A unified Bayesian framework for adversarial robustness
This work gives adversarial robustness a statistically rigorous Bayesian footing. Its contribution is a unifying formalism rather than a new defense mechanism: the two strategies it derives line up with the existing adversarial training and adversarial purification families, so the work reads as incremental on the mechanism side even though the probabilistic treatment of the adversary is new.
The authors address the vulnerability of machine learning models to adversarial attacks with a formal Bayesian framework that models uncertainty about the adversary explicitly. It yields two robustification strategies, one applied at training time and one at inference time, that improve on traditional deterministic (worst-case) defenses.
The vulnerability of machine learning models to adversarial attacks remains a critical security challenge. Traditional defenses, such as adversarial training, typically robustify models by minimizing a worst-case loss. However, these deterministic approaches do not account for uncertainty in the adversary's attack. While stochastic defenses placing a probability distribution on the adversary exist, they often lack statistical rigor and fail to make explicit their underlying assumptions. To resolve these issues, we introduce a formal Bayesian framework that models adversarial uncertainty through a stochastic channel, articulating all probabilistic assumptions. This yields two robustification strategies: a proactive defense enacted during training, aligned with adversarial training, and a reactive defense enacted during operations, aligned with adversarial purification. Several previous defenses can be recovered as limiting cases of our model. We empirically validate our methodology, showcasing the benefits of explicitly modeling adversarial uncertainty.
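As an added illustration (not the paper's code), the following Python toy contrasts the deterministic worst-case objective of adversarial training with an objective that averages the loss over an explicit distribution on the adversary (the proactive defense), and implements a conjugate-Gaussian purification step as the reactive defense. The 1-D linear classifier, the logistic loss, the uniform and Gaussian perturbation channels, the Gaussian prior on clean inputs and the constructed four-point data set are all assumptions made for the illustration, not the paper's model. The limiting-case behaviour it exhibits (a point-mass channel reproduces the worst-case loss exactly; a zero-variance channel leaves the input unpurified, i.e. an undefended classifier) is a property of this toy, shown to make the abstract's remark about recovering previous defenses concrete.

```python
"""Toy contrast of a worst-case (deterministic) adversary against an explicit
stochastic adversary channel, on a 1-D linear classifier with logistic loss.

Added example, not the paper's code.  Modelling assumptions made here:
  * adversary channel x_obs = x + delta; for the proactive defense delta has
    an explicit distribution given as weighted samples, for the reactive
    defense delta ~ N(0, channel_var);
  * clean input prior x ~ N(prior_mean, prior_var), so the purification
    posterior is available in closed form.
"""
import math
from typing import Callable, List, Tuple

# Constructed, linearly separable 1-D data set: (x, label in {-1, +1}).
DATA: List[Tuple[float, int]] = [(-2.0, -1), (-1.0, -1), (1.0, 1), (2.0, 1)]

Channel = List[Tuple[float, float]]  # weighted perturbation samples (delta, prob)


def logistic_loss(w: float, b: float, x: float, y: int) -> float:
    """log(1 + exp(-y*(w*x + b))), evaluated without overflow."""
    margin = y * (w * x + b)
    return math.log1p(math.exp(-abs(margin))) + max(-margin, 0.0)


def worst_case_loss(w: float, b: float, x: float, y: int, eps: float) -> float:
    """Adversarial-training inner maximisation: max_{|delta|<=eps} loss(x+delta).
    For a 1-D linear score the maximiser is the interval end that shrinks the
    margin most, so no inner optimiser is needed."""
    if w == 0.0:
        return logistic_loss(w, b, x, y)
    delta = -y * eps * (1.0 if w > 0 else -1.0)
    return logistic_loss(w, b, x + delta, y)


def expected_loss(w: float, b: float, x: float, y: int, channel: Channel) -> float:
    """Proactive (Bayesian) objective: E_{delta ~ channel}[loss(x + delta)].
    A point mass on the worst-case delta reproduces worst_case_loss."""
    total = sum(p for _, p in channel)
    return sum(p * logistic_loss(w, b, x + d, y) for d, p in channel) / total


def uniform_channel(eps: float, n: int = 21) -> Channel:
    """Explicit attacker model: delta ~ Uniform[-eps, eps] on an n-point grid."""
    step = 2.0 * eps / (n - 1)
    return [(-eps + i * step, 1.0 / n) for i in range(n)]


def adversarial_training_risk(eps: float) -> Callable[[float, float], float]:
    """Empirical risk under the deterministic worst-case adversary."""
    return lambda w, b: sum(worst_case_loss(w, b, x, y, eps) for x, y in DATA) / len(DATA)


def bayesian_risk(channel: Channel) -> Callable[[float, float], float]:
    """Empirical risk averaged over the stochastic adversary channel."""
    return lambda w, b: sum(expected_loss(w, b, x, y, channel) for x, y in DATA) / len(DATA)


def fit(risk: Callable[[float, float], float], steps: int = 300,
        lr: float = 0.1, l2: float = 0.05) -> Tuple[float, float]:
    """Minimise risk(w, b) + l2*w**2 by central-difference gradient descent.
    The L2 term keeps w finite on separable data.  Returns (w, b)."""
    def objective(ww: float, bb: float) -> float:
        return risk(ww, bb) + l2 * ww * ww

    w, b, h = 0.0, 0.0, 1e-6
    for _ in range(steps):
        gw = (objective(w + h, b) - objective(w - h, b)) / (2 * h)
        gb = (objective(w, b + h) - objective(w, b - h)) / (2 * h)
        w -= lr * gw
        b -= lr * gb
    return w, b


def robust_accuracy(w: float, b: float, eps: float) -> float:
    """Fraction of DATA still classified correctly under the worst |delta| <= eps."""
    correct = 0
    for x, y in DATA:
        delta = -y * eps * (1.0 if w >= 0 else -1.0)
        correct += int(y * (w * (x + delta) + b) > 0)
    return correct / len(DATA)


def purify(x_obs: float, prior_mean: float, prior_var: float, channel_var: float) -> float:
    """Reactive defense at operation time: posterior mean E[x | x_obs] for
    x ~ N(prior_mean, prior_var), x_obs = x + delta, delta ~ N(0, channel_var).
    channel_var -> 0 (no attack assumed) returns the observation unchanged;
    prior_var -> 0 ignores the observation and returns the prior mean."""
    if prior_var + channel_var == 0.0:
        return x_obs
    return (prior_var * x_obs + channel_var * prior_mean) / (prior_var + channel_var)


def predict(w: float, b: float, x: float) -> int:
    """Sign of the linear score as a {-1, +1} label."""
    return 1 if w * x + b >= 0 else -1


if __name__ == "__main__":
    eps = 0.5
    w_adv, b_adv = fit(adversarial_training_risk(eps))
    w_bay, b_bay = fit(bayesian_risk(uniform_channel(eps)))
    print(f"worst-case training: w={w_adv:.3f} robust acc={robust_accuracy(w_adv, b_adv, eps):.2f}")
    print(f"Bayesian training  : w={w_bay:.3f} robust acc={robust_accuracy(w_bay, b_bay, eps):.2f}")
    x_clean = purify(1.2, 0.0, 1.0, 0.25)  # reactive path: purify, then classify
    print(f"purified 1.2 -> {x_clean:.3f}, label {predict(w_adv, b_adv, x_clean)}")
```

The two `fit` calls differ only in the objective: the worst-case risk optimises against a single adversarial point per example, whereas the Bayesian risk weights every perturbation the channel assigns mass to, so a practitioner can see directly how the choice of channel (here uniform, but any weighted sample set works) changes the trained weight and the resulting robust accuracy. The `purify` step is the operation-time counterpart and is independent of how the classifier was trained.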