Adversarial vulnerability bounds for Gaussian process classification

Mike T Smith; K Grosse; M Backes; MA Alvarez

doi:10.1007/s10994-022-06224-6

Adversarial vulnerability bounds for Gaussian process classification

Mike T Smith, K Grosse, M Backes, MA Alvarez

Information Management

Research output: Contribution to journal › Article › peer-review

Abstract

Protecting ML classifiers from adversarial examples is crucial. We propose that the main threat is an attacker perturbing a confidently classified input to produce a confident misclassification. We consider in this paper the L attack in which a small number of inputs can be perturbed by the attacker at test-time. To quantify the risk of this form of attack we have devised a formal guarantee in the form of an adversarial bound (AB) for a binary, Gaussian process classifier using the EQ kernel. This bound holds for the entire input domain, bounding the potential of any future adversarial attack to cause a confident misclassification. We explore how to extend to other kernels and investigate how to maximise the bound by altering the classifier (for example by using sparse approximations). We test the bound using a variety of datasets and show that it produces relevant and practical bounds for many of them.

Original language	English
Pages (from-to)	971-1009
Number of pages	39
Journal	Machine Learning
Volume	112
Issue number	3
Early online date	8 Sept 2022
DOIs	https://doi.org/10.1007/s10994-022-06224-6
Publication status	Published - 1 Mar 2023

Keywords

Adversarial example
Bound
Classification
Gaussian process
Gaussian process classification
Machine learning

Access to Document

10.1007/s10994-022-06224-6Licence: CC BY

Cite this

@article{7d810941c5d2424f9d64be6f8eea6f9b,

title = "Adversarial vulnerability bounds for Gaussian process classification",

abstract = "Protecting ML classifiers from adversarial examples is crucial. We propose that the main threat is an attacker perturbing a confidently classified input to produce a confident misclassification. We consider in this paper the L attack in which a small number of inputs can be perturbed by the attacker at test-time. To quantify the risk of this form of attack we have devised a formal guarantee in the form of an adversarial bound (AB) for a binary, Gaussian process classifier using the EQ kernel. This bound holds for the entire input domain, bounding the potential of any future adversarial attack to cause a confident misclassification. We explore how to extend to other kernels and investigate how to maximise the bound by altering the classifier (for example by using sparse approximations). We test the bound using a variety of datasets and show that it produces relevant and practical bounds for many of them.",

keywords = "Adversarial example, Bound, Classification, Gaussian process, Gaussian process classification, Machine learning",

author = "Smith, {Mike T} and K Grosse and M Backes and MA Alvarez",

year = "2023",

month = mar,

day = "1",

doi = "10.1007/s10994-022-06224-6",

language = "English",

volume = "112",

pages = "971--1009",

journal = "Machine Learning",

issn = "0885-6125",

publisher = "Springer Nature",

number = "3",

}

TY - JOUR

T1 - Adversarial vulnerability bounds for Gaussian process classification

AU - Smith, Mike T

AU - Grosse, K

AU - Backes, M

AU - Alvarez, MA

PY - 2023/3/1

Y1 - 2023/3/1

N2 - Protecting ML classifiers from adversarial examples is crucial. We propose that the main threat is an attacker perturbing a confidently classified input to produce a confident misclassification. We consider in this paper the L attack in which a small number of inputs can be perturbed by the attacker at test-time. To quantify the risk of this form of attack we have devised a formal guarantee in the form of an adversarial bound (AB) for a binary, Gaussian process classifier using the EQ kernel. This bound holds for the entire input domain, bounding the potential of any future adversarial attack to cause a confident misclassification. We explore how to extend to other kernels and investigate how to maximise the bound by altering the classifier (for example by using sparse approximations). We test the bound using a variety of datasets and show that it produces relevant and practical bounds for many of them.

AB - Protecting ML classifiers from adversarial examples is crucial. We propose that the main threat is an attacker perturbing a confidently classified input to produce a confident misclassification. We consider in this paper the L attack in which a small number of inputs can be perturbed by the attacker at test-time. To quantify the risk of this form of attack we have devised a formal guarantee in the form of an adversarial bound (AB) for a binary, Gaussian process classifier using the EQ kernel. This bound holds for the entire input domain, bounding the potential of any future adversarial attack to cause a confident misclassification. We explore how to extend to other kernels and investigate how to maximise the bound by altering the classifier (for example by using sparse approximations). We test the bound using a variety of datasets and show that it produces relevant and practical bounds for many of them.

KW - Adversarial example

KW - Bound

KW - Classification

KW - Gaussian process

KW - Gaussian process classification

KW - Machine learning

UR - https://www.webofscience.com/api/gateway?GWVersion=2&SrcApp=pure_starter&SrcAuth=WosAPI&KeyUT=WOS:000851348600002&DestLinkType=FullRecord&DestApp=WOS

UR - http://www.scopus.com/inward/record.url?scp=85137600625&partnerID=8YFLogxK

UR - https://www.mendeley.com/catalogue/adddf974-b39f-3aab-9530-33efe5fb1b96/

U2 - 10.1007/s10994-022-06224-6

DO - 10.1007/s10994-022-06224-6

M3 - Article

SN - 0885-6125

VL - 112

SP - 971

EP - 1009

JO - Machine Learning

JF - Machine Learning

IS - 3

ER -

Adversarial vulnerability bounds for Gaussian process classification

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

MCAIF: Centre for AI Fundamentals

Cite this

Adversarial vulnerability bounds for Gaussian process classification

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Projects

MCAIF: Centre for AI Fundamentals

Cite this