Deep Learning: Difference between revisions

Deep Learning (view source)

227 bytes added , 1 October 2020

no edit summary

5,337

edits

@@ Line 765: / Line 765: @@
 It depends on the data distribution, threat model, and hypothesis class.
-===Functional Adversarial Attacks===
+===Provable Defenses===
-Idea is to apply a global change to the image. E.g. every blue pixel becomes brighter and every green pixel becomes grayer.
+There are 3 types of Lp defenses:
+* Curvature-based defenses
+* IBP and Convex defenses
+* Randomzied smoothing
-===Adversarial Training===
+For Non-Lp
-Apply training on the worst perturbation.
+* Patch Threat
-E.g. Solve using alternating SGD + PGD.
+* Sparse Threat
-Adversarial training is couples with an attack type.
+* Wasserstein Threat
+===Randomized Smoothing===
+A smoothed classifier: <math>\bar{f}(x) = E_{\epsilon}[f(x+\epsilon)]</math>.
+The idea is that the decision boundary becomes smoother.
+Gaussian Smoothing for L2 attacks:
+;Theorem (Cohen et al., 2019)
+No adversarial example exists within the radius:
+<math>\frac{\sigma}{2}\left(\Phi^{-1}(p_1(x))-\Phi^{-1}(p_2(x))\right)</math>
 ==Misc==