Deep learning-based image restoration methods have achieved promising performance. However, how to faithfully preserve the structure of the original image remains challenging. To address this challenge, we propose a novel Residual-Conditioned Optimal Transport (RCOT) approach, which models the image restoration as an optimal transport (OT) problem for both unpaired and paired settings, integrating the transport residual as a unique degradation-specific cue for both the transport cost and the transport map. Specifically, we first formalize a Fourier residual-guided OT objective by incorporating the degradation-specific information of the residual into the transport cost. Based on the dual form of the OT formulation, we design the transport map as a two-pass RCOT map that comprises a base model and a refinement process, in which the transport residual is computed by the base model in the first pass and then encoded as a degradation-specific embedding to condition the second-pass restoration. By duality, the RCOT problem is transformed into a minimax optimization problem, which can be solved by adversarially training neural networks. Extensive experiments on multiple restoration tasks show the effectiveness of our approach in terms of both distortion measures and perceptual quality. Particularly, RCOT restores images with more faithful structural details compared to state-of-the-art methods.
https://arxiv.org/abs/2405.02843
We propose a novel data augmentation method termed You Only Need hAlf (YONA), which simplifies the augmentation process. YONA bisects an image, substitutes one half with noise, and applies data augmentation techniques to the remaining half. This method reduces the redundant information in the original image, encourages neural networks to recognize objects from incomplete views, and significantly enhances neural networks' robustness. YONA is distinguished by its properties of parameter-free, straightforward application, enhancing various existing data augmentation strategies, and thereby bolstering neural networks' robustness without additional computational cost. To demonstrate YONA's efficacy, extensive experiments were carried out. These experiments confirm YONA's compatibility with diverse data augmentation methods and neural network architectures, yielding substantial improvements in CIFAR classification tasks, sometimes outperforming conventional image-level data augmentation methods. Furthermore, YONA markedly increases the resilience of neural networks to adversarial attacks. Additional experiments exploring YONA's variants conclusively show that masking half of an image optimizes performance. The code is available at this https URL.
https://arxiv.org/abs/2405.02830
Large Language Models (LLMs) have revolutionized natural language processing, but their robustness against adversarial attacks remains a critical concern. We present a novel white-box style attack approach that exposes vulnerabilities in leading open-source LLMs, including Llama, OPT, and T5. We assess the impact of model size, structure, and fine-tuning strategies on their resistance to adversarial perturbations. Our comprehensive evaluation across five diverse text classification tasks establishes a new benchmark for LLM robustness. The findings of this study have far-reaching implications for the reliable deployment of LLMs in real-world applications and contribute to the advancement of trustworthy AI systems.
https://arxiv.org/abs/2405.02764
Large language models (LLMs) tend to inadequately integrate input context during text generation, relying excessively on encoded prior knowledge in model parameters, potentially resulting in generated text with factual inconsistencies or contextually unfaithful content. LLMs utilize two primary knowledge sources: 1) prior (parametric) knowledge from pretraining, and 2) contextual (non-parametric) knowledge from input prompts. The study addresses the open question of how LLMs effectively balance these knowledge sources during the generation process, specifically in the context of open-domain question answering. To address this issue, we introduce a novel approach integrating contrastive decoding with adversarial irrelevant passages as negative samples to enhance robust context grounding during generation. Notably, our method operates at inference time without requiring further training. We conduct comprehensive experiments to demonstrate its applicability and effectiveness, providing empirical evidence showcasing its superiority over existing methodologies. Our code is publicly available at: this https URL.
