Athalye A, Carlini N, Wagner D, et al. Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples[J]. arXiv: Learning, 2018.
@article{athalye2018obfuscated,
由於有很多defense方法都是基於破壞梯度(不能有效計算梯度, 梯度爆炸, 消失), 但是作者提出一種算法能夠攻破這一類方法, 並提議以後的defense方法不要以破壞梯度爲前提.
f ( ⋅ ) f(\cdot) f ( ⋅ ) f ( x ) i f(x)_i f ( x ) i x x x i i i f j ( ⋅ ) f^j(\cdot) f j ( ⋅ ) j j j f 1.. j ( ⋅ ) f^{1..j}(\cdot) f 1 . . j ( ⋅ ) 1 1 1 j j j c ( x ) c(x) c ( x ) arg max i f ( x ) i \arg \max_i f(x)_i arg max i f ( x ) i c ∗ ( x ) c^*(x) c ∗ ( x )
Shattered Gradients: 一些不可微的defense, 或者一些令導數不存在的defense造成;
Stochastic Gradients: 一些隨機化的defense造成;
Exploding & Vanishing Gradients: 通常由一些包括多次評估的defense造成.
有很多方法, 會構建一個不可微(或者其導數"不好用")的函數g g g f ( g ( x ) ) f(g(x)) f ( g ( x ) ) f ( x ) f(x) f ( x ) g ( x ) ≈ x g(x) \approx x g ( x ) ≈ x
這類防禦方法, 可以很簡單地用∇ x f ( g ( x ) ) ∣ x = x ^ ← ∇ x f ( x ) ∣ x = g ( x ^ ) ,
\nabla_x f(g(x))|_{x=\hat{x}} \leftarrow \nabla_x f(x)|_{x=g(\hat{x})},
∇ x f ( g ( x ) ) ∣ x = x ^ ← ∇ x f ( x ) ∣ x = g ( x ^ ) , g ( x ) g(x) g ( x )
假設f i ( x ) f^i(x) f i ( x ) g ( x ) g(x) g ( x ) g ( x ) ≈ f i ( x ) g(x) \approx f^i(x) g ( x ) ≈ f i ( x ) g g g ∇ x g \nabla_x g ∇ x g ∇ f i ( x ) \nabla f^i(x) ∇ f i ( x )
注: 作者說在前向也用g ( x ) g(x) g ( x )
這類方法使用於攻破那些隨機化的defense的, 這類方法往往會從一個變換集合T T T t t t f ( t ( x ) ) f(t(x)) f ( t ( x ) ) ∇ f ( t ( x ) ) \nabla f(t(x)) ∇ f ( t ( x ) ) ∇ E t ∼ T f ( t ( x ) ) = E t ∼ T ∇ f ( t ( x ) ) \nabla \mathbb{E}_{t \sim T} f(t(x)) = \mathbb{E}_{t \sim T} \nabla f(t(x)) ∇ E t ∼ T f ( t ( x ) ) = E t ∼ T ∇ f ( t ( x ) )
重參用於針對梯度爆炸或者消失的情況, 因爲這種情況往往出現於f ( g ( x ) ) f(g(x)) f ( g ( x ) ) g ( x ) g(x) g ( x ) x x x f ( g ( x ) ) f(g(x)) f ( g ( x ) )
策略是利用構建x = h ( z ) x=h(z) x = h ( z ) g ( h ( z ) ) = h ( z ) g(h(z))=h(z) g ( h ( z ) ) = h ( z )
利用f ( h ( z ) ) f(h(z)) f ( h ( z ) ) h ( z a d v ) h(z_{adv}) h ( z a d v )
這裏的τ \tau τ x i , j , c x_{i,j,c} x i , j , c τ : x i , j , c → R l \tau:x_{i,j,c} \rightarrow \mathbb{R}^l τ : x i , j , c → R l τ ( x i , j , c ) k = { 1 x i , j , c > k / l 0 e l s e .
\tau(x_{i, j, c})_k=
\left \{
\begin{array}{ll}
1 & x_{i,j,c}>k/l \\
0 & else.
\end{array} \right.
τ ( x i , j , c ) k = { 1 0 x i , j , c > k / l e l s e .
只需令g ( x i , j , c ) k = min ( max ( x i , j , c − k / l , 0 ) , 1 ) .
g(x_{i,j,c})_k= \min (\max (x_{i, j, c} - k/l, 0),1).
g ( x i , j , c ) k = min ( max ( x i , j , c − k / l , 0 ) , 1 ) .
包括:
既包括隨機化又包括了不可微, 所以既要用EPDA, 也要用EOT.
LID能夠防禦min ∥ x − x ′ ∥ 2 2 + α ( ℓ ( x ′ ) + L I D l o s s ( x ′ ) ) ,
\min \quad \| x-x'\|_2^2 + \alpha(\ell(x')+\mathrm{LID_{loss}} (x')),
min ∥ x − x ′ ∥ 2 2 + α ( ℓ ( x ′ ) + L I D l o s s ( x ′ ) ) ,
SAP實際上是dropout的一個變種, SAP會隨機將某層的f i f^i f i
這個方法可以用EOT攻破, 即用∑ i = 1 k ∇ x f ( x ) \sum_{i=1}^k \nabla_xf(x) ∑ i = 1 k ∇ x f ( x ) ∇ x f ( x ) \nabla_x f(x) ∇ x f ( x )
這個方法的輸入是229 × 229 229\times 229 2 2 9 × 2 2 9 r × r r\times r r × r r ∈ [ 229 , 331 ) r\in[229, 331) r ∈ [ 2 2 9 , 3 3 1 ) 331 × 331 331\times 331 3 3 1 × 3 3 1
同樣, 用EOT可以攻破.
pass
對於每一個樣本, 首先初始化R R R z 0 ( 1 ) , … , z 0 ( R ) z_0^{(1)}, \ldots, z_0^{(R)} z 0 ( 1 ) , … , z 0 ( R ) L L L min ∥ G ( z ) − x ∥ 2 2 , (DGAN)
\tag{DGAN}
\min \quad \|G(z)-x\|_2^2,
min ∥ G ( z ) − x ∥ 2 2 , ( D G A N ) G ( z ) G(z) G ( z )
得到R R R z ∗ ( 1 ) , … , z ∗ ( R ) z_*^{(1)},\ldots, z_*^{(R)} z ∗ ( 1 ) , … , z ∗ ( R ) z ∗ z^* z ∗ x ^ = G ( z ∗ ) \hat{x} = G(z^*) x ^ = G ( z ∗ ) x ^ \hat{x} x ^ x x x x ^ \hat{x} x ^
這個方法, 利用梯度方法更新的難處在於, x → x ^ x \rightarrow \hat{x} x → x ^ L L L
所以攻擊的策略是:
min ∥ G ( z ) − x ∥ 2 2 + c ⋅ ℓ ( G ( z ) )
\min \quad \|G(z)-x\|_2^2 + c \cdot \ell (G(z))
min ∥ G ( z ) − x ∥ 2 2 + c ⋅ ℓ ( G ( z ) ) z a d v z_{adv} z a d v x a d v = G ( z a d v ) x_{adv}=G(z_{adv}) x a d v = G ( z a d v )
注意, 通過這個式子能找到對抗樣本說明, 由訓練樣本訓練生成器, 生成器的分佈p G p_G p G
