Few-shot classifiers have been shown to exhibit promising results in use cases where user-provided labels are scarce. These models are able to learn to predict novel classes simply by training on a non-overlapping set of classes. This can be largely attributed to the differences in their mechanisms as compared to conventional deep networks. However, this also offers new opportunities for novel attackers to induce integrity attacks against such models, which are not present in other machine learning setups. In this work, we aim to close this gap by studying a conceptually simple approach to defend few-shot classifiers against adversarial attacks. More specifically, we propose a simple attack-agnostic detection method, using the concept of self-similarity and filtering, to flag out adversarial support sets which destroy the understanding of a victim classifier for a certain class. Our extended evaluation on the miniImagenet (MI) and CUB datasets exhibit good attack detection performance, across three different few-shot classifiers and across different attack strengths, beating baselines. Our observed results allow our approach to establishing itself as a strong detection method for support set poisoning attacks. We also show that our approach constitutes a generalizable concept, as it can be paired with other filtering functions. Finally, we provide an analysis of our results when we vary two components found in our detection approach.
翻译:在用户提供的标签稀缺的情况下,少数少发分类显示在使用案例中展示出令人乐观的结果。这些模型能够学习仅仅通过非重叠类的培训来预测新课程。这在很大程度上可以归因于其机制与传统深层网络相比的不同。然而,这也为新攻击者提供了新的机会,以诱使这类模型受到廉正攻击,而其他机器学习设置中不存在这些模型。在这项工作中,我们的目标是缩小这一差距,通过研究一个概念简单的方法来保护少发分类者免受对抗性攻击。更具体地说,我们提出一种简单的攻击性鼻识检测方法,使用自我相似性和过滤的概念,来标出对抗性支持组,以摧毁受害者分类者对某一类的理解。我们对微型情报网(MI)和CUB数据集的扩大评价显示了良好的攻击性探测性表现,它来自三个不同的少发分类者,跨越了不同的攻击性强力,击打基线。我们观察到的结果使我们得以确定自己是支持设定中毒攻击的强有力检测方法。我们还表明,我们的方法构成了一种一般的过滤性概念,即我们最终找到了一种检测结果。
相关内容
微信扫码咨询专知VIP会员