LiBRe: A Practical Bayesian Approach to Adversarial Detection

Zhijie Deng1, Xiao Yang1, Shizhen Xu2, Hang Su1∗, Jun Zhu1*

1 Dept. of Comp. Sci. and Tech., BNRist Center, Institute for AI, Tsinghua-Bosch Joint ML Center, THBI Lab1 Tsinghua University, Beijing, 100084, China 2 RealAI

{dzj17,yangxiao19}@mails.tsinghua.edu.cn, shizhen.xu@realai.ai, {suhangss,dcszj}@tsinghua.edu.cn

Abstract

Despite their appealing flexibility, deep neural networks(DNNs) are vulnerable against adversarial examples. Vari-ous adversarial defense strategies have been proposed to re-solve this problem, but they typically demonstrate restrictedpracticability owing to unsurmountable compromise on uni-versality, effectiveness, or efficiency. In this work, we pro-pose a more practical approach, Lightweight Bayesian Re-finement (LiBRe), in the spirit of leveraging Bayesian neu-ral networks (BNNs) for adversarial detection. Empow-ered by the task and attack agnostic modeling under Bayesprinciple, LiBRe can endow a variety of pre-trained task-dependent DNNs with the ability of defending heteroge-neous adversarial attacks at a low cost. We develop andintegrate advanced learning techniques to make LiBRe ap-propriate for adversarial detection. Concretely, we buildthe few-layer deep ensemble variational and adopt the pre-training & fine-tuning workflow to boost the effectivenessand efficiency of LiBRe. We further provide a novel in-sight to realise adversarial detection-oriented uncertaintycorrection without inefficiently crafting adversarial exam-ples during training. Extensive empirical studies coveringa wide range of scenarios verify the practicability of LiBRe.We also conduct thorough ablation studies to evidence thesuperiority of our modeling and learning strategies.1

1. IntroductionThe blooming development of deep neural networks

(DNNs) has brought great success in extensive industrialapplications, such as image classification [23], face recog-nition [9] and object detection [50]. However, despitetheir promising expressiveness, DNNs are highly vulnera-ble to adversarial examples [57, 19], which are generated byadding human-imperceptible perturbations upon clean ex-amples to deliberately cause misclassification, partly due totheir non-linear and black-box nature. The threats from ad-

*Corresponding author1Code at https://github.com/thudzj/ScalableBDL.

• benign • adversarial

accept/reject

task-dependent prediction

Bayesian sub-module

Deterministic layers

Figure 1: Given a pre-trained DNN, LiBRe converts its last fewlayers (excluding the task-dependent output head) to be Bayesian,and reuses the pre-trained parameters. Then, LiBRe launchesseveral-round adversarial detection-oriented fine-tuning to renderthe posterior effective for prediction and meanwhile appropriatefor adversarial detection. In the inference phase, LiBRe estimatesthe predictive uncertainty and task-dependent predictions of theinput concurrently, where the former is used for adversarial detec-tion and determines the fidelity of the latter.

versarial examples have been witnessed in a wide spectrumof practical systems [52, 12], raising an urgent requirementfor advanced techniques to achieve robust and reliable deci-sion making, especially in safety-critical scenarios [13].

Though increasing methods have been developed totackle adversarial examples [42, 69, 25, 18, 68], they arenot problemless. On on hand, as one of the most popu-lar adversarial defenses, adversarial training [42, 69] intro-duces adversarial examples into training to explicitly tailorthe decision boundaries, which, yet, causes added trainingoverheads and typically leads to degraded predictive per-formance on clean examples. On the other hand, adversar-ial detection methods bypass the drawbacks of modifyingthe original DNNs by deploying a workflow to detect theadversarial examples ahead of decision making, by virtueof auxiliary classifiers [44, 18, 68, 5] or designed statis-tics [14, 40]. Yet, they are usually developed for specifictasks (e.g., image classification [68, 32, 18]) or for specificadversarial attacks [39], lacking the flexibility to effectivelygeneralize to other tasks or attacks.

By regarding the adversarial example as a special caseof out-of-distribution (OOD) data, Bayesian neural net-works (BNNs) have shown promise in adversarial detec-tion [14, 38, 54]. In theory, the predictive uncertainty ac-quired under Bayes principle suffices for detecting hetero-

1

arX

iv:2

103.

1483

5v2

[cs

.LG

] 3

1 M

ay 2

021

geneous adversarial examples in various tasks. However, inpractice, BNNs without a sharpened posterior often presentsystematically worse performance than their deterministiccounterparts [61]; also relatively low-cost Bayesian infer-ence methods frequently suffer from mode collapse andhence unreliable uncertainty [15]. BNNs’ requirement ofmore expertise for implementation and more efforts fortraining than DNNs further undermine their practicability.

In the work, we aim to develop a more practical adversar-ial detection approach by overcoming the aforementionedissues of BNNs. We propose Lightweight Bayesian Refine-ment (LiBRe), depicted in Fig. 1, to reach a good balanceamong predictive performance, quality of uncertainty esti-mates and learning efficiency. Concretely, LiBRe followsthe stochastic variational inference pipeline [2], but is em-powered by two non-trivial designs: (i) To achieve efficientlearning with high-quality outcomes, we devise the Few-lAyer Deep Ensemble (FADE) variational, which is remi-niscent of Deep Ensemble [31], one of the most effectiveBayesian marginalization methods [62], and meanwhile in-spired by the scalable last-layer Bayesian inference [29].Namely, FADE only performs deep ensemble in the last fewlayers of a model due to their crucial role for determiningmodel behaviour, while keeps the other layers determinis-tic. To encourage various ensemble candidates to capturediverse function modes, we develop a stochasticity-injectedlearning principle for FADE, which also benefits to reducethe gradient variance of the parameters. (ii) To further easeand accelerate the learning, we propose a Bayesian refine-ment paradigm, where we initialize the parameters of FADEwith the parameters of its pre-trained deterministic coun-terpart, thanks to the high alignment between FADE andpoint estimate. We then perform fine-tuning to constantlyimprove the FADE posterior.

As revealed by [22], the uncertainty quantification purelyacquired from Bayes principle may be unreliable for per-ceiving adversarial examples, thus it is indispensable to pur-sue an adversarial detection-oriented uncertainty correction.For universality, we place no assumption on the adversarialexamples to detect, so we cannot take the common strat-egy of integrating the adversarial examples crafted by spe-cific attacks into detector training [40]. Alternatively, wecheaply create uniformly perturbed examples and demandhigh predictive uncertainty on them during Bayesian refine-ment to make the model be sensitive to data with any style ofperturbation. Though such a correction renders the learnedposterior slightly deviated from the true Bayesian one, it cansignificantly boost adversarial detection performance.

The task and attack agnostic designs enable LiBRe toquickly and cheaply endow a pre-trained task-dependentDNN with the ability to detect various adversarial exampleswhen facing new tasks, as testified by our empirical studiesin Sec 5. Furthermore, LiBRe has significantly higher in-

ference (i.e., testing) speed than typical BNNs thanks to theadoption of lightweight variational. We can achieve furtherspeedup by exploring the potential of parallel computing,giving rise to inference speed close to the DNN in the samesetting. Extensive experiments in scenarios ranging fromimage classification, face recognition, to object detectionconfirm these claims and testify the superiority of LiBRe.We further perform thorough ablation studies to deeply un-derstand the adopted modeling and learning strategies.

2. Related WorkDetecting adversarial examples to bypass their safety

threats has attracted increasing attention recently. Manyworks aim at distinguishing adversarial examples from be-nign ones via an auxiliary classifier applied on statisticalfeatures [18, 68, 5, 7, 65]. [21] introduces an extra class inthe classifier for adversarial examples. Some recent worksexploit neighboring statistics to construct more powerfuldetection algorithms: [32] fits a Gaussian mixture model ofthe network responses, and resorts to the Mahalanbobis dis-tance for adversarial detection in the inference phase; [40]introduces the more advanced local intrinsic dimensional-ity to describe the distance distribution and observes betterresults. RCE [47] is developed with the promise of leadingto an enhanced distance between adversarial and normal im-ages for kernel density [14] based detection. However, mostof the aforementioned methods are restricted in the classi-fication scope, and the detectors trained against certain at-tacks may not effectively generalize to unseen attacks [39].

