Robust Classification Under 𝓁0 Attack for the Gaussian Mixture Model

Impact factor 1.9, JCR Q1 (Mathematics, Applied)
Payam Delgosha, Hamed Hassani, Ramtin Pedarsani
Journal: SIAM Journal on Mathematics of Data Science, volume "10 3 1", pages 362-385
DOI: 10.1137/21m1426286 (https://doi.org/10.1137/21m1426286)
Publication date: 2021-04-05 (journal article)
Record source: Semantic Scholar
Citations: 5

Abstract
It is well-known that machine learning models are vulnerable to small but cleverly-designed adversarial perturbations that can cause misclassification. While there has been major progress in designing attacks and defenses for various adversarial settings, many fundamental and theoretical problems are yet to be resolved. In this paper, we consider classification in the presence of $\ell_0$-bounded adversarial perturbations, a.k.a. sparse attacks. This setting is significantly different from other $\ell_p$-adversarial settings, with $p\geq 1$, as the $\ell_0$-ball is non-convex and highly non-smooth. Under the assumption that data is distributed according to the Gaussian mixture model, our goal is to characterize the optimal robust classifier and the corresponding robust classification error as well as a variety of trade-offs between robustness, accuracy, and the adversary's budget. To this end, we develop a novel classification algorithm called FilTrun that has two main modules: Filtration and Truncation. The key idea of our method is to first filter out the non-robust coordinates of the input and then apply a carefully-designed truncated inner product for classification. By analyzing the performance of FilTrun, we derive an upper bound on the optimal robust classification error. We also find a lower bound by designing a specific adversarial strategy that enables us to derive the corresponding robust classifier and its achieved error. For the case that the covariance matrix of the Gaussian mixtures is diagonal, we show that as the input's dimension gets large, the upper and lower bounds converge; i.e. we characterize the asymptotically-optimal robust classifier. Throughout, we discuss several examples that illustrate interesting behaviors such as the existence of a phase transition for adversary's budget determining whether the effect of adversarial perturbation can be fully neutralized.