Athalye A, Carlini N, Wagner D, et al. Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples[J]. arXiv: Learning, 2018.
@article{athalye2018obfuscated,
由于有很多defense方法都是基于破坏梯度(不能有效计算梯度, 梯度爆炸, 消失), 但是作者提出一种算法能够攻破这一类方法, 并提议以后的defense方法不要以破坏梯度为前提.
f ( ⋅ ) f(\cdot) f ( ⋅ ) f ( x ) i f(x)_i f ( x ) i x x x i i i f j ( ⋅ ) f^j(\cdot) f j ( ⋅ ) j j j f 1.. j ( ⋅ ) f^{1..j}(\cdot) f 1 . . j ( ⋅ ) 1 1 1 j j j c ( x ) c(x) c ( x ) arg max i f ( x ) i \arg \max_i f(x)_i arg max i f ( x ) i c ∗ ( x ) c^*(x) c ∗ ( x )
Shattered Gradients: 一些不可微的defense, 或者一些令导数不存在的defense造成;
Stochastic Gradients: 一些随机化的defense造成;
Exploding & Vanishing Gradients: 通常由一些包括多次评估的defense造成.
有很多方法, 会构建一个不可微(或者其导数"不好用")的函数g g g f ( g ( x ) ) f(g(x)) f ( g ( x ) ) f ( x ) f(x) f ( x ) g ( x ) ≈ x g(x) \approx x g ( x ) ≈ x
这类防御方法, 可以很简单地用∇ x f ( g ( x ) ) ∣ x = x ^ ← ∇ x f ( x ) ∣ x = g ( x ^ ) ,
\nabla_x f(g(x))|_{x=\hat{x}} \leftarrow \nabla_x f(x)|_{x=g(\hat{x})},
∇ x f ( g ( x ) ) ∣ x = x ^ ← ∇ x f ( x ) ∣ x = g ( x ^ ) , g ( x ) g(x) g ( x )
假设f i ( x ) f^i(x) f i ( x ) g ( x ) g(x) g ( x ) g ( x ) ≈ f i ( x ) g(x) \approx f^i(x) g ( x ) ≈ f i ( x ) g g g ∇ x g \nabla_x g ∇ x g ∇ f i ( x ) \nabla f^i(x) ∇ f i ( x )
注: 作者说在前向也用g ( x ) g(x) g ( x )
这类方法使用于攻破那些随机化的defense的, 这类方法往往会从一个变换集合T T T t t t f ( t ( x ) ) f(t(x)) f ( t ( x ) ) ∇ f ( t ( x ) ) \nabla f(t(x)) ∇ f ( t ( x ) ) ∇ E t ∼ T f ( t ( x ) ) = E t ∼ T ∇ f ( t ( x ) ) \nabla \mathbb{E}_{t \sim T} f(t(x)) = \mathbb{E}_{t \sim T} \nabla f(t(x)) ∇ E t ∼ T f ( t ( x ) ) = E t ∼ T ∇ f ( t ( x ) )
重参用于针对梯度爆炸或者消失的情况, 因为这种情况往往出现于f ( g ( x ) ) f(g(x)) f ( g ( x ) ) g ( x ) g(x) g ( x ) x x x f ( g ( x ) ) f(g(x)) f ( g ( x ) )
策略是利用构建x = h ( z ) x=h(z) x = h ( z ) g ( h ( z ) ) = h ( z ) g(h(z))=h(z) g ( h ( z ) ) = h ( z )
利用f ( h ( z ) ) f(h(z)) f ( h ( z ) ) h ( z a d v ) h(z_{adv}) h ( z a d v )
这里的τ \tau τ x i , j , c x_{i,j,c} x i , j , c τ : x i , j , c → R l \tau:x_{i,j,c} \rightarrow \mathbb{R}^l τ : x i , j , c → R l τ ( x i , j , c ) k = { 1 x i , j , c > k / l 0 e l s e .
\tau(x_{i, j, c})_k=
\left \{
\begin{array}{ll}
1 & x_{i,j,c}>k/l \\
0 & else.
\end{array} \right.
τ ( x i , j , c ) k = { 1 0 x i , j , c > k / l e l s e .
只需令g ( x i , j , c ) k = min ( max ( x i , j , c − k / l , 0 ) , 1 ) .
g(x_{i,j,c})_k= \min (\max (x_{i, j, c} - k/l, 0),1).
g ( x i , j , c ) k = min ( max ( x i , j , c − k / l , 0 ) , 1 ) .
包括:
既包括随机化又包括了不可微, 所以既要用EPDA, 也要用EOT.
LID能够防御min ∥ x − x ′ ∥ 2 2 + α ( ℓ ( x ′ ) + L I D l o s s ( x ′ ) ) ,
\min \quad \| x-x'\|_2^2 + \alpha(\ell(x')+\mathrm{LID_{loss}} (x')),
min ∥ x − x ′ ∥ 2 2 + α ( ℓ ( x ′ ) + L I D l o s s ( x ′ ) ) ,
SAP实际上是dropout的一个变种, SAP会随机将某层的f i f^i f i
这个方法可以用EOT攻破, 即用∑ i = 1 k ∇ x f ( x ) \sum_{i=1}^k \nabla_xf(x) ∑ i = 1 k ∇ x f ( x ) ∇ x f ( x ) \nabla_x f(x) ∇ x f ( x )
这个方法的输入是229 × 229 229\times 229 2 2 9 × 2 2 9 r × r r\times r r × r r ∈ [ 229 , 331 ) r\in[229, 331) r ∈ [ 2 2 9 , 3 3 1 ) 331 × 331 331\times 331 3 3 1 × 3 3 1
同样, 用EOT可以攻破.
pass
对于每一个样本, 首先初始化R R R z 0 ( 1 ) , … , z 0 ( R ) z_0^{(1)}, \ldots, z_0^{(R)} z 0 ( 1 ) , … , z 0 ( R ) L L L min ∥ G ( z ) − x ∥ 2 2 , (DGAN)
\tag{DGAN}
\min \quad \|G(z)-x\|_2^2,
min ∥ G ( z ) − x ∥ 2 2 , ( D G A N ) G ( z ) G(z) G ( z )
得到R R R z ∗ ( 1 ) , … , z ∗ ( R ) z_*^{(1)},\ldots, z_*^{(R)} z ∗ ( 1 ) , … , z ∗ ( R ) z ∗ z^* z ∗ x ^ = G ( z ∗ ) \hat{x} = G(z^*) x ^ = G ( z ∗ ) x ^ \hat{x} x ^ x x x x ^ \hat{x} x ^
这个方法, 利用梯度方法更新的难处在于, x → x ^ x \rightarrow \hat{x} x → x ^ L L L
所以攻击的策略是:
min ∥ G ( z ) − x ∥ 2 2 + c ⋅ ℓ ( G ( z ) )
\min \quad \|G(z)-x\|_2^2 + c \cdot \ell (G(z))
min ∥ G ( z ) − x ∥ 2 2 + c ⋅ ℓ ( G ( z ) ) z a d v z_{adv} z a d v x a d v = G ( z a d v ) x_{adv}=G(z_{adv}) x a d v = G ( z a d v )
注意, 通过这个式子能找到对抗样本说明, 由训练样本训练生成器, 生成器的分布p G p_G p G
