Towards Adversarial Training with Moderate Performance Improvement for Neural Network Classification
Xinhan Di, Pengqian Yu, Meng Tian
Huawei Technologies Noah's Ark Lab, National University of
Abstract
It has been demonstrated that deep neural networks are prone to noisy examples, in particular adversarial samples, during the inference process. The gap between robust deep learning systems in real-world applications and vulnerable neural networks is still large. Current adversarial training strategies improve the robustness against adversarial samples. However, these methods lead to accuracy reduction when the input examples are clean, which hinders their practicability. In this paper, we investigate an approach that protects neural network classification from adversarial samples and improves its accuracy when the input examples are clean. We demonstrate the versatility and effectiveness of our proposed approach on a variety of different networks and datasets.
Many high-performance deep learning applications in computer vision, speech recognition and other areas are susceptible to minimal changes of the inputs (He et al. [2018]). Therefore, a robust system is required for real-world applications where the input is affected by many interferences and noise. Current robust learning strategies in the context of neural network classification only play against adversarial samples, while the accuracy drops when the samples are clean. In this paper, we stand on the perspective of robust optimization and propose an approach to improve the performance of the networks on both clean and noisy data. In particular, we propose a counterpart of the FGSM algorithm (Goodfellow et al. [2014]), which inherits the sign function for the robustness against perturbation and helps the neural network leave saddle points during the training process.
Adversarial training strategies are proposed for both attacks and defenses, inspired by robust optimization. For example, a training procedure is provided in which model parameter updates are augmented with the worst-case perturbations of the training data (Sinha et al. [2017]). A mixed strategy named stochastic activation pruning (SAP) is applied to the training of deep neural networks for robustness against adversarial examples in He et al. [2018]. A potential application of local intrinsic dimensionality is studied to distinguish adversarial examples (Ma et al. [2018]). These adversarial training strategies are presented with better performance when the input examples are noisy. However, the above algorithms do not perform well when the input samples are free from noise. In the following, we introduce an algorithm that is capable of improving the performance without any assumption on the data quality.
In a standard deep learning task, we let $f$ denote the complex non-linear function of the deep neural network and $\theta$ denote the parameters of $f$. Let $x$ and $y$ be the input and output sample of the network; $y = f(x)$ denotes the standard function of a deep learning task. We use $\mathrm{sgn}$ to denote the sign function and $\delta(x)$ to denote the Dirac delta function. We use $D$ to represent the data distribution over pairs of examples $x \in \mathbb{R}^d$ and labels $y \in \mathbb{R}^d$. Denote $L(\theta, x, y)$ as the loss function; the goal is to find model parameters $\theta$ that minimize the risk $\mathbb{E}_{(x,y)}[L(\theta, x, y)]$. This empirical risk minimization (ERM) is successful for finding classifiers with small population risk. However, it is not robust enough against some common disturbances. In particular, the model incorrectly classifies $\hat{x}$ as belonging to a different class from $x$ if $\hat{x}$ is very close to $x$.

In order to impose robustness, the population risk $\mathbb{E}_D[L]$ is formulated as

$$\rho(\theta) = \mathbb{E}_{(x,y)\sim D}\Big[\max_{\delta \in S} L(\theta, x + \delta, y)\Big]. \qquad (1)$$

The objective is to minimize the above population risk, $\min \rho(\theta)$. We next define $g(x)$ to be the function that produces adversarial samples from clean samples, that is, $\hat{x} = g(x)$. The population risk $\mathbb{E}_D[L]$ is then represented as $\rho(\theta) = \mathbb{E}_{(x,y)\sim D}\big[\max_{\delta \in S} L(\theta, g(x), y)\big]$, and the corresponding function is denoted $y = f(g(x))$. In the following, we first propose an algorithm and analyze the Jacobian of the deep neural network when the algorithm is applied. We further analyze the Hessian. Based on the analysis, we can say that the proposed algorithm does not introduce extra saddle points and is very likely to help the neural network leave saddle points along a sharper direction of the loss surface. We propose the following algorithm:

$$g(x) = x + \epsilon\, x\, \mathrm{sgn}(x).$$

We have

$$\frac{\partial g(x)}{\partial x} = 1 + \epsilon\big(\mathrm{sgn}(x) + x\,\delta'(x)\big),$$

$$\frac{\partial^2 g(x)}{\partial x^2} = \epsilon\big(\delta(x) + \delta(x) + x\,\delta'(x)\big) = \epsilon\big(\delta(x) + \delta(x) - \delta(x)\big) = \epsilon\,\delta(x).$$