https://arxiv.org/abs/2405.02750
Retrieval-augmented large language models (LLMs) leverage relevant content retrieved by information retrieval systems to generate correct responses, aiming to alleviate the hallucination problem. However, existing retriever-responder methods typically append relevant documents to the prompt of LLMs to perform text generation tasks without considering the interaction of fine-grained structural semantics between the retrieved documents and the LLMs. This issue is particularly important for accurate response generation as LLMs tend to "lose in the middle" when dealing with input prompts augmented with lengthy documents. In this work, we propose a new pipeline named "Reinforced Retriever-Reorder-Responder" (R$^4$) to learn document orderings for retrieval-augmented LLMs, thereby further enhancing their generation abilities while the large numbers of parameters of LLMs remain frozen. The reordering learning process is divided into two steps according to the quality of the generated responses: document order adjustment and document representation enhancement. Specifically, document order adjustment aims to organize retrieved document orderings into beginning, middle, and end positions based on graph attention learning, which maximizes the reinforced reward of response quality. Document representation enhancement further refines the representations of retrieved documents for responses of poor quality via document-level gradient adversarial learning. Extensive experiments demonstrate that our proposed pipeline achieves better factual question-answering performance on knowledge-intensive tasks compared to strong baselines across various public datasets. The source codes and trained models will be released upon paper acceptance.
https://arxiv.org/abs/2405.02659
In the past, research on a single low dimensional activation function in networks has led to internal covariate shift and gradient deviation problems. A relatively small research area is how to use function combinations to provide property completion for a single activation function application. We propose a network adversarial method to address the aforementioned challenges. This is the first method to use different activation functions in a network. Based on the existing activation functions in the current network, an adversarial function with opposite derivative image properties is constructed, and the two are alternately used as activation functions for different network layers. For complex situations, we propose a method of high-dimensional function graph decomposition(HD-FGD), which divides it into different parts and then passes through a linear layer. After integrating the inverse of the partial derivatives of each decomposed term, we obtain its adversarial function by referring to the computational rules of the decomposition process. The use of network adversarial methods or the use of HD-FGD alone can effectively replace the traditional MLP+activation function mode. Through the above methods, we have achieved a substantial improvement over standard activation functions regarding both training efficiency and predictive accuracy. The article addresses the adversarial issues associated with several prevalent activation functions, presenting alternatives that can be seamlessly integrated into existing models without any adverse effects. We will release the code as open source after the conference review process is completed.
https://arxiv.org/abs/2405.03712
Human object recognition exhibits remarkable resilience in cluttered and dynamic visual environments. In contrast, despite their unparalleled performance across numerous visual tasks, Deep Neural Networks (DNNs) remain far less robust than humans, showing, for example, a surprising susceptibility to adversarial attacks involving image perturbations that are (almost) imperceptible to humans. Human object recognition likely owes its robustness, in part, to the increasingly resilient representations that emerge along the hierarchy of the ventral visual cortex. Here we show that DNNs, when guided by neural representations from a hierarchical sequence of regions in the human ventral visual stream, display increasing robustness to adversarial attacks. These neural-guided models also exhibit a gradual shift towards more human-like decision-making patterns and develop hierarchically smoother decision surfaces. Importantly, the resulting representational spaces differ in important ways from those produced by conventional smoothing methods, suggesting that such neural-guidance may provide previously unexplored robustness solutions. Our findings support the gradual emergence of human robustness along the ventral visual hierarchy and suggest that the key to DNN robustness may lie in increasing emulation of the human brain.
https://arxiv.org/abs/2405.02564
Extensive research exists on the performance of large language models on logic-based tasks, whereas relatively little has been done on their ability to generate creative solutions on lateral thinking tasks. The BrainTeaser shared task tests lateral thinking and uses adversarial datasets to prevent memorization, resulting in poor performance for out-of-the-box models. We propose a system for iterative, chain-of-thought prompt engineering which optimizes prompts using human evaluation. Using this shared task, we demonstrate our system's ability to significantly improve model performance by optimizing prompts and evaluate the input dataset.
