Robustness of Bayesian Neural Networks to Gradient-Based Attacks

TL;DR

This paper investigates the robustness of Bayesian Neural Networks against gradient-based adversarial attacks, revealing that in the large-data limit, they are inherently more resistant due to data degeneracy, supported by experiments on MNIST datasets.

Contribution

It provides a theoretical analysis linking data geometry to BNN robustness and demonstrates empirical robustness in large-data regimes using Hamiltonian Monte Carlo and Variational Inference.

Findings

BNNs are robust to gradient-based attacks in the large-data limit.

Data degeneracy causes vulnerability in neural networks.

Experimental results show high accuracy and robustness on MNIST datasets.

Abstract

Vulnerability to adversarial attacks is one of the principal hurdles to the adoption of deep learning in safety-critical applications. Despite significant efforts, both practical and theoretical, the problem remains open. In this paper, we analyse the geometry of adversarial attacks in the large-data, overparametrized limit for Bayesian Neural Networks (BNNs). We show that, in the limit, vulnerability to gradient-based attacks arises as a result of degeneracy in the data distribution, i.e., when the data lies on a lower-dimensional submanifold of the ambient space. As a direct consequence, we demonstrate that in the limit BNN posteriors are robust to gradient-based adversarial attacks. Experimental results on the MNIST and Fashion MNIST datasets with BNNs trained with Hamiltonian Monte Carlo and Variational Inference support this line of argument, showing that BNNs can display both high accuracy and robustness to gradient based adversarial attacks.