Nicolas Papernot, Patrick McDaniel, Somesh Jha, Matt Fredrikson, Z. Berkay Celik, Ananthram Swami, The Limitations of Deep Learning in Adversarial Settings.

利用Jacobian矩阵构造adversarial samples,计算量比较大.

主要内容

目标:

\[\tag{1}
\mathop{\arg \min} \limits_{\delta_X} \|\delta_X\|, \mathbf{s.t.} \: F(X+\delta_X)=Y^*.
\]

简而言之, 在原图像\(X\)上加一个扰动\(\delta_X\), 使得\(F\)关于\(X+\delta_X\)的预测为\(Y^*\)而非\(Y\).

若\(Y \in \mathbb{R}^M\)是一个\(M\)维的向量, 类别由下式确定

\[label(X)=\mathop{\arg \min} \limits_{j} F_j(X).
\]

\(F(X)=Y\)关于\(X\)的Jacobian矩阵为

\[[\frac{\partial F_j(X)}{\partial X_i}]_{i=1,\ldots,N,j=1,\ldots,M},
\]

注意, 这里作者把\(X\)看成一个\(N\)维向量(只是为了便于理解).

因为我们的目的是添加扰动\(\delta_X\), 使得\(X+\delta_X\)的标签为我们指定的\(t\), 即我们希望

\[t=\mathop{\arg \min} \limits_{j} F_j(X+\delta_X).
\]

作者希望改动部分元素, 即\(\|\delta_X\|_0\le \Upsilon\), 作者是构造了一个saliency_map来选择合适的\(i\), 并在其上进行改动, 具体算法如下:

saliency_map的构造之一是:

\[S(X,t)[i] = \{
\begin{array}{ll}
0, & if \: \frac{\partial{F_t(X)}}{\partial X_i} <0 \:or \: \sum_{j \not= t} \frac{\partial F_j(X)}{\partial X_i} >0, \\
\frac{\partial{F_t(X)}}{\partial X_i} |\sum_{j \not= t} \frac{\partial F_j(X)}{\partial X_i}|, & otherwise.
\end{array}
\]

可以很直观的去理解, 改变标签, 自然希望\(F_t(X)\)增大, 其余部分减少, 故 \(\frac{\partial{F_t(X)}}{\partial X_i} <0 \:or \: \sum_{j \not= t} \frac{\partial F_j(X)}{\partial X_i} >0\)所对应的\(X_i\)自然是不重要的, 其余的是重要的, 其重要性用\(\frac{\partial{F_t(X)}}{\partial X_i} |\sum_{j \not= t} \frac{\partial F_j(X)}{\partial X_i}|\)来表示.

alg2, alg3

作者顺便提出了一个更加具体的算法, 应用于Mnist, max_iter 中的\(784\)即为图片的大小\(28 \times 28\), \(\Upsilon=50\), 相当于图片中\(50\%\)的像素发生了改变, 且这里采用了一种新的saliency_map, 其实质为寻找俩个指标\(p,q\)使得:



其实际的操作流程根据算法3. \(\theta\)是每次改变元素的量.

一些有趣的实验指标

Hardness measure





其中\(\epsilon(s,t,\tau)\)中, \(s\):图片标签, \(t\):目标标签, \(\tau\):成功率, \(\epsilon\)为改变像素点的比例. (12)是(11)的一个梯形估计, \(\tau_k\)由选取不同的\(\Upsilon_k\)来确定, \(H(s, t)\)越大说明将类别s改变为t的难度越大.

Adversarial distance



\(A(X,t)\)越大, 说明将图片\(X\)的标签变换至\(t\)的难度越大, 而一个模型的稳定性可以用下式衡量

\[\tag{14}
R(F)=\min_{X,t} A(X,t).
\]

The Limitations of Deep Learning in Adversarial Settings的更多相关文章

  1. What are some good books/papers for learning deep learning?

    What's the most effective way to get started with deep learning?       29 Answers     Yoshua Bengio, ...

  2. Applied Deep Learning Resources

    Applied Deep Learning Resources A collection of research articles, blog posts, slides and code snipp ...

