The Pitfalls and Promise of Conformal Inference Under Adversarial Attacks

Ziquan Liu; Yufei Cui; Yan Yan; Yi Xu; Xiangyang Ji; Xue Liu; Antoni B. Chan

The Pitfalls and Promise of Conformal Inference Under Adversarial Attacks

Ziquan Liu^*
, Yufei Cui
, Yan Yan
, Yi Xu
, Xiangyang Ji
, Xue Liu
, Antoni B. Chan

^*Corresponding author for this work

Department of Computer Science

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

2 Citations (Scopus)

Abstract

In safety-critical applications such as medical imaging and autonomous driving, where decisions have profound implications for patient health and road safety, it is imperative to maintain both high adversarial robustness to protect against potential adversarial attacks and reliable uncertainty quantification in decision-making. With extensive research focused on enhancing adversarial robustness through various forms of adversarial training (AT), a notable knowledge gap remains concerning the uncertainty inherent in adversarially trained models. To address this gap, this study investigates the uncertainty of deep learning models by examining the performance of conformal prediction (CP) in the context of standard adversarial attacks within the adversarial defense community. It is first unveiled that existing CP methods do not produce informative prediction sets under the commonly used l_∞-norm bounded attack if the model is not adversarially trained, which underpins the importance of adversarial training for CP. Our paper next demonstrates that the prediction set size (PSS) of CP using adversarially trained models with AT variants is often worse than using standard AT, inspiring us to research into CP-efficient AT for improved PSS. We propose to optimize a Beta-weighting loss with an entropy minimization regularizer during AT to improve CP-efficiency, where the Beta-weighting loss is shown to be an upper bound of PSS at the population level by our theoretical analysis. Moreover, our empirical study on four image classification datasets across three popular AT baselines validates the effectiveness of the proposed Uncertainty-Reducing AT (AT-UR). Copyright 2024 by the author(s)

Original language	English
Title of host publication	Proceedings of the 41st International Conference on Machine Learning
Editors	Ruslan Salakhutdinov, Zico Kolter, Katherine Heller
Publisher	ML Research Press
Pages	30908-30928
Publication status	Published - Jul 2024
Event	41st International Conference on Machine Learning (ICML 2024) - Messe Wien Exhibition Congress Center, Vienna, Austria Duration: 21 Jul 2024 → 27 Jul 2024 https://proceedings.mlr.press/v235/ https://icml.cc/

Publication series

Name	Proceedings of Machine Learning Research
Volume	235
ISSN (Print)	2640-3498

Conference

Conference	41st International Conference on Machine Learning (ICML 2024)
Place	Austria
City	Vienna
Period	21/07/24 → 27/07/24
Internet address	https://proceedings.mlr.press/v235/ https://icml.cc/

Bibliographical note

Full text of this publication does not contain sufficient affiliation information. With consent from the author(s) concerned, the Research Unit(s) information for this record is based on the existing academic department affiliation of the author(s).

Funding

This work was supported by a grant from the Research Grants Council of the Hong Kong Special Administrative Region, China (Project No. CityU 11215820).

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

SDG 3 Good Health and Well-being
SDG 11 Sustainable Cities and Communities

Access Output

https://proceedings.mlr.press/v235/liu24m.html

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

Liu, Z., Cui, Y., Yan, Y., Xu, Y., Ji, X., Liu, X., & Chan, A. B. (2024). The Pitfalls and Promise of Conformal Inference Under Adversarial Attacks. In R. Salakhutdinov, Z. Kolter, & K. Heller (Eds.), Proceedings of the 41st International Conference on Machine Learning (pp. 30908-30928). (Proceedings of Machine Learning Research; Vol. 235). ML Research Press. https://proceedings.mlr.press/v235/liu24m.html

@inproceedings{1c5c2c49f5df403f96cac4715e1730ba,

title = "The Pitfalls and Promise of Conformal Inference Under Adversarial Attacks",

abstract = "In safety-critical applications such as medical imaging and autonomous driving, where decisions have profound implications for patient health and road safety, it is imperative to maintain both high adversarial robustness to protect against potential adversarial attacks and reliable uncertainty quantification in decision-making. With extensive research focused on enhancing adversarial robustness through various forms of adversarial training (AT), a notable knowledge gap remains concerning the uncertainty inherent in adversarially trained models. To address this gap, this study investigates the uncertainty of deep learning models by examining the performance of conformal prediction (CP) in the context of standard adversarial attacks within the adversarial defense community. It is first unveiled that existing CP methods do not produce informative prediction sets under the commonly used l∞-norm bounded attack if the model is not adversarially trained, which underpins the importance of adversarial training for CP. Our paper next demonstrates that the prediction set size (PSS) of CP using adversarially trained models with AT variants is often worse than using standard AT, inspiring us to research into CP-efficient AT for improved PSS. We propose to optimize a Beta-weighting loss with an entropy minimization regularizer during AT to improve CP-efficiency, where the Beta-weighting loss is shown to be an upper bound of PSS at the population level by our theoretical analysis. Moreover, our empirical study on four image classification datasets across three popular AT baselines validates the effectiveness of the proposed Uncertainty-Reducing AT (AT-UR). Copyright 2024 by the author(s)",

author = "Ziquan Liu and Yufei Cui and Yan Yan and Yi Xu and Xiangyang Ji and Xue Liu and Chan, \{Antoni B.\}",

note = "Full text of this publication does not contain sufficient affiliation information. With consent from the author(s) concerned, the Research Unit(s) information for this record is based on the existing academic department affiliation of the author(s).; 41st International Conference on Machine Learning (ICML 2024) ; Conference date: 21-07-2024 Through 27-07-2024",