Bayesian deep learning [20, 60, 2, 1, 36, 26] providesus with a more theoretically appealing way to adversarialdetection. However, though the existing BNNs manage toperceive adversarial examples [14, 49, 54, 38, 48, 33], theyare typically limited in terms of training efficiency, predic-tive performance, etc., and thus cannot effectively scale upto real-world settings. More severely, the uncertainty esti-mates given by the BNNs for adversarial examples are notalways reliable [22], owing to the lack of particular designsfor adversarial detection. In this work, we address these is-sues with elaborated techniques and establish a more prac-tical adversarial detection approach.

3. BackgroundIn this section, we motivate Lightweight Bayesian Re-

finement (LiBRe) by briefly reviewing the background ofadversarial defense, and then describe the general workflowof Bayesian neural networks (BNNs).

3.1. Adversarial Defense

Typically, letD = {(xi, yi)}ni=1 denote a collection of ntraining samples with xi ∈ Rd and yi ∈ Y as the input dataand label, respectively. A deep neural network (DNN) pa-rameterized by w ∈ Rp is frequently trained via maximum

2

a posteriori estimation (MAP):

maxw

1

n

n∑i=1

log p(yi|xi;w) +1

nlog p(w), (1)

where p(y|x;w) refers to the predictive distribution of theDNN model. By setting the prior p(w) as an isotropicGaussian, the second term amounts to the L2 (weight de-cay) regularizer with a tunable coefficient λ in optimization.Generally speaking, the adversarial example correspondingto (xi, yi) against the model is defined as

xadvi = xi + argmin

δi∈Slog p(yi|xi + δi;w), (2)

where S = {δ : ‖δ‖ ≤ ε} is the valid perturbation setwith ε > 0 as the perturbation budget and ‖·‖ as some norm(e.g., l∞). Extensive attack methods have been developedwith promise to solve the above minimization problem [19,41, 4, 58], based on gradients or not.

The central goal of adversarial defense is to protect themodel from making undesirable decisions for the adversar-ial examples xadv

i . A representative line of work approachesthis objective by augmenting the training data with on-the-fly generated adversarial examples and forcing the model toyield correct predictions on them [42, 69]. But their limitedtraining efficiency and compromising performance on cleandata pose a major obstacle for real-world adoption. As analternative, adversarial detection methods focus on distin-guishing the adversarial examples from the normal ones soas to bypass the potentially harmful outcomes of makingdecisions for adversarial examples [44, 5, 40]. However,satisfactory transferability to unseen attacks and tasks be-yond image classification remains elusive [39].

3.2. Bayesian Neural Networks

In essence, the problem of distinguishing adversarialexamples from benign ones can be viewed as a special-ized out-of-distribution (OOD) detection problem of partic-ular concern in safety-sensitive scenarios – with the modeltrained on the clean data, we expect to identify the adver-sarial examples from a shifted data manifold, though theshift magnitude may be subtle and human-imperceptible. Inthis sense, we naturally introduce BNNs into the picture at-tributed to their principled OOD detection capacity alongwith the equivalent flexibility for data fitting as DNNs.

Modeling and training. Typically, a BNN is specifiedby a parameter prior p(w) and an NN-instantiated data like-lihood p(D|w). We are interested in the parameter posteriorp(w|D) instead of a point estimate as in DNN. It is knownthat precisely deriving the posterior is intractable owing tothe high non-linearity of neural networks. Among the widespectrum of approximate Bayesian inference methods, vari-ational BNNs are particularly attractive due to their close re-semblance to standard backprop [20, 2, 37, 55, 56, 53, 46].

Generally, in variational BNNs, we introduce a variationaldistribution q(w|θ) with parameters θ and maximize theevidence lower bound (ELBO) for learning (scaled by 1/n):

maxθ

Eq(w|θ)

[1

n

n∑i=1

log p(yi|xi;w)

]− 1

nDKL(q(w|θ)‖p(w)).

(3)Inference. The obtained posterior q(w|θ)2 offers us

the opportunities to predict robustly. For computationaltractability, we usually estimate the posterior predictive via:

p(y|x,D) = Eq(w|θ) [p(y|x;w)] ≈ 1

T

T∑t=1

p(y|x;w(t)), (4)

where w(t) ∼ q(w|θ), t = 1, ..., T denote the Monte Carlo(MC) samples. In other words, the BNN assembles the pre-dictions yielded by all likely models to make more reliableand calibrated decisions, in stark contrast to the DNN whichonly cares about the most possible parameter point.

Measure of uncertainty. For adversarial detection, weare interested in the epistemic uncertainty which is indica-tive of covariate shift. A superior choice of uncertainty met-ric is the softmax variance given its previous success for ad-versarial detection in image classification [14] and insight-ful theoretical support [54]. However, the softmax outputof the model may be less attractive during inference (e.g.,in open-set face recognition), letting alone that not all thecomputer vision tasks can be formulated as pure classifi-cation problems (e.g., object detection). To make the met-ric faithful and readily applicable to diverse scenarios, weconcern the predictive variance of the hidden feature z cor-responding to x, by mildly assuming the information flowinside the model as x −→ z −→ y. We utilize an unbiasedvariance estimator and summarize the variance of all coor-dinates of z into a scalar via:

U(x) =1

T − 1

[T∑

t=1

‖z(t)‖22 − T (‖1

T

T∑t=1

z(t)‖22)

], (5)

where z(t) denotes the features of x under parameter sam-ple w(t) ∼ q(w|θ), t = 1, ..., T , with ‖·‖2 as `2 norm. Itis natural to simultaneously make prediction and quantifyuncertainty via Eq. (4) and Eq. (5) when testing.

4. Lightweight Bayesian RefinementDespite their theoretical appealingness, BNNs are sel-

dom adopted for real-world adversarial detection, owing toa wide range of concerns on their training efficiency, pre-dictive performance, quality of uncertainty estimates, andinference speed. In this section, we provide detailed andnovel strategies to relieve these concerns and build the prac-tical Lightweight Bayesian Refinement (LiBRe) framework.

2We use q(w|θ) equivalently with p(w|D) in the following if there isno misleading.

3

Variational configuration. At the core of variationalBNNs lies the configuration of the variational distribu-tion. The recent surge of variational Bayes has enabled usto leverage mean-field Gaussian [2], matrix-variate Gaus-sian [37, 55], multiplicative normalizing flows [38] andeven implicit distributions [34, 53] to build expressive andflexible variational distributions. However, on one side,there is evidence to suggest that more complex variation-als are commonly accompanied with less user-friendly andless scalable inference processes; on the other side, morepopular and more approachable variationals like mean-fieldGaussian, low-rank Gaussian [15] and MC Dropout [17]tend to concentrate on a single mode in the function space,rendering the yielded uncertainty estimates unreliable [15].

Deep Ensemble [31], a powerful alternative to BNNs,builds a set of parameter candidates θ = {w(c)}Cc=1, whichare separately trained to account for diverse function modes,and uniformly assembles their corresponding predictionsfor inference. In a probabilistic view, Deep Ensemblebuilds the variational q(w|θ) = 1

C

∑Cc=1 δ(w − w(c))

with δ as the Dirac delta function. Yet, obviously, opti-mizing the parameters of such a variational is computation-ally prohibitive [31]. Motivated by the success of last-layerBayesian inference [29], we propose to only convert the lastfew layers of the feature extraction module of a DNN, e.g.,the last residual block of ResNet-50 [23], to be Bayesianlayers whose parameters take the deep ensemble variational.

