Robustness of classifiers: from adversarial to random noise

hskksk @ 2017/2/3

1

•

• nota&on

• /

•

•

2

3

Fawzi, A., Moosavi-Dezfooli, S.-M., & Frossard, P. (2016). Robustness of classifiers: from adversarial to random noise. In NIPS (pp. 1624–1632).

4

• Deep learning state-of-the-art

• Adversarial ( )

•

• Adversarial

5

Adversarial (1)

•

•

• :

6

Adversarial (2)

•

•

worst-case

• worst-case

7

(1)

• [1, 10, 19]

• DL adversarial example [17]

• DL adversarial example

• [3, 5, 14, 18]

• robust network [6, 8, 20, 13, 15, 12]

8

(2)

• [18] empirical adversarial example

pixel

• [3] random adversarial

9

• semi-random

• semi-random random/worst-case

• worst-case semi-random

•

10

nota%on

11

nota%on

クラス分類器

データ点

推定されたラベル

次元 の の任意の部分空間

12

•

•

•

13

adversarial

•

•

• adversarial

→ adversarial

14

15

16

•

•

17

1:

•

18

• 1

•

•

•

19

(d )

•

•

• e.g.

(

)

20

(m=1 )

•

21

1

•

• m

22

23

•

• pairwise

•

•

•

24

( )

•

•

25

(1)

• bound

•

• i j

worst-case

26

(2)

• worst-case radius:

• :

•

•

27

2: ( )

•

•

28

•

•

• affine classifier

29

•

•

( )

•

30

2-1: (1)

• (5)

•

31

2-1: (2)

•

• global 2

• 2

( )

32

33

1: 2-1 (1)

•

•

• 1 1

34

1: 2-1 (2)

• [13]

• 1000

35

1 (1)

• 1 2-1

36

1 (2)

•

37

2: (5)

•

•

•

38

2 (1)

39

2 (2)

•

• (5)

•

(5)

•

40

3:

•

• NIPS,SPAIN,2016

•

•

•

41

3

•

Po$lower → Pineapple

42

• → adversarial

•

robust

• state-of-the-art semi-random

43