Title
On the Relationship Between Adversarial Robustness and Decision Region in Deep Neural Network
Authors
Abstract
In general, Deep Neural Networks (DNNs) are evaluated by their generalization performance, measured on unseen data excluded from the training phase. As DNNs have developed, generalization performance has converged toward the state of the art, and it has become difficult to evaluate DNNs solely on this metric. Robustness against adversarial attacks has been used as an additional metric for evaluating DNNs by measuring their vulnerability. However, few studies have analyzed adversarial robustness in terms of the geometry of DNNs. In this work, we perform an empirical study of the internal properties of DNNs that affect model robustness under adversarial attacks. In particular, we propose the novel concept of the Populated Region Set (PRS), the set of regions in which training samples are populated more frequently, to represent the internal properties of DNNs in a practical setting. Through systematic experiments with the proposed concept, we provide empirical evidence that a low PRS ratio has a strong relationship with the adversarial robustness of DNNs. We also devise a PRS regularizer that leverages the characteristics of PRS to improve adversarial robustness without adversarial training.
