Adversarial Learning

• for given network f

• and some bening datapoint (x,y)

• find some delta such that

• f(x+delta) != y

• where

• delta is small (||d||_2 < epsilon)

• and x+delta does not exceed feature domain (e.g. [0,1] for images)

• targeted attacks

  • specify what misclassification you want

• untargeted attacks

  • whatever other class is fine…

• delta* = arg min (delta)

• L(f(x+delta), y_target)

• + lambda ||delta||_2

-> find delta so that

-> loss for specific missclassificaiton is minimized

-> while keeping the delta itself small (with influence factor lambda)

• delta* = arg min (delta)

• - L(f(x+delta), y_correct)

• +

• lambda ||delta||_2

=> minimize the negative loss (-> maximize the loss) of correct classification

=> by introducing the delta

=> and keeping delta still small…

• instead of loss

• -> use attacker loss function

• J(theta, x+delta, y_target) for targeted

• J(theta, x+delta, y_true) for untargeted

=> does not necissarily have to incorporate the actual loss….

• gradient descend…

• iterating to improve delta….

• where delta_0 = null vector

-> actual derivatives over the different x ((x+delta)_1, (x+delta)_2,…)

-> keep lambda||delta|| in it …

• results in larger averagely required distortion to train adversarial stuff

• -> trade off accuracy and robustness…..

• bith deep and shallow susceptible

• add term

• lambda Sum over i

• w_i^2 / k

• where k number of units in a layer…

• possible…

• boith

• high weight regularistaion

• white box -> does require model itself…

• expensive to find adv example x+delta

  • many forward and backward passes required

• no direct control over sizue of pretubation delta -> only posisble to introducee it in loss… / no hard limit

• fast gradient sign method

• -> faster way to find bound adversarial examples

• optimal pertubation: d = epsilong * sign(w)

• with

• difference between classification maximized

• and d bound by epsilon (infinity norm)

• we want to maximize |g(x+d) - g(x)|

• = |wT(x+d) - wTx|

• = |wTx + wTd - wTx|

• = |wTd|

• = |Sum over i w_i d_i|

• => can basically be maximized when all values have same sing…

• => thus by multiplying w_i with sign(w_i) -> always positive …

• -> also introduce times epsilon as actual distrortion…. (as distortion bound by epsilon…)

• = Sum |w_i| epsilon

• = n*avg(w)*epsilon…

• difference increases linearily with size of input n

• -> but delta itself does not change with n…

=> the higehr the input dimensionality

-> the higher the effect…

• max (abs(x))

• -> largest value disregarding the sign

• d = e * sign(gradients wrt. x)

• => finds in single step…

• assumes linear behavior of model (and loss function)

• -> works on deep non linear NN as they are locally (in neighborhood of epsilon) linear…

• adversarial retraining

• -> consider the loss to be

• actual loss

• plus adversarial loss

• weighted with alpha

• Loss =

• alpha * actual loss

• (1- alpha) *

• Loss over

• x + e*signum(gradient)

  • => which is basically x+delta…

• reduces test set error rate

• imporves model robustness

• weights of adv. trained model more localized

• apply FGSM T times, each time with small step size alpha

• -> after each iteration, clip the result to be still in the epsilon bound…

• => x’(t+1)

• =

• Clip(x’(t) + aplha * signum(gradient…))

• if FGSM oversteps

• -> e.g. local linear does not hold…

• infinity loss -> as measure of distance of the predicitons…