← ML Research Wiki / 1412.6572

Published as a conference paper at ICLR 2015 EXPLAINING AND HARNESSING ADVERSARIAL EXAMPLES

Ian J Goodfellow [email protected] Google Inc Mountain ViewCA, Jonathon Shlens [email protected] Google Inc Mountain ViewCA, Christian Szegedy [email protected] Google Inc Mountain ViewCA (2014)

Paper Information
arXiv ID
1412.6572
Venue
International Conference on Learning Representations
Domain
Not specified
Contents

Abstract

Several machine learning models, including neural networks, consistently misclassify adversarial examples-inputs formed by applying small but intentionally worst-case perturbations to examples from the dataset, such that the perturbed input results in the model outputting an incorrect answer with high confidence. Early attempts at explaining this phenomenon focused on nonlinearity and overfitting. We argue instead that the primary cause of neural networks' vulnerability to adversarial perturbation is their linear nature. This explanation is supported by new quantitative results while giving the first explanation of the most intriguing fact about them: their generalization across architectures and training sets. Moreover, this view yields a simple and fast method of generating adversarial examples. Using this approach to provide examples for adversarial training, we reduce the test set error of a maxout network on the MNIST dataset.

Summary

This paper discusses the vulnerability of machine learning models, particularly neural networks, to adversarial examples, which are inputs altered by small, intentional perturbations that lead to incorrect predictions. The authors argue that the primary cause of this vulnerability is the linear nature of neural networks rather than nonlinearity or overfitting. They introduce a fast method for generating adversarial examples using the fast gradient sign method and demonstrate its effectiveness in adversarial training, which provides additional regularization benefits over traditional methods like dropout. The paper also explores various models' capacities to resist adversarial perturbations and concludes that only more complex architectures with hidden layers can effectively address this issue. Observations include the notion that adversarial examples tend to generalize across different classifiers, and it emphasizes the inadequacies of current models in accurately understanding input distributions. Finally, the authors discuss potential improvements in optimization methods to enhance model stability against adversarial inputs.

Methods

This paper employs the following methods:

  • Fast Gradient Sign Method

Models Used

  • Maxout Network
  • Logistic Regression
  • RBF Network

Datasets

The following datasets were used in this research:

  • MNIST
  • ImageNet
  • CIFAR-10

Evaluation Metrics

  • Error Rate

Results

  • Reduced test set error of a maxout network on the MNIST dataset from 0.94% to 0.84% with adversarial training
  • Achieved error rate of 17.9% on adversarial examples after adversarial training

Limitations

The authors identified the following limitations:

  • Current models are susceptible to adversarial examples
  • The existence of adversarial examples suggests models do not truly understand given tasks
  • Models' responses are overly confident in areas outside the data distribution

Technical Requirements

  • Number of GPUs: None specified
  • GPU Type: None specified

Papers Using Similar Methods

External Resources

Funding: Not specified
References: 19
Influential Citations: 3771