Formally, breaking downw intowb andw−b, which de-note the parameters of the tiny Bayesian sub-module andthe other parameters in the model respectively, we devisethe Few-lAyer Deep Ensemble (FADE) variational:

q(w|θ) = 1

C

C∑c=1

δ(wb −w(c)b )δ(w−b −w(0)

−b ), (6)

where θ = {w(0)−b ,w

(1)b , ...,w

(C)b }. Intuitively, FADE will

strikingly ease and accelerate the learning, permitting scal-ing Bayesian inference up to deep architectures trivially.

ELBO maximization. Given the FADE variational, wedevelop an effective and user-friendly implementation forlearning. Equally assuming an isotropic Gaussian prior asthe MAP estimation for DNN, the second term of the ELBOin Eq. (3) boils down to weight decay regularizers with co-efficients λ onw(0)

−b and λC onw(c)

b , c = 1, ..., C, which canbe easily implemented inside the optimizer.3 Then, we onlyneed to explicitly deal with the first term in the ELBO. An-alytically estimating the expectation in this term is feasiblebut may hinder different parameter candidates from explor-ing diverse function modes (as they may undergo similaroptimization trajectories). Thus, we advocate maximizing a

3The derivation is based on relaxing the Dirac distribution as Gaussianwith small variance. See Sec 3.4 of [16] for detailed derivation insights.

stochastic estimate of it on top of stochastic gradient ascent:

maxθL =

1

|B|∑

(xi,yi)∈B

log p(yi|xi;w(c)b ,w

(0)−b ), (7)

where B is a stochastic mini-batch, and c is drawn fromunif{1, C}, i.e., the uniform distribution over {1, ..., C}.

However, intuitively, ∇w

(0)−b

L exhibits high varianceacross iterations due to its correlation with the varyingchoice of c, which is harmful for the convergence (seeSec 5.4 and [28]). To disentangle such correlation, we pro-pose to replace the batch-wise parameter sample w(c)

b with

instance-wise ones w(ci)b , ci

i.i.d.∼ unif{1, C}, i = 1, ..., |B|,which ensures w(0)

−b to comprehensively consider the vari-able behaviour of the Bayesian sub-module at per iteration.Formally, we solve the following problem for training:

maxθL∗ = 1

|B|∑

(xi,yi)∈B

log p(yi|xi;w(ci)b ,w

(0)−b ). (8)

Under such a learning criterion, each Bayesian param-eter candidate accounts for a stochastically assigned, sep-arate subset of B. Such stochasticity will be injected intothe gradient ascent dynamics and serves as an implicitregularization [43], leading {w(c)

b }Cc=1 to investigate di-verse weight sub-spaces and ideally diverse function modes.Compared to Deep Ensemble [31] which depends on ran-dom initialization to avoid mode collapse, our approach ismore theoretically motivated and more economical.

Though computing L∗ involves the same FLOPS ascomputing L, there is a barrier to make the computationcompatible with modern autodiff libraries and time-saving– de facto computational kernels routinely process a batchgiven shared parameters while estimating L∗ needs thekernels to embrace instance-specialized parameters in theBayesian sub-module. In spirit of parallel computing, weresort to the group convolution, batch matrix multiplication,etc. to address this issue. The resultant computation burdenis negligibly more than the original DNN thanks to the sup-port of powerful backends like cuDNN [6] for these opera-tors and the tiny size of the Bayesian sub-module.

Adversarial example free uncertainty correction. It isa straightforward observation that the above designs of theBNN are OOD data agnostic, leaving the ability to detectadversarial examples solely endowed by the rigorous Bayesprinciple. Nevertheless, as a special category of OOD data,adversarial examples hold several special characteristics,e.g., the close resemblance to benign data and the strongoffensive to the behaviour of black-box deep models, whichmay easily destroy the uncertainty based adversarial detec-tion [22]. A common strategy to address this issue is toincorporate adversarial examples crafted by specific attacksinto detector training [40], which, yet, is costly and may

4

limit the learned models from generalizing to unseen at-tacks. Instead, we propose an adversarial example free un-certainty correction strategy by considering a superset of theadversarial examples. We feed uniformly perturbed traininginstances (which encompass all kinds of adversarial exam-ples) into the BNN and demand relatively high predictiveuncertainty on them. Formally, with εtrain as the trainingperturbation budget, we perturb a mini-batch of data via

xi = xi + δi, δii.i.d.∼ U(−εtrain, εtrain)d, i = 1, ..., |B|. (9)

Then we calculate the uncertainty measure U cheaply withT = 2 MC samples, and regularize the outcome via solvingthe following margin loss:

maxθR =

1

|B|∑

(xi,yi)∈B

min(‖z(ci,1)

i − z(ci,2)

i ‖22, γ), (10)

where z(ci,j)i refers to the features of xi given parameter

samplew(ci,j) = {w(ci,j)b ,w

(0)−b}, with ci,j

i.i.d.∼ unif{1, C}and ci,1 6= ci,2, i = 1, ..., |B|, j = 1, 2. γ is a tun-able threshold. Surprisingly, this regularization remarkablyboosts the adversarial detection performance (see Sec 5.4).

Efficient learning by refining pre-trained DNNs.Though from-scratch BNN training is feasible, a recentwork demonstrate that it probably incurs worse predic-tive performance than a fairly trained DNN [61]. There-fore, given the alignment between the posterior parametersθ = {w(0)

−b ,w(1)b , ...,w

(C)b } and their DNN counterparts,

we suggest to perform cost-effective Bayesian refinementupon a pre-trained DNN model, which renders our work-flow more appropriate for large-scale learning.

With the pre-training DNN parameters denoted asw† =

{w†b ,w†−b}, we initialize w(0)

−b as w†−b and w(c)b as w†b for

c = 1, ..., C. Continuing from this, we fine-tune the vari-ational parameters to maximize L∗ + αR4 under weightdecay regularizers with suitable coefficients to realise ad-versarial detection-oriented posterior inference. The wholealgorithmic procedure is presented in Algorithm 1. Sucha practical and economical refinement significantly benefitsfrom the prevalence of open-source DNN model zoo, and ispromised to maintain non-degraded predictive performanceby the well-evaluated pre-training & fine-tuning workflow.

Inference speedup. After learning, a wide criticism onBNNs is their requirement for longer inference time thanDNNs. This is because BNNs leverage a collection of MCsamples to marginalize the posterior for prediction and un-certainty quantification, as shown in Eq. (4) and Eq. (5).However, such a problem is desirably alleviated in our ap-proach thanks to the adoption of the FADE variational. Themain part of the model remains deterministic, allowing usto perform only once forward propagation to reach the entryof the Bayesian sub-module. In the Bayesian sub-module,

4α refers to a trade-off coefficient.

Algorithm 1: Lightweight Bayesian Refinement

Input: pre-trained DNN parametersw†, weight decaycoefficient λ, threshold γ, trade-off coefficient α

1 Initialize {w(c)b }

Cc=1 andw(0)

−b based onw†

2 Build optimizers optb and opt−b with weight decay λ/Cand λ for {w(c)

b }Cc=1 andw(0)

−b respectively3 for epoch = 1, 2, ..., E do4 for mini-batch B = {(xi, yi)}|B|i=1 in D do5 Estimate the log-likelihood L∗ via Eq. (8)6 Uniformly perturb the clean data via Eq. (9)7 Estimate the uncertainty penaltyR via Eq. (10)8 Backward the gradients of L∗ + αR via autodiff9 Perform 1-step gradient ascent with optb & opt−b

we expect to take all the C parameter candidates into ac-count for prediction to thoroughly exploit their heteroge-neous predictive behaviour, i.e., T = C. Naively sequen-tially calculating the outcomes under each parameter can-didate w(c)

b is viable, but we can achieve further speedupby unleashing the potential of parallel computing. Take theconvolution layer in the front of the Bayesian sub-module asan example (we abuse some notations here): Given a batchof features xin ∈ Rb×i×h×w and C convolution kernelsw(c) ∈ Ro×i×k×k, c = 1, ..., C, we first repeat xin at thechannel dimension for C times, getting x′in = Rb×Ci×h×w,and concatenate {w(c)}Cc=1 as w′ ∈ RCo×i×k×k. Then,we estimate the outcomes in parallel via group convolution:x′out = conv(x′in,w

′, groups = C), and the outcome cor-responding to w(c) is x(c)

out = x′out[:, co − o : co, ...]. Thecooperation between FADE variational and the above strat-egy makes our inference time close to that of the DNNs inthe same setting (see Sec 5.4), while only our approach en-joys the benefits from Bayes principle and is able to achieverobust adversarial detection.

