face_adv 论文阅读 ——通过方差提高迁移性

链接: 论文链接
链接: 代码

face_adv 论文阅读

1. Enhancing the Transferability of Adversarial Attacks through Variance Tuning

通过方差调整 提高对抗样本的迁移性
cvpr2021

1.1摘要

Deep neural networks are vulnerable to adversarial examples that mislead the models with imperceptible perturbations. Though adversarial attacks have achieved incredible success rates in the white-box setting, most existing adversaries often exhibit weak transferability in the black-box
setting, especially under the scenario of attacking models
with defense mechanisms. In this work, we propose a new
method called variance tuning to enhance the class of iterative gradient based attack methods and improve their attack transferability. Specifically, at each iteration for the
gradient calculation, instead of directly using the current
gradient for the momentum accumulation, we further consider the gradient variance of the previous iteration to tune
the current gradient so as to stabilize the update direction
and escape from poor local optima. Empirical results on
the standard ImageNet dataset demonstrate that our method
could significantly improve the transferability of gradientbased adversarial attacks. Besides, our method could be
used to attack ensemble models or be integrated with various input transformations. Incorporating variance tuning with input transformations on iterative gradient-based
attacks in the multi-model setting, the integrated method
could achieve an average success rate of 90.1% against
nine advanced defense methods, improving the current best
attack performance significantly by 85.1% .

前面写的都是说网络易于扰动，本文提出的是nifgsm，这个的作用呢是为了限制 想mifgsm 直接迭代，会陷入到局部的最优点哪里
这个方法可以跟ni，mi，ti结合的，但是看源码都是tf的，可以参考一下。

1.2想法

stochastic variance reduced gradient
stochastic gradient decent (SGD) 这是训练模型 的想法，从随机梯度下降去，去拟合，训练。
所以从随机梯度的角度去思考换的是梯度的来源，可以是方差，均值，进而有的这个基于方差的攻击（动机）
该方法的目的：
we aim to craft highly transferable adversaries, which is equivalent to improving the generalization of the training models, while SGDVRMs aim to accelerate the convergence.
Second, we consider the gradient variance of the examples sampled in the neighborhood of input x, which is equivalent to the one in the parameter space for training the neural models but SGDVRMs utilize variance in the training set.
Third, our variance tuning strategy is more generalized and can be used to improve the performance of MI-FGSM and NI-FGSM.

1. 一个高的迁移性。加速收敛。
2. 对x附近的梯度求方差
3. 这个方差调整更加普遍吧，可以适用在其他的攻击方法上。（废话）

1.3思路

1.4算法流程

流程介绍：参数挑需要理解的讲解
参数 β 调整 方差点的范围的？ N对方差进行调整

1. 计算梯度
2. 迭代动量项 mi
3. 根据第二个图的公式，计算梯度的方差
4. 更新adv

问题存在： 这个方差调用的是 x ∈ X空间内的其他数据，是计算其他的输入的梯度，比如记录了上一个输入的梯度，对这个进行迭代。而且在这个流程中好像没有看到V（x）参与到梯度的计算，类似于一个中间变量，但是没有引用到adv中去
刚看到这个 Xi是 原始的数据进行随机产生一个数据变化加进去的

1.5想法 可以改进的部分

这个选取的 方差空间 ，感觉得选取这个相同类别产生的梯度吧，进行方差计算，如果这个 ，那这个跟di对输入进行梯度变化有什么区别呢，多一些输入，然后计算方差，减去去生成新的adv？