Goodfellow I, Shlens J, Szegedy C, et al. Explaining and Harnessing Adversarial Examples[J]. arXiv: Machine Learning, 2014.

@article{goodfellow2014explaining,

title={Explaining and Harnessing Adversarial Examples},

author={Goodfellow, Ian and Shlens, Jonathon and Szegedy, Christian},

journal={arXiv: Machine Learning},

year={2014}}

Adversarial examples 中FGSM(fast gradient sign method)方法的来源,

\[\tilde{x}=x+ \epsilon \: \mathrm{sign} (\nabla_x J(\theta, x, y)).
\]

主要内容

在图像中, 像素点的进度是1/255, 所以如果我们在图像上的摄动小于此精度, 那么图像实际上是不会产生任何变化的. 作者首先说明, 即便是线性模型, 在输入上的微小摄动也能够引起结果(当维数够大)的很大变化.

从线性谈起

\(\tilde{x} = x+\eta\), 线性摄动如下

\[w^T\tilde{x} = w^Tx+w^T\eta,
\]

此时结果的摄动为\(w^T\eta\), 假设\(w\)的平均值为\(m\). 注意到, 在\(\|\eta\|_{\infty}<\epsilon\)的条件下, \(\eta=\epsilon \: \mathrm{sign}(w)\)时摄动最大(这也是FGSM的启发点), 此时摄动为\(\epsilon mn\), 注意到, 假设\(\epsilon, m\)是固定的, 那么\(n\)足够大的时候摄动就会特别大.

非线性

由线性启发至非线性(因为很多deep networks 的表现是线性的), 便是

\[\tilde{x}=x+ \epsilon \: \mathrm{sign} (\nabla_x J(\theta, x, y)).
\]

实验证明, 即便是GoogLeNet这样的网络也会被生成的adversarial examples所欺骗.

其实看这篇文章的主要一个问题就是为什么\(\eta \not = \epsilon \: \nabla_x J(\theta, x, y)\), 逼近这个方向才是令损失函数增长最快的方向.

文中有这么一段话, 不是很明白:

Because the derivative of the sign function is zero or undefined everywhere, gradient descent on the adversarial objective function based on the fast gradient sign method does not allow the model to anticipate how the adversary will react to changes in the parameters. If we instead adversarial examples based on small rotations or addition of the scaled gradient, then the perturbation process isitselfdifferentiableandthelearningcantakethereactionoftheadversaryintoaccount. However, we did not find nearly as powerful of a regularizing result from this process, perhaps because these kinds of adversarial examples are not as difficult to solve.

顺便记一下论文的总结:

  • 正是因为deep networks表现过于线性, 才会导致advesarial examples.
  • 不同的网络的adversarial examples是相通的, 这可能是因为二者逼近的函数是近似的
  • 摄动的方向而非个别特定点起了更重要的作用
  • 对抗训练是一种正则化过程
  • 越容易优化的模型又容易被欺骗
  • 线性模型缺乏对抗欺骗的能力
  • 拟合输入数据分布的模型缺乏对抗欺骗的能力
  • Ensembles are not resistant to adversarial examples. (多个模型组合(取平均判断类别)依然缺乏对抗欺骗的能力).

EXPLAINING AND HARNESSING ADVERSARIAL EXAMPLES的更多相关文章

  1. 《Explaining and harnessing adversarial examples》 论文学习报告

    <Explaining and harnessing adversarial examples> 论文学习报告 组员:裴建新   赖妍菱    周子玉 2020-03-27 1 背景 Sz ...

  2. Adversarial Examples for Semantic Segmentation and Object Detection 阅读笔记

    Adversarial Examples for Semantic Segmentation and Object Detection (语义分割和目标检测中的对抗样本) 作者:Cihang Xie, ...

  3. 文本adversarial examples

    对文本对抗性样本的研究极少,近期论文归纳如下: 文本对抗三个难点: text data是离散数据,multimedia data是连续数据,样本空间不一样: 对text data的改动可能导致数据不合 ...

  4. 论文阅读 | Generating Fluent Adversarial Examples for Natural Languages

    Generating Fluent Adversarial Examples for Natural Languages   ACL 2019 为自然语言生成流畅的对抗样本 摘要 有效地构建自然语言处 ...

  5. Limitations of the Lipschitz constant as a defense against adversarial examples

    目录 概 主要内容 Huster T., Chiang C. J. and Chadha R. Limitations of the lipschitz constant as a defense a ...

  6. Uncovering the Limits of Adversarial Training against Norm-Bounded Adversarial Examples

    Uncovering the Limits of Adversarial Training against Norm-Bounded Adversarial Examples 目录 概 主要内容 实验 ...

  7. Certified Robustness to Adversarial Examples with Differential Privacy

    目录 概 主要内容 Differential Privacy insensitivity Lemma1 Proposition1 如何令网络为-DP in practice Lecuyer M, At ...

  8. Generating Adversarial Examples with Adversarial Networks

    目录 概 主要内容 black-box 拓展 Xiao C, Li B, Zhu J, et al. Generating Adversarial Examples with Adversarial ...

  9. Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples

    目录 概 主要内容 Obfuscated Gradients BPDA 特例 一般情形 EOT Reparameterization 具体的案例 Thermometer encoding Input ...

随机推荐

  1. 学习java 6.29

    今天是学习Java的第一天. 学习内容:了解了JDK的下载和安装: 学会了如何配置Path环境变量及安装eclipse: 执行了HelloWorld案例: 在Java中关键字需要小写,Java中最基本 ...

  2. nodejs-CommonJS规范

    JavaScript 标准参考教程(alpha) 草稿二:Node.js CommonJS规范 GitHub TOP CommonJS规范 来自<JavaScript 标准参考教程(alpha) ...

  3. Output of C++ Program | Set 1

    Predict the output of below C++ programs. Question 1 1 // Assume that integers take 4 bytes. 2 #incl ...

  4. InnoDB的行锁模式及加锁方法

    MYSQL:InnoDB的行锁模式及加锁方法 共享锁:允许一个事务度一行,阻止其他事务获取相同数据集的排他锁. SELECT * FROM table_name WHERE ... LOCK IN S ...

  5. malloc() vs new

    Following are the differences between malloc() and operator new. (1)new calls constructors, while ma ...

  6. list通过比较器进行排序

    Collections.sort(dataList,new Comparator<BaseTransitData>(){            public int compare(Bas ...

  7. 01_ubantu国内软件源配置

    查找自己版本对应的软件源 https://mirrors.tuna.tsinghua.edu.cn/help/ubuntu/ 以下为19.10版本清华大学的,个人100M的带宽,平均安装速度在600K ...

  8. 【Linux】【Services】【Configuration】puppet

    1. 简介 1.1. 官方网站:https://docs.puppet.com/ 1.2. puppet是IT基础设施自动化管理工具,他的整个生命周期包括:provisioning,configura ...

  9. ssm动态查询向前台传json

    1.数据协议层 public User selectById(Integer id);//通过id值查询用户 2.数据层 <select id="selectById" re ...

  10. 1945-祖安 say hello-String

    1 #define _CRT_SECURE_NO_WARNINGS 1 2 #include<bits/stdc++.h> 3 char str[100][40]; 4 char s[10 ...