
Verifiably Robust Conformal Prediction

Linus Jeary, Tom Kuipers, Mehran Hosseini, Nicola Paoletti

TL;DR

This paper introduces VRCP (Verifiably Robust Conformal Prediction), a new framework that leverages recent neural network verification methods to recover coverage guarantees under adversarial attacks and is the first to support perturbations bounded by arbitrary norms including $\ell^1$, $\ell^2$, and $\ell^\infty$.

Abstract

Conformal Prediction (CP) is a popular uncertainty quantification method that provides distribution-free, statistically valid prediction sets, assuming that training and test data are exchangeable. In such a case, CP's prediction sets are guaranteed to cover the (unknown) true test output with a user-specified probability. Nevertheless, this guarantee is violated when the data is subjected to adversarial attacks, which often result in a significant loss of coverage. Recently, several approaches have been put forward to recover CP guarantees in this setting. These approaches leverage variations of randomised smoothing to produce conservative sets which account for the effect of the adversarial perturbations. They are, however, limited in that they only support $\ell^2$-bounded perturbations and classification tasks. This paper introduces VRCP (Verifiably Robust Conformal Prediction), a new framework that leverages recent neural network verification methods to recover coverage guarantees under adversarial attacks. Our VRCP method is the first to support perturbations bounded by arbitrary norms including $\ell^1$, $\ell^2$, and $\ell^\infty$, as well as regression tasks. We evaluate and compare our approach on image classification tasks (CIFAR10, CIFAR100, and TinyImageNet) and regression tasks for deep reinforcement learning environments. In every case, VRCP achieves above nominal coverage and yields significantly more efficient and informative prediction regions than the SotA.

Paper Structure (37 sections, 3 theorems, 16 equations, 2 figures, 5 tables)

This paper contains 37 sections, 3 theorems, 16 equations, 2 figures, 5 tables.

Key Result

Theorem 1

Let $\tilde{\bm{x}}_{n+1}=\bm{x}_{n+1}+\bm{\delta}$ for a clean test sample $\bm{x}_{n+1}$ and $\lVert \bm{\delta} \rVert_p\leq \epsilon$. The prediction set $C_{\epsilon}(\tilde{\bm{x}}_{n+1})$ defined in eq. VRCP satisfies $\mathbb{P} \left[ y_{n+1} \in C_{\epsilon}(\tilde{\bm{x}}_{n+1}) \right]$

Figures (2)

  • Figure 1: Distribution of prediction set sizes for vanilla conformal prediction (vanilla CP), which violates eq. MarginalVCP, as well as for our proposed robust algorithms (VRCP--I and VRCP--C) along with the SotA (RSCP+ and RSCP+ (PTT), see the related work section) on the CIFAR10 dataset. As we observe, VRCP--I and VRCP--C closely resemble the spread of vanilla CP prediction set sizes, whilst the SotA falls short of achieving this. Here we use an adversarial perturbation of radius $\epsilon = 0.02$, error rate $\alpha = 0.1$, number of splits $n_{\text{splits}} = 50$ and smoothing parameter (used in RSCP+ and RSCP+ (PTT)) $\sigma = 2\epsilon$.
  • Figure 2: Marginal Coverage and Average Set Sizes on CIFAR100 with 95% confidence intervals.

Theorems & Definitions (7)

  • Theorem 1
  • proof
  • Theorem 2
  • proof
  • Proposition 1
  • proof: Proof of prop. Containment
  • proof