Paper reading (54): DeepFool: a simple and accurate method to fool deep neural networks

2022-06-10 05:36:00 【Inge】

Table of contents

1 Introduction
2 DeepFool
3 DeepFool for binary classifiers
4 DeepFool for multiclass classifiers

1 Introduction

1.1 Title

CVPR 2016: DeepFool: A simple and accurate method to fool deep neural networks

1.2 Motivation

The success of deep neural networks in image classification is beyond doubt. However, these architectures have been shown to be unstable under small perturbations of the input image, and there has been no effective method for accurately computing the robustness of deep classifiers on large-scale datasets. This paper proposes the DeepFool algorithm to quantify this robustness reliably.

1.3 Code

Torch：http://github.com/lts4/deepfool

1.4 Bib

@inproceedings{Moosavi:2016:25742582,
author		=	{Seyed-Mohsen Moosavi-Dezfooli and Alhussein Fawzi and Pascal Frossard},
title		=	{Deep{F}ool: A simple and accurate method to fool deep neural networks},
booktitle	=	{{IEEE} Conference on Computer Vision and Pattern Recognition},
pages		=	{2574--2582},
year		=	{2016}
}

2 DeepFool

For a given classifier, the minimal adversarial perturbation $r$ is defined as the smallest perturbation that changes the estimated label $\hat{k}(x)$ of a sample:
$\tag{1} \Delta(x;\hat{k}):=\min_r\|r\|_2\qquad s.t. \qquad \hat{k}(x+r)\neq\hat{k}(x),$ where $x$ is the input image. The quantity $\Delta(x;\hat{k})$ is called the robustness of $\hat{k}$ at point $x$. The robustness of the classifier $\hat{k}$ is then defined as:
$\tag{2} \rho_\text{adv}(\hat{k})=\mathbb{E}_x\frac{\Delta(x;\hat{k})}{\|x\|_2},$ where $\mathbb{E}_x$ is the expectation over the data distribution.
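
As a rough illustration of Equation 2, the expectation can be estimated by averaging $\|r\|_2/\|x\|_2$ over a finite set of samples. The sketch below assumes the perturbations have already been computed by some attack; the function name `empirical_robustness` and the toy arrays are hypothetical and not part of the paper or its code.

```python
import numpy as np

def empirical_robustness(inputs, perturbations):
    """Sample average of ||r||_2 / ||x||_2, an estimate of Equation 2."""
    inputs = np.asarray(inputs, dtype=float)
    perturbations = np.asarray(perturbations, dtype=float)
    # Flatten each sample so that inputs of any shape (e.g. images) are handled.
    x_norms = np.linalg.norm(inputs.reshape(len(inputs), -1), axis=1)
    r_norms = np.linalg.norm(perturbations.reshape(len(perturbations), -1), axis=1)
    return float(np.mean(r_norms / x_norms))

# Toy data (hypothetical): two samples with norms 5 and 2,
# and perturbations with norms 0.5 and 0.2.
xs = np.array([[3.0, 4.0], [0.0, 2.0]])
rs = np.array([[0.5, 0.0], [0.0, 0.2]])
rho = empirical_robustness(xs, rs)
print(rho)
```

A smaller value of this estimate means the classifier can be fooled by perturbations that are small relative to the input norm.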

3 DeepFool for binary classifiers

In the binary classification setting, $\hat{k}(x)=\text{sign}(f(x))$, where $f:\mathbb{R}^n\to \mathbb{R}$ is an arbitrary scalar-valued image classification function. Let $\mathcal{F}\overset{\Delta}{=}\{x:f(x)=0\}$ denote the level set of $f$ at zero. We first analyze the case of a linear classifier $f(x)=w^Tx+b$, and then derive a general algorithm that can be applied to any differentiable binary classifier.
For a linear $f$, it is easy to see that the robustness at point $x_0$, $\Delta(x_0;f)$, equals the distance from $x_0$ to the separating hyperplane $\mathcal{F}=\{x:w^Tx+b=0\}$ (see Figure 2). The minimal perturbation that changes the decision of the classifier corresponds to the orthogonal projection of $x_0$ onto $\mathcal{F}$. It is given by the following closed-form formula:
$\tag{3} r_*(x_0):=\argmin\|r\|_2\qquad s.t. \qquad\text{sign}(f(x_0+r))\neq\text{sign}(f(x_0))=-\frac{f(x_0)}{\|w\|_2^2}w.$
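
The closed form in Equation 3 can be checked numerically. The following is a minimal sketch, assuming a hand-picked linear classifier; the function name `linear_binary_perturbation` and the values of `w`, `b`, and `x0` are illustrative only.

```python
import numpy as np

def linear_binary_perturbation(w, b, x0):
    """Minimal l2 perturbation for f(x) = w^T x + b, following Equation 3."""
    w = np.asarray(w, dtype=float)
    x0 = np.asarray(x0, dtype=float)
    f_x0 = w @ x0 + b
    # Orthogonal projection of x0 onto the hyperplane w^T x + b = 0.
    return -f_x0 / (w @ w) * w

# Illustrative values: f(x0) = 9 + 16 - 5 = 20 and ||w||_2 = 5.
w = np.array([3.0, 4.0])
b = -5.0
x0 = np.array([3.0, 4.0])
r = linear_binary_perturbation(w, b, x0)
print(r, np.linalg.norm(r), w @ (x0 + r) + b)
```

The norm of `r` equals $|f(x_0)|/\|w\|_2$, the distance from $x_0$ to the hyperplane, and the perturbed point lies exactly on the decision boundary.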

Now suppose $f$ is a general differentiable binary classifier. We use an iterative strategy to estimate the robustness $\Delta(x_0;f)$. At each iteration, $f$ is linearized around the current point $x_i$, and the minimal perturbation of the linearized classifier is computed as
$\tag{4} \argmin_{r_i}\|r_i\|_2\qquad s.t.\qquad f(x_i)+\nabla f(x_i)^Tr_i=0.$ The perturbation $r_i$ at iteration $i$ is computed with the closed-form solution in Equation 3, and the next iterate $x_{i+1}$ is updated accordingly. The algorithm stops when the sign of the classifier output changes. Algorithm 1 summarizes the DeepFool procedure for binary classification, and Figure 3 visualizes the result.

In practice, the above algorithm often converges to a point that lies on the zero level set $\mathcal{F}$. To reach the other side of the classification boundary, the final perturbation $\hat{r}$ is multiplied by a constant $1+\eta$, where $\eta\ll1$. In the experiments, $\eta$ is set to $0.02$.
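
The iterative procedure described above can be sketched as follows. This is a minimal sketch rather than the authors' implementation: the function name `deepfool_binary`, the `max_iter` cap, and the toy classifier are assumptions, and the overshoot factor $1+\eta$ is applied when testing the stopping condition so that the loop terminates once the overshot point crosses the boundary.

```python
import numpy as np

def deepfool_binary(f, grad_f, x0, eta=0.02, max_iter=50):
    """Iterative DeepFool sketch for a differentiable binary classifier sign(f(x))."""
    x0 = np.asarray(x0, dtype=float)
    sign0 = np.sign(f(x0))
    x = x0.copy()
    r_total = np.zeros_like(x0)
    for _ in range(max_iter):
        g = grad_f(x)
        # Equation 3 applied to the linearization of f around x_i
        # (assumes the gradient is nonzero).
        r_i = -f(x) / (g @ g) * g
        r_total += r_i
        x = x + r_i
        # Assumption of this sketch: test the overshot point for a sign flip.
        if np.sign(f(x0 + (1 + eta) * r_total)) != sign0:
            break
    return (1 + eta) * r_total

# Toy classifier (hypothetical): positive outside the unit circle, negative inside.
f = lambda x: x @ x - 1.0
grad_f = lambda x: 2.0 * x

x0 = np.array([2.0, 0.0])
r_hat = deepfool_binary(f, grad_f, x0)
print(np.linalg.norm(r_hat), np.sign(f(x0 + r_hat)))
```

For this toy classifier the true minimal perturbation has norm 1 (the distance from $x_0$ to the unit circle), so the returned perturbation should be only slightly larger than that.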

4 DeepFool for multiclass classifiers

One-vs-all is the most commonly used multiclass classification scheme, so we extend DeepFool to the multiclass case based on this scheme. In this setting, the classifier has $c$ outputs, so it is defined as $f:\mathbb{R}^n\to \mathbb{R}^c$, and classification is done by:
$\tag{5} \hat{k}(x)=\argmax_kf_k(x),$ where $f_k(x)$ is the output of $f(x)$ corresponding to the $k$-th class. As in the binary case, we first analyze the linear case and then generalize to other classifiers.

4.1 Linear multiclass classifiers

Let $f(x)=W^Tx+b$ be a linear classifier. Under the one-vs-all scheme, the minimal perturbation that fools the classifier can be rewritten as:
$\tag{6} \argmin_r\|r\|_2\qquad s.t.\qquad\exists k:w_k^T(x_0+r)+b_k\geq w_{\hat{k}(x_0)}^T(x_0+r)+b_{\hat{k}(x_0)},$ where $w_k$ is the $k$-th column of $W$. Geometrically, the above problem corresponds to computing the distance between $x_0$ and the complement of the convex polyhedron $P$:
$\tag{7} P=\bigcap_{k=1}^c\{x:f_{\hat{k}(x_0)}(x)\geq f_k(x)\},$ where $x_0$ is located inside $P$. We denote this distance by $\mathbf{dist}(x_0,P^c)$. The polyhedron $P$ defines the region of the space where $f$ outputs the label $\hat{k}(x_0)$, as shown in Figure 4.

The solution of Equation 6 can be computed in closed form as follows. Let $\hat{l}(x_0)$ denote the index of the hyperplane on the boundary of $P$ that is closest to $x_0$, for example $\hat{l}(x_0)=3$ in Figure 4. Formally, $\hat{l}(x_0)$ can be computed as:
$\tag{8} \hat{l}\left({x}_{0}\right)=\underset{k \neq \hat{k}\left({x}_{0}\right)}{\arg \min } \frac{\left|f_{k}\left({x}_{0}\right)-f_{\hat{k}\left({x}_{0}\right)}\left({x}_{0}\right)\right|}{\left\|{w}_{k}-{w}_{\hat{k}\left({x}_{0}\right)}\right\|_{2}}.$ The minimal perturbation $r_*(x_0)$ is the vector that projects $x_0$ onto the hyperplane indexed by $\hat{l}(x_0)$:
$\tag{9} {r}_{*}\left({x}_{0}\right)=\frac{\left|f_{\hat{l}\left({x}_{0}\right)}\left({x}_{0}\right)-f_{\hat{k}\left({x}_{0}\right)}\left({x}_{0}\right)\right|}{\left\|{w}_{\hat{l}\left({x}_{0}\right)}-{w}_{\hat{k}\left({x}_{0}\right)}\right\|_{2}^{2}}\left({w}_{\hat{l}\left({x}_{0}\right)}-{w}_{\hat{k}\left({x}_{0}\right)}\right) .$ In other words, we find the closest projection of $x_0$ onto the faces of $P$.
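
Equations 8 and 9 translate directly into a few lines of NumPy. The sketch below assumes `W` is stored with shape `(n, c)` so that column `k` holds $w_k$; the function name `linear_multiclass_perturbation` and the toy weights are hypothetical.

```python
import numpy as np

def linear_multiclass_perturbation(W, b, x0):
    """Return (r, l_hat) for f(x) = W^T x + b, following Equations 8 and 9."""
    scores = W.T @ x0 + b
    k_hat = int(np.argmax(scores))
    best_ratio, l_hat, r = np.inf, None, None
    for k in range(W.shape[1]):
        if k == k_hat:
            continue
        w_diff = W[:, k] - W[:, k_hat]
        f_diff = abs(scores[k] - scores[k_hat])
        # Distance from x0 to the hyperplane f_k(x) = f_{k_hat}(x) (Equation 8).
        ratio = f_diff / np.linalg.norm(w_diff)
        if ratio < best_ratio:
            best_ratio, l_hat = ratio, k
            # Projection of x0 onto that hyperplane (Equation 9).
            r = f_diff / (w_diff @ w_diff) * w_diff
    return r, l_hat

# Toy classifier (hypothetical): three classes in two dimensions.
W = np.array([[1.0, 0.0, -1.0],
              [0.0, 1.0, 0.0]])
b = np.zeros(3)
x0 = np.array([2.0, 1.0])          # scores [2, 1, -2], so k_hat = 0
r, l_hat = linear_multiclass_perturbation(W, b, x0)
print(l_hat, r, W.T @ (x0 + r) + b)
```

After adding `r`, the scores of classes `k_hat` and `l_hat` are tied, which is exactly the boundary case allowed by the constraint in Equation 6.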

4.2 General classifiers

For nonlinear classifiers, the set $P$ in Equation 7, which describes the region of the space where the classifier outputs the label $\hat{k}(x_0)$, is no longer a polyhedron. As in the iterative procedure for the binary case, the set $P$ is approximated at iteration $i$ by a polyhedron $\tilde{P}_i$:
$\tag{10} \tilde{P}_i=\bigcap_{k=1}^c\left\{x:f_k(x_i)-f_{\hat{k}(x_0)}(x_i)+\nabla f_k(x_i)^Tx-\nabla f_{\hat{k}(x_0)}(x_i)^Tx\leq0\right\}.$ Then, at each iteration, $\mathbf{dist}(x_i,P^c)$ is approximated by $\mathbf{dist}(x_i,\tilde{P}_i^c)$. Algorithm 2 summarizes the procedure. Note that the proposed algorithm operates greedily and is not guaranteed to converge to the optimal perturbation in Equation 1. In practice, however, it is observed to produce very small perturbations, which are believed to be good approximations of the minimal perturbation.
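
The greedy multiclass procedure can be sketched in NumPy as below. This is an illustration under stated assumptions, not a reproduction of Algorithm 2: the function name `deepfool_multiclass`, the `max_iter` cap, the toy classifier, and the choice to apply the overshoot $1+\eta$ inside the stopping test are all assumptions. The callable `jac` is assumed to return a `(c, n)` array whose row `k` is $\nabla f_k(x)$.

```python
import numpy as np

def deepfool_multiclass(f, jac, x0, eta=0.02, max_iter=50):
    """Greedy multiclass DeepFool sketch for a differentiable f: R^n -> R^c."""
    x0 = np.asarray(x0, dtype=float)
    k0 = int(np.argmax(f(x0)))          # original label k_hat(x0)
    x = x0.copy()
    r_total = np.zeros_like(x0)
    for _ in range(max_iter):
        scores, J = f(x), jac(x)
        best = None
        for k in range(len(scores)):
            if k == k0:
                continue
            w_k = J[k] - J[k0]           # gradient difference at x_i
            f_k = scores[k] - scores[k0]
            ratio = abs(f_k) / np.linalg.norm(w_k)
            if best is None or ratio < best[0]:
                best = (ratio, f_k, w_k)
        _, f_l, w_l = best
        # Project x_i onto the closest face of the linearized polyhedron.
        r_i = abs(f_l) / (w_l @ w_l) * w_l
        r_total += r_i
        x = x + r_i
        # Assumption of this sketch: stop once the overshot point changes label.
        if int(np.argmax(f(x0 + (1 + eta) * r_total))) != k0:
            break
    return (1 + eta) * r_total

# Toy nonlinear classifier (hypothetical): f(x) = A tanh(x).
A = np.array([[1.0, 0.0], [0.0, 1.0], [-1.0, -1.0]])
f = lambda x: A @ np.tanh(x)
jac = lambda x: A * (1.0 - np.tanh(x) ** 2)   # row k is the gradient of f_k

x0 = np.array([1.0, 0.2])
r_hat = deepfool_multiclass(f, jac, x0)
print(np.argmax(f(x0)), np.argmax(f(x0 + r_hat)), np.linalg.norm(r_hat))
```

For this toy classifier the boundary between classes 0 and 1 is the line $x_1=x_2$, at distance $0.8/\sqrt{2}\approx0.566$ from $x_0$, so the norm of the returned perturbation can be compared against that value.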

4.3 Extension to $\ell_p$ norms

The previous steps of DeepFool are carried out under the $\ell_2$ norm. When the perturbation is instead measured in an $\ell_p$ norm, $p\in[1,\infty)$, lines 10 and 11 of Algorithm 2 need to be replaced with:
$\tag{11} \hat{l} \leftarrow \underset{k \neq \hat{k}\left({x}_{0}\right)}{\arg \min } \frac{\left|f_{k}^{\prime}\right|}{\left\|{w}_{k}^{\prime}\right\|_{q}},$ $\tag{12} {r}_{i} \leftarrow \frac{\left|f_{\hat{l}}^{\prime}\right|}{\left\|{w}_{\hat{l}}^{\prime}\right\|_{q}^{q}}\left|{w}_{\hat{l}}^{\prime}\right|^{q-1} \odot \operatorname{sign}\left({w}_{\hat{l}}^{\prime}\right),$
where $\odot$ denotes element-wise multiplication and $q=\frac{p}{p-1}$. In particular, when $p=\infty$:
$\tag{13} \hat{l} \leftarrow \underset{k \neq \hat{k}\left(\boldsymbol{x}_{0}\right)}{\arg \min } \frac{\left|f_{k}^{\prime}\right|}{\left\|\boldsymbol{w}_{k}^{\prime}\right\|_{1}},$ $\tag{14} \boldsymbol{r}_{i} \leftarrow \frac{\left|f_{\hat{l}}^{\prime}\right|}{\left\|\boldsymbol{w}_{\hat{l}}^{\prime}\right\|_{1}} \operatorname{sign}\left(\boldsymbol{w}_{\hat{l}}^{\prime}\right).$
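
The update steps in Equations 12 and 14 can be sketched as a single helper. The function name `lp_step` is hypothetical, and the finite branch assumes $p>1$ so that $q=p/(p-1)$ is well defined. For $p=2$ the step reduces to the $\ell_2$ projection of Equation 9.

```python
import numpy as np

def lp_step(f_l, w_l, p):
    """Perturbation step for the l_p norm (Equation 12), or l_inf (Equation 14)."""
    w_l = np.asarray(w_l, dtype=float)
    if np.isinf(p):
        # Equation 14: every coordinate moves by the same amount |f| / ||w||_1.
        return abs(f_l) / np.sum(np.abs(w_l)) * np.sign(w_l)
    q = p / (p - 1.0)   # dual exponent; this sketch assumes p > 1
    return abs(f_l) / np.sum(np.abs(w_l) ** q) * np.abs(w_l) ** (q - 1) * np.sign(w_l)

# Illustrative values for f'_l and w'_l.
w = np.array([3.0, -4.0])
f_val = -5.0
r2 = lp_step(f_val, w, 2)          # l2 step
r3 = lp_step(f_val, w, 3)          # l3 step
rinf = lp_step(f_val, w, np.inf)   # l_inf step
print(r2, r3, rinf)
```

In every case the step satisfies $w^Tr=|f|$, so the linearized score difference is brought exactly to zero.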