Abstract
Deep Neural Network is an application of Big Data, and the robustness of Big Data is one of the most important issues. This paper proposes a new approach named PCD for computing adversarial examples for Deep Neural Network (DNN) and increase the robustness of Big Data. In safety-critical applications, adversarial examples are big threats to the reliability of DNNs. PCD generates adversarial examples by generating different coverage of pooling functions using gradient ascent. Among the 2707 input images, PCD generates 672 adversarial examples with L∞ distances less than 0.3. Comparing to PGD (state-of-art tool for generating adversarial examples with distances less than 0.3), PCD finds 1.5 times more adversarial examples than PGD (449) does.
Introduction
Recent researches show that Machine Learning (ML) algorithms based on Big Data, especially Deep Neural Networks (DNN), have achieved great success in solving complex tasks with near (or beyond) human-intelligence (with acceptable accuracy). Powered by massive amount of data, DNNs are increasingly being utilized in several domains, including speech interpreting [1, 2], image recognition [3, 4] and game playing [5, 6]. The average accuracy of modern Deep Neural Networks are pretty high, which allows them to apply in real-world applications and tasks.
But for some of the security (safety)-critical tasks, including autonomous driving [7–9], malware detection [10–12], and cyber-security [13–15], there are more concerns need to be addressed other than accuracy.
One of the main problems in these areas is the robustness of DNN towards adversarial examples. Great effort have been made to build reliability DNNs, including [16–20]. With less differences from the original input, the adversarial examples are more likely to active the same part of neurons in DNNs. Therefore, the weight matrices of the active neurons are more accurate and robust.
There are also several approaches to generate adversarial examples, such as gradient based attacks [21] spatial based attack [22] and attacks from real world (brightness and contrast) [23].
Here, this paper proposes a new adversarial attack PCD to challenge adversarial trained DNN proposed by Madry et al. in paper [18]. In the paper, Mardy et al. proposed PGD attack and generate adversarial examples with L∞ less than 0.3 using MNIST data-set.
In the new approach, PCD first generates coverage of pooling functions and guides the generating of adversarial examples with the coverage. PCD uses gradient ascent to generate coverage for pooing functions.
PCD attacks the adversarial-trained DNN in Mardy et al. paper [18] and follows the same constraint established in that paper, such that the L∞ distance between adversarial examples and original images should be less than 0.3. With the constraint, PCD is able to compute more useful adversarial examples for the DNN in [18] than PGD does.
PCD selected 2707 images as testing benchmark, PCD found 672 images with adversarial examples, which is 1.5 times more than PGD does (449).
There are three main contributions in the new proposed approach. Firstly, PCD finds more adversarial examples than PGD. With the 2707 images, PCD PCD finds 672 images with adversarial examples, while PGD finds 449 images with adversarial examples.
Secondly, PCD first uses the coverage of pooling functions in DNNs. Pooling Layers and pooling functions are widely used in DNNs, and the coverage of pooling functions are easily generated in PCD. With the coverage of pooling functions, PCD generates adversarial examples.
Thirdly, PCD generates multiple adversarial examples for a single input image, which is helpful to increase the robustness of adversarial trained DNNs.
By generating different coverage for different pooling functions in the DNN, PCD generates multiple adversarial examples for one image without randomization.
Related work
There are three other work that also use coverage in adversarial examples generating. DeepXplore [23] uses neuron coverage to generate adversarial examples, DeepGauge [24] aims at covering a range of values using activated neurons, and DeepCover [25] aims at generating a MC/DC coverage for a layer in DNN.
DeepXplore tries to increase the neuron value of a select neuron. Different from PCD, DeepXplore only choose one neuron to cover, and it only tries to increase the value that selected neuron. While PCD tries to increase the value of neurons in the input set of a pooling functions.
DeepGauge tries to cover a value range with activated neurons. It finds the neurons that are closet either to the higher or lower boundary of the range, and either increase or decrease the value of neurons. Comparing to PCD, DeepGauge has to decide the value of range with some strategies and generates the loss function, while PCD is able to generate the loss function based on each pooling functions automatically.
DeepCover tries to generate a MC/DC coverage for a layer in DNN. It tries to find a neuron n (c, i) such that v (c + 1,) * v (c, i) <0 and for all j ≠ i, v (c, j) * (v (c + 1, j) >0. DeepCover finds the coverage for layers, and PCD tries to find the coverage for pooling functions.
In the paper that proposed PGD attacks, the DNN N used in PCD was proposed in Madry, Aleksander et al. And N is also the target DNN of PGD attacks. In the paper, N was trained using a min-max optimization to find a large number of adversarial examples, and add them to the training set of N. In this way, N was adversarial trained and the robustness of N towards adversary is better than other DNN.
Preliminaries and approaches
Preliminaries
The DNN considered in this paper is composed of an input layer, an output layer and multiple hidden layers. A layer is composed of multiple neurons, connected to the neurons in the previous layer with a set of weights and activation functions. The set of weights is well-trained in the training phase. There are three types of activation functions used in this paper: convolution functions, pooling functions and Relu functions. There are also three types of hidden layers: convolution layers, pooling layers and fully connected layers.