year = "2024",

month = jul,

language = "English",

series = "Proceedings of Machine Learning Research",

publisher = "ML Research Press",

pages = "30908--30928",

editor = "Ruslan Salakhutdinov and Zico Kolter and Katherine Heller",

booktitle = "Proceedings of the 41st International Conference on Machine Learning",

url = "https://proceedings.mlr.press/v235/, https://icml.cc/",

}

Liu, Z, Cui, Y, Yan, Y, Xu, Y, Ji, X, Liu, X & Chan, AB 2024, The Pitfalls and Promise of Conformal Inference Under Adversarial Attacks. in R Salakhutdinov, Z Kolter & K Heller (eds), Proceedings of the 41st International Conference on Machine Learning. Proceedings of Machine Learning Research, vol. 235, ML Research Press, pp. 30908-30928, 41st International Conference on Machine Learning (ICML 2024), Vienna, Austria, 21/07/24. <https://proceedings.mlr.press/v235/liu24m.html>

The Pitfalls and Promise of Conformal Inference Under Adversarial Attacks. / Liu, Ziquan; Cui, Yufei; Yan, Yan et al.
Proceedings of the 41st International Conference on Machine Learning. ed. / Ruslan Salakhutdinov; Zico Kolter; Katherine Heller. ML Research Press, 2024. p. 30908-30928 (Proceedings of Machine Learning Research; Vol. 235).

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

TY - GEN

T1 - The Pitfalls and Promise of Conformal Inference Under Adversarial Attacks

AU - Liu, Ziquan

AU - Cui, Yufei

AU - Yan, Yan

AU - Xu, Yi

AU - Ji, Xiangyang

AU - Liu, Xue

AU - Chan, Antoni B.

N1 - Full text of this publication does not contain sufficient affiliation information. With consent from the author(s) concerned, the Research Unit(s) information for this record is based on the existing academic department affiliation of the author(s).

PY - 2024/7

Y1 - 2024/7

N2 - In safety-critical applications such as medical imaging and autonomous driving, where decisions have profound implications for patient health and road safety, it is imperative to maintain both high adversarial robustness to protect against potential adversarial attacks and reliable uncertainty quantification in decision-making. With extensive research focused on enhancing adversarial robustness through various forms of adversarial training (AT), a notable knowledge gap remains concerning the uncertainty inherent in adversarially trained models. To address this gap, this study investigates the uncertainty of deep learning models by examining the performance of conformal prediction (CP) in the context of standard adversarial attacks within the adversarial defense community. It is first unveiled that existing CP methods do not produce informative prediction sets under the commonly used l∞-norm bounded attack if the model is not adversarially trained, which underpins the importance of adversarial training for CP. Our paper next demonstrates that the prediction set size (PSS) of CP using adversarially trained models with AT variants is often worse than using standard AT, inspiring us to research into CP-efficient AT for improved PSS. We propose to optimize a Beta-weighting loss with an entropy minimization regularizer during AT to improve CP-efficiency, where the Beta-weighting loss is shown to be an upper bound of PSS at the population level by our theoretical analysis. Moreover, our empirical study on four image classification datasets across three popular AT baselines validates the effectiveness of the proposed Uncertainty-Reducing AT (AT-UR). Copyright 2024 by the author(s)

AB - In safety-critical applications such as medical imaging and autonomous driving, where decisions have profound implications for patient health and road safety, it is imperative to maintain both high adversarial robustness to protect against potential adversarial attacks and reliable uncertainty quantification in decision-making. With extensive research focused on enhancing adversarial robustness through various forms of adversarial training (AT), a notable knowledge gap remains concerning the uncertainty inherent in adversarially trained models. To address this gap, this study investigates the uncertainty of deep learning models by examining the performance of conformal prediction (CP) in the context of standard adversarial attacks within the adversarial defense community. It is first unveiled that existing CP methods do not produce informative prediction sets under the commonly used l∞-norm bounded attack if the model is not adversarially trained, which underpins the importance of adversarial training for CP. Our paper next demonstrates that the prediction set size (PSS) of CP using adversarially trained models with AT variants is often worse than using standard AT, inspiring us to research into CP-efficient AT for improved PSS. We propose to optimize a Beta-weighting loss with an entropy minimization regularizer during AT to improve CP-efficiency, where the Beta-weighting loss is shown to be an upper bound of PSS at the population level by our theoretical analysis. Moreover, our empirical study on four image classification datasets across three popular AT baselines validates the effectiveness of the proposed Uncertainty-Reducing AT (AT-UR). Copyright 2024 by the author(s)

UR - https://www.scopus.com/pages/publications/85203832282

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-85203832282&origin=recordpage

M3 - RGC 32 - Refereed conference paper (with host publication)

T3 - Proceedings of Machine Learning Research

SP - 30908

EP - 30928

BT - Proceedings of the 41st International Conference on Machine Learning

A2 - Salakhutdinov, Ruslan

A2 - Kolter, Zico

A2 - Heller, Katherine

PB - ML Research Press

T2 - 41st International Conference on Machine Learning (ICML 2024)

Y2 - 21 July 2024 through 27 July 2024

ER -

The Pitfalls and Promise of Conformal Inference Under Adversarial Attacks

Abstract

Publication series

Conference

Bibliographical note

Funding

UN SDGs

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

GRF: Defending against Adversarial Examples in Deep Learning: New Regularization and Training Methods

Cite this

The Pitfalls and Promise of Conformal Inference Under Adversarial Attacks

Abstract

Publication series

Conference

Bibliographical note

Funding

UN SDGs

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Projects

GRF: Defending against Adversarial Examples in Deep Learning: New Regularization and Training Methods

Cite this