Adversarial robustness of amortized Bayesian inference
Manuel Glöckler, Michael Deistler, Jakob H. Macke

TL;DR
This paper investigates the vulnerability of amortized Bayesian inference to adversarial data perturbations and proposes a Fisher information-based regularization to enhance its robustness.
Contribution
It reveals the susceptibility of amortized Bayesian inference to adversarial attacks and introduces a regularization method to improve its robustness against such perturbations.
Findings
Adversarial perturbations can drastically alter posterior estimates.
Regularization based on Fisher information improves robustness.
The method is effective across multiple benchmark tasks and real-world data.
Abstract
Bayesian inference usually requires running potentially costly inference procedures separately for every new observation. In contrast, the idea of amortized Bayesian inference is to initially invest computational cost in training an inference network on simulated data, which can subsequently be used to rapidly perform inference (i.e., to return estimates of posterior distributions) for new observations. This approach has been applied to many real-world models in the sciences and engineering, but it is unclear how robust the approach is to adversarial perturbations in the observed data. Here, we study the adversarial robustness of amortized Bayesian inference, focusing on simulation-based estimation of multi-dimensional posterior distributions. We show that almost unrecognizable, targeted perturbations of the observations can lead to drastic changes in the predicted posterior and highly…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Gaussian Processes and Bayesian Inference · Explainable Artificial Intelligence (XAI)