https://arxiv.org/abs/2405.02517
Automatic citation generation for sentences in a document or report is paramount for intelligence analysts, cybersecurity, news agencies, and education personnel. In this research, we investigate whether large language models (LLMs) are capable of generating references based on two forms of sentence queries: (a) Direct Queries, where LLMs are asked to provide author names of the given research article, and (b) Indirect Queries, where LLMs are asked to provide the title of a mentioned article when given a sentence from a different article. To demonstrate where LLMs stand in this task, we introduce a large dataset called REASONS comprising abstracts of the 12 most popular domains of scientific research on arXiv. From around 20K research articles, we make the following deductions on public and proprietary LLMs: (a) State-of-the-art, often called anthropomorphic GPT-4 and GPT-3.5, suffers from high pass percentage (PP) to minimize the hallucination rate (HR). When tested with this http URL (7B), they unexpectedly made more errors; (b) Augmenting relevant metadata lowered the PP and gave the lowest HR; (c) Advance retrieval-augmented generation (RAG) using Mistral demonstrates consistent and robust citation support on indirect queries and matched performance to GPT-3.5 and GPT-4. The HR across all domains and models decreased by an average of 41.93% and the PP was reduced to 0% in most cases. In terms of generation quality, the average F1 Score and BLEU were 68.09% and 57.51%, respectively; (d) Testing with adversarial samples showed that LLMs, including the Advance RAG Mistral, struggle to understand context, but the extent of this issue was small in Mistral and GPT-4-Preview. Our study contributes valuable insights into the reliability of RAG for automated citation generation tasks.
https://arxiv.org/abs/2405.02228
The Adversarial Markov Decision Process (AMDP) is a learning framework that deals with unknown and varying tasks in decision-making applications like robotics and recommendation systems. A major limitation of the AMDP formalism, however, is its pessimistic regret analysis results, in the sense that although the cost function can change from one episode to the next, the evolution in many settings is not adversarial. To address this, we introduce and study a new variant of AMDP, which aims to minimize regret while utilizing a set of cost predictors. For this setting, we develop a new policy search method that achieves a sublinear optimistic regret with high probability, that is, a regret bound which gracefully degrades with the estimation power of the cost predictors. Establishing such optimistic regret bounds is nontrivial given that (i) as we demonstrate, the existing importance-weighted cost estimators cannot establish optimistic bounds, and (ii) the feedback model of AMDP is different (and more realistic) than the existing optimistic online learning works. Our result, in particular, hinges upon developing a novel optimistically biased cost estimator that leverages cost predictors and enables a high-probability regret analysis without imposing restrictive assumptions. We further discuss practical extensions of the proposed scheme and demonstrate its efficacy numerically.
https://arxiv.org/abs/2405.02188
Motivation: Alzheimer's Disease hallmarks include amyloid-beta deposits and brain atrophy, detectable via PET and MRI scans, respectively. PET is expensive, invasive and exposes patients to ionizing radiation. MRI is cheaper, non-invasive, and free from ionizing radiation but limited to measuring brain atrophy. Goal: To develop a 3D image translation model that synthesizes amyloid-beta PET images from T1-weighted MRI, exploiting the known relationship between amyloid-beta and brain atrophy. Approach: The model was trained on 616 PET/MRI pairs and validated with 264 pairs. Results: The model synthesized amyloid-beta PET images from T1-weighted MRI with a high degree of similarity, showing high SSIM and PSNR metrics (SSIM > 0.95 and PSNR = 28). Impact: Our model proves the feasibility of synthesizing amyloid-beta PET images from structural MRI ones, significantly enhancing accessibility for large-cohort studies and early dementia detection, while also reducing cost, invasiveness, and radiation exposure.
https://arxiv.org/abs/2405.02109
Robust Reinforcement Learning (RRL) is a promising Reinforcement Learning (RL) paradigm aimed at training models robust to uncertainty or disturbances, making them more efficient for real-world applications. Following this paradigm, uncertainty or disturbances are interpreted as actions of a second adversarial agent, and thus, the problem is reduced to seeking the agents' policies robust to any opponent's actions. This paper is the first to propose considering the RRL problems within the positional differential game theory, which helps us to obtain theoretically justified intuition to develop a centralized Q-learning approach. Namely, we prove that under Isaacs's condition (sufficiently general for real-world dynamical systems), the same Q-function can be utilized as an approximate solution of both minimax and maximin Bellman equations. Based on these results, we present the Isaacs Deep Q-Network algorithms and demonstrate their superiority compared to other baseline RRL and Multi-Agent RL algorithms in various environments.
