Robustness bounds on the successful adversarial examples in probabilistic models: Implications from Gaussian processes

TL;DR

This paper establishes a new theoretical upper bound on the success probability of adversarial attacks in Gaussian Process classification, linking it to perturbation size, kernel choice, and training data separation, with experimental validation.

Contribution

It introduces a novel upper bound on AE success probability in probabilistic models that is independent of data distribution and influenced by kernel parameters.

Findings

Upper bound depends on perturbation norm, kernel, and data separation.

The bound is independent of data distribution.

Kernel parameter changes affect the success probability bound.

Abstract

Adversarial example (AE) is an attack method for machine learning, which is crafted by adding imperceptible perturbation to the data inducing misclassification. In the current paper, we investigated the upper bound of the probability of successful AEs based on the Gaussian Process (GP) classification, a probabilistic inference model. We proved a new upper bound of the probability of a successful AE attack that depends on AE's perturbation norm, the kernel function used in GP, and the distance of the closest pair with different labels in the training dataset. Surprisingly, the upper bound is determined regardless of the distribution of the sample dataset. We showed that our theoretical result was confirmed through the experiment using ImageNet. In addition, we showed that changing the parameters of the kernel function induces a change of the upper bound of the probability of successful AEs.