Publication:
Calibrated Multi-probabilistic Prediction as a Defense Against Adversarial Attacks
| cris.virtual.department | #PLACEHOLDER_PARENT_METADATA_VALUE# | |
| cris.virtual.orcid | 0000-0002-1666-5483 | |
| cris.virtualsource.department | ca80dd44-0864-4cd3-a701-870434fb124c | |
| cris.virtualsource.orcid | ca80dd44-0864-4cd3-a701-870434fb124c | |
| dc.contributor.author | Peck, Jonathan | |
| dc.contributor.author | Goossens, Bart | |
| dc.contributor.author | Saeys, Yvan | |
| dc.date.accessioned | 2026-05-11T09:08:09Z | |
| dc.date.available | 2026-05-11T09:08:09Z | |
| dc.date.createdwos | 2025-12-10 | |
| dc.date.issued | 2020 | |
| dc.description.abstract | Machine learning (ML) classifiers—in particular deep neural networks—are surprisingly vulnerable to so-called adversarial examples. These are small modifications of natural inputs which drastically alter the output of the model even though no relevant features appear to have been modified. One explanation that has been offered for this phenomenon is the calibration hypothesis, which states that the probabilistic predictions of typical ML models are miscalibrated. As a result, classifiers can often be very confident in completely erroneous predictions. Based on this idea, we propose the MultIVAP algorithm for defending arbitrary ML models against adversarial examples. Our method is inspired by the inductive Venn-ABERS predictor (IVAP) technique from the field of conformal prediction. The IVAP enjoys the theoretical guarantee that its predictions will be perfectly calibrated, thus addressing the problem of miscalibration. Experimental results on five image classification tasks demonstrate empirically that the MultIVAP has a reasonably small computational overhead and provides significantly higher adversarial robustness without sacrificing accuracy on clean data. This increase in robustness is observed both against defense-oblivious attacks as well as a defense-aware white-box attack specifically designed for the MultIVAP. | |
| dc.description.wosFundingText | We thank the NVIDIA Corporation for the donation of a Titan Xp GPU with which we were able to carry out our experiments. Jonathan Peck is sponsored by a fellowship of the Research Foundation Flanders (FWO). Yvan Saeys is an ISAC Marylou Ingram scholar. | |
| dc.identifier.doi | 10.1007/978-3-030-65154-1_6 | |
| dc.identifier.isbn | 978-3-030-65153-4 | |
| dc.identifier.issn | 1865-0929 | |
| dc.identifier.uri | https://imec-publications.be/handle/20.500.12860/59411 | |
| dc.language.iso | eng | |
| dc.provenance.editstepuser | greet.vanhoof@imec.be | |
| dc.publisher | SPRINGER INTERNATIONAL PUBLISHING AG | |
| dc.source.beginpage | 85 | |
| dc.source.conference | Artificial Intelligence and Machine Learning , BNAIC 2019, BENELEARN 2019 | |
| dc.source.conferencedate | 2019-11-06 | |
| dc.source.conferencelocation | Brussels | |
| dc.source.endpage | 125 | |
| dc.source.journal | ARTIFICIAL INTELLIGENCE AND MACHINE LEARNING, BNAIC 2019, BENELEARN 2019 | |
| dc.source.numberofpages | 41 | |
| dc.title | Calibrated Multi-probabilistic Prediction as a Defense Against Adversarial Attacks | |
| dc.type | Proceedings paper | |
| dspace.entity.type | Publication | |
| imec.internal.crawledAt | 2026-04-07 | |
| imec.internal.source | crawler | |
| imec.internal.wosCreatedAt | 2026-04-07 | |
| Files | ||
| Publication available in collections: |