Recent studies have shown that deep neural networks are vulnerable to adversarial examples, but most of the methods proposed to defense adversarial examples cannot solve this problem fundamentally. In this paper, we theoretically prove that there is an upper bound for neural networks with identity mappings to constrain the error caused by adversarial noises. However, in actual computations, this kind of neural network no longer holds any upper bound and is therefore susceptible to adversarial examples. Following similar procedures, we explain why adversarial examples can fool other deep neural networks with skip connections. Furthermore, we demonstrate that a new family of deep neural networks called Neural ODEs (Chen et al., 2018) holds a weaker upper bound. This weaker upper bound prevents the amount of change in the result from being too large. Thus, Neural ODEs have natural robustness against adversarial examples. We evaluate the performance of Neural ODEs compared with ResNet under three white-box adversarial attacks (FGSM, PGD, DI2-FGSM) and one black-box adversarial attack (Boundary Attack). Finally, we show that the natural robustness of Neural ODEs is even better than the robustness of neural networks that are trained with adversarial training methods, such as TRADES and YOPO.
翻译:最近的研究显示,深神经网络很容易受到对抗性实例的影响,但大多数为对抗性实例辩护的拟议方法无法从根本上解决这一问题。在本文中,我们理论上证明,神经网络有一个带有身份映射的神经网络上限,以限制对抗性噪音造成的错误。然而,在实际计算中,这种神经网络不再具有任何上限,因此很容易受到对抗性实例的影响。按照类似程序,我们解释为什么对抗性实例可以愚弄其他有跳过连接的深神经网络。此外,我们证明,一个称为神经组织(Chen et al., 2018)的新的深神经网络大家庭拥有较弱的上限。这种较弱的上限防止了结果变化的幅度太大。因此,神经组织对对抗性例子具有自然的稳健性。我们比ResNet在三种白箱对抗性攻击(FGSM、PGD、DI2-FGSM)和一种黑箱对抗性攻击(Boundary attack-bronical Network)下评估神经组织的绩效。我们最后表明,经过训练的内审性网络的自然坚固性强性强性,甚至比内审的内审的内建系统更强。
相关内容
微信扫码咨询专知VIP会员