https://arxiv.org/abs/2405.02044
Social bots play a significant role in many online social networks (OSN) as they imitate human behavior. This fact raises difficult questions about their capabilities and potential risks. Given the recent advances in Generative AI (GenAI), social bots are capable of producing highly realistic and complex content that mimics human creativity. As malicious social bots emerge to deceive people with their unrealistic content, identifying them and distinguishing the content they produce has become an actual challenge for numerous social platforms. Several approaches to this problem have already been proposed in the literature, but the proposed solutions have not been widely evaluated. To address this issue, we evaluate the behavior of a text-based bot detector in a competitive environment where some scenarios are proposed: First, the tug-of-war between a bot and a bot detector is examined. It is interesting to analyze which party is more likely to prevail and which circumstances influence these expectations. In this regard, we model the problem as a synthetic adversarial game in which a conversational bot and a bot detector are engaged in strategic online interactions. Second, the bot detection model is evaluated under attack examples generated by a social bot; to this end, we poison the dataset with attack examples and evaluate the model performance under this condition. Finally, to investigate the impact of the dataset, a cross-domain analysis is performed. Through our comprehensive evaluation of different categories of social bots using two benchmark datasets, we were able to demonstrate some achievements that could be utilized in future works.
https://arxiv.org/abs/2405.02016
Deep Learning (DL) is rapidly maturing to the point that it can be used in safety- and security-crucial applications. However, adversarial samples, which are undetectable to the human eye, pose a serious threat that can cause the model to misbehave and compromise the performance of such applications. Addressing the robustness of DL models has become crucial to understanding and defending against adversarial attacks. In this study, we perform comprehensive experiments to examine the effect of adversarial attacks and defenses on various model architectures across well-known datasets. Our research focuses on black-box attacks such as SimBA, HopSkipJump, MGAAttack, and boundary attacks, as well as preprocessor-based defensive mechanisms, including bits squeezing, median smoothing, and JPEG filter. Experimenting with various models, our results demonstrate that the level of noise needed for the attack increases as the number of layers increases. Moreover, the attack success rate decreases as the number of layers increases. This indicates that model complexity and robustness have a significant relationship. Investigating the diversity and robustness relationship, our experiments with diverse models show that having a large number of parameters does not imply higher robustness. Our experiments extend to show the effects of the training dataset on model robustness. Various datasets, such as ImageNet-1000, CIFAR-100, and CIFAR-10, are used to evaluate the black-box attacks. Considering the multiple dimensions of our analysis, e.g., model complexity and training dataset, we examined the behavior of black-box attacks when models apply defenses. Our results show that applying defense strategies can significantly reduce attack effectiveness. This research provides in-depth analysis and insight into the robustness of DL models against various attacks and defenses.
https://arxiv.org/abs/2405.01963
Rapid advancements of deep learning are accelerating adoption in a wide variety of applications, including safety-critical applications such as self-driving vehicles, drones, robots, and surveillance systems. These advancements include applying variations of sophisticated techniques that improve the performance of models. However, such models are not immune to adversarial manipulations, which can cause the system to misbehave and remain unnoticed by experts. The frequency of modifications to existing deep learning models necessitates thorough analysis to determine the impact on models' robustness. In this work, we present an experimental evaluation of the effects of model modifications on deep learning model robustness using adversarial attacks. Our methodology involves examining the robustness of variations of models against various adversarial attacks. By conducting our experiments, we aim to shed light on the critical issue of maintaining the reliability and safety of deep learning models in safety- and security-critical applications. Our results indicate the pressing demand for an in-depth assessment of the effects of model changes on the robustness of models.
