! 12: Adversial Examples

Question 1

Adversarial Examples

Answer 1

• input created from applying small but intentionally change to existing image
• -> wrong classification (create new input looks as close to its original as possible but gets missclassified)

Question 2

Adversial Examples Goal

Answer 2

• Make model robust: Models missclassify less inputs (usually missclassifiy slightly different from truly classiflied)
• make applications saver if find “limits” of inputs of model classifier and fake images for influence

Question 3

Poisoning

Answer 3

• injection of adversarial data into training data -> decrease performance
• goal: model perform task (with similar accuracy) under attack

Question 4

Adversial Attack

Answer 4

• deliberate attempt tofool a model by introducing carefully created modifications to the input data
• goal: cause the model to make incorrect predictions or classification

Question 5

Adversial Attack - Form

Answer 5

• Untargeted adversial attack: cannot control output label of adversial image
• Targeted adversarial attack: can

Question 6

Adversial Attack - Types

Answer 6

• White box: Attacker has access to training method (data/algorithm/hyperparameter): small perturbations -> bad performance
• Black box: doesn’t have complete access

Question 7

Generation Method of Adversial Examples

Answer 7

Fast Gradient Sign Method
- Input image -> CNN -> prediction
- Compute loss of prediction based on true label
- Calculate gradient of loss with respect to input image
- Compute gradient sign = epsilon > use to create adversarial sample (output): pixel + eps*noise = new_pixel

Question 8

Adversial Training as Defense Tactices

Answer 8

• Reactive Strategy: 2 different models -> unefficient (2* infrastructure needed)
• Proactive Strategy: use adversial example in training of model -> learns to classify those -> better performance overall

Question 9

Generative Adversarial Network (GAN)

Answer 9

• composed of 2 NN
• 1. Generator: takes random noise as input & creates fake images
• 2. Discriminator: takes fake image from generator or real from training set & guesses wheather fake or real

Question 10

GAN - Training

Answer 10

• Discriminator Training: Batch with real & fake images in trainng (binary cross-entropy loss)
• Generator Training: produces another batch of fake images, discirmantor used (no real images included!)

Question 11

GAN - Difficulties in Training

Answer 11

• Generator outputs become less diverse
• if G produces perfect realistic images, discriminator needs to guess
• G & D constantly try to outsmart each other (parameters might become unstable)

Question 12

Deep Convolutional GAN (DCGAN)

Answer 12

• GANs based on deeper convolutional nets for larger images
• pooling layer replaces by discrimnator
• convoluionts replaces by generator
• remove fully connected hidden layers for deeper architectures
• BatchNormalization in d & g (except: g output & d input layer)
• d: leaky ReLU activation for all layers
• g: ReLU activation for all (except: output use tanh)

Question 13

Virtual adversarial training

Answer 13

• semi-supervised regime & unlabeled examples