How Sampling Impacts the Robustness of Stochastic Neural Networks
This provides theoretical insights into adversarial robustness for stochastic models, addressing a specific bottleneck in machine learning security, though it is incremental in building on prior observations.
The paper tackles the problem of understanding how sampling affects the robustness of stochastic neural networks against adversarial attacks, deriving a sufficient condition for robustness and identifying key factors like gradient variance and sample size that influence attack strength and model resilience.
Stochastic neural networks (SNNs) are random functions whose predictions are gained by averaging over multiple realizations. Consequently, a gradient-based adversarial example is calculated based on one set of samples and its classification on another set. In this paper, we derive a sufficient condition for such a stochastic prediction to be robust against a given sample-based attack. This allows us to identify the factors that lead to an increased robustness of SNNs and gives theoretical explanations for: (i) the well known observation, that increasing the amount of samples drawn for the estimation of adversarial examples increases the attack's strength, (ii) why increasing the number of samples during an attack can not fully reduce the effect of stochasticity, (iii) why the sample size during inference does not influence the robustness, and (iv) why a higher gradient variance and a shorter expected value of the gradient relates to a higher robustness. Our theoretical findings give a unified view on the mechanisms underlying previously proposed approaches for increasing attack strengths or model robustness and are verified by an extensive empirical analysis.