Given a determined input image x, DNN N is able to recognize i as a digit number from 0 to 9. The output of N with input x is denoted as N (x).
Suppose there are n layers in N, then layer m1 is the input layer, and layer m n is the output layer, layers m2 . . . . mn-1, are hidden layers. The mn-1 layer is denoted as the logit layer. For a 2D-matrix m, there are only two dimensions (columns and rows) in m. A Multi-Dimensional Matrix m′ is an extension of 2D-matrix and use additional subscripts for indexing. If there are N subscripts in m′, then m′ is a ND-matrix.
An input image x is a 2D-matrix, a layer m i in N is a 4D-matrix, the weight matrix w1 of m i is a 4D-matrix.
For a 4D-matrix m, PCD uses m [x, y, z, n] to denote an element in m.
For a layer c in a given DNN Ninnn, if a neuron is the i-th neuron in layer c, then the neuron is denoted asn (c, i).
A neuron n (c, i) is a 3D-matrix. The weight matrix w (c, i) of n (c, i) is a 3D-matrix.
PCD uses v (c, i) to denote the value of neuron n (c, i) with original input image x.
PCD uses v (c, i, k) x (short as v (c, i, k) if x is not specified) to denote the value of n (c, i) with image x as input.
In the DNN N used in this paper, there are 10 neurons in layer mn-1. Neuron n (n - 1, i) is called the i tk label inN, v (n - 1, i) shows the possibility that N distinguishes the input image as the i tk digit number. There are also 10 neurons in mn-2, the values of neurons in mn-1 is the softmax results of values of neurons in mn-2. v (n - 1, i) is greater than v (n - 1, j) if and only if v (n - 2, i) is greater thanv (n - 2, j).
For an input image x, the neuron (label) that has the highest value in n - 2 layer is n (n - 2, l) , and the neuron (label) that has the second highest value in n-2 layer is n(n - 2, s). The value difference between n (n - 2, l) and n (n - 2, s) isg (x) .
Layers are composed of neurons, for example, in a hidden layer m c , suppose the size of m c is 28 * 28 * 16 * 32, then m c [0 : 28, 0 : 28, 0 : 16, i] is the matrix of neuron n (c, i). In other words, the matrix m of n (c, i) is a 3D-sub-matrix of m c .
For an image x′, x′ is a k - mutated image of x if the L∞ distance between x and x’ is less than k. In this paper, k equals to 0.3.
For an input image x, and a k - mutated image x′, it N (x) is different from N (x′) , then x′ is a k-Adversarial Example of x.
Approaches
Pooling functions
In Deep Neural Network, Pooling Functions are used to adjust the scale and complexity of the DNN. The pooling functions used in this paper are 2 * 2 pooling functions. There are two pooling layers mp1 and mp1 with pooling functions in it. PCD tries to generate a coverage for each pooling function. Each neuron value v (p, i) [x, y, z] in a pooling layer p is the output of a pooling function pf. The input of pf is a 2 * 2 matrix, represented as v (p, i - 1) [x : x + e, y : y + e, z], where 0 < e < 2. In other words:
pf : v (p, i - 1) [x : x + e, y : y + e, z] → v (p, i)[x, y, z] , and v (p, i) [x, y, z] : = max (v (p, i - 1) [x : x + e, y : y + e, z]) . Suppose v (p, i - 1) [m a , m b , z]= = v (p, i, z), then m a and m b are called the maximal indices of v (p - 1, i) [x : x + e, y : y + e, z] .
Coverage of pooling functions
For an input v(p-1, i)[x:x+e, y:y+e] of a pooling function pf, if there exists another k * k matrix v′ (p - 1, i) [x : x + e, y : y + e] such that the maximal indices of v (p - 1, i) [x : x + e, y : y + e] and v′ (p - 1, i) [x : x + e, y : y + e] are different, then v′ (p - 1, i) [x : x + e, y : y + e] covers a different output situation of pf, and PCD considers it as the coverage of v (p - 1, i) [x : x + e, y : y + e] . For an input image x, and a k-Mutated image x′ of $x, if v (p - 1, i) [x : x + e, y : y + e] x′ is a coverage of v (p - 1, i) [x : x + e, y : y + e] x′, then x′ is a pooling coverage of x . x′ might be a k -Adversarial Example of x.
Gradient ascent based coverage generation
For a pooling function pf, an input matrix v(p-1, i)[x:x+e, y:y+e], and the maximal indices m a , m b ,PCD tries to decrease the value of v (p - 1, i) [m a , m b ] and increase the value of other elements in the input matrix to generate a coverage for the input. The loss function is the sum of element values in the input matrix minus two times the value of v (p - 1, i) [m a , m b ].
PCD uses the gradient function in tensorflow to compute the gradient of input layer towards the loss value. PCD also uses the clip function in numpy package to guarantee that the changes in the input image x is less than k (L∞ distance). In this way, PCD generates k-Mutated image x′ of an original input image x. PCD then feeds the DNN N with x’ and decide whether x’ is a k-Adversarial Example of x or not. If N (x) ≠ N (x′), then x′ is a k-Adversarial Example, otherwise, x′ is not.
