View Submission - COMPSTAT2024
A0284
Title: Partially Bayesian neural networks for adversarial robustness
Authors: Tim-Moritz Buendert - Technische Universität Dortmund (Germany) [presenting]
Nadja Klein - Karlsruhe Institute of Technology (Germany)
Abstract: Neural network models have been shown to be inherently vulnerable to adversarial examples, which significantly hinders their deployment in safety-critical applications. As one countermeasure, Bayesian deep learning was previously proposed to improve the robustness of such models. Still, most neural networks are constructed deterministically due to their efficient training and lower computational costs compared to the fully Bayesian counterpart. To combine the best of the deterministic and Bayesian deep learning approaches, it is proposed to use partially Bayesian neural networks (pBNNs) to increase model robustness against adversarial attacks. To this end, a pre-trained deterministic neural network model is employed, and only a single selected layer is treated in a Bayesian fashion. This, in turn, keeps the computational effort fairly low while still yielding complete posterior distributions rather than only point estimates. First, it is shown theoretically that under certain assumptions, some of these models are asymptotically robust to gradient-based adversarial attacks. Experimental results support this idea, highlighting enhanced adversarial robustness compared to deterministic neural networks and other competing approaches. Beyond adversarial robustness, the efficacy of pBNNs is demonstrated in further applications where uncertainty quantification is crucial, such as out-of-distribution detection.