Symmetric difference is defined as <math>A \ominus B = (A \setminus B) \cup (B \setminus A)</math>.
Last lecture, we covered provable defenses against ''sparse'' inference-time attacks using randomized ablation.
Deep Partition Aggregation (DPA):
# Partition the training set into <math>k</math> partitions.
#* Use a hash function <math>h</math> to deterministically assign each sample to a partition. The hash should depend only on <math>x</math>, not on the label <math>y</math>.
# Train a base classifier on each partition: <math>f_1,...,f_k</math>.
# At test time, run <math>x_t</math> through every classifier and output the majority class.
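The steps above can be sketched in code. This is a minimal illustration, not the paper's implementation; the names <code>partition_index</code> and <code>dpa_predict</code> are hypothetical, and the base classifiers are left abstract as callables.

```python
import hashlib
from collections import Counter

def partition_index(x_bytes: bytes, k: int) -> int:
    """Deterministically map a sample to one of k partitions by hashing
    only the input x (never the label y), so a poisoner cannot move a
    sample between partitions by relabeling it."""
    digest = hashlib.sha256(x_bytes).digest()
    return int.from_bytes(digest[:8], "big") % k

def dpa_predict(classifiers, x):
    """Run x through every base classifier f_1..f_k and return the
    majority (plurality) class among their votes."""
    votes = Counter(f(x) for f in classifiers)
    return votes.most_common(1)[0][0]
```

Because the partition assignment is a deterministic function of <math>x</math> alone, inserting or deleting one training sample perturbs exactly one partition, and hence at most one base classifier.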
Let <math>K_1</math> be the number of base classifiers voting for the majority class <math>C</math>, and <math>K_2</math> the number voting for the runner-up class <math>C'</math>.
Define the gap <math>\Delta = K_1 - K_2</math>.
To change the plurality from <math>C</math> to <math>C'</math>, the adversary must flip the output of at least <math>\Delta/2</math> base classifiers, and each inserted or deleted sample affects at most one of them.
The prediction is therefore provably robust against any insertion/deletion of at most <math>\Delta/2</math> training samples.
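The certificate follows directly from the vote counts. A small sketch (the helper name <code>certified_radius</code> is an assumption, not from the lecture): given the per-classifier votes, it returns the majority class and the number of poisoned insertions/deletions the prediction provably tolerates.

```python
from collections import Counter

def certified_radius(votes):
    """Given the list of base-classifier votes, return (majority class,
    certified number of insertions/deletions). Each poisoned sample can
    flip at most one base classifier, so the prediction holds as long
    as fewer than (K1 - K2) / 2 classifiers are flipped."""
    counts = Counter(votes).most_common(2)
    k1 = counts[0][1]
    k2 = counts[1][1] if len(counts) > 1 else 0
    delta = k1 - k2
    return counts[0][0], delta // 2
```

For example, with votes of 5 for <math>C</math> and 1 for <math>C'</math>, the gap is 4 and the prediction is certified against up to 2 poisoned samples.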
Both DPA and SS-DPA (semi-supervised DPA) are state-of-the-art against label-flipping attacks.
==Misc==