Probabilistic Safety for Bayesian Neural Networks

TL;DR

This paper introduces a method to compute lower bounds on the probabilistic safety of Bayesian Neural Networks under adversarial perturbations, enabling certification of safety even for large models.

Contribution

It develops a relaxation-based approach for probabilistic safety verification of BNNs, including explicit procedures for interval and linear propagation techniques.

Findings

Can certify safety of BNNs with millions of parameters

Applicable to regression, collision avoidance, and image classification tasks

Provides a scalable method for probabilistic safety assessment

Abstract

We study probabilistic safety for Bayesian Neural Networks (BNNs) under adversarial input perturbations. Given a compact set of input points, $T \subseteq \mathbb{R}^m$, we study the probability w.r.t. the BNN posterior that all the points in $T$ are mapped to the same region $S$ in the output space. In particular, this can be used to evaluate the probability that a network sampled from the BNN is vulnerable to adversarial attacks. We rely on relaxation techniques from non-convex optimization to develop a method for computing a lower bound on probabilistic safety for BNNs, deriving explicit procedures for the case of interval and linear function propagation techniques. We apply our methods to BNNs trained on a regression task, airborne collision avoidance, and MNIST, empirically showing that our approach allows one to certify probabilistic safety of BNNs with millions of parameters.