5. ExperimentsTo verify if LiBRE could quickly and economically equip

the pre-trained DNNs with principled adversarial detectionability in various scenarios, we perform extensive empiricalstudies covering ImageNet classification [8], open-set facerecognition [66], and object detection [35] in this section.

General setup. We fetch the pre-trained DNNs avail-able online, and inherit all their settings for the Bayesianrefinement unless otherwise stated. We use C = 20 can-didates for FADE across scenarios. The FADE posterior isgenerally employed for the parameters of the last convolu-tion block (e.g., the last residual block for ImageNet andface tasks or the feature output heads for object detection).We take the immediate output of the Bayesian sub-moduleas z for estimating feature variance uncertainty.

Attacks. We adopt some popular attacks to craft ad-versarial examples under `2 and `∞ threat models, includ-

5

Method Prediction accuracy ↑ AUROC of adversarial detection under model transfer ↑TOP1 TOP5 PGD MIM TIM DIM

MAP 76.13% 92.86% - - - -MC dropout [17] 74.86% 92.33% 0.660 0.723 0.695 0.605

LMFVI 76.06% 92.92% 0.125 0.200 0.510 0.018MFVI 75.24% 92.58% 0.241 0.205 0.504 0.150LiBRe 76.19% 92.98% 1.000 1.000 0.982 1.000

Table 1: Left: comparison on accuracy. Right: comparison on AUROC of adversarial detection under model transfer. (ImageNet)

Method FGSM BIM C&W PGD MIM TIM DIM FGSM-`2 BIM-`2 PGD-`2KD [14] 0.639 1.000 0.999 1.000 1.000 0.999 0.624 0.633 1.000 1.000LID [40] 0.846 0.999 0.999 0.999 0.997 0.999 0.762 0.846 0.999 0.999

MC dropout [17] 0.607 1.000 0.980 1.000 1.000 0.999 0.628 0.577 0.999 0.999LMFVI 0.029 0.992 0.738 0.943 0.996 0.997 0.021 0.251 0.993 0.946MFVI 0.102 1.000 0.780 0.992 1.000 0.999 0.298 0.358 0.952 0.935LiBRe 1.000 0.984 0.985 0.994 0.996 0.994 1.000 0.995 0.983 0.993

Table 2: Comparison on AUROC of adversarial detection for regular attacks ↑. (ImageNet)

ing fast gradient sign method (FGSM) [19], basic itera-tive method (BIM) [30], projected gradient descent method(PGD) [41], momentum iterative method (MIM) [10], Car-lini & Wagner’s method (C&W) [4], diverse inputs method(DIM) [64], and translation-invariant method (TIM) [11].We set the perturbation budget as ε =16/255. We set stepsize as 1/255 and the number of steps as 20 for all the it-erative methods. When attacking BNNs, the minimizationgoal in Eq. (2) refers to the posterior predictive in Eq. (4)with T = 20. More details are deferred to Appendix.

Baselines. Given the fact that many of the recent adver-sarial detection methods focus on specific tasks or attacksand hence can hardly be effectively extended to the chal-lenging settings considered in this paper (e.g., attacks undermodel transfer, object detection), we mainly compare Li-BRe to baselines implemented by ourselves, including 1)the fine-tuning start point MAP; 2) two standard adversar-ial detection approaches KD [14] and LID [40], which bothwork on the extracted features by MAP; 3) three popularBNN baselines MC dropout [17], MFVI [2], and LMFVI.MC dropout trains dropout networks from scratch and en-ables dropout during inference. MFVI is trained by thetypical mean-field variational inference, and LMFVI is alightweight variant of it with only the last few layers con-verted to be Bayesian (similar to LiBRe). MFVI and LMFVIwork in a Bayesian refinement manner in analogy to LiBRefor fair comparison. MC dropout, MFVI, and LMFVI areall trained without uncertainty calibration R and take thefeature variance as the measure of uncertainty.

Metric. The adversarial detection is essentially a binaryclassification, so we report the area under the receiver op-erating characteristic (AUROC) based on the raw predictiveuncertainty (for MFVI, LMFVI, MC dropout, and LiBRe),or the output of an extra detector (for KD and LID).

5.1. ImageNet Classification

We firstly check the adversarial detection effectivenessof LiBRe on ImageNet. We utilize the ResNet-50 [23] archi-

tecture with weight decay coefficient λ = 10−4, and set theuncertainty threshold γ as 0.5 according to the observationthat the normal samples usually have< 0.5 feature varianceuncertainty. We set α = 1 without tuning. We uniformlysample a training perturbation budget εtrain ∈ [ ε2 , 2ε] at periteration. We perform fine-tuning for E = 6 epochs withlearning rate of {w(c)

b }Cc=1 annealing from 10−3 to 10−4

with a cosine schedule and that of w(0)−b fixed as 10−4.

To defend regular attacks, KD and LID require to train aseparate detector for every attack under the supervision ofthe adversarial examples from that attack. Thus, to showthe best performance of KD and LID, we test the traineddetectors only on their corresponding adversarial examples.By contrast, LiBRE, MC dropout, LMFVI, and MFVI donot rely on specific attacks for training, thus have the poten-tial to detect any (unseen) attack, which is more flexible yetmore challenging. With that said, they can be trivially ap-plied to detect the adversarial examples under model trans-fer, which are crafted against a surrogate ResNet-152 DNNbut are used to attack the trained models, to further assessthe generalization ability of these defences.

The results are presented in Table 1 and Table 2. Wealso illustrate the uncertainty of normal and adversarial ex-amples assigned by LiBRe and a baseline in Fig. 2. It is animmediate observation that LiBRe preserves non-degradedprediction accuracy compared to its refinement start pointMAP, and meanwhile demonstrates near-perfect capacity ofdetecting adversarial examples. The superiority of LiBRe isespecially apparent under the more difficult model transferparadigm. The results in Fig. 2 further testify the abilityof LiBRe to assign higher uncertainty for adversarial exam-ples to distinguish them from the normal ones. AlthoughKD and the golden standard, LID, obtain full knowledge ofthe models and the attacks, we can still see evident marginsbetween their worst-case5 results and that of LiBRe.

5The worst case is of much more concern than the average for assessingrobustness.

6

(a) LiBRe, ImageNet (b) LMFVI, ImageNet (c) LiBRe, Face (d) MC dropout, FaceFigure 2: The histograms for the feature variance uncertainty of normal and adversarial examples given by LiBRe or the baselines.

Method Softmax CosFace ArcFaceMAP MCD LMFVI LiBRe MAP MCD LMFVI LiBRe MAP MCD LMFVI LiBRe

VGGFace2 0.9256 0.9254 0.9198 0.9246 0.9370 0.9370 0.9360 0.9376 0.9356 0.9334 0.9358 0.9348LFW 0.9913 0.9898 0.9912 0.9892 0.9930 0.9932 0.9920 0.9935 0.9933 0.9930 0.9933 0.9943

CPLFW 0.8630 0.8638 0.8610 0.8598 0.8915 0.8890 0.8925 0.8910 0.8808 0.8803 0.8833 0.8837CALFW 0.9107 0.9110 0.9087 0.9120 0.9327 0.9345 0.9333 0.9352 0.9292 0.9300 0.9250 0.9283

AgedDB-30 0.9177 0.9170 0.9128 0.9167 0.9435 0.9422 0.9387 0.9433 0.9327 0.9317 0.9337 0.9337CFP-FP 0.9523 0.9543 0.9480 0.9489 0.9564 0.9567 0.9583 0.9597 0.9587 0.9586 0.9554 0.9573CFP-FF 0.9873 0.9870 0.9874 0.9874 0.9927 0.9926 0.9916 0.9927 0.9914 0.9910 0.9911 0.9921

Table 3: Accuracy comparison on face recognition ↑. MCD is short for MC dropout. Bold refers to the best results under specific lossfunction. Blue bold refers to the overall best results.

