As data becomes increasingly vital, companies are very cautious about releasing it, because competitors could use it to train high-performance models, posing a tremendous threat to the company's commercial competitiveness. To prevent good models from being trained on the data, we could add imperceptible perturbations to it. Since such perturbations aim to hurt the entire training process, they should reflect the vulnerability of DNN training rather than that of a single model. Based on this new idea, we seek perturbed examples that are always unrecognized (never correctly classified) during training. In this paper, we uncover them using the gradients of model checkpoints, forming the proposed self-ensemble protection (SEP), which is very effective because (1) learning on examples ignored during normal training tends to yield DNNs that ignore normal examples; (2) checkpoints' cross-model gradients are close to orthogonal, meaning that they are as diverse as DNNs with different architectures. That is, our ensemble performance requires only the computation of training one model. In extensive experiments with 9 baselines on 3 datasets and 5 architectures, SEP is verified to be a new state of the art; e.g., our small $\ell_\infty=2/255$ perturbations reduce the accuracy of a CIFAR-10 ResNet18 from 94.56% to 14.68%, compared to 41.35% by the best-known method. Code is available at https://github.com/Sizhe-Chen/SEP.
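A simplified sketch of the checkpoint-ensemble idea described above, added here as an illustration and not taken from the paper or the SEP repository. It assumes a toy logistic-regression model on constructed Gaussian data and plain cross-entropy sign-gradient ascent rather than the paper's actual objective; all function names and parameters are hypothetical.

```python
import numpy as np

def make_data(n=400, d=20, shift=0.25, seed=0):
    """Constructed toy data: two Gaussian classes with means -shift / +shift."""
    rng = np.random.default_rng(seed)
    y = rng.integers(0, 2, n).astype(float)
    x = rng.normal(size=(n, d)) + shift * (2 * y[:, None] - 1)
    return x, y

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def train_checkpoints(x, y, steps=300, lr=0.1, every=50):
    """One training run of plain gradient descent; snapshot (w, b) every `every` steps."""
    w, b, ckpts = np.zeros(x.shape[1]), 0.0, []
    for t in range(1, steps + 1):
        err = sigmoid(x @ w + b) - y            # dLoss/dlogit per example
        w -= lr * x.T @ err / len(y)
        b -= lr * err.mean()
        if t % every == 0:
            ckpts.append((w.copy(), b))
    return ckpts

def ensemble_loss(x, y, ckpts):
    """Cross-entropy on (x, y), averaged over all checkpoints."""
    losses = []
    for w, b in ckpts:
        p = np.clip(sigmoid(x @ w + b), 1e-12, 1 - 1e-12)
        losses.append(-(y * np.log(p) + (1 - y) * np.log(1 - p)).mean())
    return float(np.mean(losses))

def accuracy(x, y, ckpt):
    w, b = ckpt
    return float(((x @ w + b > 0) == (y > 0.5)).mean())

def perturb(x, y, ckpts, eps=0.25, alpha=0.05, iters=10):
    """Sign-gradient ascent on the summed checkpoint loss, kept inside the l_inf eps ball."""
    xp = x.copy()
    for _ in range(iters):
        grad = np.zeros_like(x)
        for w, b in ckpts:                       # input gradient of each checkpoint
            grad += (sigmoid(xp @ w + b) - y)[:, None] * w
        xp = np.clip(xp + alpha * np.sign(grad), x - eps, x + eps)
    return xp
```

Here `eps` is set relative to the unit-variance toy features; the perturbed points are the ones every saved checkpoint tends to misclassify, which is the property the abstract calls "always unrecognized".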