文章链接:https://arxiv.org/abs/1610.08401
摘要:提出一个系统的方法可以生成 universal perturbations,并说明当下最先进的dnn很容易受到这些perturbations的干扰。
The code is available for download on code
A demo can be found on demo
by adding such a quasi-imperceptible perturbation to natural images, the label estimated by the deep neu- ral network is changed with high probability
we seek a single perturbation vector that fools the network on most natural images
以下为生成universal perturbations的算法过程(通常使用的数据数目m不需要很大就可以有效的生成universal perturbations)
生成universal perturbations
It should further be noticed that the objective of Algorithm 1 is not to find the smallest universal perturbation that fools most data points sampled from the distribution, but rather to find one such perturbation with sufficiently small norm.
1.the computed perturbations are universal across unseen data point
This result is significant when compared to the number of classes in ImageNet (1000), as it shows that we can fool a large set of unseen images, even when using a set X containing less than one image per class!
2.一些模型得到的 perturbations 具有cross-model universality的特点,即这些干扰可以有效fool其它模型
In particular, in order to fool a new image on an unknown neural network, a simple addition of a universal perturbation computed on the VGG-19 architecture is likely to misclassify the data point.
3.universial perturbations 会使得图像主要被几个主导标签进行分类。我们假设这些主导标签占据了图像空间的大部分区域,因此可以作为欺骗大多数图像的良好候选标签。
4.把部分adversarial perturbation加入训练集进行fine-tune,只能温和地提高鲁棒性,这个简单的解决方案并不能完全避免adversarial perturbation.同时,fine-tune过程还导致验证集的错误率略有增加,这可能是由于扰动数据的轻微过拟合造成的。
5.我们现在探索的决策边界的几何结构存在冗余。
知识储备:
几种范数(norm)的简单介绍
其它优秀笔记:
https://blog.csdn.net/tfcy694/article/details/80455899
网友评论