Firstly, the Jacobian is given as follows:

$$J(\theta) = \frac{\partial f(g(x))}{\partial x} = \frac{\partial f(x)}{\partial x}\Big(1 + \epsilon\big(\mathrm{sgn}(x) + x\,\delta'(x)\big)\Big) = \frac{\partial f(x)}{\partial x}\big(1 + \epsilon\,\mathrm{sgn}(x)\big).$$

If $\epsilon$ is smaller than , no extra extreme points will be introduced; the extreme points all come from $\partial f(x)/\partial x = 0$. The Hessian is given as follows:

$$H(\theta) = \frac{\partial^2 f(g(x))}{\partial x^2} = \frac{\partial^2 f(x)}{\partial x^2}\,\frac{\partial g(x)}{\partial x}\,\frac{\partial g(x)}{\partial x} + \frac{\partial f(x)}{\partial x}\,\frac{\partial^2 g(x)}{\partial x^2} = \frac{\partial^2 f(x)}{\partial x^2}\Big(1 + \epsilon\big(\mathrm{sgn}(x) + x\,\delta'(x)\big)\Big)^2 + \frac{\partial f(x)}{\partial x}\,\epsilon\,\delta(x).$$

For any extreme point such that $\partial f(x)/\partial x = 0$, the Hessian is given by

$$H(\theta) = \frac{\partial^2 f(x)}{\partial x^2}\big(1 + \epsilon^2\,\mathrm{sgn}(x)\,\mathrm{sgn}(x)\big).$$

It can be observed that the rate of change of the Jacobian is increased, since $\epsilon^2\,\mathrm{sgn}(x)\,\mathrm{sgn}(x) \ge 0$. This implies a higher rate of change, which helps the neural network leave saddle points during the training process.

The proposed $g(x)$ can be applied in the input space and in the hidden space of the deep neural network; that is, $x$ can be an input sample or a vector in the hidden space. In order to apply the adversarial training strategy online without extra computational burden, the proposed algorithm does not rely on the calculation of gradients as FGSM (Goodfellow et al. [2014]) does. Instead, the perturbation term is computed feed-forward once the samples in the input/hidden space are available.

Let $x$ denote the samples in the input/hidden space. In the following experiments, $g(x)$ has the form

$$g(x) = x + \epsilon\, x \odot l(x),$$

where

$$l(x) = \begin{cases} \mathrm{sgn}(x) & \text{w.p. } p,\\ -\mathrm{sgn}(x) & \text{w.p. } 1 - p.\end{cases}$$

We evaluate the proposed form of the robust algorithm $g(x)$ with $p = 0.$ (the remaining digits of $p$ did not survive extraction of the page).
The evaluation is made on a variety of popular datasets, including small-scale, middle-scale and large-scale datasets (MNIST LeCun et al. [1998], CIFAR10, CIFAR100 Krizhevsky and Hinton [2009], SVHN Netzer et al. [2011] and ImageNet-1k Russakovsky et al. [2015]). Extensive experimental evaluations are presented in two aspects, covering performance improvement for clean samples in the input space and for noisy samples in the input space (see Figure 1). We evaluate FGSM for the base models and the proposed algorithm for the base models, called R-base models. As shown in Table 1, the accuracy is improved when the inputs are noisy compared with the base models and FGSM for the base models. As shown in Table 2 to Table 5, the accuracy is improved when the inputs are clean.

