabling an upper bound on probabilistic robust accuracy derived from deterministic robustness. The authors prove that this upper bound monotonically increases with the tolerance $\kappa$ and is consistently between the bounds for vanilla accuracy and deterministic robustness, with empirical results across synthetic and real datasets validating the theory. They also demonstrate that voting within the vicinity improves probabilistic robust accuracy and that the bound provides a practical measure of room for improvement on existing models.

Abstract

Adversarial examples pose a security threat to many critical systems built on neural networks. Given that deterministic robustness often comes with significantly reduced accuracy, probabilistic robustness (i.e., the probability of having the same label within a vicinity is $\ge 1-\kappa$) has been proposed as a promising way of achieving robustness whilst maintaining accuracy. However, existing training methods for probabilistic robustness still experience non-trivial accuracy loss. It is unclear whether there is an upper bound on the accuracy when optimising towards probabilistic robustness, and whether there is a certain relationship between $\kappa$ and this bound. This work studies these problems from a Bayes error perspective. We find that while Bayes uncertainty does affect probabilistic robustness, its impact is smaller than that on deterministic robustness. This reduced Bayes uncertainty allows a higher upper bound on probabilistic robust accuracy than that on deterministic robust accuracy. Further, we prove that with optimal probabilistic robustness, each probabilistically robust input is also deterministically robust in a smaller vicinity. We also show that voting within the vicinity always improves probabilistic robust accuracy and the upper bound of probabilistic robust accuracy monotonically increases as $\kappa$ grows. Our empirical findings also align with our results.

Paper Structure (42 sections, 8 theorems, 54 equations, 6 figures, 3 tables)

This paper contains 42 sections, 8 theorems, 54 equations, 6 figures, 3 tables.

Key Result

Lemma 3.1

For the prediction of input $\bm{x}$ to be consistent, at most one class has a prediction probability $\ge 1-\kappa$ in $\bm{x}$-vicinity. Thus, $\kappa < \frac{1}{2}$. (Proof is provided in the appendix.)
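
The following is an added illustration, not code from the paper: it scores a base classifier and its vicinity-voted version at $\kappa = 0$ (deterministic robustness), $1/4$ and $9/20$, enforcing the $\kappa < \frac{1}{2}$ condition of Lemma 3.1. The 1-D grid, the uniform vicinity of radius 2, the four isolated errors and all function names are constructed assumptions; the toy has no label overlap, so it illustrates the definitions and the voting claim rather than the Bayes-error bound itself.

```python
from fractions import Fraction

N, EPS = 40, 2                      # constructed 1-D grid and L-inf radius (assumptions)
TRUE = [0 if x < 20 else 1 for x in range(N)]
FLIPS = {5, 12, 27, 33}             # constructed isolated errors of the base classifier
BASE = [1 - y if x in FLIPS else y for x, y in enumerate(TRUE)]


def vicinity(x):
    """Grid points within distance EPS of x (uniform vicinity, clipped at the edges)."""
    return range(max(0, x - EPS), min(N, x + EPS + 1))


def vote(h):
    """Voting classifier: each input takes the most frequent label of h in its vicinity."""
    voted = []
    for x in range(N):
        ones = sum(h[v] for v in vicinity(x))
        voted.append(1 if 2 * ones > len(vicinity(x)) else 0)
    return voted


def prob_robust_accuracy(h, kappa):
    """Share of inputs that are correctly labelled and keep that label on at least
    a (1 - kappa) fraction of their vicinity; kappa = 0 is deterministic robustness."""
    kappa = Fraction(kappa)
    assert 0 <= kappa < Fraction(1, 2), "Lemma 3.1: kappa must be below 1/2"
    good = 0
    for x in range(N):
        vic = vicinity(x)
        agree = sum(1 for v in vic if h[v] == h[x])
        if h[x] == TRUE[x] and Fraction(agree, len(vic)) >= 1 - kappa:
            good += 1
    return Fraction(good, N)


def compare(kappas=("0", "1/4", "9/20")):
    """Map each kappa to (base accuracy, voted accuracy) as exact fractions."""
    voted = vote(BASE)
    return {k: (prob_robust_accuracy(BASE, k), prob_robust_accuracy(voted, k))
            for k in kappas}


if __name__ == "__main__":
    for k, (base, voted) in compare().items():
        print(f"kappa={k}: base={float(base):.2f} voted={float(voted):.2f}")
```

On this toy input both accuracies rise with $\kappa$, and the voted classifier is never below the base classifier; the only inputs voting cannot make robust at small $\kappa$ are those next to the class boundary.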

Figures (6)

  • Figure 1: Two truncated normal distributions are used to visualise the Bayes error of (a) vanilla accuracy, (b) deterministic robust accuracy and (c) probabilistic robust accuracy. (d) Example of Corollary \ref{cor:linf}. The nearest adversarial example of $\bm{x}$ is at the midpoint of $\bm{x}$ and $\bm{x'}$. Both $\bm{x}$ and $\bm{x'}$ are probabilistically robust but $h(\bm{x})\neq h(\bm{x'})$. The dashed box with side length $2\phi_i$ represents $\mathbb{V}^{\downarrow\kappa}(\bm{x})$.
  • Figure 2: Comparing the SOTA classifier performance with upper bounds of vanilla accuracy ($b_a$), probabilistic robust accuracy ($b_p$), and deterministic robust accuracy ($b_d$).
  • Figure 3: As $\kappa$ increases, we plot the upper bounds of probabilistic robust accuracy as well as classifiers' probabilistic robust accuracy change in the Moons and Chan datasets.
  • Figure 4: 1D visualizations of vicinity function. This vicinity function is a rectangular function that returns a constant value if an input is in the vicinity. Vicinity function $v(\bm{x})$ is shown in dashed line ($\epsilon=0.5$). To get the vicinity at a specific input $\bm{x}=2$, we simply shift $v(\bm{x})$ along the positive direction of the x-axis by 2.
  • Figure 5: This figure illustrates the conditional distribution for (a) Moons [scikit-learn] and (b) Chan [chen2023evaluating].
  • ...and 1 more figures

Theorems & Definitions (23)

  • Remark 2.1: Vicinity
  • Lemma 3.1
  • Theorem 3.2
  • proof
  • Lemma 3.3
  • Theorem 3.4
  • proof
  • Corollary 3.5
  • Corollary 3.6
  • Theorem 3.7
  • ...and 13 more