IMPROVING ADVERSARIAL ROBUSTNESS REQUIRES REVISITING MISCLASSIFIED EXAMPLES

Wang Y, Zou D, Yi J, et al. Improving Adversarial Robustness Requires Revisiting Misclassified Examples[C]. international conference on learning representations, 2020.

@article{wang2020improving,
title={Improving Adversarial Robustness Requires Revisiting Misclassified Examples},
author={Wang, Yisen and Zou, Difan and Yi, Jinfeng and Bailey, James and Ma, Xingjun and Gu, Quanquan},
year={2020}}

概

作者认为, 错分样本对于提高网络的鲁棒性是很重要的, 为此提出了一个启发于此的新的损失函数.

主要内容

符号

$h_{\theta }$: 参数为$\theta$的神经网络;
( x , y ) ∈ R d × { 1 , … , K } (x,y) \in \mathbb{R}^d \times \{1,\ldots, K\} (x,y)∈Rd×{1,…,K}: 类别及其标签;

$$h_{\mathbf{\theta }}\left({\mathbf{x}}_i\right)=\underset{k=1,\dots ,K}{\mathrm{argmax}}{\mathbf{p}}_k\left({\mathbf{x}}_i,\mathbf{\theta }\right),{\mathbf{p}}_k\left({\mathbf{x}}_i,\mathbf{\theta }\right)=\exp \left({\mathbf{z}}_k\left({\mathbf{x}}_i,\mathbf{\theta }\right)\right)/\sum _{k^{\prime }=1}^K\exp \left({\mathbf{z}}_{k^{\prime }}\left({\mathbf{x}}_i,\mathbf{\theta }\right)\right)\text{\hspace{1em}(2)}$$

定义正分类样本和误分类样本
S h θ + = { i : i ∈ [ n ] , h θ ( x i ) = y i } a n d S h θ − = { i : i ∈ [ n ] , h θ ( x i ) ≠ y i } . \mathcal{S}_{h_{\theta}}^+ = \{i : i \in [n], h_{\theta} (x_i)=y_i \} \quad \mathrm{and} \quad \mathcal{S}_{h_{\theta}}^- = \{i : i \in [n], h_{\theta} (x_i) \not =y_i \}. Shθ​+​={i:i∈[n],hθ​(xi​)=yi​}andShθ​−​={i:i∈[n],hθ​(xi​)​=yi​}.

MART

在所有样本上的鲁棒分类误差:
$$\mathcal{R}(h_{\theta })=\frac{1}{n}\sum _{i=1}^n\underset{x_i^{\prime }\in {\mathcal{B}}_{ϵ}(x_i)}{\max }1(h_{\theta }(x_i^{\prime })\ne y_i),\text{\hspace{1em}(3)}$$
并定义在错分样本上的鲁棒分类误差
$${\mathcal{R}}^{-}(h_{\theta },x_i):=1(h_{\theta }({\hat{x}}_i^{\prime })\ne y_i)+1(h_{\theta }(x_i)\ne h_{\theta }({\hat{x}}_i^{\prime }))\text{\hspace{1em}(4)}$$

其中
$${\hat{x}}_i^{\prime }=\arg \underset{x_i^{\prime }\in {\mathcal{B}}_{ϵ}(x_i)}{\max }1(h_{\theta }(x_i^{\prime })\ne y_i).\text{\hspace{1em}(5)}$$

以及正分样本上的鲁棒分类误差:
$${\mathcal{R}}^{+}(h_{\theta },x_i):=1(h_{\theta }({\hat{x}}_i^{\prime })\ne y_i).\text{\hspace{1em}(6)}$$

