Bayesian Learning with Information Gain Provably Bounds Risk for a Robust Adversarial Defense

Bao Gia Doan; Ehsan Abbasnejad; Javen Qinfeng Shi; Damith C. Ranashinghe

Bayesian Learning with Information Gain Provably Bounds Risk for a Robust Adversarial Defense

Bao Gia Doan, Ehsan Abbasnejad, Javen Qinfeng Shi, Damith C. Ranashinghe

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

Abstract

We present a new algorithm to learn a deep neural network model robust against adversarial attacks. Previous algorithms demonstrate an adversarially trained Bayesian Neural Network (BNN) provides improved robustness. We recognize the adversarial learning approach for approximating the multi-modal posterior distribution of a Bayesian model can lead to mode collapse; consequently, the model's achievements in robustness and performance are sub-optimal. Instead, we first propose preventing mode collapse to better approximate the multi-modal posterior distribution. Second, based on the intuition that a robust model should ignore perturbations and only consider the informative content of the input, we conceptualize and formulate an information gain objective to measure and force the information learned from both benign and adversarial training instances to be similar. Importantly. we prove and demonstrate that minimizing the information gain objective allows the adversarial risk to approach the conventional empirical risk. We believe our efforts provide a step toward a basis for a principled method of adversarially training BNNs. Our model demonstrate significantly improved robustness-up to 20%-compared with adversarial training (Madry et al., 2018) and Adv-BNN (Liu et al., 2019) under PGD attacks with 0.035 distortion on both CIFAR-10 and STL-10 datasets.

Original language	English
Title of host publication	Proceedings of the 39th International Conference on Machine Learning 2022
Editors	Kamalika Chaudhuri, Stefanie Jegelka, Le Song, Csaba Szepesvari, Gang Niu, Sivan Sabato
Place of Publication	London UK
Publisher	Proceedings of Machine Learning Research (PMLR)
Pages	5309-5323
Number of pages	15
Volume	162
Publication status	Published - 2022
Externally published	Yes
Event	International Conference on Machine Learning 2022 - Baltimore, United States of America Duration: 17 Jul 2022 → 23 Jul 2022 Conference number: 396th https://icml.cc/Conferences/2022 https://icml.cc/virtual/2022/index.html (Website) https://proceedings.mlr.press/v162/ (Proceedings)

Conference

Conference	International Conference on Machine Learning 2022
Abbreviated title	ICML 2022
Country/Territory	United States of America
City	Baltimore
Period	17/07/22 → 23/07/22
Internet address	https://icml.cc/Conferences/2022 https://icml.cc/virtual/2022/index.html (Website) https://proceedings.mlr.press/v162/ (Proceedings)

Access to Document

https://proceedings.mlr.press/v162/doan22a.html

Cite this

Doan, B. G., Abbasnejad, E., Shi, J. Q., & Ranashinghe, D. C. (2022). Bayesian Learning with Information Gain Provably Bounds Risk for a Robust Adversarial Defense. In K. Chaudhuri, S. Jegelka, L. Song, C. Szepesvari, G. Niu, & S. Sabato (Eds.), Proceedings of the 39th International Conference on Machine Learning 2022 (Vol. 162, pp. 5309-5323). Proceedings of Machine Learning Research (PMLR). https://proceedings.mlr.press/v162/doan22a.html

Doan, Bao Gia ; Abbasnejad, Ehsan ; Shi, Javen Qinfeng et al. / Bayesian Learning with Information Gain Provably Bounds Risk for a Robust Adversarial Defense. Proceedings of the 39th International Conference on Machine Learning 2022. editor / Kamalika Chaudhuri ; Stefanie Jegelka ; Le Song ; Csaba Szepesvari ; Gang Niu ; Sivan Sabato. Vol. 162 London UK : Proceedings of Machine Learning Research (PMLR), 2022. pp. 5309-5323

@inproceedings{a45c583399dc4c02b5e6a421340eec78,

title = "Bayesian Learning with Information Gain Provably Bounds Risk for a Robust Adversarial Defense",

abstract = "We present a new algorithm to learn a deep neural network model robust against adversarial attacks. Previous algorithms demonstrate an adversarially trained Bayesian Neural Network (BNN) provides improved robustness. We recognize the adversarial learning approach for approximating the multi-modal posterior distribution of a Bayesian model can lead to mode collapse; consequently, the model's achievements in robustness and performance are sub-optimal. Instead, we first propose preventing mode collapse to better approximate the multi-modal posterior distribution. Second, based on the intuition that a robust model should ignore perturbations and only consider the informative content of the input, we conceptualize and formulate an information gain objective to measure and force the information learned from both benign and adversarial training instances to be similar. Importantly. we prove and demonstrate that minimizing the information gain objective allows the adversarial risk to approach the conventional empirical risk. We believe our efforts provide a step toward a basis for a principled method of adversarially training BNNs. Our model demonstrate significantly improved robustness-up to 20%-compared with adversarial training (Madry et al., 2018) and Adv-BNN (Liu et al., 2019) under PGD attacks with 0.035 distortion on both CIFAR-10 and STL-10 datasets.",

author = "Doan, {Bao Gia} and Ehsan Abbasnejad and Shi, {Javen Qinfeng} and Ranashinghe, {Damith C.}",

note = "Publisher Copyright: Copyright {\textcopyright} 2022 by the author(s); International Conference on Machine Learning 2022, ICML 2022 ; Conference date: 17-07-2022 Through 23-07-2022",

year = "2022",

language = "English",

volume = "162",

pages = "5309--5323",

editor = "Kamalika Chaudhuri and Stefanie Jegelka and Le Song and Csaba Szepesvari and Gang Niu and Sivan Sabato",

booktitle = "Proceedings of the 39th International Conference on Machine Learning 2022",

publisher = "Proceedings of Machine Learning Research (PMLR)",

address = "United States of America",

url = "https://icml.cc/Conferences/2022, https://icml.cc/virtual/2022/index.html, https://proceedings.mlr.press/v162/",

