Sufficient Conditions for Idealised Models to Have No Adversarial Examples: a Theoretical and Empirical Study with Bayesian Neural Networks

TL;DR

This paper establishes theoretical conditions under which idealised models, including Bayesian neural networks, have no adversarial examples, and empirically demonstrates these ideas using HMC inference on synthetic and real image data.

Contribution

It provides the first theoretical conditions for models to lack adversarial examples and empirically validates these conditions with Bayesian neural networks using HMC inference.

Findings

Idealised models can have no adversarial examples under certain conditions.

Near-idealised BNNs with HMC show high epistemic uncertainty on off-manifold images.

Dropout-based models can be bypassed with new attack methods, highlighting limitations.

Abstract

We prove, under two sufficient conditions, that idealised models can have no adversarial examples. We discuss which idealised models satisfy our conditions, and show that idealised Bayesian neural networks (BNNs) satisfy these. We continue by studying near-idealised BNNs using HMC inference, demonstrating the theoretical ideas in practice. We experiment with HMC on synthetic data derived from MNIST for which we know the ground-truth image density, showing that near-perfect epistemic uncertainty correlates to density under image manifold, and that adversarial images lie off the manifold in our setting. This suggests why MC dropout, which can be seen as performing approximate inference, has been observed to be an effective defence against adversarial examples in practice; We highlight failure-cases of non-idealised BNNs relying on dropout, suggesting a new attack for dropout models and a new defence as well. Lastly, we demonstrate the defence on a cats-vs-dogs image classification task with a VGG13 variant.