https://arxiv.org/abs/2405.01934
The findings of the 2023 AAPM Grand Challenge on Deep Generative Modeling for Learning Medical Image Statistics are reported in this Special Report. The goal of this challenge was to promote the development of deep generative models (DGMs) for medical imaging and to emphasize the need for their domain-relevant assessment via the analysis of relevant image statistics. As part of this Grand Challenge, a training dataset was developed based on 3D anthropomorphic breast phantoms from the VICTRE virtual imaging toolbox. A two-stage evaluation procedure was developed, consisting of a preliminary check for memorization and image quality (based on the Frechet Inception distance (FID)), and a second stage evaluating the reproducibility of image statistics corresponding to domain-relevant radiomic features. A summary measure was employed to rank the submissions. Additional analyses of submissions were performed to assess DGM performance specific to individual feature families, and to identify various artifacts. 58 submissions from 12 unique users were received for this Challenge. The top-ranked submission employed a conditional latent diffusion model, whereas the joint runners-up employed a generative adversarial network, followed by another network for image superresolution. We observed that the overall ranking of the top 9 submissions according to our evaluation method (i) did not match the FID-based ranking, and (ii) differed with respect to individual feature families. Another important finding from our additional analyses was that different DGMs demonstrated similar kinds of artifacts. This Grand Challenge highlighted the need for domain-specific evaluation to further DGM design as well as deployment. It also demonstrated that the specification of a DGM may differ depending on its intended use.
https://arxiv.org/abs/2405.01822
Unlearnable examples (UEs) seek to maximize testing error by making subtle modifications to training examples that are correctly labeled. Defenses against these poisoning attacks can be categorized based on whether specific interventions are adopted during training. The first approach is training-time defense, such as adversarial training, which can mitigate poisoning effects but is computationally intensive. The other approach is pre-training purification, e.g., image short squeezing, which consists of several simple compressions but often encounters challenges in dealing with various UEs. Our work provides a novel disentanglement mechanism to build an efficient pre-training purification method. Firstly, we uncover rate-constrained variational autoencoders (VAEs), demonstrating a clear tendency to suppress the perturbations in UEs. We subsequently conduct a theoretical analysis for this phenomenon. Building upon these insights, we introduce a disentangle variational autoencoder (D-VAE), capable of disentangling the perturbations with learnable class-wise embeddings. Based on this network, a two-stage purification approach is naturally developed. The first stage focuses on roughly eliminating perturbations, while the second stage produces refined, poison-free results, ensuring effectiveness and robustness across various scenarios. Extensive experiments demonstrate the remarkable performance of our method across CIFAR-10, CIFAR-100, and a 100-class ImageNet-subset. Code is available at this https URL.
https://arxiv.org/abs/2405.01460
Pedestrian detection has significantly progressed in recent years, thanks to the development of DNNs. However, detection performance at occluded scenes is still far from satisfactory, as occlusion increases the intra-class variance of pedestrians, hindering the model from finding an accurate classification boundary between pedestrians and background clutters. From the perspective of reducing intra-class variance, we propose to complete features for occluded regions so as to align the features of pedestrians across different occlusion patterns. An important premise for feature completion is to locate occluded regions. From our analysis, channel features of different pedestrian proposals only show high correlation values at visible parts and thus feature correlations can be used to model occlusion patterns. In order to narrow down the gap between completed features and real fully visible ones, we propose an adversarial learning method, which completes occluded features with a generator such that they can hardly be distinguished by the discriminator from real fully visible features. We report experimental results on the CityPersons, Caltech and CrowdHuman datasets. On CityPersons, we show significant improvements over five different baseline detectors, especially on the heavy occlusion subset. Furthermore, we show that our proposed method FeatComp++ achieves state-of-the-art results on all the above three datasets without relying on extra cues.
Pedestrian detection has made significant progress in recent years thanks to the development of deep neural networks. However, detection performance in occluded scenes is still far from satisfactory, since occlusion increases the intra-class variance of pedestrians and hinders the model from finding an accurate classification boundary between pedestrians and background clutter. From the perspective of reducing intra-class variance, we propose a method to complete the features of occluded regions so that pedestrian features under different occlusion patterns are aligned. An important premise of feature completion is locating the occluded regions. From our analysis, the channel features of different pedestrian proposals show high correlation only at the visible parts, so feature correlations can be used to model occlusion patterns. To narrow the gap between completed features and real fully visible features, we propose an adversarial learning method that completes occluded features with a generator such that the discriminator can hardly distinguish them from real fully visible features. We conduct experiments on the CityPersons, Caltech and CrowdHuman datasets. On CityPersons, we show significant improvements over five different baseline detectors, especially on the heavy occlusion subset. Furthermore, we show that our method FeatComp++ achieves state-of-the-art results on all three datasets without relying on extra cues.
