Common Terminology for Adversarial Attacks

[Date] 2018.12.22

[Title] Common Terminology for Adversarial Attacks

Overview

    This post is a translation of Section 2 of the paper "Threat of Adversarial Attacks on Deep Learning in Computer Vision: A Survey", which covers the common terminology of adversarial attacks.

I. Common Terminology for Adversarial Attacks

    In this section, we describe the common technical terms used in the literature related to adversarial attacks on deep learning in Computer Vision.

    In this section, we describe the technical terms commonly used in the literature on adversarial attacks in computer vision.

1.1 Adversarial example/image

    Adversarial example/image is a modified version of a clean image that is intentionally perturbed (e.g. by adding noise) to confuse/fool a machine learning technique, such as deep neural networks.

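    An adversarial example/image is a modified version of a clean image that has been deliberately perturbed (for example, by adding noise) to confuse or fool a machine learning technique such as a deep neural network.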

1.2 Adversarial perturbation

    Adversarial perturbation is the noise that is added to the clean image to make it an adversarial example.

    An adversarial perturbation is the noise added to a clean image to turn it into an adversarial example.

1.3 Adversarial training

    Adversarial training uses adversarial images besides the clean images to train machine learning models.

    Adversarial training means training a machine learning model with adversarial images in addition to clean images.

1.4 Adversary

    Adversary more commonly refers to the agent who creates an adversarial example. However, in some cases the example itself is also called adversary.

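    The adversary more often refers to the agent that creates the adversarial example. In some cases, however, the adversarial example itself is also called the adversary.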

1.5 Black-box attacks & ‘semi-black-box’ attacks

    Black-box attacks feed a targeted model with the adversarial examples (during testing) that are generated without the knowledge of that model. In some instances, it is assumed that the adversary has a limited knowledge of the model (e.g. its training procedure and/or its architecture) but definitely does not know about the model parameters. In other instances, using any information about the target model is referred to as ‘semi-black-box’ attack. We use the former convention in this article.

    A black-box attack feeds the target model (during testing) adversarial examples that were generated without knowledge of that model. In some cases the adversary is assumed to have limited knowledge of the model (for example, its training procedure and/or its architecture) but definitely does not know the model parameters. In other cases, using any information about the target model is called a ‘semi-black-box’ attack.

1.6 White-box attacks

    White-box attacks assume the complete knowledge of the targeted model, including its parameter values, architecture, training method, and in some cases its training data as well.

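    A white-box attack assumes (that the adversary has) complete knowledge of the target model, including its parameter values, architecture, training method and, in some cases, its training data.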

1.7 Detector

    Detector is a mechanism to (only) detect if an image is an adversarial example.

    A detector is a tool used (only) to detect whether an image is an adversarial example.

1.8 Fooling ratio/rate

    Fooling ratio/rate indicates the percentage of images on which a trained model changes its prediction label after the images are perturbed.

    The fooling rate is the percentage of images for which a trained model changes its predicted label after the images are perturbed.

1.9 One-shot/one-step methods & iterative methods

    One-shot/one-step methods generate an adversarial perturbation by performing a single step computation, e.g. computing gradient of model loss once. The opposite are iterative methods that perform the same computation multiple times to get a single perturbation. The latter are often computationally expensive.

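    One-shot/one-step methods generate an adversarial perturbation with a single-step computation, for example by computing the gradient of the model loss once. Iterative methods, by contrast, perform the same computation multiple times to obtain a single perturbation. The latter are usually computationally expensive.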
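
    As an added illustration (not taken from the survey or the original post), the following robustness check measures the fooling rate of 1.8 for a one-step and an iterative perturbation as described in 1.9, under the same perturbation budget. The toy classifier, the sample points, the signed-gradient update and the L-infinity budget `EPS` are all assumptions made for this example.

```python
import math

def predict(x):
    """Toy non-linear classifier (constructed): label 1 when x0*x1 > 0."""
    return 1 if x[0] * x[1] > 0 else 0

def loss_grad_sign(x, y):
    """Sign of d(cross-entropy)/dx for p = sigmoid(x0*x1) and label y."""
    p = 1.0 / (1.0 + math.exp(-x[0] * x[1]))
    grad = ((p - y) * x[1], (p - y) * x[0])
    return tuple((g > 0) - (g < 0) for g in grad)

def perturb(x, eps, steps):
    """Signed-gradient perturbation kept inside an L-infinity budget eps.

    steps=1 is a one-step method; steps>1 repeats the same computation
    with step size eps/steps (an iterative method).
    """
    y = predict(x)  # the model's own label on the clean input
    adv, alpha = tuple(x), eps / steps
    for _ in range(steps):
        s = loss_grad_sign(adv, y)
        # Step in the loss-increasing direction, then clip to the budget.
        adv = tuple(min(max(a + alpha * d, o - eps), o + eps)
                    for a, d, o in zip(adv, s, x))
    return adv

def fooling_rate(points, eps, steps):
    """Percentage of inputs whose predicted label changes after perturbation."""
    flipped = sum(predict(perturb(x, eps, steps)) != predict(x) for x in points)
    return 100.0 * flipped / len(points)

# Constructed sample inputs, not data from the survey.
POINTS = [(0.10, 0.12), (0.30, 0.10), (0.60, 0.50), (-0.20, 0.40)]
EPS = 0.25

if __name__ == "__main__":
    print("one-step :", fooling_rate(POINTS, EPS, steps=1), "%")
    print("iterative:", fooling_rate(POINTS, EPS, steps=5), "%")
```

    On the first sample point the single large step overshoots the decision boundary and lands back in the original class, while the iterative variant re-evaluates the gradient at each step and stays on the other side, which is why the two fooling rates differ at the same budget.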

1.10 Quasi-imperceptible perturbations

    Quasi-imperceptible perturbations impair images very slightly for human perception.

    Quasi-imperceptible perturbations impair the image only slightly as far as human perception is concerned.

1.11 Rectifier

    Rectifier modifies an adversarial example to restore the prediction of the targeted model to its prediction on the clean version of the same example.

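    A rectifier (corrector) modifies an adversarial example so that the target model's prediction is restored to its prediction on the clean version of the same example.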

1.12 Targeted attacks & non-targeted attacks

    Targeted attacks fool a model into falsely predicting a specific label for the adversarial image. They are opposite to the non-targeted attacks in which the predicted label of the adversarial image is irrelevant, as long as it is not the correct label.

    A targeted attack fools the model into wrongly predicting a specific label for the adversarial image. It is the opposite of a non-targeted attack, in which the predicted label of the adversarial image is irrelevant as long as it is not the correct label.

1.13 Threat model

    Threat model refers to the types of potential attacks considered by an approach, e.g. black-box attack.

    A threat model refers to the types of potential attacks considered by an approach, for example black-box attacks.

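1.14 Transferability

    Transferability refers to the ability of an adversarial example to remain effective even for the models other than the one used to generate it.

    Transferability is the ability of an adversarial example to remain effective even against models other than the one used to generate it.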

1.15 Universal perturbation & universality

    Universal perturbation is able to fool a given model on ‘any’ image with high probability. Note that, universality refers to the property of a perturbation being ‘image-agnostic’ as opposed to having good transferability.

    A universal perturbation can fool a given model on any image with high probability. Note that universality refers to the perturbation being ‘image-agnostic’, as opposed to having good transferability.

 
