40
Explaining and Harnessing Adversarial Examples (2015) Ian J. Goodfellow, Jonathon Shlens, Christian Szegedy @mikibear_ 논문 정리 170118

Explaining and harnessing adversarial examples (2015)

Embed Size (px)

Citation preview

Page 1: Explaining and harnessing adversarial examples (2015)

Explaining and Harnessing Adversarial Examples(2015)Ian J. Goodfellow, Jonathon Shlens, Christian Szegedy

@mikibear_ 논문 정리 170118

Page 2: Explaining and harnessing adversarial examples (2015)

핵심,

ADVERSARIAL EXAMPLES

Page 3: Explaining and harnessing adversarial examples (2015)

핵심,

ADVERSARIAL EXAMPLES적대적 예제...?

Page 4: Explaining and harnessing adversarial examples (2015)

거슬러 올라가봅시다

Page 5: Explaining and harnessing adversarial examples (2015)

Intriguing properties of neural networks(2013, Christian Szegedy at el.)

Page 6: Explaining and harnessing adversarial examples (2015)

분류를 시행하는 뉴럴 네트워크 모델 아무거나 하나를 생각해봅시다ex) Alexnet, VGG, ResNet, Inception...

Page 7: Explaining and harnessing adversarial examples (2015)

이 논문에서는 다음과 같은 상황을 가능케 하는 예시(Examples)를 제시합니다

분류 모델 : "이것은 '확실히' 개다"

(위와 같은)분류 모델 : "이것은 '확실히' 개가 아니다"

Page 8: Explaining and harnessing adversarial examples (2015)

?????????

Page 9: Explaining and harnessing adversarial examples (2015)
Page 10: Explaining and harnessing adversarial examples (2015)

더해지는노이즈

제대로 분류되는 원본 사진

높은 confidence로 오분류되는 사진

Page 11: Explaining and harnessing adversarial examples (2015)

네, 사실 두 사진은 다른 사진입니다.

'정상적으로 분류되는 사진'에'적절한 작은 노이즈'를 더하면'명백하게 오분류하는 사진'을 만들 수 있다…

는 것이 본 논문의 요지입니다.

Page 12: Explaining and harnessing adversarial examples (2015)

근데 이 사진 두 개가 정말 달라보이나요?

“개” (99%)

"타조" (99%)

Page 13: Explaining and harnessing adversarial examples (2015)

근데 이 사진 두 개가 정말 달라보이나요?

“개” (99%)

"타조" (99%)

아뇨

Page 14: Explaining and harnessing adversarial examples (2015)

그럼 이런 노이즈를 어떻게 적절하게 찾을 수 있나요?

Page 15: Explaining and harnessing adversarial examples (2015)

너무나 흔한 Optimization Problem...

Page 16: Explaining and harnessing adversarial examples (2015)

너무나 흔한 Optimization Problem...

분류 모델의Black-box 함수

원본 이미지 노이즈 라벨

Page 17: Explaining and harnessing adversarial examples (2015)

1) 이미지에 노이즈를 더했더니 오분류를 일으키는 노이즈를 찾되,

2) Norm이 가장 작은 것을 찾아야 한다

정리하면...

Page 18: Explaining and harnessing adversarial examples (2015)

그 다음엔 원하는 Optimization 기법을 걸면 됩니다. 논문에서는 L-BFGS를 걸고 있습니다.

근데 이 문제 Non-convex라네요

Page 19: Explaining and harnessing adversarial examples (2015)

Explaining and Harnessing Adversarial Examples(2015, Ian J. Goodfellow, Jonathon Shlens & Christian Szegedy)

다시 처음으로 돌아와서요...

Page 20: Explaining and harnessing adversarial examples (2015)

‘좀 더 편하게 이런 Adversarial Example를 찾을 순 없을까?’

Page 21: Explaining and harnessing adversarial examples (2015)

Linear Model에서...

얘를 가능한 작게 키워서 Decision Boundary를 크게 넘기는 term을 찾으면…

(따라서 모델의 입력이 high-dimension일수록 이러한 예제를 찾기 쉬워집니다.)

Page 22: Explaining and harnessing adversarial examples (2015)

Non-linear model에 linear한 노이즈 때려박아Adversarial Example 만들기

"The linear view of adversarial examples suggests a fast way of generating them. We hypothesize that neural networks are too linear to resist linear adversarial perturbation."

