In this paper, we introduce BNN-DP, an efficient algorithmic framework for analysis of adversarial robustness of Bayesian Neural Networks (BNNs). Given a compact set of input points $T\subset \mathbb{R}^n$, BNN-DP computes lower and upper bounds on the BNN's predictions for all the points in $T$. The framework is based on an interpretation of BNNs as stochastic dynamical systems, which enables the use of Dynamic Programming (DP) algorithms to bound the prediction range along the layers of the network. Specifically, the method uses bound propagation techniques and convex relaxations to derive a backward recursion procedure to over-approximate the prediction range of the BNN with piecewise affine functions. The algorithm is general and can handle both regression and classification tasks. On a set of experiments on various regression and classification tasks and BNN architectures, we show that BNN-DP outperforms state-of-the-art methods by up to four orders of magnitude in both tightness of the bounds and computational efficiency.

翻译：本文提出BNN-DP，一个用于分析贝叶斯神经网络（BNN）对抗鲁棒性的高效算法框架。给定一个紧凑的输入点集$T\subset \mathbb{R}^n$，BNN-DP计算BNN对$T$中所有点预测值的下界和上界。该框架基于将BNN解释为随机动力系统，从而能够利用动态规划（DP）算法沿网络各层约束预测范围。具体而言，该方法采用界传播技术和凸松弛推导出向后递归过程，通过分段仿射函数对BNN的预测范围进行过近似。该算法具有通用性，可同时处理回归和分类任务。在多个回归与分类任务及不同BNN架构的实验上，我们证明BNN-DP在界紧致性和计算效率方面均优于现有最优方法多达四个数量级。