Figure 1: Five common attacks.

Table 1: Top-1 classification accuracy on ImageNet-1k for five different disturbances in the input space.

| Model | Ran-Crop (%) | Ran-HFlip (%) | Ran-GrayScale (%) | Ran-Color (%) | Random Five Crop (%) |
|---|---|---|---|---|---|
| FGSM-CondenseNet (G=C=8) | 68.27 | 69.42 | 68.03 | 69.21 | 58.17 |
| CondenseNet (G=C=8) | ?.? ± 0.05 | 71.? ± 0.03 | 69.? ± 0.04 | 71.? ± 0.04 | 60.? ± ? |
| R-CondenseNet (G=C=8) | | | | | |
| FGSM-CondenseNet (G=C=4) | 70.34 | 71.48 | 70.72 | 71.39 | 60.04 |
| CondenseNet (G=C=4) | 7?.? ± 0.02 | 73.? ± 0.05 | 72.? ± 0.03 | 73.? ± 0.03 | 62.? ± ? |
| R-CondenseNet (G=C=4) | | | | | |

In Tables 1 to 5, blank cells and ? digits mark values that did not survive extraction of the page.

Table 2: Top-1 and Top-5 classification accuracies of state-of-the-art regular models on ImageNet-1k.

| Model | Image Size | Params | Mul-Adds | Top-1 (%) | Top-5 (%) |
|---|---|---|---|---|---|
| SENet | | | | | |

Table 3: Top-1 and Top-5 classification error rate of state-of-the-art compact models on ImageNet-1k.

| Model | FLOPs | Params | Top-1 (%) | Top-5 (%) |
|---|---|---|---|---|
| Inception V1 | 1,448M | 6.6M | 30.2 | 10.1 |
| 1.0 MobileNet-224 | 569M | 4.2M | 29.4 | 10.5 |
| ShuffleNet 2x | 524M | 5.3M | 29.1 | 10.5 |
| NASNet-B (N=4) | 488M | 5.3M | 27.2 | 9.0 |
| NASNet-C (N=3) | 558M | 4.9M | 27.5 | 9.0 |
| CondenseNet (G=C=8) | 274M | 2.9M | 29.0 | 10.0 |
| CondenseNet (G=C=4) | 274M | 2.9M | 26.2 | 8.3 |
| FGSM-CondenseNet (G=C=8) | 274M | 2.9M | 30.8 | 12.3 |
| FGSM-CondenseNet (G=C=4) | 529M | 4.8M | 27.9 | 10.7 |
| R-CondenseNet (G=C=8) | 274M | 2.9M | | |
| R-CondenseNet (G=C=4) | 529M | 4.8M | | |

Table 4: Middle-scaled supervised classification: MNIST and SVHN.

| Dataset | Model | Depth | Factor | Dropout | Standard Aug | Random Erase | Error (%) |
|---|---|---|---|---|---|---|---|
| MNIST | LeNet LeCun et al. [1998] | - | - | ✓ | - | - | 0.50 |
| MNIST | FGSM-LeNet | - | - | ✓ | - | - | 0.60 |
| MNIST | R-LeNet | - | - | ✓ | - | - | |
| MNIST | CapsNet Sabour et al. [2017] | - | - | ✓ | - | - | 0.35 |
| MNIST | FGSM-CapsNet | - | - | ✓ | - | - | 0.51 |
| MNIST | R-CapsNet | - | - | ✓ | - | - | |
| SVHN | S-ResNet Huang et al. [2016] | 110 | - | ✓ | ✓ | - | 1.75 |
| SVHN | FGSM-S-ResNet | 110 | - | ✓ | ✓ | - | 1.90 |
| SVHN | R-S-ResNet | 110 | - | ✓ | ✓ | - | |
| SVHN | W-ResNet Zagoruyko and Komodakis [2016] | 16 | k = 8 | ✓ | ✓ | - | 1.54 |
| SVHN | FGSM-S-ResNet | 16 | k = 8 | ✓ | ✓ | - | 1.71 |
| SVHN | R-W-ResNet | 16 | k = 8 | ✓ | ✓ | - | |