Page 23: Explaining and harnessing adversarial examples (2015)

"neural networks are too linear"

Page 24: Explaining and harnessing adversarial examples (2015)
Page 25: Explaining and harnessing adversarial examples (2015)

그러니까…

Non-linear하다고 받아들여지는 모델에 만약 linear perturbation을 넣어서 그 모델이 깨진다면, 그 모델은 충분히 linear하다고 볼 수 있다…

이런 말입니다.

Page 26: Explaining and harnessing adversarial examples (2015)

Non-linear model에 linear한 노이즈 때려박아Adversarial Example 만들기

Backpropagation으로 너무나 쉽게 구할 수 있는Gradient

Page 27: Explaining and harnessing adversarial examples (2015)

GoogleLeNet VS

Linear Perturbations

Page 28: Explaining and harnessing adversarial examples (2015)
Page 29: Explaining and harnessing adversarial examples (2015)
Page 30: Explaining and harnessing adversarial examples (2015)

LeNet, 박살

Page 31: Explaining and harnessing adversarial examples (2015)

첫번째 의문,

'이렇게 얻어진 Adversarial Example을 갖다가 다시 모델에 학습시키면 어떨까?'

Page 32: Explaining and harnessing adversarial examples (2015)
Page 33: Explaining and harnessing adversarial examples (2015)

결론,

'Adversarial Example 자체에 효과가 어느 정도 있을 뿐만 아니라, Model Generalization에 효과도 있다.심지어 그 성능이 Dropout보다도 낫다.'

Page 34: Explaining and harnessing adversarial examples (2015)

(사견) 하지만,

몇몇 다른 논문들을 보면 효과가 없을 때도 있고, 심지어 또 다른 Adversarial Example에 노출된다고 하니 좀 경계해야 하는 부분 같습니다.

Page 35: Explaining and harnessing adversarial examples (2015)

두번째 의문,

'그러면 좀 더 Non-linear한 RBF network는 어떤가?'

Page 36: Explaining and harnessing adversarial examples (2015)

역시나,좀 더 원본 데이터와 뚜렷하게 차이가 납니다.즉, Adversarial Example에 좀 더 robust하죠.

Page 37: Explaining and harnessing adversarial examples (2015)

세번째 의문,

'Ensembel 기법을 쓰면 좀 낫지 않을까?' -> 안 낫다네요.

네번째 의문,

'인풋에 일괄적으로 distortion을 걸면서 학습을 시키면 좀 낫지 않을까?' -> 안 낫다네요.

Page 38: Explaining and harnessing adversarial examples (2015)

논문의 결론,

1) Universal approximation theorem이 적용되는 현존하는 모든 모델은 Adversarial Example을 막기엔 너무 Linear하다

2) 근데 Adversarial Example로 모델을 학습시키면 좀 낫다

Page 39: Explaining and harnessing adversarial examples (2015)

References,1) Intriguing properties of neural networks

https://arxiv.org/abs/1312.6199 2) Explaining and Harnessing Adversarial Examples

https://arxiv.org/abs/1412.65723) Adversarial Examples

http://www.iro.umontreal.ca/~memisevr/dlss2015/goodfellow_adv.pdf

https://arxiv.org/abs/1312.6199
https://arxiv.org/abs/1312.6199
https://arxiv.org/abs/1312.6199
https://arxiv.org/abs/1412.6572
https://arxiv.org/abs/1412.6572
http://www.iro.umontreal.ca/~memisevr/dlss2015/goodfellow_adv.pdf
http://www.iro.umontreal.ca/~memisevr/dlss2015/goodfellow_adv.pdf
http://www.iro.umontreal.ca/~memisevr/dlss2015/goodfellow_adv.pdf
Page 40: Explaining and harnessing adversarial examples (2015)

틀린 내용이 있거나 중요한데 빠져있는 경우 알려주세요!@mikibear


Harnessing the Power of Mobile Computing Surveyed

Harnessing the Power of Mobile Computing Surveyed

Documents
Adversarial Search

Adversarial Search

Documents
Harnessing the Potential

Harnessing the Potential

Technology
Explaining Stroke

Explaining Stroke

Documents
Explaining the International Mobility of Chinese Workers ... · Explaining the International Mobility of Chinese Workers, ... Explaining the International Mobility of Chinese Workers

