Deep learning models are known to be vulnerable to adversarial attacks. Adversarial learning is therefore becoming a crucial task. We propose a new vision on neural network robustness using Riemannian geometry and foliation theory. The idea is illustrated by creating a new adversarial attack that takes into account the curvature of the data space. This new adversarial attack called the two-step spectral attack is a piece-wise linear approximation of a geodesic in the data space. The data space is treated as a (degenerate) Riemannian manifold equipped with the pullback of the Fisher Information Metric (FIM) of the neural network. In most cases, this metric is only semi-definite and its kernel becomes a central object to study. A canonical foliation is derived from this kernel. The curvature of transverse leaves gives the appropriate correction to get a two-step approximation of the geodesic and hence a new efficient adversarial attack. The method is first illustrated on a 2D toy example in order to visualize the neural network foliation and the corresponding attacks. Next, experiments on the MNIST dataset with the proposed technique and a state of the art attack presented in Zhao et al. (2019) are reported. The result show that the proposed attack is more efficient at all levels of available budget for the attack (norm of the attack), confirming that the curvature of the transverse neural network FIM foliation plays an important role in the robustness of neural networks.
相關內容
神(shen)(shen)(shen)(shen)經(jing)網(wang)(wang)絡(luo)(luo)(Neural Networks)是世界上三個最古(gu)老的(de)(de)(de)(de)神(shen)(shen)(shen)(shen)經(jing)建(jian)(jian)模學(xue)(xue)會的(de)(de)(de)(de)檔案期刊:國際(ji)神(shen)(shen)(shen)(shen)經(jing)網(wang)(wang)絡(luo)(luo)學(xue)(xue)會(INNS)、歐洲(zhou)神(shen)(shen)(shen)(shen)經(jing)網(wang)(wang)絡(luo)(luo)學(xue)(xue)會(ENNS)和(he)(he)(he)日本神(shen)(shen)(shen)(shen)經(jing)網(wang)(wang)絡(luo)(luo)學(xue)(xue)會(JNNS)。神(shen)(shen)(shen)(shen)經(jing)網(wang)(wang)絡(luo)(luo)提供(gong)了(le)一(yi)個論(lun)壇,以發(fa)(fa)(fa)(fa)展和(he)(he)(he)培育一(yi)個國際(ji)社(she)(she)會的(de)(de)(de)(de)學(xue)(xue)者和(he)(he)(he)實(shi)踐者感(gan)興趣(qu)的(de)(de)(de)(de)所有(you)方面(mian)的(de)(de)(de)(de)神(shen)(shen)(shen)(shen)經(jing)網(wang)(wang)絡(luo)(luo)和(he)(he)(he)相(xiang)關方法(fa)的(de)(de)(de)(de)計(ji)(ji)(ji)算(suan)(suan)智(zhi)能(neng)(neng)。神(shen)(shen)(shen)(shen)經(jing)網(wang)(wang)絡(luo)(luo)歡迎高質量(liang)(liang)論(lun)文的(de)(de)(de)(de)提交,有(you)助(zhu)于(yu)全(quan)面(mian)的(de)(de)(de)(de)神(shen)(shen)(shen)(shen)經(jing)網(wang)(wang)絡(luo)(luo)研(yan)究(jiu),從行為(wei)和(he)(he)(he)大腦建(jian)(jian)模,學(xue)(xue)習算(suan)(suan)法(fa),通過(guo)數學(xue)(xue)和(he)(he)(he)計(ji)(ji)(ji)算(suan)(suan)分(fen)析,系統的(de)(de)(de)(de)工程(cheng)和(he)(he)(he)技(ji)術(shu)應用(yong),大量(liang)(liang)使用(yong)神(shen)(shen)(shen)(shen)經(jing)網(wang)(wang)絡(luo)(luo)的(de)(de)(de)(de)概(gai)念和(he)(he)(he)技(ji)術(shu)。這一(yi)獨特而廣(guang)泛(fan)的(de)(de)(de)(de)范(fan)圍促進了(le)生(sheng)物和(he)(he)(he)技(ji)術(shu)研(yan)究(jiu)之間的(de)(de)(de)(de)思想交流,并(bing)有(you)助(zhu)于(yu)促進對(dui)生(sheng)物啟(qi)發(fa)(fa)(fa)(fa)的(de)(de)(de)(de)計(ji)(ji)(ji)算(suan)(suan)智(zhi)能(neng)(neng)感(gan)興趣(qu)的(de)(de)(de)(de)跨學(xue)(xue)科社(she)(she)區的(de)(de)(de)(de)發(fa)(fa)(fa)(fa)展。