Improving Adversarial Robustness to Sensitivity and Invariance Attacks with Deep Metric Learning
Intentionally crafted adversarial samples have effectively exploited
weaknesses in deep neural networks. A standard framework in adversarial
robustness defends against samples crafted by minimally perturbing an input
so that the model's output changes. These sensitivity attacks exploit the
model's sensitivity to task-irrelevant features. Adversarial samples can also
be crafted via invariance attacks, which exploit the model's underestimation
of the importance of relevant features. Previous literature has indicated a
trade-off in defending against both attack types within a strictly
L_p-bounded defense. To promote robustness to both attack types beyond
Euclidean distance metrics, we use metric learning to frame adversarial
regularization as an optimal transport problem. Our preliminary results
indicate that regularizing over invariant perturbations in our framework
improves defense against both invariance and sensitivity attacks.
Event sequence metric learning
In this paper we consider the challenging problem of learning discriminative
vector representations for event sequences generated by real-world users.
Such representations map raw behavioral client data to low-dimensional,
fixed-length vectors in a latent space. We propose a novel method for
learning these vector embeddings based on a metric learning approach,
together with a strategy for generating subsequences of the raw data that
allows the metric learning approach to be applied in a fully self-supervised
way. We evaluated the method on several public bank-transaction datasets and
showed that the self-supervised embeddings outperform other methods when
applied to downstream classification tasks. Moreover, the embeddings are
compact and provide additional user privacy protection.
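To make the recipe concrete, here is a hedged PyTorch sketch of the self-supervised setup: two random subsequences of the same client's event stream form a positive pair, other clients in the batch supply negatives, and an InfoNCE-style contrastive loss stands in for the paper's metric learning objective. The encoder architecture, the sampling scheme, and every name here are assumptions, not the authors' code.

# Sketch only: self-supervised metric learning over event subsequences.
import torch
import torch.nn as nn
import torch.nn.functional as F

class SeqEncoder(nn.Module):
    """GRU encoder mapping an event-id sequence to a fixed-length embedding."""
    def __init__(self, n_event_types, dim=64):
        super().__init__()
        self.emb = nn.Embedding(n_event_types, dim)
        self.rnn = nn.GRU(dim, dim, batch_first=True)

    def forward(self, events):              # events: (batch, seq_len) int64 ids
        _, h = self.rnn(self.emb(events))
        return F.normalize(h[-1], dim=-1)   # unit-norm latent vectors

def random_subsequence(seq, min_len=8):
    """Sample one contiguous slice of a client's raw event sequence."""
    start = torch.randint(0, len(seq) - min_len + 1, (1,)).item()
    end = torch.randint(start + min_len, len(seq) + 1, (1,)).item()
    return seq[start:end]

def contrastive_loss(z1, z2, tau=0.1):
    """InfoNCE: row i of z1 should match row i of z2 (same client)."""
    logits = z1 @ z2.t() / tau
    targets = torch.arange(z1.size(0), device=z1.device)
    return F.cross_entropy(logits, targets)

Training would encode two subsequence views per client and minimize contrastive_loss over the batch; a downstream classifier then consumes the frozen fixed-length embeddings, which matches the evaluation protocol the abstract describes.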
Adversarial Feature Stacking for Accurate and Robust Predictions
Deep Neural Networks (DNNs) have achieved remarkable performance on a variety
of applications but are extremely vulnerable to adversarial perturbations. To
address this issue, various defense methods have been proposed to enhance
model robustness. Unfortunately, the most representative and promising
methods, such as adversarial training and its variants, usually degrade model
accuracy on benign samples, limiting their practical utility. This indicates
that it is difficult to extract features that are both robust and accurate
with a single network under certain conditions, such as limited training
data, resulting in a trade-off between accuracy and robustness. To tackle
this problem, we propose an Adversarial Feature Stacking (AFS) model that
jointly exploits features with varied levels of robustness and accuracy, thus
significantly alleviating the aforementioned trade-off. Specifically, we
adopt multiple networks adversarially trained with different perturbation
budgets to extract either more robust or more accurate features; these
features are then fused by a learnable merger to give the final predictions.
We evaluate the AFS model on the CIFAR-10 and CIFAR-100 datasets against
strong adaptive attack methods, and it significantly advances the state of
the art in terms of the trade-off. Without extra training data, the AFS model
achieves a benign accuracy improvement of 6% on CIFAR-10 and 9% on CIFAR-100
with comparable or even stronger robustness than state-of-the-art adversarial
training methods. This work demonstrates the feasibility of obtaining models
that are both accurate and robust with limited training data.
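A minimal sketch of the stacking mechanism as the abstract describes it: several backbones, each presumed to have been adversarially trained at a different perturbation budget, are frozen as feature extractors, and their concatenated features feed a small learnable merger. The linear merger, the uniform feature dimension, the frozen extractors, and all names are assumptions drawn only from the abstract.

# Sketch only: fuse features from backbones trained at different budgets.
import torch
import torch.nn as nn

class AFS(nn.Module):
    def __init__(self, backbones, feat_dim, n_classes):
        super().__init__()
        # Backbones assumed adversarially trained at eps_1 < ... < eps_k and
        # assumed to return feature vectors of size feat_dim (not logits).
        self.backbones = nn.ModuleList(backbones)
        for net in self.backbones:                   # extractors stay frozen
            for p in net.parameters():
                p.requires_grad_(False)
        self.merger = nn.Linear(feat_dim * len(backbones), n_classes)

    def forward(self, x):
        feats = [net(x) for net in self.backbones]   # robust and accurate feature sets
        return self.merger(torch.cat(feats, dim=1))  # learnable fusion into logits

In this reading, only the merger is trained, so the method can reuse off-the-shelf adversarially trained networks: a larger budget yields more robust but less accurate features, and the merger learns how to trade the two off.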
Semantics-Preserving Adversarial Training
Thesis (Master's) -- Seoul National University Graduate School: College of Engineering, Department of Computer Science and Engineering, February 2021. Advisor: Sang-goo Lee.
Adversarial training is a defense technique that improves the adversarial robustness of a deep neural network (DNN) by including adversarial examples in the training data. In this paper, we identify an overlooked problem of adversarial training: these adversarial examples often have different semantics than the original data, introducing unintended biases into the model. We hypothesize that such non-semantics-preserving (and consequently ambiguous) adversarial data harm the robustness of the target models. To mitigate such unintended semantic changes of adversarial examples, we propose semantics-preserving adversarial training (SPAT), which encourages perturbation of the pixels that are shared among all classes when generating adversarial examples in the training stage. Experiment results show that SPAT improves adversarial robustness and achieves state-of-the-art results on CIFAR-10, CIFAR-100, and STL-10. (A code sketch of the shared-pixel idea follows the table of contents below.)
Chapter 1 Introduction
Chapter 2 Preliminaries
Chapter 3 Related Works
Chapter 4 Semantics-Preserving Adversarial Training
4.1 Problem of PGD-training
4.2 Semantics-Preserving Adversarial Training
4.3 Combining with Adversarial Training Variants
Chapter 5 Analysis of Adversarial Examples
5.1 Visualizing Various Adversarial Examples
5.2 Comparing the Attack Success Rate
Chapter 6 Experiments & Results
6.1 Evaluating Robustness
6.1.1 CIFAR-10 & CIFAR-100
6.1.2 CIFAR-10 with 500K Unlabeled Data
6.1.3 STL-10
6.2 Effect of Label Smoothing Hyperparameter α
Chapter 7 Conclusion & Future Work
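The abstract above names the SPAT mechanism only at a high level (encourage perturbation on pixels shared among all classes), so the following PyTorch sketch is one plausible reading rather than the thesis's actual procedure: a per-pixel mask built from the minimum of class-wise input-gradient magnitudes marks pixels every class is sensitive to, and it reweights the PGD ascent step. All names and the mask construction are assumptions.

# Sketch only: mask-weighted PGD favoring pixels shared among all classes.
import torch
import torch.nn.functional as F

def shared_pixel_mask(model, x):
    """Per-pixel weight that is high only where every class logit is sensitive.
    One backward pass per class, so this is affordable only for small label sets."""
    x = x.clone().requires_grad_(True)
    logits = model(x)
    grads = []
    for c in range(logits.size(1)):
        g, = torch.autograd.grad(logits[:, c].sum(), x, retain_graph=True)
        grads.append(g.abs())
    shared = torch.stack(grads).min(dim=0).values          # minimum across classes
    return shared / (shared.amax(dim=(1, 2, 3), keepdim=True) + 1e-8)

def spat_pgd(model, x, y, eps=8 / 255, alpha=2 / 255, steps=10):
    """PGD whose ascent step is reweighted by the shared-pixel mask."""
    mask = shared_pixel_mask(model, x)
    x_adv = x.clone().detach()
    for _ in range(steps):
        x_adv.requires_grad_(True)
        loss = F.cross_entropy(model(x_adv), y)
        g, = torch.autograd.grad(loss, x_adv)
        with torch.no_grad():
            x_adv = x_adv + alpha * mask * g.sign()    # mask-weighted ascent step
            x_adv = x + (x_adv - x).clamp(-eps, eps)   # project back to L_inf ball
            x_adv = x_adv.clamp(0, 1)                  # keep a valid image
    return x_adv.detach()

Adversarial training would then proceed as usual but with spat_pgd generating the training-time examples, the intent being that perturbations concentrated on class-shared pixels are less likely to change a sample's semantics.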