ML · LG · May 28, 2019

Adversarial Robustness Guarantees for Classification with Gaussian Processes

arXiv:1905.11876v3 · 22 citations
Originality: Incremental advance
AI Analysis

This work addresses the problem of ensuring adversarial robustness for GPC models, which is incremental as it applies existing robustness concepts to a specific model class.

The paper tackles the problem of computing guaranteed adversarial robustness bounds for Gaussian Process Classification (GPC) models by deriving lower- and upper-bounding functions and implementing a branch-and-bound algorithm that is guaranteed to reach values within a specified error threshold in finitely many iterations. The results include empirical analysis on datasets like SPAM and MNIST, showing that GPC robustness increases with more accurate posterior estimation.

We investigate adversarial robustness of Gaussian Process Classification (GPC) models. Given a compact subset of the input space $T\subseteq \mathbb{R}^d$ enclosing a test point $x^*$ and a GPC trained on a dataset $\mathcal{D}$, we aim to compute the minimum and the maximum classification probability for the GPC over all the points in $T$. In order to do so, we show how functions lower- and upper-bounding the GPC output in $T$ can be derived, and implement those in a branch and bound optimisation algorithm. For any error threshold $\epsilon > 0$ selected a priori, we show that our algorithm is guaranteed to reach values $\epsilon$-close to the actual values in finitely many iterations. We apply our method to investigate the robustness of GPC models on a 2D synthetic dataset, the SPAM dataset and a subset of the MNIST dataset, providing comparisons of different GPC training techniques, and show how our method can be used for interpretability analysis. Our empirical analysis suggests that GPC robustness increases with more accurate posterior estimation.
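The branch-and-bound scheme the abstract describes, as an added sketch that is not the paper's code: it brackets the minimum class probability over a box $T$ to within $\epsilon$. Assumptions: a plug-in RBF-kernel latent mean stands in for the full GPC posterior (latent variance is ignored), the bounding function is a simple interval bound rather than the paper's, and `TRAIN`, `LENGTH` and all function names are constructed for illustration.

```python
import heapq
import math

# Constructed toy model (assumption, not from the paper): RBF-kernel latent mean
# f(x) = sum_i a_i * k(x, x_i), class probability p(x) = sigmoid(f(x)).
TRAIN = [((0.0, 0.0), 1.5), ((1.0, 1.0), -2.0), ((0.0, 1.0), 0.8), ((1.0, 0.2), -0.6)]
LENGTH = 0.5  # kernel length-scale (constructed)

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def prob(x):
    """Class-1 probability at a single point x."""
    f = sum(a * math.exp(-sum((xj - cj) ** 2 for xj, cj in zip(x, c)) / (2 * LENGTH ** 2))
            for c, a in TRAIN)
    return sigmoid(f)

def lower_bound(box):
    """Sound lower bound on prob over box = ((lo, hi), ...), one interval per dimension."""
    f_lo = 0.0
    for c, a in TRAIN:
        # Smallest and largest squared distance from any point of the box to centre c.
        dmin = sum(max(lo - cj, 0.0, cj - hi) ** 2 for (lo, hi), cj in zip(box, c))
        dmax = sum(max(abs(lo - cj), abs(hi - cj)) ** 2 for (lo, hi), cj in zip(box, c))
        k_hi = math.exp(-dmin / (2 * LENGTH ** 2))
        k_lo = math.exp(-dmax / (2 * LENGTH ** 2))
        f_lo += a * (k_lo if a > 0 else k_hi)  # worst case per term
    return sigmoid(f_lo)  # sigmoid is monotone, so the bound carries over

def centre(box):
    return tuple((lo + hi) / 2 for lo, hi in box)

def min_prob(box, eps=1e-3, max_iter=200000):
    """Branch and bound: (lower, upper) bracketing min prob over box, upper - lower <= eps."""
    best_ub = prob(centre(box))          # any evaluated point upper-bounds the minimum
    heap = [(lower_bound(box), box)]     # boxes ordered by their lower bound
    for _ in range(max_iter):
        lb, b = heapq.heappop(heap)      # smallest lower bound left = global lower bound
        if best_ub - lb <= eps:
            return lb, best_ub
        j = max(range(len(b)), key=lambda i: b[i][1] - b[i][0])  # split widest side
        lo, hi = b[j]
        mid = (lo + hi) / 2
        for half in ((lo, mid), (mid, hi)):
            child = b[:j] + (half,) + b[j + 1:]
            best_ub = min(best_ub, prob(centre(child)))
            heapq.heappush(heap, (lower_bound(child), child))
    raise RuntimeError("iteration budget exhausted before reaching eps")
```

A test point classified as class 1 is certified robust over $T$ when the returned lower value exceeds 0.5; the maximum probability follows from the same loop with the bound directions flipped.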

Code Implementations: 1 repo