因此,神(shen)(shen)(shen)(shen)經(jing)網(wang)(wang)絡(luo)(luo)編委會代(dai)表的(de)(de)(de)(de)專(zhuan)(zhuan)家領(ling)域(yu)包括心理學(xue)(xue),神(shen)(shen)(shen)(shen)經(jing)生(sheng)物學(xue)(xue),計(ji)(ji)(ji)算(suan)(suan)機科學(xue)(xue),工程(cheng),數學(xue)(xue),物理。該雜志發(fa)(fa)(fa)(fa)表文章、信件(jian)和(he)(he)(he)評(ping)論(lun)以及給編輯(ji)的(de)(de)(de)(de)信件(jian)、社(she)(she)論(lun)、時事、軟件(jian)調(diao)查和(he)(he)(he)專(zhuan)(zhuan)利信息(xi)。文章發(fa)(fa)(fa)(fa)表在(zai)五個部分(fen)之一(yi):認(ren)知科學(xue)(xue),神(shen)(shen)(shen)(shen)經(jing)科學(xue)(xue),學(xue)(xue)習系統,數學(xue)(xue)和(he)(he)(he)計(ji)(ji)(ji)算(suan)(suan)分(fen)析、工程(cheng)和(he)(he)(he)應用(yong)。
官網(wang)(wang)地址(zhi):
Gaussian graphical models are nowadays commonly applied to the comparison of groups sharing the same variables, by jointy learning their independence structures. We consider the case where there are exactly two dependent groups and the association structure is represented by a family of coloured Gaussian graphical models suited to deal with paired data problems. To learn the two dependent graphs, together with their across-graph association structure, we implement a fused graphical lasso penalty. We carry out a comprehensive analysis of this approach, with special attention to the role played by some relevant submodel classes. In this way, we provide a broad set of tools for the application of Gaussian graphical models to paired data problems. These include results useful for the specification of penalty values in order to obtain a path of lasso solutions and an ADMM algorithm that solves the fused graphical lasso optimization problem. Finally, we present an application of our method to cancer genomics where it is of interest to compare cancer cells with a control sample from histologically normal tissues adjacent to the tumor. All the methods described in this article are implemented in the $\texttt{R}$ package $\texttt{pdglasso}$ availabe at: //github.com/savranciati/pdglasso.
Matrix factorizations in dual number algebra, a hypercomplex system, have been applied to kinematics, mechanisms, and other fields recently. We develop an approach to identify spatiotemporal patterns in the brain such as traveling waves using the singular value decomposition of dual matrices in this paper. Theoretically, we propose the compact dual singular value decomposition (CDSVD) of dual complex matrices with explicit expressions as well as a necessary and sufficient condition for its existence. Furthermore, based on the CDSVD, we report on the optimal solution to the best rank-$k$ approximation under a newly defined quasi-metric in the dual complex number system. The CDSVD is also related to the dual Moore-Penrose generalized inverse. Numerically, comparisons with other available algorithms are conducted, which indicate less computational costs of our proposed CDSVD. In addition, the infinitesimal part of the CDSVD can identify the true rank of the original matrix from the noise-added matrix, but the classical SVD cannot. Next, we employ experiments on simulated time-series data and a road monitoring video to demonstrate the beneficial effect of the infinitesimal parts of dual matrices in spatiotemporal pattern identification. Finally, we apply this approach to the large-scale brain fMRI data, identify three kinds of traveling waves, and further validate the consistency between our analytical results and the current knowledge of cerebral cortex function.
