A unified Bayesian framework for adversarial robustness

Pablo G. Arce, Roi Naveiro, David Ríos Insua

TL;DR

The paper presents a statistically principled fully Bayesian framework for adversarial robustness by modeling adversarial perturbations as a stochastic channel that links clean inputs to attacked ones. It derives two complementary defenses: a reactive defense that performs robust inference at deployment and a proactive defense that optimizes a robust posterior during training; both strategies generalize and subsume established defenses such as adversarial training and randomized smoothing. Empirical results on classification and regression show that explicitly modeling adversarial uncertainty improves predictive accuracy and calibration under attack, and that diverse or learned adversarial channels can enhance robustness beyond fixed threat models. The framework provides a flexible, uncertainty-aware foundation for robust Bayesian prediction with practical training strategies and directions toward robust decision-making in high-stakes settings.

Abstract

The vulnerability of machine learning models to adversarial attacks remains a critical security challenge. Traditional defenses, such as adversarial training, typically robustify models by minimizing a worst-case loss. However, these deterministic approaches do not account for uncertainty in the adversary's attack. While stochastic defenses placing a probability distribution on the adversary exist, they often lack statistical rigor and fail to make explicit their underlying assumptions. To resolve these issues, we introduce a formal Bayesian framework that models adversarial uncertainty through a stochastic channel, articulating all probabilistic assumptions. This yields two robustification strategies: a proactive defense enacted during training, aligned with adversarial training, and a reactive defense enacted during operations, aligned with adversarial purification. Several previous defenses can be recovered as limiting cases of our model. We empirically validate our methodology, showcasing the benefits of explicitly modeling adversarial uncertainty.

Paper Structure

This paper contains 42 sections, 3 theorems, 58 equations, 11 figures, and 6 tables.

Key Result

Proposition 1

The conditional distributions for the learner and the adversary defined in the BAL framework cannot be derived from a single, valid joint probability distribution.

Figures (11)

  • Figure 1: Model for reactive defense
  • Figure 2: Model for proactive defense, where the training process explicitly models the adversarial channel.
  • Figure 3: Accuracy and NLL against PGD50 attack.
  • Figure 4: Accuracy and NLL against PGD$^+$ attack.
  • Figure 5: Selective accuracy.
  • ...and 6 more figures

Theorems & Definitions (6)

  • Proposition 1
  • proof
  • Proposition 2
  • proof
  • Proposition 3
  • proof