The maximum mean discrepancy (MMD) test can in principle detect any distributional discrepancy between two datasets. However, it has been shown that the MMD test is unaware of adversarial attacks: it failed to detect the discrepancy between natural and adversarial data. Given this phenomenon, we raise a question: are natural and adversarial data really from different distributions? The answer is affirmative. Previous uses of the MMD test for this purpose missed three key factors, and accordingly we propose three components. First, the Gaussian kernel has limited representation power, and we replace it with an effective deep kernel. Second, the test power of the MMD test was neglected, and we maximize it following asymptotic statistics. Finally, adversarial data may be non-independent, and we overcome this issue with the wild bootstrap. By taking care of these three factors, we verify that the MMD test is aware of adversarial attacks, which opens a new route to adversarial data detection based on two-sample tests.
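The following sketch is an added example, not code from the paper: it runs an MMD two-sample test whose null distribution comes from a wild bootstrap with correlated multipliers, which is the component the abstract uses to cope with non-independent samples. It assumes equal sample sizes and a plain Gaussian kernel (the baseline the abstract calls limited, not the deep kernel or the power maximization); all function names, the AR(1) multiplier process, the parameter values and the 2-D data are constructed for illustration.

```python
import math
import random

def gaussian_kernel(a, b, bandwidth=1.0):
    """Gaussian kernel on equal-length feature vectors."""
    sq = sum((u - v) ** 2 for u, v in zip(a, b))
    return math.exp(-sq / (2.0 * bandwidth ** 2))

def h_matrix(xs, ys, kernel):
    """h_ij = k(x_i,x_j) + k(y_i,y_j) - k(x_i,y_j) - k(x_j,y_i), for n = m."""
    n = len(xs)
    return [[kernel(xs[i], xs[j]) + kernel(ys[i], ys[j])
             - kernel(xs[i], ys[j]) - kernel(xs[j], ys[i])
             for j in range(n)] for i in range(n)]

def quad_form(h, w):
    """(1/n) * sum_ij w_i w_j h_ij; with w = 1 this is n * MMD^2 (V-statistic)."""
    n = len(w)
    return sum(w[i] * w[j] * h[i][j] for i in range(n) for j in range(n)) / n

def wild_process(n, rng, length=5.0):
    """Centred AR(1) multipliers, correlated along the sample order."""
    a = math.exp(-1.0 / length)
    s = math.sqrt(1.0 - a * a)
    w = [rng.gauss(0.0, 1.0)]
    for _ in range(n - 1):
        w.append(a * w[-1] + s * rng.gauss(0.0, 1.0))
    mean = sum(w) / n
    return [v - mean for v in w]

def mmd_wild_bootstrap_test(xs, ys, n_boot=200, seed=0, kernel=gaussian_kernel):
    """Return (n * MMD^2, p-value) for H0: xs and ys share one distribution."""
    if len(xs) != len(ys):
        raise ValueError("this form of the statistic needs equal sample sizes")
    rng = random.Random(seed)
    h = h_matrix(xs, ys, kernel)
    observed = quad_form(h, [1.0] * len(xs))
    exceed = sum(quad_form(h, wild_process(len(xs), rng)) >= observed
                 for _ in range(n_boot))
    return observed, (1 + exceed) / (1 + n_boot)

def constructed_sample(n, shift, seed):
    """Constructed 2-D Gaussian data standing in for feature vectors."""
    rng = random.Random(seed)
    return [[rng.gauss(shift, 1.0), rng.gauss(shift, 1.0)] for _ in range(n)]
```

A small p-value rejects the hypothesis that the two batches come from the same distribution; passing a different `kernel` callable is where a learned kernel would plug in.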