记录一下李宏毅机器学习课程关于对抗攻击的内容;
1、
一般模型training过程:
输入x_0,调整模型Network的参数θ,使得输出y_0和y_true的loss越小越好;损失函数:L_train(θ) = C(y_0, y_true)
Non-targeted Attack:
固定模型Network的参数θ,调整输入x',使得输出y'和y_true越远越好;损失函数:L(x') = -C(y', y_true)
Targeted Attack:
固定模型Network的参数θ,调整输入x',使得输出y'和y_true越远越好,同时让y'和某个y_false越近越好; L(x') = -C(y', y_true) + C(y',y_false)
Constraint:
约束:d(x_0,x') ≤ ε,希望攻击后的图片不要被人所发现,x_0和x'够相近
常见的有两种约束,L2-norm和L-infinity
1)L2-norm
d(x_0, x') = ||x_0 - x'||2
= (Δx_1)2+ (Δx_2)2+ (Δx_3)2+...
2) L-infinity
d(x_0, x') = ||x_0 - x'||∞
=max{ Δx_1, Δx_2+ Δx_3+...}
How to attack
x* = min L(x') st d(x_0, x') ≤ ε
- 用Gradient Descent start from original image x_0
- for t = 1 to T
- x_t <— x_t-1 - η求导(x_t-1)
- if d(x_0, x_t) > ε #满足L2-norm或者L-infinity
大部分attack只是用不同的距离来作为约束, 以及用不同的优化方法来最小化这个距离
Defense
Passive defense:Finding the attached image without modifying the model
Proactive defense: Training a model that is robust to adversarial attack