}

Doan, BG, Abbasnejad, E, Shi, JQ & Ranashinghe, DC 2022, Bayesian Learning with Information Gain Provably Bounds Risk for a Robust Adversarial Defense. in K Chaudhuri, S Jegelka, L Song, C Szepesvari, G Niu & S Sabato (eds), Proceedings of the 39th International Conference on Machine Learning 2022. vol. 162, Proceedings of Machine Learning Research (PMLR), London UK, pp. 5309-5323, International Conference on Machine Learning 2022, Baltimore, Maryland, United States of America, 17/07/22. <https://proceedings.mlr.press/v162/doan22a.html>

Bayesian Learning with Information Gain Provably Bounds Risk for a Robust Adversarial Defense. / Doan, Bao Gia; Abbasnejad, Ehsan; Shi, Javen Qinfeng et al.
Proceedings of the 39th International Conference on Machine Learning 2022. ed. / Kamalika Chaudhuri; Stefanie Jegelka; Le Song; Csaba Szepesvari; Gang Niu; Sivan Sabato. Vol. 162 London UK: Proceedings of Machine Learning Research (PMLR), 2022. p. 5309-5323.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - Bayesian Learning with Information Gain Provably Bounds Risk for a Robust Adversarial Defense

AU - Doan, Bao Gia

AU - Abbasnejad, Ehsan

AU - Shi, Javen Qinfeng

AU - Ranashinghe, Damith C.

N1 - Conference code: 396th

PY - 2022

Y1 - 2022

N2 - We present a new algorithm to learn a deep neural network model robust against adversarial attacks. Previous algorithms demonstrate an adversarially trained Bayesian Neural Network (BNN) provides improved robustness. We recognize the adversarial learning approach for approximating the multi-modal posterior distribution of a Bayesian model can lead to mode collapse; consequently, the model's achievements in robustness and performance are sub-optimal. Instead, we first propose preventing mode collapse to better approximate the multi-modal posterior distribution. Second, based on the intuition that a robust model should ignore perturbations and only consider the informative content of the input, we conceptualize and formulate an information gain objective to measure and force the information learned from both benign and adversarial training instances to be similar. Importantly. we prove and demonstrate that minimizing the information gain objective allows the adversarial risk to approach the conventional empirical risk. We believe our efforts provide a step toward a basis for a principled method of adversarially training BNNs. Our model demonstrate significantly improved robustness-up to 20%-compared with adversarial training (Madry et al., 2018) and Adv-BNN (Liu et al., 2019) under PGD attacks with 0.035 distortion on both CIFAR-10 and STL-10 datasets.

AB - We present a new algorithm to learn a deep neural network model robust against adversarial attacks. Previous algorithms demonstrate an adversarially trained Bayesian Neural Network (BNN) provides improved robustness. We recognize the adversarial learning approach for approximating the multi-modal posterior distribution of a Bayesian model can lead to mode collapse; consequently, the model's achievements in robustness and performance are sub-optimal. Instead, we first propose preventing mode collapse to better approximate the multi-modal posterior distribution. Second, based on the intuition that a robust model should ignore perturbations and only consider the informative content of the input, we conceptualize and formulate an information gain objective to measure and force the information learned from both benign and adversarial training instances to be similar. Importantly. we prove and demonstrate that minimizing the information gain objective allows the adversarial risk to approach the conventional empirical risk. We believe our efforts provide a step toward a basis for a principled method of adversarially training BNNs. Our model demonstrate significantly improved robustness-up to 20%-compared with adversarial training (Madry et al., 2018) and Adv-BNN (Liu et al., 2019) under PGD attacks with 0.035 distortion on both CIFAR-10 and STL-10 datasets.

UR - http://www.scopus.com/inward/record.url?scp=85163092677&partnerID=8YFLogxK

M3 - Conference Paper

AN - SCOPUS:85163092677

VL - 162

SP - 5309

EP - 5323

BT - Proceedings of the 39th International Conference on Machine Learning 2022

A2 - Chaudhuri, Kamalika

A2 - Jegelka, Stefanie

A2 - Song, Le

A2 - Szepesvari, Csaba

A2 - Niu, Gang

A2 - Sabato, Sivan

PB - Proceedings of Machine Learning Research (PMLR)

CY - London UK

T2 - International Conference on Machine Learning 2022

Y2 - 17 July 2022 through 23 July 2022

ER -

Doan BG, Abbasnejad E, Shi JQ, Ranashinghe DC. Bayesian Learning with Information Gain Provably Bounds Risk for a Robust Adversarial Defense. In Chaudhuri K, Jegelka S, Song L, Szepesvari C, Niu G, Sabato S, editors, Proceedings of the 39th International Conference on Machine Learning 2022. Vol. 162. London UK: Proceedings of Machine Learning Research (PMLR). 2022. p. 5309-5323

Bayesian Learning with Information Gain Provably Bounds Risk for a Robust Adversarial Defense

Abstract

Conference

Access to Document

Other files and links

Cite this