Attack Softmax CosFace ArcFaceMC dropout LMFVI LiBRe MC dropout LMFVI LiBRe MC dropout LMFVI LiBRe

FGSM 0.866 0.155 1.000 0.889 0.001 1.000 0.794 0.001 1.000BIM 1.000 1.000 0.999 1.000 1.000 0.999 1.000 1.000 1.000PGD 1.000 0.992 0.999 1.000 0.998 0.998 1.000 0.990 1.000MIM 1.000 1.000 0.999 1.000 1.000 0.999 1.000 1.000 1.000TIM 1.000 1.000 0.999 1.000 1.000 0.998 1.000 1.000 1.000DIM 0.910 0.025 1.000 0.850 0.000 1.000 0.746 0.000 1.000

FGSM-`2 0.860 0.659 1.000 0.825 0.014 0.999 0.660 0.002 0.999BIM-`2 1.000 1.000 0.999 1.000 1.000 1.000 1.000 1.000 1.000PGD-`2 1.000 0.996 0.999 1.000 0.999 1.000 1.000 0.994 1.000

Table 4: Comparison on adversarial detection AUROC ↑. We report the averaged AUROC over the verification datasets. (face recognition)

The uncertainty-based detection baselines MC dropout,LMFVI, and MFVI are substantially outperformed by Li-BRe when considering the worst case. It is noteworthy thatMC dropout is slightly better than LMFVI and MFVI foradversarial detection, despite with worse accuracy. We alsofind that the performance of LMFVI is matched with thatof MFVI, supporting the proposed lightweight variationalnotion. Thus we use LMFVI as a major baseline in facerecognition instead of MFVI due to its efficiency.

5.2. Face RecognitionIn this section, we concern the more realistic open-set

face recognition on CASIA-WebFace [66]. We adopt theIResNet-50 architecture [9] and try three task-dependentloss: Softmax, CosFace [59], and ArcFace [9]. We followthe default hyper-parameter settings of [59, 9] and set λ as5 × 10−4. We tune some crucial hyper-parameters accord-ing to a held-out validation set and set γ = 1, α = 100, andE = 4. We uniformly sample εtrain ∈ [ε, 2ε] at per itera-tion. We adopt the same optimizer settings as on ImageNet.We perform comprehensive evaluation on face verificationdatasets including LFW [24], CPLFW [70], CALFW [71],CFP [51], VGGFace2 [3], and AgeDB-30 [45].

We provide the comparison results in Table 3, Table 4,and sub-figure (c) and (d) of Fig. 2. As expected, LiBRefrequently yields non-degraded recognition accuracy com-pared to MAP. Though the major goal of LiBRe is not toboost the task-dependent performance of the pre-trainedDNNs, to our surprise, LiBRe demonstrates dominant per-formance under the CosFace loss function. Regarding thequality of adversarial detection, LiBRe also bypasses thecompetitive baselines, especially in the worst case. Theseresults prove the universality and practicability of LiBRe.

5.3. Object Detection on COCOThen, we move to a more challenging task – object de-

tection on COCO [35]. Attacking and defending in objectdetection are more complicated and harder than in imageclassification [63]. Thus, rare of the previous works havegeneralized their methodology into this scenario. By con-trast, the task agnostic designs in LiBRe make it readilyapplicable to object detection without compromising effec-tiveness. Here, we launch experiments to identify this.

We take the state-of-the-art YOLOV5 [67] to performexperiments on COCO. In detail, we setup the experimentswith λ = 5 × 10−4, γ = 0.02, and α = 0.02. The other

7

Method Object detection Adversarial detectionmAP@.5 mAP@.5:.95 FGSM BIM PGD MIM

MAP 0.559 0.357 - - - -LiBRe 0.545 0.344 0.957 0.936 0.972 0.966

Table 5: Results on object detection. (COCO)

settings are aligned with those on face recognition.Multi-objective attack. Distinct from the ordinary clas-

sifiers, the object detector exports the locations of objectsalong with their classification results. Thus, an adversaryneeds to perform multi-objective attack to either make thedetected objects wrongly classified or render the objects ofinterest undetectable. Specifically, we craft adversarial ex-amples by maximizing a unified loss of the two factors de-rived from [67] w.r.t. the input image, which enables us toreuse the well developed FGSM, BIM, PGD, MIM, etc.

Table 5 exhibits the results. As expected, LiBRe showssatisfactory performance for detecting the four kinds of ad-versarial examples, verifying the universality of the Bayesprinciple based adversarial detection mechanism.

5.4. Ablation StudyComparison on uncertainty measure. As argued, the

feature variance uncertainty is more generic than the widelyused softmax variance. But, do they have matched effec-tiveness for adversarial detection? Here we answer thisquestion. We estimate the AUROC of detecting various ad-versarial examples based on softmax variance uncertaintyand list the results in row 2-3 of Table 6. Notably, thesoftmax variance brings much worse detection performancethan feature variance. We attribute this to that the transfor-mations to produce softmax output aggressively prune theinformation uncorrelated with the task-dependent target, butsuch information is crucial for qualifying uncertainty.

Effectiveness of R. Another question of interestis whether the compromising adversarial detection perfor-mance of LMFVI and MFVI stems from the naive trainingwithout uncertainty regularization R. For an answer, wetrain two variants of LMFVI and MFVI which incorporateR into the training like LiBRe. Their results are offered inrow 4-5 of Table 6. These results reflect that training underR will indeed significantly boost the adversarial detectionperformance. Yet, the two variants are still not as good asLiBRe, implying the supremacy of FADE.

Effectiveness of L∗. We then look at another key de-sign of LiBRe – optimizing L∗, the instance-wise stochasticestimation of the expected log-likelihood (the first term ofthe ELBO), rather thanL. To deliver a quantitative analysis,we train LiBRe by optimizingL and estimate the adversarialdetection quality of the learned model, obtaining the resultspresented in row 6 of Table 6. The obviously worse resultsthan original LiBRe substantiate our concerns on L in Sec 4.

Inference speed. We compare the inference speed ofLiBRe to the baselines in sub-figure (a) of Fig. 3. LiBReand LMFVI are orders of magnitude faster than the other

Ablation Method FGSM C&W PGD DIM

w/ SV MC dropout 0.759 0.013 0.049 0.752LiBRe 0.708 0.107 0.361 0.650

w/ UR LMFVI 0.990 0.921 0.980 0.989MFVI 0.986 0.943 0.999 0.992

w/ L LiBRe 0.433 0.820 0.887 0.247

Table 6: AUROC comparison for ablation study. As a reference,the results of LiBRe are 1.000, 0.985, 0.994, and 1.000, respec-tively. SV refers to using softmax variance as uncertainty measure.UR refers to training under the uncertainty regularization R. Lrefers to using batch-wise MC estimation in training. (ImageNet)

Infe

renc

e tim

e pe

r ba

tch

(s)

0

0.75

1.5

2.25

3

MAP LiBRe LMFVI MFVI MC dropout

0.779

2.117

0.0650.0610.035

表格 1

MAP 0.0345257997512817LiBRe 0.061LMFVI 0MFVI 2MC dropout 1

(a) Inference speed comparison (b) Candidate similarity in the posterior

1

Figure 3: Left: the time for estimating the posterior predictive ofa mini-batch of 32 ImageNet instances with T = 20 MC sampleson one RTX 2080-Ti GPU (MAP performs deterministic inferencewithout MC estimation). Right: the similarity between the candi-dates in the learned FADE posterior.

two BNNs. LiBRe is only slightly slower than MAP, butcan yield uncertainty estimates for adversarial detection.

