Towards Certification of Uncertainty Calibration under Adversarial Attacks
Cornelius Emde, Francesco Pinto, Thomas Lukasiewicz, Philip H.S. Torr, Adel Bibi

TL;DR
This paper introduces methods to certify and improve the robustness of neural network calibration against adversarial attacks, providing bounds and new attack strategies to enhance safety in critical applications.
Contribution
It develops certified bounds for calibration metrics under adversarial perturbations and introduces novel calibration attacks and training methods to improve model robustness.
Findings
Certified bounds for Brier score and calibration error under attacks
Novel adversarial calibration attacks demonstrated
Calibration can be improved through adversarial training
Abstract
Since neural classifiers are known to be sensitive to adversarial perturbations that alter their accuracy, certification methods have been developed to provide provable guarantees on the insensitivity of their predictions to such perturbations. Furthermore, in safety-critical applications, the frequentist interpretation of the confidence of a classifier (also known as model calibration) can be of utmost importance. This property can be measured via the Brier score or the expected calibration error. We show that attacks can significantly harm calibration, and thus propose certified calibration as worst-case bounds on calibration under adversarial perturbations. Specifically, we produce analytic bounds for the Brier score and approximate bounds via the solution of a mixed-integer program on the expected calibration error. Finally, we propose novel calibration attacks and…
Taxonomy
Topics: Fault Detection and Control Systems · Risk and Safety Analysis