最后, 我们要最小化的是二者的混合误差:
min ⁡ θ R misc  ( h θ ) : = 1 n ( ∑ i ∈ S h + R + ( h θ , x i ) + ∑ i ∈ S h θ − R − ( h θ , x i ) ) = 1 n ∑ i = 1 n { 1 ( h θ ( x ^ i ′ ) ≠ y i ) + 1 ( h θ ( x i ) ≠ h θ ( x ^ i ′ ) ) ⋅ 1 ( h θ ( x i ) ≠ y i ) } . (7) \tag{7} \begin{aligned} \min _{\boldsymbol{\theta}} \mathcal{R}_{\text {misc }}\left(h_{\boldsymbol{\theta}}\right): &=\frac{1}{n}\left(\sum_{i \in \mathcal{S}_{h}^{+}} \mathcal{R}^{+}\left(h_{\boldsymbol{\theta}}, \mathbf{x}_{i}\right)+\sum_{i \in \mathcal{S}_{\boldsymbol{h}_{\boldsymbol{\theta}}}^{-}} \mathcal{R}^{-}\left(h_{\boldsymbol{\theta}}, \mathbf{x}_{i}\right)\right) \\ &=\frac{1}{n} \sum_{i=1}^{n}\left\{\mathbb{1}\left(h_{\boldsymbol{\theta}}\left(\hat{\mathbf{x}}_{i}^{\prime}\right) \neq y_{i}\right)+\mathbb{1}\left(h_{\boldsymbol{\theta}}\left(\mathbf{x}_{i}\right) \neq h_{\boldsymbol{\theta}}\left(\hat{\mathbf{x}}_{i}^{\prime}\right)\right) \cdot \mathbb{1}\left(h_{\boldsymbol{\theta}}\left(\mathbf{x}_{i}\right) \neq y_{i}\right)\right\} \end{aligned}. θmin​Rmisc ​(hθ​):​=n1​⎝⎜⎛​i∈Sh+​∑​R+(hθ​,xi​)+i∈Shθ​−​∑​R−(hθ​,xi​)⎠⎟⎞​=n1​i=1∑n​{1(hθ​(x^i′​)​=yi​)+1(hθ​(xi​)​=hθ​(x^i′​))⋅1(hθ​(xi​)​=yi​)}​.(7)

为了能够传递梯度, 需要利用一些替代函数"软化"上面的损失函数, 对于$1(h_{\theta }({\hat{x}}_i^{\prime })\ne y_i)$利用BCE损失函数替代
$$\mathrm{B}\mathrm{C}\mathrm{E}(p({\hat{x}}_i,\theta ),y_i)=-\log (p_{y_i}({\hat{x}}_i^{\prime },\theta ))-\log (1-\underset{k\ne y_i}{\max }{p}_k({\hat{x}}_i^{\prime },\theta )),\text{\hspace{1em}(8)}$$
第一项为普通的交叉熵损失, 第二项用于提高分类边界.

对于第二项$1(h_{\theta }(x_i)\ne h_{\theta }({\hat{x}}_i^{\prime }))$, 用KL散度作为替代
$$\mathrm{K}\mathrm{L}(p(x_i,\theta )\Vert p({\hat{x}}_i^{\prime },\theta ))=\sum _{k=1}^K{p}_k(x_i,\theta )\log \frac{p_k(x_i,\theta )}{p_k({\hat{x}}_i^{\prime },\theta )}.\text{\hspace{1em}(9)}$$

最后一项$1(h_{\theta }(x_i)\ne y_i)$则可用 $1-p_{y_i}(x_i,\theta )$来代替.

于是最后的损失函数便是
$${\mathcal{L}}^{\mathrm{M}\mathrm{A}\mathrm{R}\mathrm{T}}(\theta )=\frac{1}{n}\sum _{i=1}^n\ell (x_i,y_i,\theta ),\text{\hspace{1em}(11)}$$
其中
$$\ell (x_i,y_i,\theta ):=\mathrm{B}\mathrm{C}\mathrm{E}(p({\hat{x}}_i^{\prime },\theta ),y_i)+\lambda \cdot \mathrm{K}\mathrm{L}(p(x_i,\theta )\Vert p({\hat{x}}_i,\theta ))\cdot (1-p_{y_i}(x_i,\theta )).$$