A visualization of the posterior. To verify the claimthat our learning strategies lead to posteriors without modecollapse, we reduce the dimension of the candidates in thelearned FADE posterior via PCA and then compute the co-sine similarity between them. Sub-figure (b) of Fig. 3 de-picts the results, which signify the candidate diversity.

6. ConclusionIn this work, we propose a practical Bayesian approach

to supplement the pre-trained task-dependent DNNs withthe ability of adversarial detection at a low cost. The de-veloped strategies enhance the efficiency and the quality ofadversarial detection without compromising predictive per-formance. Extensive experiments validate the practicabilityof the proposed method. For future work, we can developa parameter-sharing variant of FADE for higher efficiency,apply LiBRe to DeepFake detection, etc.

AcknowledgementsThis work was supported by the National Key

Research and Development Program of China(No.2020AAA0104304, No. 2017YFA0700904), NSFCProjects (Nos. 61620106010, 62076147, U19A2081,U19B2034, U1811461), Beijing Academy of ArtificialIntelligence (BAAI), Tsinghua-Huawei Joint ResearchProgram, a grant from Tsinghua Institute for Guo Qiang,Tiangong Institute for Intelligent Computing, and theNVIDIA NVAIL Program with GPU/DGX Acceleration.

8

References[1] Anoop Korattikara Balan, Vivek Rathod, Kevin P Murphy,

and Max Welling. Bayesian dark knowledge. In Advances inNeural Information Processing Systems, pages 3438–3446,2015. 2

[2] Charles Blundell, Julien Cornebise, Koray Kavukcuoglu,and Daan Wierstra. Weight uncertainty in neural network.In International Conference on Machine Learning, pages1613–1622, 2015. 2, 3, 4, 6

[3] Qiong Cao, Li Shen, Weidi Xie, Omkar M Parkhi, andAndrew Zisserman. Vggface2: A dataset for recognisingfaces across pose and age. In 2018 13th IEEE InternationalConference on Automatic Face & Gesture Recognition (FG2018), pages 67–74. IEEE, 2018. 7

[4] Nicholas Carlini and David Wagner. Towards evaluating therobustness of neural networks. In IEEE Symposium on Secu-rity and Privacy, 2017. 3, 6, 12

[5] Fabio Carrara, Rudy Becarelli, Roberto Caldelli, FabrizioFalchi, and Giuseppe Amato. Adversarial examples detec-tion in features distance spaces. In Proceedings of the Euro-pean Conference on Computer Vision (ECCV), 2018. 1, 2,3

[6] Sharan Chetlur, Cliff Woolley, Philippe Vandermersch,Jonathan Cohen, John Tran, Bryan Catanzaro, and EvanShelhamer. cudnn: Efficient primitives for deep learning.arXiv preprint arXiv:1410.0759, 2014. 4

[7] Gilad Cohen, Guillermo Sapiro, and Raja Giryes. Detect-ing adversarial samples using influence functions and nearestneighbors. In Conference on Computer Vision and PatternRecognition (CVPR), 2020. 2

[8] J. Deng, W. Dong, R. Socher, L.-J. Li, K. Li, and L. Fei-Fei.ImageNet: A Large-Scale Hierarchical Image Database. InCVPR09, 2009. 5

[9] Jiankang Deng, Jia Guo, Niannan Xue, and StefanosZafeiriou. Arcface: Additive angular margin loss for deepface recognition. In Proceedings of the IEEE Conferenceon Computer Vision and Pattern Recognition, pages 4690–4699, 2019. 1, 7

[10] Yinpeng Dong, Fangzhou Liao, Tianyu Pang, Hang Su, JunZhu, Xiaolin Hu, and Jianguo Li. Boosting adversarial at-tacks with momentum. In Proceedings of the IEEE Confer-ence on Computer Vision and Pattern Recognition (CVPR),2018. 6, 12

[11] Yinpeng Dong, Tianyu Pang, Hang Su, and Jun Zhu.Evading defenses to transferable adversarial examples bytranslation-invariant attacks. In Proceedings of the IEEEConference on Computer Vision and Pattern Recognition(CVPR), 2019. 6, 12

[12] Yinpeng Dong, Hang Su, Baoyuan Wu, Zhifeng Li, Wei Liu,Tong Zhang, and Jun Zhu. Efficient decision-based black-box adversarial attacks on face recognition. In Proceedingsof the IEEE Conference on Computer Vision and PatternRecognition (CVPR), 2019. 1

[13] Kevin Eykholt, Ivan Evtimov, Earlence Fernandes, Bo Li,Amir Rahmati, Florian Tramer, Atul Prakash, TadayoshiKohno, and Dawn Song. Physical adversarial examples forobject detectors. arXiv preprint arXiv:1807.07769, 2018. 1

[14] Reuben Feinman, Ryan R Curtin, Saurabh Shintre, and An-drew B Gardner. Detecting adversarial samples from arti-facts. arXiv preprint arXiv:1703.00410, 2017. 1, 2, 3, 6,13

[15] Stanislav Fort, Huiyi Hu, and Balaji Lakshminarayanan.Deep ensembles: A loss landscape perspective. arXivpreprint arXiv:1912.02757, 2019. 2, 4

[16] Yarin Gal and Zoubin Ghahramani. Dropout as a bayesianapproximation: appendix. arXiv preprint arXiv:1506.02157,420, 2015. 4

[17] Yarin Gal and Zoubin Ghahramani. Dropout as a Bayesianapproximation: Representing model uncertainty in deeplearning. In International Conference on Machine Learning,pages 1050–1059, 2016. 4, 6

[18] Zhitao Gong, Wenlu Wang, and Wei-Shinn Ku. Ad-versarial and clean data are not twins. arXiv preprintarXiv:1704.04960, 2017. 1, 2

[19] Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy.Explaining and harnessing adversarial examples. arXivpreprint arXiv:1412.6572, 2014. 1, 3, 6, 12

[20] Alex Graves. Practical variational inference for neural net-works. In Advances in Neural Information Processing Sys-tems, pages 2348–2356, 2011. 2, 3

[21] Kathrin Grosse, Praveen Manoharan, Nicolas Papernot,Michael Backes, and Patrick McDaniel. On the (statis-tical) detection of adversarial examples. arXiv preprintarXiv:1702.06280, 2017. 2

[22] Kathrin Grosse, David Pfaff, Michael Thomas Smith, andMichael Backes. The limitations of model uncertainty in ad-versarial settings. arXiv preprint arXiv:1812.02606, 2018.2, 4

[23] Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun.Deep residual learning for image recognition. In Proceed-ings of the IEEE Conference on Computer Vision and PatternRecognition, pages 770–778, 2016. 1, 4, 6

[24] Gary B Huang, Marwan Mattar, Tamara Berg, and EricLearned-Miller. Labeled faces in the wild: A databaseforstudying face recognition in unconstrained environments.In Technical report, 2007. 7

[25] Harini Kannan, Alexey Kurakin, and Ian Goodfellow. Adver-sarial logit pairing. arXiv preprint arXiv:1803.06373, 2018.1

[26] Alex Kendall and Yarin Gal. What uncertainties do weneed in Bayesian deep learning for computer vision? InAdvances in Neural Information Processing Systems, pages5574–5584, 2017. 2

[27] Diederik P Kingma and Jimmy Ba. Adam: A method forstochastic optimization. arXiv preprint arXiv:1412.6980,2014. 12

[28] Durk P Kingma, Tim Salimans, and Max Welling. Vari-ational dropout and the local reparameterization trick. InAdvances in Neural Information Processing Systems, pages2575–2583, 2015. 4

[29] Agustinus Kristiadi, Matthias Hein, and Philipp Hennig. Be-ing bayesian, even just a bit, fixes overconfidence in relu net-works. arXiv preprint arXiv:2002.10118, 2020. 2, 4

