How to beat a Bayesian adversary
Deep neural networks and other modern machine learning models are often susceptible to adversarial attacks. Indeed, an adversary may often be able to change a model’s prediction through a small, directed perturbation of the model’s input – an issue in safety-critical applications. Adversarially robust machine learning is usually based on a minmax optimisation problem that minimises the machine learning loss under maximisation-based adversarial attacks. In this work, we study adversaries that determine their attack using a Bayesian statistical approach rather than maximisation. The resulting Bayesian adversarial robustness problem is a relaxation of the usual minmax problem. To solve this problem, we propose Abram – a continuous-time particle system that shall approximate the gradient flow corresponding to the underlying learning problem. We show that Abram approximates a McKean–Vlasov process and justify the use of Abram by giving assumptions under which the McKean–Vlasov process finds the minimiser of the Bayesian adversarial robustness problem. We discuss two ways to discretise Abram and show its suitability in benchmark adversarial deep learning experiments.
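The abstract refers to a minmax optimisation problem and its Bayesian relaxation. As a rough illustration only (the notation below is assumed, not taken from the article): write $\ell$ for the learning loss, $\theta$ for the model parameters, $\delta$ for an attack restricted to an admissible set $\Delta$, and $\beta > 0$ for a presumed inverse-temperature parameter of the Bayesian adversary; letting $\beta \to \infty$ recovers the hard maximisation.

```latex
% Illustrative sketch only; notation assumed, not taken from the paper.
% Standard adversarial (minmax) training:
\min_{\theta} \; \mathbb{E}_{(x,y)} \Big[ \max_{\delta \in \Delta} \ell\big(f_\theta(x+\delta), y\big) \Big]
% Bayesian relaxation: the adversary draws \delta from a Gibbs-type distribution
% rather than maximising, so the inner maximum becomes an expectation:
\min_{\theta} \; \mathbb{E}_{(x,y)} \Big[ \mathbb{E}_{\delta \sim \pi_{\beta}} \, \ell\big(f_\theta(x+\delta), y\big) \Big],
\qquad \pi_{\beta}(\mathrm{d}\delta) \;\propto\; \exp\!\big(\beta \, \ell(f_\theta(x+\delta), y)\big)\, \mathbf{1}_{\Delta}(\delta)\, \mathrm{d}\delta .
```

In this reading, "relaxation" means the worst-case attack is replaced by an average over attacks weighted towards high loss.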
| Main Authors: | Zihan Ding, Kexin Jin, Jonas Latz, Chenguang Liu |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | Cambridge University Press |
| Series: | European Journal of Applied Mathematics |
| Subjects: | Machine learning; adversarial robustness; Stochastic differential equations; McKean–Vlasov process; particle system |
| Online Access: | https://www.cambridge.org/core/product/identifier/S0956792525000105/type/journal_article |
| Field | Value |
|---|---|
| author | Zihan Ding; Kexin Jin; Jonas Latz; Chenguang Liu |
| collection | DOAJ |
| description | Deep neural networks and other modern machine learning models are often susceptible to adversarial attacks. Indeed, an adversary may often be able to change a model’s prediction through a small, directed perturbation of the model’s input – an issue in safety-critical applications. Adversarially robust machine learning is usually based on a minmax optimisation problem that minimises the machine learning loss under maximisation-based adversarial attacks. In this work, we study adversaries that determine their attack using a Bayesian statistical approach rather than maximisation. The resulting Bayesian adversarial robustness problem is a relaxation of the usual minmax problem. To solve this problem, we propose Abram – a continuous-time particle system that shall approximate the gradient flow corresponding to the underlying learning problem. We show that Abram approximates a McKean–Vlasov process and justify the use of Abram by giving assumptions under which the McKean–Vlasov process finds the minimiser of the Bayesian adversarial robustness problem. We discuss two ways to discretise Abram and show its suitability in benchmark adversarial deep learning experiments. |
| format | Article |
| id | doaj-art-907d0deeb6044426afc061c085cb7c6d |
| institution | Kabale University |
| issn | 0956-7925; 1469-4425 |
| language | English |
| publisher | Cambridge University Press |
| record_format | Article |
| series | European Journal of Applied Mathematics |
| spelling | Record id: doaj-art-907d0deeb6044426afc061c085cb7c6d (indexed 2025-08-20T03:44:28Z). Language: English. Publisher: Cambridge University Press. Journal: European Journal of Applied Mathematics (ISSN 0956-7925; 1469-4425). DOI: 10.1017/S0956792525000105. Title: How to beat a Bayesian adversary. Authors: Zihan Ding (Department of Electrical and Computer Engineering, Princeton University, Princeton, USA); Kexin Jin (Department of Mathematics, Princeton University, Princeton, USA); Jonas Latz (Department of Mathematics, University of Manchester, Manchester, UK; ORCID 0000-0002-4600-0247); Chenguang Liu (Delft Institute of Applied Mathematics, Technische Universiteit Delft, Delft, The Netherlands). Abstract: as in the description field above. Subjects: Machine learning; adversarial robustness; Stochastic differential equations; McKean–Vlasov process; particle system; MSC 90C15, 68T07, 65C35. Online access: https://www.cambridge.org/core/product/identifier/S0956792525000105/type/journal_article |
| title | How to beat a Bayesian adversary |
| topic | Machine learning; adversarial robustness; Stochastic differential equations; McKean–Vlasov process; particle system; 90C15; 68T07; 65C35 |
| url | https://www.cambridge.org/core/product/identifier/S0956792525000105/type/journal_article |
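The description also mentions discretising a continuous-time particle system. Purely as an illustrative sketch, and not the article's Abram scheme: the toy loss, step sizes, projection and all names below are assumptions. An Euler–Maruyama-style discretisation of an interacting adversary/learner system on a contrived quadratic loss might look like this in Python:

```python
import numpy as np

# Hypothetical sketch: adversary particles take noisy (projected Langevin) ascent
# steps on the loss, approximating samples from a Gibbs-type attack distribution,
# while the learner descends the loss averaged over the particles.
rng = np.random.default_rng(0)

x = np.array([1.0, -2.0])   # toy data point
eps = 0.5                   # radius of the admissible perturbation set (L2 ball)
beta = 5.0                  # inverse temperature of the Gibbs-type adversary
h = 1e-2                    # step size shared by learner and particles
N = 64                      # number of adversary particles
T = 2000                    # number of iterations

# Toy loss: ell(theta, delta) = 0.5 * ||theta - (x + delta)||^2
def grad_theta(theta, delta):
    return theta - (x + delta)          # d ell / d theta

def grad_delta(theta, delta):
    return (x + delta) - theta          # d ell / d delta

def project(delta):
    # project onto the L2 ball of radius eps (the admissible attack set)
    nrm = np.linalg.norm(delta)
    return delta if nrm <= eps else delta * (eps / nrm)

theta = np.zeros(2)
deltas = rng.uniform(-eps, eps, size=(N, 2))

for t in range(T):
    # adversary particles: projected Langevin step targeting
    # pi_beta(delta) proportional to exp(beta * ell(theta, delta)) on the ball
    drift = beta * np.stack([grad_delta(theta, d) for d in deltas])
    noise = rng.standard_normal(deltas.shape)
    deltas = np.stack([project(d) for d in deltas + h * drift + np.sqrt(2.0 * h) * noise])

    # learner: gradient step on the loss averaged over the particles,
    # i.e. an expectation over the approximate Bayesian adversary
    g = np.mean([grad_theta(theta, d) for d in deltas], axis=0)
    theta = theta - h * g

print("final theta:", theta)  # settles near x shifted by the particles' mean perturbation
```

The design point this sketch tries to convey is only the coupling described in the abstract: a cloud of particles stands in for the adversary's distribution, and the learning dynamics see that cloud through an average rather than a worst case.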