Certifiably Robust Variational Autoencoders
- URL: http://arxiv.org/abs/2102.07559v1
- Date: Mon, 15 Feb 2021 13:56:54 GMT
- Title: Certifiably Robust Variational Autoencoders
- Authors: Ben Barrett, Alexander Camuto, Matthew Willetts, Tom Rainforth
- Abstract summary: We introduce an approach for training Variational Autoencoders (VAEs) that are certifiably robust to adversarial attack.
We derive actionable bounds on the minimal size of an input perturbation required to change a VAE's reconstruction.
We show how these parameters can be controlled, thereby providing a mechanism to ensure a VAE will attain a desired level of robustness.
- Score: 74.28099923969754
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: We introduce an approach for training Variational Autoencoders (VAEs) that are certifiably robust to adversarial attack. Specifically, we first derive actionable bounds on the minimal size of an input perturbation required to change a VAE's reconstruction by more than an allowed amount, with these bounds depending on certain key parameters such as the Lipschitz constants of the encoder and decoder. We then show how these parameters can be controlled, thereby providing a mechanism to ensure a priori that a VAE will attain a desired level of robustness. Moreover, we extend this to a complete practical approach for training such VAEs to ensure our criteria are met. Critically, our method allows one to specify a desired level of robustness upfront and then train a VAE that is guaranteed to achieve this robustness. We further demonstrate that these Lipschitz-constrained VAEs are more robust to attack than standard VAEs in practice.
Related papers
- Closing the gap: Exact maximum likelihood training of generative autoencoders using invertible layers [7.76925617801895]
We show that VAE-style autoencoders can be constructed using invertible layers, which offer a tractable exact likelihood without the need for regularization terms.
This is achieved while leaving complete freedom in the choice of encoder, decoder and prior architectures.
We show that the approach results in strikingly higher performance than architecturally equivalent VAEs in terms of log-likelihood, sample quality and denoising performance.
arXiv Detail & Related papers (2022-05-19T13:16:09Z)
- Defending Variational Autoencoders from Adversarial Attacks with MCMC [74.36233246536459]
Variational autoencoders (VAEs) are deep generative models used in various domains.
As previous work has shown, one can easily fool VAEs to produce unexpected latent representations and reconstructions for a visually slightly modified input.
Here, we examine several objective functions for adversarial attack construction, suggest metrics to assess the model's robustness, and propose a solution.
arXiv Detail & Related papers (2022-03-18T13:25:18Z)
- Adaptive Feature Alignment for Adversarial Training [56.17654691470554]
CNNs are typically vulnerable to adversarial attacks, which pose a threat to security-sensitive applications.
We propose the adaptive feature alignment (AFA) to generate features of arbitrary attacking strengths.
Our method is trained to automatically align features of arbitrary attacking strength.
arXiv Detail & Related papers (2021-05-31T17:01:05Z)
- Diagnosing Vulnerability of Variational Auto-Encoders to Adversarial Attacks [80.73580820014242]
We show how to modify a data point to obtain a prescribed latent code (supervised attack) or just get a drastically different code (unsupervised attack).
We examine the influence of model modifications on the robustness of VAEs and suggest metrics to quantify it.
arXiv Detail & Related papers (2021-03-10T14:23:20Z)
- Consistent Non-Parametric Methods for Adaptive Robustness [26.016647703500887]
A major drawback of the standard robust learning framework is the imposition of an artificial robustness radius $r$ that applies to all inputs.
We propose a new framework for adaptive robustness, called neighborhood preserving robustness.
arXiv Detail & Related papers (2021-02-18T00:44:07Z)
- Autoencoding Variational Autoencoder [56.05008520271406]
We study the implications of this behaviour on the learned representations and also the consequences of fixing it by introducing a notion of self consistency.
We show that encoders trained with our self-consistency approach lead to representations that are robust (insensitive) to perturbations in the input introduced by adversarial attacks.
arXiv Detail & Related papers (2020-12-07T14:16:14Z)
- Towards a Theoretical Understanding of the Robustness of Variational Autoencoders [82.68133908421792]
We make inroads into understanding the robustness of Variational Autoencoders (VAEs) to adversarial attacks and other input perturbations.
We develop a novel criterion for robustness in probabilistic models: $r$-robustness.
We show that VAEs trained using disentangling methods score well under our robustness metrics.
arXiv Detail & Related papers (2020-07-14T21:22:29Z)
- Double Backpropagation for Training Autoencoders against Adversarial Attack [15.264115499966413]
This paper focuses on the adversarial attack on autoencoders.
We propose to adopt double backpropagation (DBP) to secure autoencoders such as VAE and DRAW.
arXiv Detail & Related papers (2020-03-04T05:12:27Z)
- Safe Wasserstein Constrained Deep Q-Learning [2.088376060651494]
This paper presents a distributionally robust Q-Learning algorithm (DrQ) which leverages Wasserstein ambiguity sets to provide idealistic probabilistic out-of-sample safety guarantees.
Using a case study of lithium-ion battery fast charging, we explore how idealistic safety guarantees translate to generally improved safety.
arXiv Detail & Related papers (2020-02-07T21:23:46Z)