Conformal prediction (CP) is a framework for quantifying the uncertainty of machine learning classifiers, including deep neural networks. Given a testing example and a trained classifier, CP produces a prediction set of candidate labels with a user-specified coverage (i.e., the true class label is contained with high probability). Almost all existing work on CP assumes clean testing data, and little is known about the robustness of CP algorithms with respect to natural/adversarial perturbations to testing examples. This paper studies the problem of probabilistically robust conformal prediction (PRCP), which ensures robustness to most perturbations around clean input examples. PRCP generalizes standard CP (which cannot handle perturbations) and adversarially robust CP (which ensures robustness with respect to worst-case perturbations) to achieve better trade-offs between nominal performance and robustness. We propose a novel adaptive PRCP (aPRCP) algorithm to achieve probabilistically robust coverage. The key idea behind aPRCP is to determine two parallel thresholds, one for data samples and another for the perturbations on data (a.k.a. the "quantile-of-quantile" design). We provide theoretical analysis to show that the aPRCP algorithm achieves robust coverage. Our experiments on the CIFAR-10, CIFAR-100, and ImageNet datasets using deep neural networks demonstrate that aPRCP achieves better trade-offs than state-of-the-art CP and adversarially robust CP algorithms.
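A sketch of the "quantile-of-quantile" calibration described above, added here as an example and not the authors' aPRCP code. The toy three-class scorer, the uniform noise model, the sample count `m` and the levels `alpha` and `alpha_tilde` are all assumptions.

```python
import math
import random

# Added sketch, not the paper's code: scorer, noise model and levels are assumptions.
CENTERS = [-2.0, 0.0, 2.0]  # constructed 3-class toy problem on the real line

def score(x, y):
    """Nonconformity score 1 - p_y(x) for a toy softmax over distances to CENTERS."""
    w = [math.exp(-(x - c) ** 2) for c in CENTERS]
    return 1.0 - w[y] / sum(w)

def quantile(vals, level, conformal=False):
    """Empirical level-quantile; conformal=True applies the (n+1) finite-sample correction."""
    n = len(vals)
    k = math.ceil((n + 1 if conformal else n) * level)
    return sorted(vals)[min(max(k, 1), n) - 1]

def calibrate(cal, eps, alpha, alpha_tilde, m=50, seed=0):
    """Two thresholds: inner quantile over sampled perturbations, outer over data."""
    rng = random.Random(seed)
    inner = []
    for x, y in cal:
        perturbed = [score(x + rng.uniform(-eps, eps), y) for _ in range(m)]
        inner.append(quantile(perturbed, 1 - alpha_tilde))
    return quantile(inner, 1 - alpha, conformal=True)

def predict_set(x, tau):
    """Labels whose nonconformity score at x does not exceed the threshold."""
    return {y for y in range(len(CENTERS)) if score(x, y) <= tau}

def sample(n, seed):
    """Constructed data: uniform label, feature = class centre + Gaussian noise."""
    rng = random.Random(seed)
    ys = [int(rng.random() * len(CENTERS)) for _ in range(n)]
    return [(CENTERS[y] + rng.gauss(0, 0.8), y) for y in ys]

def robust_coverage(test, tau, eps, alpha_tilde, m=50, seed=1):
    """Fraction of points whose label survives >= 1-alpha_tilde of sampled perturbations."""
    rng = random.Random(seed)
    ok = 0
    for x, y in test:
        hits = sum(y in predict_set(x + rng.uniform(-eps, eps), tau) for _ in range(m))
        ok += hits >= (1 - alpha_tilde) * m
    return ok / len(test)

if __name__ == "__main__":
    cal, test = sample(500, 10), sample(500, 11)
    for name, e in [("standard CP", 0.0), ("probabilistically robust", 0.5)]:
        tau = calibrate(cal, e, alpha=0.1, alpha_tilde=0.1)
        print(name, round(tau, 3), robust_coverage(test, tau, 0.5, 0.1))
```

With `eps=0` the inner quantile collapses to the clean score and the threshold is the standard CP one; setting `alpha_tilde=0` takes the maximum over the sampled perturbations, a sampled stand-in for the worst case.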