| 预测不确定性与对抗鲁棒性的关系研究 |
| |
| 引用本文: | 陈思宏,沈浩靖,王冉,王熙照.预测不确定性与对抗鲁棒性的关系研究[J].软件学报,2022,33(2):524-538. |
| |
| 作者姓名: | 陈思宏 沈浩靖 王冉 王熙照 |
| |
| 作者单位: | 深圳大学 计算机与软件学院, 广东 深圳 518060;深圳大学 数学与统计学院, 广东 深圳 518060;深圳大学 计算机与软件学院, 广东 深圳 518060;广东省智能信息处理重点实验室(深圳大学), 广东 深圳 518060 |
| |
| 基金项目: | 国家自然科学基金(61732011, 62176160, 61976141, 61732011, 61772344); 深圳大学自然科学基金(827-000230); 深圳大学跨学科创新小组 |
| |
| 摘 要: | 对抗鲁棒性指的是模型抵抗对抗样本的能力,对抗训练是提高模型对抗鲁棒性的一种常用方法.然而,对抗训练会降低模型在干净样本上的准确率,这种现象被称为accuracy-robustness problem.由于在训练过程中需要生成对抗样本,这个过程显著增加了网络的训练时间.研究了预测不确定性与对抗鲁棒性的关系,得出以下结论:...
|
| 关 键 词: | 对抗样本 不确定性 对抗防御 深度学习 对抗鲁棒性 |
| 收稿时间: | 2020/8/8 0:00:00 |
| 修稿时间: | 2020/9/14 0:00:00 |
Relationship Between Prediction Uncertainty and Adversarial Robustness |
| |
| CHEN Si-Hong,SHEN Hao-Jing,WANG Ran,WANG Xi-Zhao.Relationship Between Prediction Uncertainty and Adversarial Robustness[J].Journal of Software,2022,33(2):524-538. |
| |
| Authors: | CHEN Si-Hong SHEN Hao-Jing WANG Ran WANG Xi-Zhao |
| |
| Affiliation: | College of Computer Science and Software Engineering, Shenzhen University, Shenzhen 518060, China;College of Mathematics and Statistics, Shenzhen University, Shenzhen 518060, China; College of Computer Science and Software Engineering, Shenzhen University, Shenzhen 518060, China;Guangdong Key Laboratory of Intelligent Information Processing (Shenzhen University), Shenzhen 518060, China |
| |
| Abstract: | Adversarial robustness describes the ability of the model to resist adversarial examples and adversarial training is a common method to improve the model''s adversarial robustness. However, adversarial training will reduce the accuracy of the model on clean samples. This phenomenon is called accuracy-robustness problem. Due to the need to generate adversarial examples during the adversarial training, this process significantly increases the training time of the network. This work studies the relationship between prediction uncertainty and adversarial robustness, and draws the following conclusions: the greater the prediction uncertainty, the greater the adversarial robustness. The conclusion is explained as: the boundary of the model obtained by cross-entropy is not perfect. In order to minimize the cross-entropy, the classification surface of some classes may become narrow, which makes the samples of these classes vulnerable to adversarial attacks. And if the output''s information entropy is maximized while training the model, the classification surface of the model could be more balanced, that is, the distance between boundary and data is as far as possible, which makes it more difficult for the attacker to attack the samples. Based on this finding, a new methodis proposed to improve the adversarial robustness of the model, by increasing the uncertainty of the model''s prediction to improve the adversarial robustness of the model. While ensuring the accuracy of the model, the prediction''s information entropy is larger. Extensive experiments and simplified model derivations on the MNIST, CIFAR-10, and CIFAR-100 datasets have confirmed the statistical relationship that the adversarial robustness increases with the increase of the model''s prediction uncertainty. The method proposed in this study also can be combined with adversarial training to further improve the model''s adversarial robustness. |
| |
| Keywords: | adversarial example uncertainty adversarial defense deep learning adversarial robustness |
| 本文献已被 维普 万方数据 等数据库收录! |
| 点击此处可从《软件学报》浏览原始摘要信息 |
|
点击此处可从《软件学报》下载全文 |
|
