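Paper link: http://arxiv.org/pdf/1608.00853
Abstract: This paper evaluates the effect of JPG compression on the classification of adversarial images. For FGSM perturbations of small magnitude, we find that JPG compression often reverses the drop in classification accuracy to a large extent, but not always. As the magnitude of the perturbation increases, JPG recompression alone is not sufficient to reverse the effect of FGSM.
- The emergence of adversarial examples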
in any challenging high-dimensional classification task where the inputs naturally live in (or near) a complex lower-dimensional data subspace, adversarial examples will lie outside this data subspace, taking advantage of the fact that the training objective for the neural network is essentially agnostic to the network’s behavior outside the data subspace.
- An explanation of why adversarial perturbations are so effective: possibly because neural networks pick up certain biases in natural images very well
Neural networks classifiers work well, in part, due to their strong inductive biases. But this same bias means that a neural network may report strong predictions beyond the data subspace where there is
- Diagram of how JPG compression works
JPG compression brings the adversarial example back into the data subspace.
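- Experiments
Extensions
Does the improvement that JPG compression brings against the perturbation depend on the specific structure of JPG compression, or can it be reproduced by something that merely shares similar statistics?
To test this, a random permutation of the vector (which can represent the effect of JPG compression) is added to the adversarial images, and the change in their top-label probabilities is observed. The experiment shows that after the vector is added, the adversarial images remain adversarial, and their top-label probabilities may be even lower than those of the plain adversarial examples.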
Background knowledge:
How JPG image compression works:
http://www.360doc.com/content/17/0901/18/41193811_683881904.shtml
Example code for the JPG compression algorithm:
https://github.com/richgel999/jpeg-compressor
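
The abstract's observation (small FGSM perturbations are often undone by JPG recompression, larger ones are not) comes down to JPG's quantization step. The following is an added example, not code from the paper or from the linked jpeg-compressor project: it runs the lossy core of JPG on one 8x8 luminance block and measures how much of a ±eps sign perturbation is still present afterwards. The random sign pattern is a constructed stand-in for sign(gradient), and the sample blocks and eps values are constructed as well.

```python
import math, random

N = 8
# Standard JPEG luminance quantization table (ITU-T T.81 Annex K).
Q = [[16, 11, 10, 16, 24, 40, 51, 61],
     [12, 12, 14, 19, 26, 58, 60, 55],
     [14, 13, 16, 24, 40, 57, 69, 56],
     [14, 17, 22, 29, 51, 87, 80, 62],
     [18, 22, 37, 56, 68, 109, 103, 77],
     [24, 35, 55, 64, 81, 104, 113, 92],
     [49, 64, 78, 87, 103, 121, 120, 101],
     [72, 92, 95, 98, 112, 100, 103, 99]]
# Orthonormal 8-point DCT-II basis, C[u][x].
C = [[math.sqrt((1 if u == 0 else 2) / N) * math.cos((2 * x + 1) * u * math.pi / (2 * N))
      for x in range(N)] for u in range(N)]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(N)) for j in range(N)] for i in range(N)]

CT = [list(r) for r in zip(*C)]  # transpose of C

def jpg_block(block):
    """Lossy core of JPG on one 8x8 luminance block (no chroma, no entropy coding)."""
    shifted = [[p - 128 for p in row] for row in block]
    F = matmul(matmul(C, shifted), CT)                     # forward 2-D DCT
    Fq = [[round(F[u][v] / Q[u][v]) * Q[u][v] for v in range(N)] for u in range(N)]
    rec = matmul(matmul(CT, Fq), C)                        # inverse 2-D DCT
    return [[min(255, max(0, round(p + 128))) for p in row] for row in rec]

def surviving(block, signs, eps):
    """Mean per-pixel |JPG(x + eps*signs) - JPG(x)|: the perturbation left after recompression."""
    adv = [[min(255, max(0, block[i][j] + eps * signs[i][j])) for j in range(N)]
           for i in range(N)]
    a, c = jpg_block(adv), jpg_block(block)
    return sum(abs(a[i][j] - c[i][j]) for i in range(N) for j in range(N)) / N ** 2

rng = random.Random(0)  # constructed stand-in for sign(gradient); no model is involved
SIGNS = [[1 if rng.random() < 0.5 else -1 for _ in range(N)] for _ in range(N)]
FLAT = [[128] * N for _ in range(N)]                                # constructed clean block
RAMP = [[100 + 6 * i + 3 * j for j in range(N)] for i in range(N)]  # constructed smooth block

if __name__ == "__main__":
    for eps in (1, 4, 16, 64):
        print(eps, surviving(FLAT, SIGNS, eps), surviving(RAMP, SIGNS, eps))
```

On the flat block the eps = 1 perturbation is rounded away entirely, because every DCT coefficient it produces is below half a quantization step. On a non-flat block, coefficients that already sit near a rounding boundary can flip, which is one way recompression fails to restore the clean input.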