QUICK REVIEW

[Paper Review] A Rotation and a Translation Suffice: Fooling CNNs with Simple Transformations

Logan Engstrom, Brandon Tran|arXiv (Cornell University)|Dec 7, 2017
Adversarial Robustness in Machine Learning | References: 30 | Cited by: 273
One-sentence summary

This paper shows that simple geometric transformations, namely rotations and translations alone, can substantially degrade the performance of convolutional neural network (CNN) vision models across several datasets, even when the models are trained with data augmentation. The key finding is that these natural-looking transformations fool models efficiently without relying on gradient-based adversarial attacks or access to the model, revealing a fundamental vulnerability in current vision models.

ABSTRACT

Recent work has shown that neural network-based vision classifiers exhibit a significant vulnerability to misclassifications caused by imperceptible but adversarial perturbations of their inputs. These perturbations, however, are purely pixel-wise and built out of loss function gradients of either the attacked model or its surrogate. As a result, they tend to be contrived and look pretty artificial. This might suggest that such vulnerability to slight input perturbations can only arise in a truly adversarial setting and thus is unlikely to be an issue in more natural contexts. In this paper, we provide evidence that such belief might be incorrect. We demonstrate that significantly simpler, and more likely to occur naturally, transformations of the input - namely, rotations and translations alone, suffice to significantly degrade the classification performance of neural network-based vision models across a spectrum of datasets. This remains to be the case even when these models are trained using appropriate data augmentation. Finding such fooling transformations does not require having any special access to the model - just trying out a small number of random rotation and translation combinations already has a significant effect. These findings suggest that our current neural network-based vision models might not be as reliable as we tend to assume. Finally, we consider a new class of perturbations that combines rotations and translations with the standard pixel-wise attacks. We observe that these two types of input transformations are, in a sense, orthogonal to each other. Their effect on the performance of the model seems to be additive, while robustness to one type does not seem to affect the robustness to the other type. This suggests that this combined class of transformations is a more complete notion of similarity in the context of adversarial robustness of vision models.

Motivation and Goals

  • Investigate whether simple geometric transformations such as rotations and translations degrade the performance of deep CNNs on standard vision benchmarks in a way that resembles a failure of adversarial robustness.
  • Evaluate whether such transformations remain effective without model gradients or any attack-specific adversarial training.
  • Assess the robustness of models trained with standard data augmentation against these natural-looking transformations.
  • Examine the relationship between geometric transformations and conventional pixel-wise adversarial attacks.
  • Determine whether combining geometric transformations with pixel-wise perturbations produces an additive or a synergistic effect.

Proposed Method

  • The authors apply random combinations of rotations and translations to input images from several benchmark datasets, including CIFAR-10, SVHN and ImageNet.
  • They evaluate the effect of these transformations on the classification accuracy of several pre-trained CNNs, including ResNet and DenseNet.
  • The method needs only inference-time access to the model and no other information about it; the transformations are applied directly to the input, without gradients or a surrogate model.
  • The authors compare the performance drop caused by geometric transformations with the effect of standard FGSM-style adversarial attacks.
  • They further combine geometric transformations with standard pixel-wise adversarial attacks to evaluate their joint effect on model robustness.
  • They analyse the orthogonality of the two perturbation types by measuring the separate effects of geometric transformations and pixel-wise perturbations as well as their combined effect.
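The black-box "try a few random rotation and translation combinations" procedure described above, as an added example that is not code from the paper or its authors: it applies k random (angle, dx, dy) combinations to each input and reports clean versus worst-of-k accuracy. The 8x8 blob images and the `side_classifier` stand-in for a CNN are constructed here, and `max_angle`/`max_shift` are assumed ranges, not the paper's.

```python
import math
import random

def rotate_translate(img, angle_deg, dx, dy, fill=0.0):
    # Rotate a grayscale image (list of rows) about its centre by angle_deg and
    # shift it by (dx, dy) pixels; nearest-neighbour sampling, `fill` outside.
    h, w = len(img), len(img[0])
    cy, cx = (h - 1) / 2.0, (w - 1) / 2.0
    cos_t, sin_t = math.cos(math.radians(angle_deg)), math.sin(math.radians(angle_deg))
    out = [[fill] * w for _ in range(h)]
    for r in range(h):
        for c in range(w):
            x, y = c - dx - cx, r - dy - cy      # undo the shift, centre the coords
            sx = cos_t * x + sin_t * y + cx      # rotate back to the source pixel
            sy = -sin_t * x + cos_t * y + cy
            si, sj = int(round(sy)), int(round(sx))
            if 0 <= si < h and 0 <= sj < w:
                out[r][c] = img[si][sj]
    return out

def worst_of_k_accuracy(predict, images, labels, k=10, max_angle=30, max_shift=3, seed=0):
    # Black-box "worst-of-k" evaluation: an input counts as robustly correct only
    # if every one of k random rotation/translation trials is still classified right.
    rng = random.Random(seed)
    clean = robust = 0
    for img, y in zip(images, labels):
        clean += predict(img) == y
        trials = [(rng.uniform(-max_angle, max_angle), rng.randint(-max_shift, max_shift),
                   rng.randint(-max_shift, max_shift)) for _ in range(k)]
        robust += all(predict(rotate_translate(img, a, dx, dy)) == y for a, dx, dy in trials)
    return clean / len(images), robust / len(images)

def make_toy_set(size=8):
    # Constructed sample data: a 2x2 blob near the left edge (label 0) or the right edge (label 1).
    imgs = []
    for col in (1, size - 3):
        img = [[0.0] * size for _ in range(size)]
        for r in (3, 4):
            img[r][col] = img[r][col + 1] = 1.0
        imgs.append(img)
    return imgs, [0, 1]

def side_classifier(img):
    # Toy stand-in for a CNN (assumed, not from the paper): predicts by which
    # half of the image holds more mass, so a few pixels of shift can flip it.
    half = len(img[0]) // 2
    left = sum(sum(row[:half]) for row in img)
    right = sum(sum(row[half:]) for row in img)
    return 0 if left >= right else 1
```

Calling `worst_of_k_accuracy(side_classifier, *make_toy_set())` gives the clean accuracy next to the worst-of-k accuracy; the gap between the two is the quantity the paper reports for real CNNs.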

Experimental Results

Research Questions

  • RQ1: Do simple geometric transformations such as rotations and translations degrade the performance of deep CNNs on standard vision benchmarks?
  • RQ2: Do these transformations remain effective even when the model is trained with standard data augmentation?
  • RQ3: Is robustness to geometric transformations correlated with robustness to standard pixel-wise adversarial attacks?
  • RQ4: Is the effect of geometric transformations and pixel-wise perturbations on model failure additive or synergistic?
  • RQ5: Can these transformations fool models without gradient-based optimisation or model access?

Main Findings

  • Rotations and translations alone reduce the accuracy of pre-trained CNNs trained on CIFAR-10 and similar datasets by up to 40%, even when the models are trained with standard data augmentation.
  • The performance drop caused by geometric transformations is comparable in magnitude to that of standard FGSM adversarial attacks, even though the transformations are visually natural and not pixel-wise.
  • Applying random combinations of rotations and translations achieves substantial misclassification rates at very low computational cost and without model access.
  • Robustness to geometric transformations and robustness to standard pixel-wise adversarial attacks are uncorrelated, indicating that the two are orthogonal types of perturbation.
  • Combining geometric transformations with pixel-wise attacks produces an additive performance drop, suggesting that robustness evaluation should consider both kinds of perturbation.
  • The results show that current vision models are fragile under natural-looking input transformations, challenging the assumption that they are reliable in real-world settings.


This review was generated by AI and checked by a human editor.