1. Working Group Meeting (June 9, 2018)
Attendees: Timo Denk, Samed Güner
Tracks
The research focus is on the defense track. However, state-of-the-art knowledge about attacks is required in order to validate new defenses. We need to do research on both topics and come up with something new on the defense track.
- Defense: Find a function X -> W, where X is the set of all images and W is the set of classes. The function is parametrized by theta.
- Attack: Find a function (x1, w, theta) -> x2, which takes an image x1 of class w and, using the weights theta of the given model, finds another image x2 such that |x2 - x1| is minimal and x2 is misclassified.
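To make the attack definition concrete, here is a minimal sketch on a toy linear model (the `predict`, `attack`, `step`, and `max_steps` names are illustrative assumptions, not part of the challenge API): it nudges x1 toward the runner-up class until the model misclassifies, keeping |x2 - x1| small.

```python
import numpy as np

def predict(theta, x):
    """Class scores of a toy linear model; argmax gives the label."""
    return theta @ x

def attack(x1, w, theta, step=0.01, max_steps=1000):
    """Untargeted attack sketch: take small steps that shrink the score
    margin of the true class w until the model misclassifies. For a
    linear model the steepest direction is theta[r] - theta[w], where
    r is the runner-up class."""
    x2 = x1.astype(float).copy()
    for _ in range(max_steps):
        scores = predict(theta, x2)
        if np.argmax(scores) != w:
            return x2  # misclassified: adversarial example found
        r = np.argsort(scores)[-2]  # runner-up class
        direction = theta[r] - theta[w]
        x2 += step * direction / np.linalg.norm(direction)
    return x2
```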
Evaluation Criterion
- Let M be the model and S be the set of samples.
- We apply the five best untargeted attacks to M for each sample in S. (Open questions: do we sample from training or test data? Do targeted attacks come into play as well?)
- For each sample we record the minimum adversarial L2 distance (MAD) across the attacks. L2 can behave in unintuitive ways in high dimensions (curse of dimensionality); our own validation should therefore also use the L2 distance.
- If the model misclassifies a sample, the minimum adversarial distance for that sample is recorded as zero.
- The final model score is the median MAD across all samples.
- The higher the score, the better.
Our deployment pipeline should perform validation in a very similar manner. In particular L2 distance and median.
Example (Python sketch):

    import numpy as np

    def model_score(model, samples, attacks):
        """Median minimum adversarial L2 distance (MAD) over all samples."""
        d = []
        for x, label in samples:
            if model(x) != label:
                d.append(0.0)  # already misclassified: MAD is zero
                continue
            perturbed = [attack(model, x, label) for attack in attacks]
            d.append(min(np.linalg.norm(p - x) for p in perturbed))
        return np.median(d)
Deadlines
- June 25th, 2018: Challenge begins
- November 1st, 2018: Final submission date
- November 15th, 2018: Winners announced
Research
We need to do research on both topics. Relevant papers need to be identified as soon as possible.
Papers
Ideas
Linear combinations of inputs (for evaluation): determine the distance from an image to the first misclassified input when linearly approaching an image of another class. Analyze how noisy the classifications along the line are.
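A minimal sketch of this interpolation idea, assuming a `classify` function that returns a label (an illustrative interface, not an agreed one): walk linearly from an image toward one of another class and record the L2 distance to the first misclassified point.

```python
import numpy as np

def first_misclassification_distance(classify, x_a, label_a, x_b, steps=100):
    """Walk the line from x_a (class label_a) toward x_b; return the L2
    distance from x_a to the first sampled point the classifier no
    longer labels as label_a, or None if none is found."""
    for t in np.linspace(0.0, 1.0, steps + 1):
        x = (1.0 - t) * x_a + t * x_b
        if classify(x) != label_a:
            return np.linalg.norm(x - x_a)
    return None
```

Counting how often the label flips along the sampled line would give the "noisiness" measure mentioned above.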
Derivative penalties: regularize training with penalties for high first- and second-order derivatives with respect to input changes.
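A sketch of the first-order part of such a penalty, approximating the input gradient of an assumed scalar-output model `f` with central finite differences (real training would use autodiff instead):

```python
import numpy as np

def gradient_penalty(f, x, eps=1e-4):
    """Squared norm of df/dx at x, approximated by central differences.
    Added to the training loss, this penalizes outputs that change
    sharply under small input perturbations."""
    grad = np.zeros_like(x, dtype=float)
    for i in range(x.size):
        e = np.zeros_like(x, dtype=float)
        e[i] = eps
        grad[i] = (f(x + e) - f(x - e)) / (2.0 * eps)
    return float(np.sum(grad ** 2))
```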
Growing filters of the CNN, similar to the progressive growing of GANs. I have not seen any research going in this direction, but it might work. New filters would be faded in slowly.
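A rough sketch of how the fading could work, borrowing the alpha-ramp from progressive GAN growing (the function name, shapes, and the alpha schedule are assumptions):

```python
import numpy as np

def grow_filters(kernels, new_kernels, alpha):
    """Append newly added conv kernels scaled by alpha in [0, 1];
    ramping alpha from 0 to 1 during training fades the new filters
    in slowly instead of adding them abruptly.
    kernels, new_kernels: arrays of shape (n, h, w)."""
    return np.concatenate([kernels, alpha * new_kernels], axis=0)
```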
Fisher information matrix for network size reduction (see "Overcoming Catastrophic Forgetting in Neural Networks"). The matrix contains information on how relevant certain weights are for classification.
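A sketch of the diagonal Fisher approximation used in that paper, assuming a user-supplied `grad_log_lik(theta, x)` helper that returns the per-sample gradient of the log-likelihood with respect to the weights (an assumed helper, not an existing API):

```python
import numpy as np

def diagonal_fisher(grad_log_lik, theta, samples):
    """Diagonal Fisher information estimate: average of squared
    per-sample log-likelihood gradients wrt the weights. Large
    entries mark weights that matter most for classification."""
    return np.mean([grad_log_lik(theta, x) ** 2 for x in samples], axis=0)
```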
Dropout at the kernel level / additive noise on the kernels of higher layers. This might be common already; we have to do research on that.
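A sketch of what kernel-level dropout with additive noise could look like at training time (names, shapes, and default rates are assumptions):

```python
import numpy as np

def perturb_kernels(kernels, drop_prob=0.1, noise_std=0.01, rng=None):
    """Training-time regularization sketch: add Gaussian noise to every
    kernel, then zero out whole kernels with probability drop_prob
    (dropout at the kernel level). kernels: shape (n, h, w)."""
    rng = np.random.default_rng() if rng is None else rng
    noise = rng.normal(0.0, noise_std, size=kernels.shape)
    keep = rng.random(kernels.shape[0]) >= drop_prob
    return (kernels + noise) * keep[:, None, None]
```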
Deployment and Infrastructure
Deployment on AWS or GCP (Azure is not an option, and never was).
Funding through the free-tier budget and our own money; subsequently, and in the long run, sponsoring by the SAP Machine Learning Foundation. There might also be sponsored computing power available.
Miscellaneous