Certifiably Robust Variational Autoencoders

Ben Barrett, Alexander Camuto, Matthew Willetts, Tom Rainforth
Proceedings of The 25th International Conference on Artificial Intelligence and Statistics, PMLR 151:3663-3683, 2022.

Abstract

We introduce an approach for training variational autoencoders (VAEs) that are certifiably robust to adversarial attack. Specifically, we first derive actionable bounds on the minimal size of an input perturbation required to change a VAE’s reconstruction by more than an allowed amount, with these bounds depending on certain key parameters such as the Lipschitz constants of the encoder and decoder. We then show how these parameters can be controlled, thereby providing a mechanism to ensure a priori that a VAE will attain a desired level of robustness. Moreover, we extend this to a complete practical approach for training such VAEs to ensure our criteria are met. Critically, our method allows one to specify a desired level of robustness upfront and then train a VAE that is guaranteed to achieve this robustness. We further demonstrate that these Lipschitz-constrained VAEs are more robust to attack than standard VAEs in practice.

Cite this Paper


BibTeX
@InProceedings{pmlr-v151-barrett22a,
  title = {Certifiably Robust Variational Autoencoders},
  author = {Barrett, Ben and Camuto, Alexander and Willetts, Matthew and Rainforth, Tom},
  booktitle = {Proceedings of The 25th International Conference on Artificial Intelligence and Statistics},
  pages = {3663--3683},
  year = {2022},
  editor = {Camps-Valls, Gustau and Ruiz, Francisco J. R. and Valera, Isabel},
  volume = {151},
  series = {Proceedings of Machine Learning Research},
  month = {28--30 Mar},
  publisher = {PMLR},
  pdf = {https://proceedings.mlr.press/v151/barrett22a/barrett22a.pdf},
  url = {https://proceedings.mlr.press/v151/barrett22a.html},
  abstract = {We introduce an approach for training variational autoencoders (VAEs) that are certifiably robust to adversarial attack. Specifically, we first derive actionable bounds on the minimal size of an input perturbation required to change a VAE’s reconstruction by more than an allowed amount, with these bounds depending on certain key parameters such as the Lipschitz constants of the encoder and decoder. We then show how these parameters can be controlled, thereby providing a mechanism to ensure a priori that a VAE will attain a desired level of robustness. Moreover, we extend this to a complete practical approach for training such VAEs to ensure our criteria are met. Critically, our method allows one to specify a desired level of robustness upfront and then train a VAE that is guaranteed to achieve this robustness. We further demonstrate that these Lipschitz-constrained VAEs are more robust to attack than standard VAEs in practice.}
}
Endnote
%0 Conference Paper
%T Certifiably Robust Variational Autoencoders
%A Ben Barrett
%A Alexander Camuto
%A Matthew Willetts
%A Tom Rainforth
%B Proceedings of The 25th International Conference on Artificial Intelligence and Statistics
%C Proceedings of Machine Learning Research
%D 2022
%E Gustau Camps-Valls
%E Francisco J. R. Ruiz
%E Isabel Valera
%F pmlr-v151-barrett22a
%I PMLR
%P 3663--3683
%U https://proceedings.mlr.press/v151/barrett22a.html
%V 151
%X We introduce an approach for training variational autoencoders (VAEs) that are certifiably robust to adversarial attack. Specifically, we first derive actionable bounds on the minimal size of an input perturbation required to change a VAE’s reconstruction by more than an allowed amount, with these bounds depending on certain key parameters such as the Lipschitz constants of the encoder and decoder. We then show how these parameters can be controlled, thereby providing a mechanism to ensure a priori that a VAE will attain a desired level of robustness. Moreover, we extend this to a complete practical approach for training such VAEs to ensure our criteria are met. Critically, our method allows one to specify a desired level of robustness upfront and then train a VAE that is guaranteed to achieve this robustness. We further demonstrate that these Lipschitz-constrained VAEs are more robust to attack than standard VAEs in practice.
APA
Barrett, B., Camuto, A., Willetts, M. & Rainforth, T. (2022). Certifiably Robust Variational Autoencoders. Proceedings of The 25th International Conference on Artificial Intelligence and Statistics, in Proceedings of Machine Learning Research 151:3663-3683. Available from https://proceedings.mlr.press/v151/barrett22a.html.