9

[30] Alexey Kurakin, Ian Goodfellow, and Samy Bengio. Ad-versarial examples in the physical world. arXiv preprintarXiv:1607.02533, 2016. 6, 12

[31] Balaji Lakshminarayanan, Alexander Pritzel, and CharlesBlundell. Simple and scalable predictive uncertainty esti-mation using deep ensembles. In Advances in Neural Infor-mation Processing Systems, pages 6402–6413, 2017. 2, 4

[32] Kimin Lee, Kibok Lee, Honglak Lee, and Jinwoo Shin. Asimple unified framework for detecting out-of-distributionsamples and adversarial attacks. In Advances in Neural In-formation Processing Systems (NeurIPS), 2018. 1, 2

[33] Yingzhen Li and Yarin Gal. Dropout inference in bayesianneural networks with alpha-divergences. arXiv preprintarXiv:1703.02914, 2017. 2

[34] Yingzhen Li and Richard E Turner. Gradient estimators forimplicit models. arXiv preprint arXiv:1705.07107, 2017. 4

[35] Tsung-Yi Lin, Michael Maire, Serge Belongie, James Hays,Pietro Perona, Deva Ramanan, Piotr Dollar, and C LawrenceZitnick. Microsoft coco: Common objects in context. InEuropean conference on computer vision, pages 740–755.Springer, 2014. 5, 7

[36] Qiang Liu and Dilin Wang. Stein variational gradient de-scent: A general purpose Bayesian inference algorithm. InAdvances in Neural Information Processing Systems, pages2378–2386, 2016. 2

[37] Christos Louizos and Max Welling. Structured and effi-cient variational deep learning with matrix gaussian poste-riors. In International Conference on Machine Learning,pages 1708–1716, 2016. 3, 4

[38] Christos Louizos and Max Welling. Multiplicative normal-izing flows for variational Bayesian neural networks. In In-ternational Conference on Machine Learning, pages 2218–2227, 2017. 1, 2, 4

[39] Pei-Hsuan Lu, Pin-Yu Chen, and Chia-Mu Yu. On thelimitation of local intrinsic dimensionality for characteriz-ing the subspaces of adversarial examples. arXiv preprintarXiv:1803.09638, 2018. 1, 2, 3

[40] Xingjun Ma, Bo Li, Yisen Wang, Sarah M Erfani, SudanthiWijewickrema, Grant Schoenebeck, Dawn Song, Michael EHoule, and James Bailey. Characterizing adversarial sub-spaces using local intrinsic dimensionality. In InternationalConference on Learning Representations (ICLR), 2018. 1, 2,3, 4, 6

[41] Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt,Dimitris Tsipras, and Adrian Vladu. Towards deep learn-ing models resistant to adversarial attacks. arXiv preprintarXiv:1706.06083, 2017. 3, 6

[42] Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt,Dimitris Tsipras, and Adrian Vladu. Towards deep learningmodels resistant to adversarial attacks. In International Con-ference on Learning Representations (ICLR), 2018. 1, 3, 12

[43] Stephan Mandt, Matthew D Hoffman, and David M Blei.Stochastic gradient descent as approximate bayesian in-ference. The Journal of Machine Learning Research,18(1):4873–4907, 2017. 4

[44] Jan Hendrik Metzen, Tim Genewein, Volker Fischer, andBastian Bischoff. On detecting adversarial perturbations.

In International Conference on Learning Representations(ICLR), 2017. 1, 3

[45] Stylianos Moschoglou, Athanasios Papaioannou, Chris-tos Sagonas, Jiankang Deng, Irene Kotsia, and StefanosZafeiriou. Agedb: the first manually collected, in-the-wildage database. In Proceedings of the IEEE Conference onComputer Vision and Pattern Recognition Workshops, pages51–59, 2017. 7

[46] Kazuki Osawa, Siddharth Swaroop, Anirudh Jain, Runa Es-chenhagen, Richard E Turner, Rio Yokota, and Moham-mad Emtiyaz Khan. Practical deep learning with Bayesianprinciples. arXiv preprint arXiv:1906.02506, 2019. 3

[47] Tianyu Pang, Chao Du, Yinpeng Dong, and Jun Zhu. To-wards robust detection of adversarial examples. In Advancesin Neural Information Processing Systems (NeurIPS), pages4579–4589, 2018. 2

[48] Nick Pawlowski, Andrew Brock, Matthew CH Lee, MartinRajchl, and Ben Glocker. Implicit weight uncertainty in neu-ral networks. arXiv preprint arXiv:1711.01297, 2017. 2

[49] Ambrish Rawat, Martin Wistuba, and Maria-Irina Nicolae.Adversarial phenomenon in the eyes of bayesian deep learn-ing. arXiv preprint arXiv:1711.08244, 2017. 2

[50] Joseph Redmon, Santosh Divvala, Ross Girshick, and AliFarhadi. You only look once: Unified, real-time object de-tection. In Proceedings of the IEEE conference on computervision and pattern recognition, pages 779–788, 2016. 1

[51] Soumyadip Sengupta, Jun-Cheng Chen, Carlos Castillo,Vishal M Patel, Rama Chellappa, and David W Jacobs.Frontal to profile face verification in the wild. In 2016IEEE Winter Conference on Applications of Computer Vision(WACV), pages 1–9. IEEE, 2016. 7

[52] Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer, andMichael K. Reiter. Accessorize to a crime: Real andstealthy attacks on state-of-the-art face recognition. In ACMSigsac Conference on Computer and Communications Secu-rity, pages 1528–1540, 2016. 1

[53] Jiaxin Shi, Shengyang Sun, and Jun Zhu. A spectral ap-proach to gradient estimation for implicit distributions. arXivpreprint arXiv:1806.02925, 2018. 3, 4

[54] Lewis Smith and Yarin Gal. Understanding measures of un-certainty for adversarial example detection. arXiv preprintarXiv:1803.08533, 2018. 1, 2, 3

[55] Shengyang Sun, Changyou Chen, and Lawrence Carin.Learning structured weight uncertainty in Bayesian neuralnetworks. In International Conference on Artificial Intelli-gence and Statistics, pages 1283–1292, 2017. 3, 4

[56] Shengyang Sun, Guodong Zhang, Jiaxin Shi, and RogerGrosse. Functional variational Bayesian neural networks.In International Conference on Learning Representations,2019. 3

[57] Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, JoanBruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. In-triguing properties of neural networks. In International Con-ference on Learning Representations (ICLR), 2014. 1

[58] Jonathan Uesato, Brendan O’Donoghue, Aaron van denOord, and Pushmeet Kohli. Adversarial risk and the dangersof evaluating against weak attacks. In International Confer-ence on Machine Learning (ICML), 2018. 3, 12, 13

10

[59] Hao Wang, Yitong Wang, Zheng Zhou, Xing Ji, Zhifeng Li,Dihong Gong, Jingchao Zhou, and Wei Liu. Cosface: Largemargin cosine loss for deep face recognition. In CVPR, 2018.7

[60] Max Welling and Yee W Teh. Bayesian learning via stochas-tic gradient langevin dynamics. In Proceedings of the 28thinternational conference on machine learning (ICML-11),pages 681–688, 2011. 2

[61] Florian Wenzel, Kevin Roth, Bastiaan S Veeling, JakubSwiatkowski, Linh Tran, Stephan Mandt, Jasper Snoek, TimSalimans, Rodolphe Jenatton, and Sebastian Nowozin. Howgood is the bayes posterior in deep neural networks really?arXiv preprint arXiv:2002.02405, 2020. 2, 5

[62] Andrew Gordon Wilson and Pavel Izmailov. Bayesian deeplearning and a probabilistic perspective of generalization.arXiv preprint arXiv:2002.08791, 2020. 2

