Non-Parametric Probabilistic Robustness: A Conservative Metric with Optimized Perturbation Distributions

Zheng Wang, Yi Zhang, Siddartha Khastgir, Carsten Maple, Xingyu Zhao

TL;DR

The paper tackles the limitation of probabilistic robustness (PR) that hinges on a fixed perturbation distribution by proposing Non-Parametric Probabilistic Robustness (NPPR), a data-driven metric that learns perturbation distributions from data within a budget. It introduces a GMM-based NPPR estimator powered by MLP heads and bicubic up-sampling to model input-dependent and input-independent perturbations, plus a softplus-margin objective for optimization. The authors prove theoretical relations among AR, PR, and NPPR and demonstrate, across CIFAR-10/100 and Tiny ImageNet with multiple architectures, that NPPR yields more conservative robustness estimates—up to about 40% lower PR—than common predefined perturbations. This approach provides a practical, conservative framework for robustness evaluation under distributional uncertainty and offers insights into how dependency structures affect learned perturbations and consequent robustness estimates.

Abstract

Deep learning (DL) models, despite their remarkable success, remain vulnerable to small input perturbations that can cause erroneous outputs, motivating the recent proposal of probabilistic robustness (PR) as a complementary alternative to adversarial robustness (AR). However, existing PR formulations assume a fixed and known perturbation distribution, an unrealistic expectation in practice. To address this limitation, we propose non-parametric probabilistic robustness (NPPR), a more practical PR metric that does not rely on any predefined perturbation distribution. Following the non-parametric paradigm in statistical modeling, NPPR learns an optimized perturbation distribution directly from data, enabling conservative PR evaluation under distributional uncertainty. We further develop an NPPR estimator based on a Gaussian Mixture Model (GMM) with Multilayer Perceptron (MLP) heads and bicubic up-sampling, covering various input-dependent and input-independent perturbation scenarios. Theoretical analyses establish the relationships among AR, PR, and NPPR. Extensive experiments on CIFAR-10, CIFAR-100, and Tiny ImageNet across ResNet18/50, WideResNet50 and VGG16 validate NPPR as a more practical robustness metric, showing up to 40% more conservative (lower) PR estimates than those obtained by assuming the common perturbation distributions used in state-of-the-art work.

Paper Structure

This paper contains 23 sections, 4 theorems, 39 equations, 9 figures, 5 tables.

Key Result

Proposition 1

Considering AR, PR, and NPPR as defined in Definitions 1, 2, and 3, and binary loss function for AR, let $\mathcal{G}_{\mathrm{AR}}$, $\mathcal{G}_{\mathrm{PR}}$, and $\mathcal{G}_{\mathrm{NPPR}}$ denote their corresponding global robustness metrics. Given a perturbation distribution $\ome If we allow $P_{\bm{\varepsilon}}$ to be unrestricted, representing any family of distributions (in

Figures (9)

  • Figure 1: Examples of perturbation results. We visualize perturbations (normalized to the range (0, 1) for visibility) generated by our optimisation pipeline using ResNet-18 on TinyImageNet under four different dependency settings. As shown, the optimized perturbations differ substantially from those produced by Gaussian or uniform noise (which are commonly assumed as fixed perturbation distributions in state-of-the-art work). Our proposed NPPR metric yields more conservative (i.e., lower) estimates of PR.
  • Figure 2: Illustration of PR vs. NPPR. Panel (a) illustrates PR, which measures the relative proportion of non-adversarial examples (Non-AEs) under a predefined fixed distribution. Panel (b) depicts NPPR, which evaluates the same metric under an optimized distribution learned via a GMM, resulting in a higher proportion of AEs and thus a more conservative robustness estimate.
  • Figure 3: Training pipeline of NPPR estimator. Our training pipeline comprises three main components: (i) MLP heads that model the dependency structure of perturbations, (ii) a GMM for sampling latent perturbations, and (iii) bicubic up-sampling to map perturbations to the input space. Given a clean image $\bm{x}$, we extract intermediate features from the classifier and pass them through the MLP heads to parameterize the GMM. Perturbations are subsequently sampled from the GMM and up-sampled to the input resolution via bicubic interpolation. $g_{\mathcal{B}}$ maps the unbounded perturbations into the perturbation budget. The classifier’s logits for the perturbed input $\bm{x}'$ are then used to construct a loss function based on the logit margin between the ground-truth class and the most confident non–ground-truth class. The margin parameter $\kappa$ controls the scale of the gap, following the formulation introduced in the C&W attack (Carlini and Wagner, 2017).
  • Figure 4: Different dependency constructions. We employ distinct MLP heads to model different dependency structures. Panel (a) illustrates the setting in which the perturbation distribution is conditioned solely on the ground-truth label, whereas panel (b) depicts the joint dependency case, where perturbations are conditioned on both the input features and labels, with the labels influencing only the mixture proportions. The label embedding in panel (b) is omitted for clarity, as it is identical to that in panel (a).
  • Figure 5: Training results of the proposed framework. Panels (a) and (b) show the training dynamics of the NPPR and the entropy ratio of the mixture proportions $\pi_k$ over 200 epochs. We consider $L_{\infty}$-norm perturbations with radius $16/255$ under a Gaussian mixture model (GMM) with $K=7$ modes. The solid blue curve corresponds to the independent case, where the same GMM parameters $\phi$ are used for all $(\mathbf{x}, y)$. The red dashed curve represents the label-dependent setting, while the green dash-dotted curve denotes the input-dependent case. The purple dotted curve illustrates the joint-dependency setting, in which the perturbation distribution depends on both $\bm{x}$ and $y$. Panel (c) shows the PCA-projected contour of the perturbation distribution for the independent case (blue curve in Panels (a–b)). Panel (d) visualizes the t-SNE embeddings of perturbations for the label-dependent case (red dashed curve). Panel (e) presents PCA-based density plots for 50 randomly selected inputs under the input-dependent setting (green dash-dotted curve). Panel (f) displays a class-wise heatmap of perturbation densities for the jointly dependent case (purple dotted curve).
  • ...and 4 more figures
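
The contrast in Figures 2 and 3, PR under a fixed noise distribution versus PR under a distribution optimized inside the same budget, can be reproduced on a toy model. This is an added example, not the authors' code: it assumes a constructed linear scorer, a single Gaussian (K=1, no MLP heads or up-sampling, so the input-independent case only), `eps * tanh(.)` as the budget map $g_{\mathcal{B}}$, and `softplus(margin + kappa)` as the form of the softplus-margin objective.

```python
import math, random

W = [1.0, -1.0, 1.0, -1.0, 1.0, -1.0, 1.0, -1.0]  # constructed linear scorer
CLEAN_MARGINS = [0.3, 0.4, 0.5]  # constructed clean logit margins, all correct
EPS, SIGMA, KAPPA = 0.1, 0.5, 0.5  # L_inf budget, fixed std, margin parameter

def margin(m0, delta):
    # Logit margin (true class minus runner-up) of the perturbed input.
    return m0 + sum(w * d for w, d in zip(W, delta))

def pr(sampler, rng, n=2000):
    # Monte Carlo PR: share of sampled perturbations that keep the label.
    ok = sum(margin(m0, sampler(rng)) > 0
             for m0 in CLEAN_MARGINS for _ in range(n))
    return ok / (n * len(CLEAN_MARGINS))

def uniform_sampler(rng):
    # The fixed, predefined distribution: uniform noise in the L_inf ball.
    return [rng.uniform(-EPS, EPS) for _ in W]

def learned_sampler(mu):
    # Assumed g_B: eps * tanh(.) keeps every sample inside the budget.
    return lambda rng: [EPS * math.tanh(m + SIGMA * rng.gauss(0, 1)) for m in mu]

def fit_mu(rng, steps=200, batch=32, lr=2.0):
    # Learn the Gaussian mean by minimising E[softplus(margin + kappa)].
    mu = [0.0] * len(W)
    for _ in range(steps):
        grad = [0.0] * len(W)
        for _ in range(batch):
            m0 = rng.choice(CLEAN_MARGINS)
            t = [math.tanh(m + SIGMA * rng.gauss(0, 1)) for m in mu]
            m = margin(m0, [EPS * v for v in t])
            s = 1 / (1 + math.exp(-(m + KAPPA)))  # derivative of softplus
            # Reparameterisation trick: d delta_i / d mu_i = eps * (1 - tanh^2)
            for i, w in enumerate(W):
                grad[i] += s * w * EPS * (1 - t[i] ** 2) / batch
        mu = [m - lr * g for m, g in zip(mu, grad)]
    return mu

def compare(seed=0):
    # Returns (PR under uniform noise, PR under the learned distribution, mu).
    rng = random.Random(seed)
    mu = fit_mu(rng)
    return pr(uniform_sampler, rng), pr(learned_sampler(mu), rng), mu
```

Both estimates use the same budget `EPS`; only the distribution inside it changes, which is why the uniform-noise figure overstates robustness for this scorer.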

Theorems & Definitions (12)

  • Definition 1: Adversarial Robustness
  • Definition 2: Probabilistic Robustness
  • Remark 1: Input-dependency of perturbations
  • Definition 3: Non-parametric PR
  • Remark 2
  • Definition 4: Global Robustness
  • Proposition 1
  • Proposition 2
  • Proposition 3
  • Proof 1
  • ...and 2 more