Robustness of Bayesian Neural Networks to White-Box Adversarial Attacks

TL;DR

This paper demonstrates that Bayesian Neural Networks (BNNs) exhibit superior robustness to white-box adversarial attacks compared to traditional neural networks, and that adversarial training further enhances their defenses while providing better uncertainty estimates.

Contribution

The study introduces a new BNN architecture called BNN-DenseNet and a combined adversarial training method, showing improved robustness and uncertainty calibration over non-Bayesian models.

Findings

BNNs outperform TNNs under various white-box attacks.

Adversarial training significantly boosts BNN robustness.

BNNs provide more calibrated and less overconfident predictions.

Abstract

Bayesian Neural Networks (BNNs), unlike Traditional Neural Networks (TNNs) are robust and adept at handling adversarial attacks by incorporating randomness. This randomness improves the estimation of uncertainty, a feature lacking in TNNs. Thus, we investigate the robustness of BNNs to white-box attacks using multiple Bayesian neural architectures. Furthermore, we create our BNN model, called BNN-DenseNet, by fusing Bayesian inference (i.e., variational Bayes) to the DenseNet architecture, and BDAV, by combining this intervention with adversarial training. Experiments are conducted on the CIFAR-10 and FGVC-Aircraft datasets. We attack our models with strong white-box attacks ($l_\infty$-FGSM, $l_\infty$-PGD, $l_2$-PGD, EOT $l_\infty$-FGSM, and EOT $l_\infty$-PGD). In all experiments, at least one BNN outperforms traditional neural networks during adversarial attack scenarios. An adversarially-trained BNN outperforms its non-Bayesian, adversarially-trained counterpart in most experiments, and often by significant margins. Lastly, we investigate network calibration and find that BNNs do not make overconfident predictions, providing evidence that BNNs are also better at measuring uncertainty.