Adversarial vulnerability bounds for Gaussian process classification

This is the latest version of this eprint.

Abstract

Protecting ML classifiers from adversarial examples is crucial. We propose that the main threat is an attacker perturbing a confidently classified input to produce a confident misclassification. We consider in this paper the L0 attack in which a small number of inputs can be perturbed by the attacker at test-time. To quantify the risk of this form of attack we have devised a formal guarantee in the form of an adversarial bound (AB) for a binary, Gaussian process classifier using the EQ kernel. This bound holds for the entire input domain, bounding the potential of any future adversarial attack to cause a confident misclassification. We explore how to extend to other kernels and investigate how to maximise the bound by altering the classifier (for example by using sparse approximations). We test the bound using a variety of datasets and show that it produces relevant and practical bounds for many of them.

Metadata

Item Type:	Article
Authors/Creators:	Smith, M.T. Grosse, K. Backes, M. Álvarez, M.A.
Copyright, Publisher and Additional Information:	© The Author(s) 2022. Open Access: This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
Keywords:	Machine learning; Gaussian process; Adversarial example; Bound; Classification; Gaussian process classification
Dates:	Published: March 2023 Published (online): 8 September 2022 Accepted: 2 July 2022
Institution:	The University of Sheffield
Academic Units:	The University of Sheffield > Faculty of Engineering (Sheffield) > Department of Computer Science (Sheffield)
Funding Information:	Funder Grant number ENGINEERING AND PHYSICAL SCIENCE RESEARCH COUNCIL EP/N014162/1
Depositing User:	Symplectic Sheffield
Date Deposited:	25 Nov 2022 17:19
Last Modified:	14 Mar 2023 14:00
Status:	Published
Publisher:	Springer Science and Business Media LLC
Refereed:	Yes
Identification Number:	10.1007/s10994-022-06224-6
Open Archives Initiative ID (OAI ID):	oai:eprints.whiterose.ac.uk:193801

Available Versions of this Item

Adversarial vulnerability bounds for Gaussian process classification. (deposited 17 Jan 2020 13:57)
- Adversarial vulnerability bounds for Gaussian process classification. (deposited 25 Nov 2022 17:19) [Currently Displayed]

Download

Published Version

Filename: s10994-022-06224-6.pdf

Licence: CC-BY 4.0

CLICK TO DOWNLOAD

CORE (COnnecting REpositories)