Efficient Calculation of Adversarial Examples for Bayesian Neural Networks
2020
Conference / Journal
Research Hub
Research Hub C: Secure Systems
Research Challenges
RC 9: Intelligent Security Systems
Abstract
Calculating adversarial examples for Bayesian neural networks is cumbersome. Due to the inherent stochasticity, the gradient of the network can only be reliably approximated by sampling multiple times from the posterior, leading to a greatly increased computational cost. In this paper we propose to efficiently attack Bayesian neural networks with adversarial examples calculated for a deterministic network with parameters given by the mean of the posterior distribution. We show in a series of experiments that the proposed approach can be used to effectively attack Bayesian neural networks while using 4.2 times fewer resources than existing adversarial example estimation methods with comparable strength. We demonstrate that this is especially helpful during adversarial training, when multiple different model configurations need to be evaluated.