https://arxiv.org/abs/2405.01311
Numerous studies have shown that existing Face Recognition Systems (FRS), including commercial ones, often exhibit biases toward certain ethnicities due to under-represented data. In this work, we explore ethnicity alteration and skin tone modification using synthetic face image generation methods to increase the diversity of datasets. We conduct a detailed analysis by first constructing a balanced face image dataset representing three ethnicities: Asian, Black, and Indian. We then make use of existing Generative Adversarial Network-based (GAN) image-to-image translation and manifold learning models to alter the ethnicity from one to another. A systematic analysis is further conducted to assess the suitability of such datasets for FRS by studying the realistic skin-tone representation using Individual Typology Angle (ITA). Further, we also analyze the quality characteristics using existing Face image quality assessment (FIQA) approaches. We then provide a holistic FRS performance analysis using four different systems. Our findings pave the way for future research works in (i) developing both specific ethnicity and general (any to any) ethnicity alteration models, (ii) expanding such approaches to create databases with diverse skin tones, (iii) creating datasets representing various ethnicities which further can help in mitigating bias while addressing privacy concerns.
Numerous studies have shown that existing face recognition systems (including commercial ones) often exhibit bias toward certain ethnicities due to under-represented data. In this work, we use synthetic face image generation methods to explore ethnicity alteration and skin tone modification in order to increase dataset diversity. We first construct a balanced face image dataset representing three ethnicities, then use existing Generative Adversarial Network (GAN)-based image-to-image translation and manifold learning models to alter the skin tone of one ethnicity into another. We further study the suitability of such datasets for a Face Recognition System (FRS) by assessing the realism of the skin tone representation with the Individual Typology Angle (ITA). In addition, we analyze quality characteristics using existing face image quality assessment (FIQA) methods. We then provide a comprehensive FRS performance analysis using four different systems. Our findings lay the groundwork for future research: (i) developing both ethnicity-specific and any-to-any ethnicity alteration models; (ii) extending such methods to create databases with diverse skin tones; (iii) creating datasets representing various ethnicities, thereby helping to mitigate bias while addressing privacy concerns.
https://arxiv.org/abs/2405.01273
Large Language Models (LLMs) have achieved remarkable success across diverse tasks, yet they remain vulnerable to adversarial attacks, notably the well-documented jailbreak attack. Recently, the Greedy Coordinate Gradient (GCG) attack has demonstrated efficacy in exploiting this vulnerability by optimizing adversarial prompts through a combination of gradient heuristics and greedy search. However, the efficiency of this attack has become a bottleneck in the attacking process. To mitigate this limitation, in this paper we rethink the generation of adversarial prompts through an optimization lens, aiming to stabilize the optimization process and harness more heuristic insights from previous iterations. Specifically, we introduce the Momentum Accelerated GCG (MAC) attack, which incorporates a momentum term into the gradient heuristic. Experimental results showcase the notable enhancement achieved by MAP in gradient-based attacks on aligned language models. Our code is available at this https URL.
Large language models (LLMs) have achieved remarkable success across a variety of tasks, yet they remain vulnerable to adversarial attacks, in particular the well-known jailbreak attack. Recently, the Greedy Coordinate Gradient (GCG) attack has successfully exploited this vulnerability by optimizing adversarial prompts through a combination of gradient heuristics and greedy search. However, the efficiency of this attack has become a bottleneck in the attack process. To mitigate this limitation, this paper rethinks the generation of adversarial prompts from an optimization perspective, aiming to stabilize the optimization process and draw more heuristic insight from previous iterations. Specifically, we introduce the Momentum Accelerated GCG (MAC) attack, which adds a momentum term to the gradient heuristic. Experimental results show the notable enhancement achieved by MAP in gradient-based attacks on aligned language models. Our code is available at: https:// this URL.
https://arxiv.org/abs/2405.01229