@lone30
Using EAT to defend against hacking attacks that deceive AI: Ensemble Adversarial Training

There are many attacks against AI systems, and they cause trouble ranging from a misread license plate that leads to payment problems to misrecognitions that undermine a security screening system and create a security crisis. A single attack is relatively easy to defend against, but a defense tuned to one attack still leaves the system in crisis when a different attack arrives. The characteristic of this type of attack (Adversarial Attack) is that if an attack threatens model A, there is a high probability that it also threatens model B, so a single type of defense is obviously insufficient. Our goal is to train models that resist Adversarial Attacks.

Malicious attacks

An Adversarial Attack is a man-made malicious attack that makes the system misidentify its target, confuses the audience, or makes the system classify a specific A as B; the purpose is to make the system's judgment wrong. There is also a Double Attack on security systems: first deceive the system's security checkpoint, then attack the inside. Taking image recognition as an example, a common practice is to add noise that the naked eye can hardly perceive to an image, such as a photo of a dog. After the noise is added the picture looks the same to a human, but the system may recognize it as a butterfly. Other visual and audio inputs are attacked on a similar principle.

Model training policy

Training of the model is discussed in four ways: 1. Basic, 2. Ensemble, 3. Adversarial, 4. Ensembled Adversarial. By analogy, the model is like an inexperienced child whose goal is to tell good strangers from bad ones, and an Adversarial Attack is like a bad guy who pretends to be nice. Method 1 (Basic) lets one child study alone without ever seeing fake good people; method 2 (Ensemble) also shows no fake good people, but gathers the opinions of several children and decides by vote; method 3 (Adversarial) shows one child fake good people and teaches him that they are bad people; method 4 (Ensembled Adversarial) combines the judgments of several children who have each learned to identify fake good people. We are also curious which method is better when method 2 or method 3 is used alone.

Generating "negative textbooks"

A very important part of training the model is preparing the training data. Once you have the original Dataset, the "positive teaching materials", you need to obtain "negative teaching materials": these are the original Dataset transformed by an Adversarial Attack Function. Note that the same attack does not necessarily apply to every model. Adding the data transformed by these Adversarial Attack Functions to the original Dataset gives the final Adversarial Dataset (positive + negative teaching materials).

Optimizing the model

Training shows that without an Adversarial Attack the Basic model already performs very well; the score after Ensemble is only slightly higher, so the effect is limited. Once an Adversarial Attack is added, the performance of the Ensemble improves significantly. It can be seen that Ensemble effectively improves the defense against Adversarial Attacks.
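The pipeline of the last two sections, as an added example that is not part of the original post: a toy nearest-centroid linear classifier stands in for the model, a fast-gradient-sign style perturbation within an L-inf budget eps stands in for the Adversarial Attack Function, and the Adversarial Dataset is the original data plus attacked copies that keep their true labels. Methods 1, 3 and 4 are compared on constructed data in which feature 0 is a robust signal and features 1-3 are fragile; the per-member eps values (1.2, 1.5, 1.8) are my assumption, chosen so that each ensemble member sees different negative teaching material.

```python
# Toy Ensemble Adversarial Training pipeline (example, not from the post). Model: nearest-
# centroid linear classifier; attack: FGSM-style step within an L-inf budget eps.
def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def train_linear(data):
    """w = mu1 - mu0, decision boundary halfway between the two class centroids."""
    mu = {}
    for label in (0, 1):
        pts = [x for x, y in data if y == label]
        mu[label] = [sum(col) / len(pts) for col in zip(*pts)]
    w = [a - b for a, b in zip(mu[1], mu[0])]
    return w, -dot(w, [a + b for a, b in zip(mu[1], mu[0])]) / 2

def predict(model, x):
    w, bias = model
    return 1 if dot(w, x) + bias > 0 else 0

def attack(model, x, y, eps):
    """Adversarial Attack Function: move every feature eps against the true class."""
    w, _ = model
    direction = -1 if y == 1 else 1  # lower the score for class 1, raise it for class 0
    return [xi + direction * eps * ((wi > 0) - (wi < 0)) for xi, wi in zip(x, w)]  # sign(wi)

def adversarial_dataset(data, model, eps):
    """Positive teaching materials + negative ones (attacked copies, true labels kept)."""
    return data + [(attack(model, x, y, eps), y) for x, y in data]

def ensemble_predict(models, x):  # majority vote of the members
    return 1 if 2 * sum(predict(m, x) for m in models) > len(models) else 0

def accuracy(predict_fn, data):
    return sum(predict_fn(x) == y for x, y in data) / len(data)

# Constructed data: feature 0 is a robust signal; features 1-3 are fragile (|value| <= EPS,
# so the attacker flips them cheaply). Class 0 mirrors class 1.
TRAIN = [([3, 1, 1, 1], 1), ([1, 1, 1, 1], 1), ([-3, -1, -1, -1], 0), ([-1, -1, -1, -1], 0)]
TEST = [([2, 1, 1, 1], 1), ([-2, -1, -1, -1], 0)]
EPS = 1.5

def run_experiment():  # {strategy: (clean accuracy, accuracy on points attacked via Basic)}
    basic = train_linear(TRAIN)                                   # method 1: Basic
    adv = train_linear(adversarial_dataset(TRAIN, basic, EPS))     # method 3: Adversarial
    members = [train_linear(adversarial_dataset(TRAIN, basic, e))  # method 4: each member
               for e in (1.2, 1.5, 1.8)]                           # trained with its own eps
    test_adv = [(attack(basic, x, y, EPS), y) for x, y in TEST]   # do the attacks transfer?
    strategies = {"basic": lambda x: predict(basic, x),
                  "adversarial": lambda x: predict(adv, x),
                  "ensembled_adversarial": lambda x: ensemble_predict(members, x)}
    return {n: (accuracy(f, TEST), accuracy(f, test_adv)) for n, f in strategies.items()}
```

The Basic model weights the fragile features heavily and is fooled by every attacked test point, while the models trained on the Adversarial Dataset shift their weight onto the robust feature and classify the same attacked points correctly.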
Website: https://techtuba.com/