Covariate shift may impact the operational safety performance of neural networks. A re-evaluation of the safety performance, however, requires collecting new operational data and creating corresponding ground truth labels, which often is not possible during operation. We are therefore proposing to reshape the initial test set, as used for the safety performance evaluation prior to deployment, based on an approximation of the operational data. This approximation is obtained by observing and learning the distribution of activation patterns of neurons in the network during operation. The reshaped test set reflects the distribution of neuron activation values as observed during operation, and may therefore be used for re-evaluating safety performance in the presence of covariate shift. First, we derive conservative bounds on the values of neurons by applying finite binning and static dataflow analysis. Second, we formulate a mixed integer linear programming (MILP) constraint for constructing the minimum set of data points to be removed in the test set, such that the difference between the discretized test and operational distributions is bounded. We discuss potential benefits and limitations of this constraint-based approach based on our initial experience with an implemented research prototype.
For Deep Neural Networks (DNNs) to become useful in safety-critical applications, such as self-driving cars and disease diagnosis, they must be stable to perturbations in input and model parameters. Characterizing the sensitivity of a DNN to perturbations is necessary to determine minimal bit-width precision that may be used to safely represent the network. However, no general result exists that is capable of predicting the sensitivity of a given DNN to round-off error, noise, or other perturbations in input. This paper derives an estimator that can predict such quantities. The estimator is derived via inequalities and matrix norms, and the resulting quantity is roughly analogous to a condition number for the entire neural network. An approximation of the estimator is tested on two Convolutional Neural Networks, AlexNet and VGG-19, using the ImageNet dataset. For each of these networks, the tightness of the estimator is explored via random perturbations and adversarial attacks.
Recent advances in hardware and big data acquisition have accelerated the development of deep learning techniques. For an extended period of time, increasing the model complexity has led to performance improvements for various tasks. However, this trend is becoming unsustainable and there is a need for alternative, computationally lighter methods. In this paper, we introduce a novel framework for efficient training of convolutional neural networks (CNNs) for large-scale spatial problems. To accomplish this we investigate the properties of CNNs for tasks where the underlying signals are stationary. We show that a CNN trained on small windows of such signals achieves a nearly performance on much larger windows without retraining. This claim is supported by our theoretical analysis, which provides a bound on the performance degradation. Additionally, we conduct thorough experimental analysis on two tasks: multi-target tracking and mobile infrastructure on demand. Our results show that the CNN is able to tackle problems with many hundreds of agents after being trained with fewer than ten. Thus, CNN architectures provide solutions to these problems at previously computationally intractable scales.
Knowledge graphs represent factual knowledge about the world as relationships between concepts and are critical for intelligent decision making in enterprise applications. New knowledge is inferred from the existing facts in the knowledge graphs by encoding the concepts and relations into low-dimensional feature vector representations. The most effective representations for this task, called Knowledge Graph Embeddings (KGE), are learned through neural network architectures. Due to their impressive predictive performance, they are increasingly used in high-impact domains like healthcare, finance and education. However, are the black-box KGE models adversarially robust for use in domains with high stakes? This thesis argues that state-of-the-art KGE models are vulnerable to data poisoning attacks, that is, their predictive performance can be degraded by systematically crafted perturbations to the training knowledge graph. To support this argument, two novel data poisoning attacks are proposed that craft input deletions or additions at training time to subvert the learned model's performance at inference time. These adversarial attacks target the task of predicting the missing facts in knowledge graphs using KGE models, and the evaluation shows that the simpler attacks are competitive with or outperform the computationally expensive ones. The thesis contributions not only highlight and provide an opportunity to fix the security vulnerabilities of KGE models, but also help to understand the black-box predictive behaviour of KGE models.