Explaining the International Mobility of Chinese Workers ... · Explaining the International Mobility of Chinese Workers, ... Explaining the International Mobility of Chinese Workers

Documents
Unidad 3. Procedimiento Acusatorio Adversarial

Unidad 3. Procedimiento Acusatorio Adversarial

Documents
Model pengajaran presentasi dan explaining

Model pengajaran presentasi dan explaining

Documents
06. Adversarial Search

06. Adversarial Search

Documents
Explaining Ajax

Explaining Ajax

Technology
Sistema Acusatorio Adversarial - Etapa Preliminar

Sistema Acusatorio Adversarial - Etapa Preliminar

Documents
Research 2.0 Harnessing Collective Intelligence

Research 2.0 Harnessing Collective Intelligence

Documents
Harnessing the Power of Social Media

Harnessing the Power of Social Media

Documents
Emmeche, Koppe, Stjernfelt - Explaining Emergence

Emmeche, Koppe, Stjernfelt - Explaining Emergence

Documents
Explaining a Property Condition Assessment

Explaining a Property Condition Assessment

Business
REVIEWARTICLE Harnessing neuroplasticity for clinical ...idl/CV/HarnessingNeuroplasticity-Brain-2011.pdfBRAIN A JOURNAL OF NEUROLOGY REVIEWARTICLE Harnessing neuroplasticity for clinical

REVIEWARTICLE Harnessing neuroplasticity for clinical ...idl/CV/HarnessingNeuroplasticity-Brain-2011.pdfBRAIN A JOURNAL OF NEUROLOGY REVIEWARTICLE Harnessing neuroplasticity for clinical

Documents
Local & Adversarial Search

Local & Adversarial Search

Documents
Sistema Acusatorio Adversarial En

Sistema Acusatorio Adversarial En

Documents
Explaining the use of Trento_p

Explaining the use of Trento_p

Education
Harnessing the Invisible Fuel - Pandaawsassets.panda.org/downloads/harnessing_the_invisible_fuel___ho… · Harnessing the Invisible Fuel: ... TABLE OF CONTENTS. ... 2.1 Top countries

Harnessing the Invisible Fuel - Pandaawsassets.panda.org/downloads/harnessing_the_invisible_fuel___ho… · Harnessing the Invisible Fuel: ... TABLE OF CONTENTS. ... 2.1 Top countries

Documents
Generative Adversarial Nets - Semantic Scholargenerative adversarial text to image synthesis. Scott Reed, ZeynepAkata. ... Conditional Sequence Generative Adversarial Nets[J]. arXiv

Generative Adversarial Nets - Semantic Scholargenerative adversarial text to image synthesis. Scott Reed, ZeynepAkata. ... Conditional Sequence Generative Adversarial Nets[J]. arXiv

Documents
Harnessing Tech to Support Library Strategies

Harnessing Tech to Support Library Strategies

Documents
Explaining Tarp

Explaining Tarp

Health & Medicine
Explaining Persuasion API

Explaining Persuasion API

Technology
Sistema Acusatorio Adversarial - El Contrainterrogatorio

Sistema Acusatorio Adversarial - El Contrainterrogatorio

Documents
Harnessing the Invisible Fuel - RTI · Harnessing the Invisible Fuel: ... Emirates Green Building Council, ... DEWA Dubai Electricity and Water Authority

Harnessing the Invisible Fuel - RTI · Harnessing the Invisible Fuel: ... Emirates Green Building Council, ... DEWA Dubai Electricity and Water Authority

Documents
explaining Creative Commons in Greek

explaining Creative Commons in Greek

Education
Generative adversarial nets

Generative adversarial nets

Data & Analytics
Harnessing Deep Neural Networks with Logic Rules

Harnessing Deep Neural Networks with Logic Rules

Engineering
of Small Robot Squads in Complex Adversarial Environments ... · PDF fileReport Documentation Page ... Control of Small Robot Squads in Complex Adversarial Environments ... • Adversarial

of Small Robot Squads in Complex Adversarial Environments ... · PDF fileReport Documentation Page ... Control of Small Robot Squads in Complex Adversarial Environments ... • Adversarial

Documents
Lec: Generative Adversarial Networks

Lec: Generative Adversarial Networks

Documents