  3. (转)Deep Learning Research Review Week 1: Generative Adversarial Nets

    Adit Deshpande CS Undergrad at UCLA ('19) Blog About Resume Deep Learning Research Review Week 1: Ge ...

  4. 论文笔记之:UNSUPERVISED REPRESENTATION LEARNING WITH DEEP CONVOLUTIONAL GENERATIVE ADVERSARIAL NETWORKS

    UNSUPERVISED REPRESENTATION LEARNING WITH DEEP CONVOLUTIONAL GENERATIVE ADVERSARIAL NETWORKS  ICLR 2 ...

  5. Towards Deep Learning Models Resistant to Adversarial Attacks

    目录 概 主要内容 Note Madry A, Makelov A, Schmidt L, et al. Towards Deep Learning Models Resistant to Adver ...

  6. (转) The major advancements in Deep Learning in 2016

    The major advancements in Deep Learning in 2016 Pablo Tue, Dec 6, 2016 in MACHINE LEARNING DEEP LEAR ...

  7. 博弈论揭示了深度学习的未来(译自:Game Theory Reveals the Future of Deep Learning)

    Game Theory Reveals the Future of Deep Learning Carlos E. Perez Deep Learning Patterns, Methodology ...

  8. [C3] Andrew Ng - Neural Networks and Deep Learning

    About this Course If you want to break into cutting-edge AI, this course will help you do so. Deep l ...

  9. 0.读书笔记之The major advancements in Deep Learning in 2016

    The major advancements in Deep Learning in 2016 地址:https://tryolabs.com/blog/2016/12/06/major-advanc ...

随机推荐

  1. 【Python】【Basic】MacOS上搭建Python开发环境

    1. Python3 1.1. 下载地址:https://www.python.org/downloads/mac-osx/ 1.1.1. PKG包安装: 没啥可说的,点点点,下一步而已,不用手动配置 ...

  2. When should we write our own assignment operator in C++?

    The answer is same as Copy Constructor. If a class doesn't contain pointers, then there is no need t ...

  3. 【Linux】【Services】【SaaS】Docker+kubernetes(7. 安装Docker私有镜像仓库)

    1. 简介 1.1. 自己做个私有镜像,方便上传和下载,我也在docker官网注册了一个账号,做好的镜像可以传上去 1.2. Redhat自带私有镜像的功能,需要安装包,这是howto: https: ...

  4. 【Linux】【Services】【SaaS】Docker+kubernetes(2. 配置NTP服务chrony)

    1. 简介 1.1. 这次使用另外一个轻量级的NTP服务,chrony.这是openstack推荐使用的ntp服务. 1.2. 官方网站:https://chrony.tuxfamily.org/ 2 ...

  5. 【Spring Framework】spring管理自己new的对象

    使用AutowireCapableBeanFactory手动注入 使用.newInstance();创建对象的话,如果其他对象都使用Spring Autowired,还需要手动创建所有依赖的Bean: ...

  6. shiro免认证的路径配置

    – ?:匹配一个字符,如/admin? 将匹配/admin1,但不匹配/admin 或/admin/:– *:匹配零个或多个字符串,如/admin 将匹配/admin./admin123,但不匹配/a ...

  7. 解决tensorflow和keras版本不相匹配的问题

    查看安装版本 pip list https://docs.floydhub.com/guides/environments/ 查看对应版本 我感觉是我tensorflow版本装太高了,keras没有

  8. 【C/C++】PAT A1025 Ranking/算法笔记

    题目意思大概是输入一堆人的学号,成绩,给出学号,总排名,考场号,考场内排名. 这是我第一次写的: #include <iostream> #include <algorithm> ...

  9. Redis集群断电恢复

    再集群整体断点或关闭后,默认启动集群后,会成为孤立的单点,需要删除每个节点的pid文件,node.conf.并将RDB和AOF文件移动出来,再挨个启动每个节点,并用create创建集群脚本,重新创建集 ...

  10. gitlab 集成openldap

    Setting up LDAP sign-in If you have an LDAP directory service such as Active Directory, you can conf ...