[63] Cihang Xie, Jianyu Wang, Zhishuai Zhang, Yuyin Zhou,Lingxi Xie, and Alan Yuille. Adversarial examples for se-mantic segmentation and object detection. In Proceedingsof the IEEE International Conference on Computer Vision,pages 1369–1378, 2017. 7

[64] Cihang Xie, Zhishuai Zhang, Yuyin Zhou, Song Bai, JianyuWang, Zhou Ren, and Alan L Yuille. Improving transferabil-ity of adversarial examples with input diversity. In Proceed-ings of the IEEE Conference on Computer Vision and PatternRecognition (CVPR), 2019. 6, 12

[65] Weilin Xu, David Evans, and Yanjun Qi. Feature squeez-ing: Detecting adversarial examples in deep neural networks.arXiv preprint arXiv:1704.01155, 2017. 2

[66] Dong Yi, Zhen Lei, Shengcai Liao, and Stan Z Li. Learn-ing face representation from scratch. arXiv preprintarXiv:1411.7923, 2014. 5, 7

[67] yolov5, 2020. https : / / github . com /ultralytics/yolov5. Accessed: 2020-05-27. 7,8

[68] Chiliang Zhang, Zuochang Ye, Yan Wang, and ZhimouYang. Detecting adversarial perturbations with saliency. In2018 IEEE 3rd International Conference on Signal and Im-age Processing (ICSIP), pages 271–275. IEEE, 2018. 1, 2

[69] Hongyang Zhang, Yaodong Yu, Jiantao Jiao, Eric P Xing,Laurent El Ghaoui, and Michael I Jordan. Theoretically prin-cipled trade-off between robustness and accuracy. In Inter-national Conference on Machine Learning (ICML), 2019. 1,3

[70] Tianyue Zheng and Weihong Deng. Cross-pose lfw: Adatabase for studying cross-pose face recognition in un-constrained environments. Beijing University of Posts andTelecommunications, Tech. Rep, 5, 2018. 7

[71] Tianyue Zheng, Weihong Deng, and Jiani Hu. Cross-age lfw:A database for studying cross-age face recognition in un-constrained environments. arXiv preprint arXiv:1708.08197,2017. 7

11

A. Attack MethodsIn this part, we outline the details of the adopted attack

methods in this paper. For simplicity, we use l(x, y) to no-tate the loss function for attack which inherently connectsto the negative log data likelihood, e.g., the cross entropy inimage classification, the pairwise feature distance in open-set face recognition, and the weighted sum of the bounding-box regression loss and the classification loss in object de-tection.

FGSM [19] crafts an adversarial example under the `∞norm as

xadv = x+ ε · sign(∇xl(x, y)), (11)

FGSM can be extended to an `2 attack as

xadv = x+ ε · ∇xl(x, y)

‖∇xl(x, y)‖2. (12)

In all experiments, we set the perturbation budget ε as16/255.

BIM [30] extends FGSM by taking iterative gradient up-dates:

xadvt+1 = clipx,ε

(xadvt + η · sign(∇xl(x

advt , y))

), (13)

where clipx,ε guarantees the adversarial example to satisfythe `∞ constraint. For all the iterative attack methods, weset the number of iterations as 20 and the step size η as1/255.

PGD [42] complements BIM with a random initializa-tion for the adversarial examples (i.e., xadv

0 is uniformlysampled from the neighborhood of x).

MIM [10] introduces a momentum term into BIM as

gt+1 = µ · gt +∇xl(x

advt , y)

‖∇xl(xadvt , y)‖1

, (14)

where µ refers to the decay factor and is set as 1 in all ex-periments. Then, the adversarial example is calculated by

xadvt+1 = clipx,ε(x

advt + η · sign(gt+1)). (15)

We adopt the same hyper-parameters as in BIM.DIM [64] relies on a stochastic transformation function

to craft adversarial examples, which can be represented as

xadvt+1 = clipx,ε

(xadvt +η ·sign(∇xl(T (xadv

t ; p), y))), (16)

where T (xadvt ; p) refers to some transformation to diversify

the input with probability p.TIM [11] integrates the translation-invariant method into

BIM by convolving the gradient with the pre-defined kernelW as

xadvt+1 = clipx,ε

(xadvt + η · sign(W ∗∇xl(x

advt , y))

). (17)

C&W adopts the original C&W loss [4] based on theiterative mechanism of BIM to perform attack in classifica-tion tasks. In particular, the loss takes the form of

lcw = max(Z(xadvt )y −max

i 6=yZ(xadv

t )i, 0), (18)

where Z(xadvt ) is the logit output of the classifier.

SPSA [58] estimates the gradients by

g =1

q

q∑i=1

l(x+ σui, y)− l(x− σui, y)

2σ· ui, (19)

where {ui}qi=1 are samples from a Rademacher distribu-tion, and we set σ = 0.001 and q = 64. Besides, l(x, y) =Z(x)y − maxi 6=y Z(x)i is used in our experiments ratherthan the cross entropy loss. We take an Adam [27] optimizerwith 0.01 learning rate to apply the estimated gradients.

B. More Experiment Details

For `2 threat model, we adopt the normalized `2 distance¯2(a) = ‖a‖2√

das the measurement, where d is the dimen-

sion of a vector a. The decay factors of MIM, TIM, andDIM are 1.0.

In ImageNet classification, we apply Gaussian blur uponthe sampled uniform noise with 0.03 probability, and thenuse the outcome to perturb the training data. The techniquecan enrich the training perturbations with low-frequencypatterns, promoting the adversarial detection sensitivenessagainst diverse kinds of adversarial perturbations.

To attack the open-set face recognition system in theevaluation phase, we find every face pair belonging to thesame person, and use one of the paired faces as x and thefeature of the other as y to perform attack. The loss func-tion for such an attack is the `2 distance between y andthe feature of x (as mentioned in Sec A). As the poste-rior predictive is not useful in such an open-set scenario,we perform Bayes ensemble on the output features and thenleverage the outcomes to make decision. Due to the lim-ited GPU memory, we attack the deterministic features ofthe MC dropout baseline instead of the features from Bayesensemble, while the uncertainty estimates are still estimatedbased on 20 stochastic forward passes with dropout enabled.

In object detection, we adopt the YOLOV5-s architecture, there are three feature output heads(BottleneckCSP modules) to deliver features in variousscales. Thus, we make these three heads be Bayesian whenimplementing LiBRe. During inference, we average thefeatures calculated given different parameter candidates toobtain an assembled feature to detect objects, which assistsus to bypass the potential difficulties of directly assemblingthe object detection results.

12

C. Generalization to Score-based AttackWe additionally concern whether LiBRe can generalize

to the adversarial examples generated by score-based at-tacks, which usually present different characteristics fromthe gradient-based ones. We leverage the typical SPSA [58]to conduct experiments on ImageNet, getting 0.969 detec-tion AUROC. This further evidences our attack agnostic de-signs.

D. Detect More Ideal AttacksAt last, we evaluate the adversarial detection ability of

LiBRe on more ideal attacks. We add the constraint thatthe generated adversarial examples should also have smallpredictive uncertainty into the existing attacks. This meansthat the attacks can jointly fool the decision making anduncertainty quantification aspects of the model. We addan uncertainty minimization term upon the original attackobjective to implement this. We feed the crafted adversar-ial examples into LiBRe to assess if they can be identified.On ImageNet, we obtain the following adversarial detectionAUROCs: 0.9996, 0.2374, 0.0363, 0.2211, 0.1627, 0.1990,0.9998, 0.9627, 0.2537, and 0.2213 for FGSM, BIM, C&W,PGD, MIM, TIM, DIM, FGSM-`2, BIM-`2, and PGD-`2,respectively.

The results reveal that LiBRe is likely to be defeated ifbeing fully exposed to the attackers. But it is also no doubtthat LiBRe is powerful enough if keeping opaque to the at-tack algorithms as the pioneering work [14]. We believethat introducing adversarial training mechanism into LiBRewould significantly boost the ability of detecting these idealattacks, and we leave it as future work.

13