In 1954, Alston S. Householder published Principles of Numerical Analysis, one of the first modern treatments on matrix decomposition that favored a (block) LU decomposition-the factorization of a matrix into the product of lower and upper triangular matrices. And now, matrix decomposition has become a core technology in machine learning, largely due to the development of the back propagation algorithm in fitting a neural network. The sole aim of this survey is to give a self-contained introduction to concepts and mathematical tools in numerical linear algebra and matrix analysis in order to seamlessly introduce matrix decomposition techniques and their applications in subsequent sections. However, we clearly realize our inability to cover all the useful and interesting results concerning matrix decomposition and given the paucity of scope to present this discussion, e.g., the separated analysis of the Euclidean space, Hermitian space, Hilbert space, and things in the complex domain. We refer the reader to literature in the field of linear algebra for a more detailed introduction to the related fields.
Current deep learning research is dominated by benchmark evaluation. A method is regarded as favorable if it empirically performs well on the dedicated test set. This mentality is seamlessly reflected in the resurfacing area of continual learning, where consecutively arriving sets of benchmark data are investigated. The core challenge is framed as protecting previously acquired representations from being catastrophically forgotten due to the iterative parameter updates. However, comparison of individual methods is nevertheless treated in isolation from real world application and typically judged by monitoring accumulated test set performance. The closed world assumption remains predominant. It is assumed that during deployment a model is guaranteed to encounter data that stems from the same distribution as used for training. This poses a massive challenge as neural networks are well known to provide overconfident false predictions on unknown instances and break down in the face of corrupted data. In this work we argue that notable lessons from open set recognition, the identification of statistically deviating data outside of the observed dataset, and the adjacent field of active learning, where data is incrementally queried such that the expected performance gain is maximized, are frequently overlooked in the deep learning era. Based on these forgotten lessons, we propose a consolidated view to bridge continual learning, active learning and open set recognition in deep neural networks. Our results show that this not only benefits each individual paradigm, but highlights the natural synergies in a common framework. We empirically demonstrate improvements when alleviating catastrophic forgetting, querying data in active learning, selecting task orders, while exhibiting robust open world application where previously proposed methods fail.
Deep learning models on graphs have achieved remarkable performance in various graph analysis tasks, e.g., node classification, link prediction and graph clustering. However, they expose uncertainty and unreliability against the well-designed inputs, i.e., adversarial examples. Accordingly, various studies have emerged for both attack and defense addressed in different graph analysis tasks, leading to the arms race in graph adversarial learning. For instance, the attacker has poisoning and evasion attack, and the defense group correspondingly has preprocessing- and adversarial- based methods. Despite the booming works, there still lacks a unified problem definition and a comprehensive review. To bridge this gap, we investigate and summarize the existing works on graph adversarial learning tasks systemically. Specifically, we survey and unify the existing works w.r.t. attack and defense in graph analysis tasks, and give proper definitions and taxonomies at the same time. Besides, we emphasize the importance of related evaluation metrics, and investigate and summarize them comprehensively. Hopefully, our works can serve as a reference for the relevant researchers, thus providing assistance for their studies. More details of our works are available at //github.com/gitgiter/Graph-Adversarial-Learning.
Lots of learning tasks require dealing with graph data which contains rich relation information among elements. Modeling physics system, learning molecular fingerprints, predicting protein interface, and classifying diseases require that a model to learn from graph inputs. In other domains such as learning from non-structural data like texts and images, reasoning on extracted structures, like the dependency tree of sentences and the scene graph of images, is an important research topic which also needs graph reasoning models. Graph neural networks (GNNs) are connectionist models that capture the dependence of graphs via message passing between the nodes of graphs. Unlike standard neural networks, graph neural networks retain a state that can represent information from its neighborhood with an arbitrary depth. Although the primitive graph neural networks have been found difficult to train for a fixed point, recent advances in network architectures, optimization techniques, and parallel computation have enabled successful learning with them. In recent years, systems based on graph convolutional network (GCN) and gated graph neural network (GGNN) have demonstrated ground-breaking performance on many tasks mentioned above. In this survey, we provide a detailed review over existing graph neural network models, systematically categorize the applications, and propose four open problems for future research.
小貼士
登錄享
注冊地址: 北京市海淀區羊坊店路18號2幢3層301-191