Table 5: Middle-scaled supervised classification: CIFAR10 and CIFAR100.

| Dataset | Model | Depth | Factor | Dropout | Standard Aug | Random Erase | Error (%) |
|---|---|---|---|---|---|---|---|
| CIFAR10 | W-ResNet Zagoruyko and Komodakis [2016] | 28 | k = 10 | ✓ | ✓ | ✓ | |
| CIFAR100 | InceptionV3 Szegedy et al. [2015] | 48 | - | ✓ | ✓ | - | 22.69 |
| CIFAR100 | FGSM-InceptionV3 | 48 | - | ✓ | ✓ | - | 23.41 |
| CIFAR100 | R-InceptionV3 | 48 | - | ✓ | ✓ | - | |
| CIFAR100 | W-ResNet Zagoruyko and Komodakis [2016] | 28 | k = 10 | ✓ | ✓ | ✓ | |
We propose an approach that helps neural networks achieve both robustness against noisy inputs and higher accuracy for clean inputs. It enhances the practicality of neural networks, since the input can be clean or noisy. This is an initial work in which only five common types of noise are evaluated. In the real world, the types of noise are unknown and it remains unclear whether the inputs are attacked by a disturbance or not. In addition, the base model is also a black box whose gradients are hard to obtain. A systematic way of overcoming these problems deserves attention.
References
Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572, 2014.
Warren He, Bo Li, and Dawn Song. Decision boundary analysis of adversarial examples. In ICLR - International Conference on Learning Representations, 2018.
Gao Huang, Yu Sun, Zhuang Liu, Daniel Sedra, and Kilian Q Weinberger. Deep networks with stochastic depth. In European Conference on Computer Vision, pages 646–661. Springer, 2016.
Alex Krizhevsky and Geoffrey Hinton. Learning multiple layers of features from tiny images. 2009.
Yann LeCun, Léon Bottou, Yoshua Bengio, and Patrick Haffner. Gradient-based learning applied to document recognition. Proceedings of the IEEE, 86(11):2278–2324, 1998.
Xingjun Ma, Bo Li, Yisen Wang, Sarah M Erfani, Sudanthi Wijewickrema, Michael E Houle, Grant Schoenebeck, Dawn Song, and James Bailey. Characterizing adversarial subspaces using local intrinsic dimensionality. arXiv preprint arXiv:1801.02613, 2018.
Yuval Netzer, Tao Wang, Adam Coates, Alessandro Bissacco, Bo Wu, and Andrew Y Ng. Reading digits in natural images with unsupervised feature learning. In NIPS workshop on deep learning and unsupervised feature learning, volume 2011, page 5, 2011.
Olga Russakovsky, Jia Deng, Hao Su, Jonathan Krause, Sanjeev Satheesh, Sean Ma, Zhiheng Huang, Andrej Karpathy, Aditya Khosla, Michael Bernstein, et al. Imagenet large scale visual recognition challenge. International Journal of Computer Vision, 115(3):211–252, 2015.
Sara Sabour, Nicholas Frosst, and Geoffrey E Hinton. Dynamic routing between capsules. arXiv preprint arXiv:1710.09829, 2017.
Aman Sinha, Hongseok Namkoong, and John Duchi. Certifiable distributional robustness with principled adversarial training. arXiv preprint arXiv:1710.10571, 2017.
Christian Szegedy, Wei Liu, Yangqing Jia, Pierre Sermanet, Scott Reed, Dragomir Anguelov, Dumitru Erhan, Vincent Vanhoucke, and Andrew Rabinovich. Going deeper with convolutions. In Proceedings of the IEEE conference on computer vision and pattern recognition, pages 1–9, 2015.
Sergey Zagoruyko and Nikos Komodakis. Wide residual networks. In Edwin R. Hancock, Richard C. Wilson and William A. P. Smith, editors,