The detail algorithms in PCD of generating a k -Adversarial Example is presented in Algorithm 1.
In Algorithm 1, the input is a pooling function p f with n (p - 1, n) [x : x + e, y : y + e, z] as input. At Line 2, v computes the maximum value among the input using the pooling function. Starting at Line 3, PCD finds the maximum indices of the maximum by searching the input one by one. At Line 7 and the following line, PCD computes the loss function to generate mutated images. The loss function is the sum of element value among the input matrix minus 2 times the value of the maximum value (m at Line 2). If the generated k-Mutated image x′ has a different output from x with N. Then x′ is returned as a k-Adversarial Example. Otherwise, the algorithm returns null.
PCD is useful for all DNN with pooling functions
PCD uses pooling functions to generate adversarial examples of a given DNN. Therefore, PCD is applicable to all DNNs with Pooling Layers. Moreover, Pooling Layers are widely used in Deep Neural Network, therefore, PCD is useful for most of the current DNN model.
Experimental results and evaluation
Experiments on finding adversarial examples
DNN and testing images set
PCD uses the adversarial trained DNN N in Mardy’s paper and generates adversarial examples of Ninnn. Comparing to other DNNs, N is more reliable towards adversarial attacks [18].
In Mardy et al. paper [18], all adversarial examples find by PGD are 0.3-Adversarial Example, since any adversary that is allowed to perturb each pixel by more than 0.5 can construct a uniformly gray image, thus fooling any classifier [18]. PCD also applies the same constraint and only finds 0.3-Adversarial Example for the input images. The runtime limit of PCD is 1 hour and the memory limit of PCD is 32G.
As defined in Section 3, g (x) is the difference between the maximal neuron value v (n - 2, l) and the second maximal neuron value v (n - 2, s) in mn-2 layer. The range of g(x) is (0 + ∞)
The
P is the set of images that adversarial examples find by PGD. P is a subset of T, the number of images in P is 449.
PCD separates T and P into 7 different groups.
The first and second columns show the ID of the groups and the range of g (x′) in each group. The third and last columns show the number of images that belongs to the groups in P and T respectively.
Adversarial examples find by PCD
Figure 1 shows the original images and adversarial examples that are found by PCD and PGD.
Adversarial examples generated by PGD and PCD.
Less pixels are changed by PCD to generate an adversarial example than PGD does. It means that the gradient used in PCD is more efficient than that used in PGD.
Figure 2 shows the original images, the adversarial examples that PCD finds and the images that PGD generates (not adversary).
Images with adversarial examples only generated PCD.
There are minor differences between the images generated using PCD and PGD in the green rectangle.
PGD can not find an adversarial example from the images because the gradients it used were rigid, and PCD is able to increase the flexibility of gradients by using the coverage of pooling functions.
Table 2 shows the number of images with adversarial examples find in the experiments using PCD or PGD.
Groups of testing data in MNIST
Groups of testing data in MNIST
Adversarial examples in each group
The first column is the ID of the group, the second and third columns show the number of images with adversarial examples only find by PCD and PGD respectively. The fourth and fifth columns show the number of images with adversarial examples find by PCD and PGD respectively. The last column shows the number of images in each group.
Comparing to PGD, PCD is able to find 232 more adversarial examples in T, and PGD is able to find 2 more adversarial examples than PCD in T.
PCD finds 1.5 times more adversarial examples than PGD does.
For the set of P, PCD finds 287 images with adversarial examples without adding the xent value to loss function. After adding xent value to loss function, PCD finds 447 images with adversarial examples.
PCD finds more adversarial examples in all the 7 groups in T and PGD only finds 2 more adversarial examples than PCD does in Group 2 and 3.
Also, PCD is able to generate multiple adversarial examples for one image without the help of randomization. There are 3.24e + 4 more adversarial examples generated by PCD with the 679 images with adversarial examples in T.
Relations Between g (x) and Adversary
In Table 2, the number of images with adversarial examples find by either tools decreases dramatically in group 5 (i.e., images that g (x) is greater than 4), it means that for both PCD and PGD, find adversarial examples becomes harder when g (x)is greater than 4.
PCD is still able to find 1.57 times more adversarial examples than PGD for g (x) greater than 4. It means that thought it becomes harder to find adversarial examples for images with g (x) greater than 4, the advantage for PCD is not weaken by the increasing of g (x).
In this paper, PCD proposed a new approach to generate adversarial examples with adversarial trained DNN.
Experiments show that for the selected 2707 images, PCD is able to generate around 3.2e + 4 adversarial examples from 672 images. PCD generates 222 more adversarial examples than PGD does, and the advantage of finding more adversarial examples is not weaken by the increasing of g (x).With more adversarial examples generated, the robustness of N will be increased.
PCD only generates one test case for a pooling function (neuron), actually, for a k * k pooling function (neuron), there are also k * k possibilities of maximum neurons in the previous layers. From complete testing coverage perspective, all the k * k possible output situations should be covered by different test cases.