Fast Adversarial Robustness Certification of Nearest Prototype Classifiers for Arbitrary Seminorms

NeurIPS 2020

Abstract

Methods for adversarial robustness certification aim to provide an upper bound on the test error of a classifier under adversarial manipulation of its input. Current certification methods are computationally expensive and limited to attacks that optimize the manipulation with respect to a norm. We overcome these limitations by investigating…
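To fix notation for the rest of this summary, the quantity that certification methods bound can be written as the robust test error under a (semi)norm-bounded threat model. The formalization below is a hedged sketch in my own symbols (classifier f, data distribution D, budget ε, seminorm ‖·‖) and is not taken verbatim from the paper.

```latex
% Robust test error of a classifier f under input perturbations \delta whose
% (semi)norm is at most \epsilon; a certification method returns an efficiently
% computable bound on this quantity without running any concrete attack.
\operatorname{RTE}_{\epsilon}(f)
  \;=\; \mathbb{E}_{(x,y)\sim\mathcal{D}}
        \Bigl[\, \sup_{\lVert \delta \rVert \le \epsilon}
          \mathbb{1}\bigl\{\, f(x+\delta) \neq y \,\bigr\} \Bigr].
```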

Introduction
  • Adversarial robustness of a classifier describes its stability in classification under adversarial manipulations of the input.
  • With heuristic defenses on the losing side of the metaphorical arms race, provable robustness guarantees for classifiers provide a welcome alternative [11, 12, 17].
  • Robustness guarantees aim to provide the so-called robust test error of a classifier under adversarial attacks and are not dependent on the current state of adversarial attacks.
  • However, existing guarantees cannot be used for the rejection of adversarial examples with respect to an arbitrary seminorm without a huge computational overhead.
Highlights
  • Adversarial robustness of a classifier describes its stability in classification under adversarial manipulations of the input
  • As expected, there is a large difference in robustness between the Nearest Prototype Classifiers (NPCs) trained with a triplet loss (Generalized Learning Vector Quantization (GLVQ) and Generalized Tangent LVQ (GTLVQ)) and those trained with a different loss (RSLVQ); see Table 1
  • GLVQ and GTLVQ, on the other hand, do provide a nontrivial robustness certificate comparable to, or even better than, the results of a Neural Network (NN) trained with the Convex outer Adversarial Polytope (CAP) method, as presented in Table 1 and Table 2
  • Based on the hypothesis margin, we have proven an efficiently calculable and tight lower bound on the robust test error of an NPC (see the margin-certificate sketch after this list)
  • The numerical evaluation of this bound showed that the robustness guarantee of NPCs surpassed other NN-based certification methods and is close to verification methods
  • The method does not improve over the state of the art, and we expect issues in scaling to high-dimensional datasets like …
  • The method significantly improved the computational complexity of certification. Together with their inherent interpretability [20, 22], NPCs are a great alternative to NNs in the adversarial setting and the superior choice when compute time is restricted
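The certificate behind the margin bullet above can be made concrete with a small sketch. For an NPC whose dissimilarity is induced by a (semi)norm, a perturbation of (semi)norm at most ε changes every prototype distance by at most ε (triangle inequality), so a correctly classified sample whose hypothesis margin exceeds ε cannot change its predicted class. The NumPy sketch below computes these margin certificates; the function name, signature, and exact margin scaling (the factor 1/2 and the strict inequality) are my own illustrative choices and may differ from the paper's formulation.

```python
import numpy as np

def npc_margin_certificates(X, y, prototypes, proto_labels, eps, norm_fn=None):
    """Hypothesis-margin robustness certificates for a nearest prototype classifier.

    A sample is certified if it is correctly classified and its hypothesis margin
    exceeds eps: a perturbation delta with norm_fn(delta) <= eps shifts every
    prototype distance by at most eps (triangle inequality), so the class of the
    nearest prototype cannot change.
    """
    if norm_fn is None:
        norm_fn = lambda diff: np.linalg.norm(diff, axis=-1)  # Euclidean default

    # pairwise dissimilarities, shape (n_samples, n_prototypes)
    dists = norm_fn(X[:, None, :] - prototypes[None, :, :])
    same_class = proto_labels[None, :] == y[:, None]

    d_plus = np.where(same_class, dists, np.inf).min(axis=1)    # closest correct-class prototype
    d_minus = np.where(~same_class, dists, np.inf).min(axis=1)  # closest off-class prototype

    correct = d_plus < d_minus
    margin = 0.5 * (d_minus - d_plus)      # hypothesis margin
    certified = correct & (margin > eps)   # robust to all perturbations of (semi)norm <= eps
    return margin, certified

# Toy usage: two classes with two prototypes each.
rng = np.random.default_rng(0)
prototypes = np.array([[0.0, 0.0], [0.2, 0.1], [1.0, 1.0], [0.9, 1.1]])
proto_labels = np.array([0, 0, 1, 1])
idx = rng.integers(0, 4, size=6)
X = prototypes[idx] + 0.05 * rng.normal(size=(6, 2))
y = proto_labels[idx]
margin, certified = npc_margin_certificates(X, y, prototypes, proto_labels, eps=0.1)
print(margin.round(3), certified)
```

Because norm_fn is a plug-in parameter, the same routine covers different norms and seminorms without any per-sample optimization, which is the computational point of a margin-based certificate.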
Methods
  • In order to verify the presented theoretical results, the authors performed an experimental analysis on the MNIST [64] and CIFAR-10 [65] datasets.
  • The comparison reports verification ("Verify") and certification ("Certify") results together with the clean test error (CTE [%]) for each model; for MNIST (ε = 0.3): GLVQ (128 ppc, i.e., prototypes per class), RSLVQ (128 ppc), RT [50, Table 3], and CAP [12, Table 2 "Small"]; for CIFAR-10 (ε = 8/255): GLVQ (64 ppc), RSLVQ (128 ppc), RT [50, Table 3], and CAP [12, Table 2 "Resnet"]. The snippet below spells out these threat budgets.
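To make the threat budgets quoted above concrete, the self-contained snippet below expresses them as plug-in (semi)norms and evaluates the certified fraction on toy data with a compact inline margin computation mirroring the sketch in the Highlights section. Everything beyond the ε values and the L∞ choice (the helper names, the projection seminorm, and the toy data) is my own illustration and not part of the paper's experiments.

```python
import numpy as np

# (Semi)norms that can be plugged into a hypothesis-margin certificate.
linf = lambda diff: np.abs(diff).max(axis=-1)                       # L-infinity norm
l2 = lambda diff: np.linalg.norm(diff, axis=-1)                     # L2 norm
mask = np.array([1.0, 1.0, 0.0])                                    # ignore the last feature
proj_seminorm = lambda diff: np.linalg.norm(diff * mask, axis=-1)   # a genuine seminorm

# Threat budgets quoted above (both under the L-infinity norm).
threat_models = {"mnist_linf": (linf, 0.3), "cifar10_linf": (linf, 8 / 255)}

def certified_fraction(X, y, W, c, eps, norm_fn):
    """Fraction of samples whose hypothesis margin certifies robustness at eps."""
    D = norm_fn(X[:, None, :] - W[None, :, :])
    same = c[None, :] == y[:, None]
    d_plus = np.where(same, D, np.inf).min(axis=1)
    d_minus = np.where(~same, D, np.inf).min(axis=1)
    return float(np.mean((d_plus < d_minus) & (0.5 * (d_minus - d_plus) > eps)))

# Toy 3-dimensional data just to show the call; the paper uses MNIST/CIFAR-10 pixels.
rng = np.random.default_rng(1)
W = rng.normal(size=(4, 3))
c = np.array([0, 0, 1, 1])
idx = rng.integers(0, 4, size=50)
X = W[idx] + 0.1 * rng.normal(size=(50, 3))
y = c[idx]
for name, (norm_fn, eps) in threat_models.items():
    print(name, certified_fraction(X, y, W, c, eps, norm_fn))
print("projection seminorm, eps=0.3:", certified_fraction(X, y, W, c, 0.3, proj_seminorm))
```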
Results
  • Results of the comparison: as expected, there is a large difference in robustness between the NPCs trained with a triplet loss (GLVQ and GTLVQ) and those trained with a different loss (RSLVQ); see Table 1.
  • In addition to not being able to provide a guarantee, RSLVQ is not empirically robust—as shown by the trivial LRTE.
  • GLVQ and GTLVQ, on the other hand, do provide a nontrivial robustness certificate comparable to, or even better than, the results of an NN trained with CAP as presented in Table 1 and Table 2.
  • The models compared are GLVQ (128 ppc), GTLVQ (1 ppc, m = 100), and CAP [12, Table 2 "Resnet"].
Conclusion
  • The experimental evaluation yields the following results: first, training NPCs with a triplet loss is an effective robustification strategy.
  • The resulting models are empirically robust, and their guaranteed robustness is tight and nontrivial, improves over other certification methods, and is comparable even to the results of verification methods.
  • The authors showed a large difference in the computational overhead required to derive the guarantees between NN certifiers and NPC certification.
  • The numerical evaluation of this bound showed that the robustness guarantee of NPCs surpassed other NN-based certification methods and is close to verification methods.
  • Together with their inherent interpretability [20, 22], NPCs are a great alternative to NNs in the adversarial setting and the superior choice when compute time is restricted.
Tables
  • Table 1: Comparison of NPCs trained with the L∞-norm against state-of-the-art methods. Dashes "–" indicate that the quantity is not calculable or reported.
  • Table 2: Comparison of NPCs trained with the L2-norm against state-of-the-art certification methods based on NNs. Values denoted with ∗ were estimated from figures in the original publication. GTLVQ† was trained with the loss function from Equation (12) with an ε value of 1.58.
Related Work
  • Besides general theoretical work about adversarial robustness [27,28,29,30], the defense investigations can be grouped into three areas: robustification, the research to improve the adversarial robustness of models [8, 10, 11, 31,32,33]; verification (complete or exact methods), the analysis of how to compute the robustness guarantees exactly [17, 34, 35]; certification (incomplete methods), the study of fast calculable bounds for the robustness guarantees [36,37,38]. It is important to distinguish between verification methods and certification approaches. Naturally, verification approaches [17] have a combinatorial time complexity even though there are attempts to improve the computational complexity [39]. In contrast, certification methods [12, 40] try to return bounds for the robustness guarantees in polynomial time. Comparing verification and certification results only in terms of the returned robustness guarantees ignores the aspect of time complexity of the methods and is therefore not a fair comparison. We consider this thought carefully throughout the evaluation.
Funding
  • Acknowledgments and disclosure of funding: We would like to thank Peter Schlicht for his valuable contribution to earlier versions of the manuscript and Eric Wong for his helpful discussion about CAP.
  • Moreover, we would like to thank our attentive anonymous AC and reviewers whose comments have greatly improved this manuscript. None of the authors received third-party funding or had any financial relationship with entities that could potentially be perceived to influence the submitted work during the 36 months prior to this submission.
References
  • Amir Globerson and Sam Roweis. Nightmare at test time: Robust learning by feature deletion. In William W. Cohen and Andrew W. Moore, editors, Proceedings of the 23rd International Conference on Machine Learning – ICML 2006, pages 353–360, Pittsburgh, PA, USA, 2006. ACM.
  • Huan Xu, Constantine Caramanis, and Shie Mannor. Robustness and regularization of support vector machines. Journal of Machine Learning Research, 10(51):1485–1510, 2009.
  • Battista Biggio, Igino Corona, Blaine Nelson, Benjamin I. P. Rubinstein, Davide Maiorca, Giorgio Fumera, Giorgio Giacinto, and Fabio Roli. Security evaluation of support vector machines in adversarial environments. In Support Vector Machines Applications, pages 105– 153.
  • Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. Intriguing properties of neural networks. In Yoshua Bengio and Yann LeCun, editors, Proceedings of the 2nd International Conference on Learning Representations – ICLR 2014, Banff, AB, Canada, 2014.
  • Thomas Brunner, Frederik Diehl, Michael Truong Le, and Alois Knoll. Guessing smart: Biased sampling for efficient black-box adversarial attacks. In Proceedings of the IEEE International Conference on Computer Vision – ICCV 2019, pages 4958–4966, Seoul, South Korea, 2019. IEEE.
  • Kevin Eykholt, Ivan Evtimov, Earlence Fernandes, Bo Li, Amir Rahmati, Chaowei Xiao, Atul Prakash, Tadayoshi Kohno, and Dawn Song. Robust physical-world attacks on deep learning visual classification. In Proceedings of the 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition – CVPR 2018, pages 1625–1634, Salt Lake City, UT, USA, 2018. IEEE.
  • Felix Assion, Peter Schlicht, Florens Gressner, Wiebke Günther, Fabian Hüger, Nico Schmidt, and Umair Rasheed. The attack generator: A systematic approach towards constructing adversarial attacks. In Workshop proceedings of the 2019 IEEE Conference on Computer Vision and Pattern Recognition – CVPR 2019 Workshops, Long Beach, CA, USA, 2019.
  • Nicolas Papernot, Patrick McDaniel, Xi Wu, Somesh Jha, and Ananthram Swami. Distillation as a defense to adversarial perturbations against deep neural networks. In Proceedings of the 2016 IEEE Symposium on Security and Privacy – SP 2016, pages 582–597, San Jose, CA, USA, 2016. IEEE.
  • Harini Kannan, Alexey Kurakin, and Ian Goodfellow. Adversarial logit pairing. arXiv preprint arXiv:1803.06373 [cs.LG], 2018.
  • Lukas Schott, Jonas Rauber, Matthias Bethge, and Wieland Brendel. Towards the first adversarially robust neural network model on MNIST. In Proceedings of the 7th International Conference on Learning Representations – ICLR 2019, New Orleans, LA, USA, May 2019. OpenReview.net.
  • Francesco Croce, Maksym Andriushchenko, and Matthias Hein. Provable robustness of ReLU networks via maximization of linear regions. In Kamalika Chaudhuri and Masashi Sugiyama, editors, Proceedings of the 22nd International Conference on Artificial Intelligence and Statistics – AISTATS 2019, volume 89 of the Proceedings of Machine Learning Research, pages 2057–2066, Naha, Okinawa, Japan, 2019. PMLR.
  • Eric Wong, Frank Schmidt, Jan Hendrik Metzen, and J. Zico Kolter. Scaling provable adversarial defenses. In S. Bengio, H. Wallach, H. Larochelle, K. Grauman, N. Cesa-Bianchi, and R. Garnett, editors, Advances in Neural Information Processing Systems 32: Proceedings of the Neural Information Processing Systems Conference – NeurIPS 2019, pages 8400–8409, Vancouver, BC, Canada, 2019. Curran Associates, Inc.
  • Francesco Croce and Matthias Hein. Provable robustness against all adversarial lp-perturbations for p ≥ 1. In Proceedings of the 8th International Conference on Learning Representations – ICLR 2020. OpenReview.net, 2020.
  • Nicholas Carlini and David A. Wagner. Towards evaluating the robustness of neural networks. In Proceedings of the 2017 IEEE Symposium on Security and Privacy – SP 2017, pages 39–57, San Jose, CA, USA, 2017. IEEE.
  • Chawin Sitawarin and David Wagner. On the robustness of deep k-nearest neighbors. In Workshop proceedings of the 2019 IEEE Symposium on Security and Privacy Workshops – SP 2019 Workshops, pages 1–7, San Francisco, CA, USA, 2019. IEEE.
  • Nicholas Carlini. Is AmI (Attacks Meet Interpretability) robust to adversarial examples? arXiv preprint arXiv:1902.02322 [cs.LG], 2019.
  • Vincent Tjeng, Kai Y. Xiao, and Russ Tedrake. Evaluating robustness of neural networks with mixed integer programming. In Proceedings of the 7th International Conference on Learning Representations – ICLR 2019, New Orleans, LA, USA, 2019. OpenReview.net.
  • Jeremy Cohen, Elan Rosenfeld, and Zico Kolter. Certified adversarial robustness via randomized smoothing. In Kamalika Chaudhuri and Ruslan Salakhutdinov, editors, Proceedings of the 36th International Conference on Machine Learning – ICML 2019, volume 97 of the Proceedings of Machine Learning Research, pages 1310–1320, Long Beach, CA, USA, 2019. PMLR.
  • Kilian Q. Weinberger and Lawrence K. Saul. Distance metric learning for large margin nearest neighbor classification. Journal of Machine Learning Research, 10:207–244, 2009.
  • Jacob Bien and Robert Tibshirani. Prototype selection for interpretable classification. The Annals of Applied Statistics, 5(4):2403–2424, 2011.
  • David Nova and Pablo A. Estévez. A review of learning vector quantization classifiers. Neural Computing and Applications, 25(3-4):511–524, 2014.
  • Michael Biehl, Barbara Hammer, and Thomas Villmann. Prototype-based models in machine learning. Wiley Interdisciplinary Reviews Cognitive Science, 7(2):92–111, 2016.
  • Cynthia Rudin. Stop explaining black box machine learning models for high stakes decisions and use interpretable models instead. Nature Machine Intelligence, 1:206–215, 2019.
  • Alfredo Vellido. The importance of interpretability and visualization in machine learning for applications in medicine and health care. Neural Computing and Applications, 2019.
  • Jake Snell, Kevin Swersky, and Richard Zemel. Prototypical networks for few-shot learning. In I. Guyon, U. V. Luxburg, S. Bengio, H. Wallach, R. Fergus, S. Vishwanathan, and R. Garnett, editors, Advances in Neural Information Processing Systems 30: Proceedings of the Neural Information Processing Systems Conference – NIPS 2017, pages 4077–4087, Long Beach, CA, USA, 2017. Curran Associates, Inc.
  • Sascha Saralajew, Lars Holdijk, Maike Rees, and Thomas Villmann. Robustness of generalized learning vector quantization models against adversarial attacks. In Alfredo Vellido, Karina Gibert, Cecilio Angulo, and José David Martín-Guerrero, editors, Advances in Self-Organizing Maps, Learning Vector Quantization, Clustering and Data Visualization: Proceedings of the 13th International Workshop, WSOM+ 2019, volume 976 of the Advances in Intelligent Systems and Computing, pages 189–199, Barcelona, Spain, 2019.
  • Alhussein Fawzi, Hamza Fawzi, and Omar Fawzi. Adversarial vulnerability for any classifier. In Samy Bengio, Hanna M. Wallach, Hugo Larochelle, Kristen Grauman, Nicolò Cesa-Bianchi, and Roman Garnett, editors, Advances in Neural Information Processing Systems 31: Proceedings of the Neural Information Processing Systems Conference – NeurIPS 2018, pages 1178–1187, Montréal, QC, Canada, 2018. Curran Associates, Inc.
  • Andrew Ilyas, Shibani Santurkar, Dimitris Tsipras, Logan Engstrom, Brandon Tran, and Aleksander Madry. Adversarial examples are not bugs, they are features. In H. Wallach, H. Larochelle, A. Beygelzimer, F. d'Alché-Buc, E. Fox, and R. Garnett, editors, Advances in Neural Information Processing Systems 32: Proceedings of the Neural Information Processing Systems Conference – NeurIPS 2019, pages 125–136, Vancouver, BC, Canada, 2019. Curran Associates, Inc.
  • Carl-Johann Simon-Gabriel, Yann Ollivier, Leon Bottou, Bernhard Schölkopf, and David Lopez-Paz. First-order adversarial vulnerability of neural networks and input dimension. In Kamalika Chaudhuri and Ruslan Salakhutdinov, editors, Proceedings of the 36th International Conference on Machine Learning – ICML 2019, volume 97 of the Proceedings of Machine Learning Research, pages 5809–5817, Long Beach, CA, USA, 2019. PMLR.
  • Zhuozhuo Tu, Jingwei Zhang, and Dacheng Tao. Theoretical analysis of adversarial learning: A minimax approach. In H. Wallach, H. Larochelle, A. Beygelzimer, F. d'Alché-Buc, E. Fox, and R. Garnett, editors, Advances in Neural Information Processing Systems 32: Proceedings of the Neural Information Processing Systems Conference – NeurIPS 2019, pages 12280–12290, Vancouver, BC, Canada, 2019. Curran Associates, Inc.
  • Moustapha Cisse, Piotr Bojanowski, Edouard Grave, Yann Dauphin, and Nicolas Usunier. Parseval networks: Improving robustness to adversarial examples. In Doina Precup and Yee Whye Teh, editors, Proceedings of the 34th International Conference on Machine Learning – ICML 2017, volume 70 of the Proceedings of Machine Learning Research, pages 854–863, Sydney, NSW, Australia, 2017. PMLR.
  • Gamaleldin F. Elsayed, Dilip Krishnan, Hossein Mobahi, Kevin Regan, and Samy Bengio. Large margin deep networks for classification. In Samy Bengio, Hanna M. Wallach, Hugo Larochelle, Kristen Grauman, Nicolò Cesa-Bianchi, and Roman Garnett, editors, Advances in Neural Information Processing Systems 31: Proceedings of the Neural Information Processing Systems Conference – NeurIPS 2018, pages 842–852, Montréal, QC, Canada, 2018. Curran Associates, Inc.
  • Sven Gowal, Krishnamurthy Dvijotham, Robert Stanforth, Rudy Bunel, Chongli Qin, Jonathan Uesato, Relja Arandjelovic, Timothy Mann, and Pushmeet Kohli. On the effectiveness of interval bound propagation for training verifiably robust models. arXiv preprint arXiv:1810.12715v4 [cs.LG], 2019.
  • Guy Katz, Clark Barrett, David L. Dill, Kyle Julian, and Mykel J. Kochenderfer. Reluplex: An efficient SMT solver for verifying deep neural networks. In Rupak Majumdar and Viktor Kuncak, editors, 29th International Conference on Computer Aided Verification – CAV 2017, volume 10426 of the Lecture Notes in Computer Science, pages 97–117, Heidelberg, Germany, 2017. Springer International Publishing.
  • Matt Jordan, Justin Lewis, and Alexandros G. Dimakis. Provable certificates for adversarial examples: Fitting a ball in the union of polytopes. In H. Wallach, H. Larochelle, A. Beygelzimer, F. d'Alché-Buc, E. Fox, and R. Garnett, editors, Advances in Neural Information Processing Systems 32: Proceedings of the Neural Information Processing Systems Conference – NeurIPS 2019, pages 14082–14092, Vancouver, BC, Canada, 2019. Curran Associates, Inc.
  • Matthias Hein and Maksym Andriushchenko. Formal guarantees on the robustness of a classifier against adversarial manipulation. In I. Guyon, U. V. Luxburg, S. Bengio, H. Wallach, R. Fergus, S. Vishwanathan, and R. Garnett, editors, Advances in Neural Information Processing Systems 30: Proceedings of the Neural Information Processing Systems Conference – NIPS 2017, pages 2266–2276, Long Beach, CA, USA, 2017. Curran Associates, Inc.
  • Aditi Raghunathan, Jacob Steinhardt, and Percy Liang. Certified defenses against adversarial examples. In Proceedings of the 6th International Conference on Learning Representations – ICLR 2018, Vancouver, BC, Canada, 2018.
  • Huan Zhang, Tsui-Wei Weng, Pin-Yu Chen, Cho-Jui Hsieh, and Luca Daniel. Efficient neural network robustness certification with general activation functions. In Samy Bengio Hanna M. Wallach, Hugo Larochelle, Kristen Grauman, Nicolò Cesa-Bianchi, and Roman Garnett, editors, Advances in Neural Information Processing Systems 31: Proceedings of the Neural Information Processing Systems Conference – NeurIPS 2018, pages 4939–4948, Montréal, QC, Canada, 2018. Curran Associates, Inc.
  • Kai Y. Xiao, Vincent Tjeng, Nur Muhammad (Mahi) Shafiullah, and Aleksander Madry. Training for faster adversarial robustness verification via inducing ReLU stability. In Proceedings of the 7th International Conference on Learning Representations – ICLR 2019, New Orleans, LA, USA, 2019. OpenReview.net.
  • Eric Wong and Zico Kolter. Provable defenses against adversarial examples via the convex outer adversarial polytope. In Jennifer Dy and Andreas Krause, editors, Proceedings of the 35th International Conference on Machine Learning – ICML 2018, volume 80 of the Proceedings of Machine Learning Research, pages 5286–5295, Stockholmsmässan, Stockholm, Sweden, 2018. PMLR.
  • Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. Towards deep learning models resistant to adversarial attacks. In Proceedings of the 6th International Conference on Learning Representations – ICLR 2018, Vancouver, BC, Canada, 2018. OpenReview.net.
  • Florian Tramer and Dan Boneh. Adversarial training and robustness for multiple perturbations. In H. Wallach, H. Larochelle, A. Beygelzimer, F. d'Alché-Buc, E. Fox, and R. Garnett, editors, Advances in Neural Information Processing Systems 32: Proceedings of the Neural Information Processing Systems Conference – NeurIPS 2019, pages 5866–5876, Vancouver, BC, Canada, 2019. Curran Associates, Inc.
  • Nicolas Papernot and Patrick McDaniel. Deep k-nearest neighbors: Towards confident, interpretable and robust deep learning. arXiv preprint arXiv:1803.04765 [cs.LG], 2018.
  • Guanhong Tao, Shiqing Ma, Yingqi Liu, and Xiangyu Zhang. Attacks meet interpretability: Attribute-steered detection of adversarial samples. In Samy Bengio, Hanna M. Wallach, Hugo Larochelle, Kristen Grauman, Nicolò Cesa-Bianchi, and Roman Garnett, editors, Advances in Neural Information Processing Systems 31: Proceedings of the Neural Information Processing Systems Conference – NeurIPS 2018, pages 7717–7728, Montréal, QC, Canada, 2018. Curran Associates, Inc.
  • Seyed-Mohsen Moosavi-Dezfooli, Alhussein Fawzi, and Pascal Frossard. DeepFool: A simple and accurate method to fool deep neural networks. In Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition – CVPR 2016, pages 2574–2582, Las Vegas, NV, USA, 2016. IEEE.
  • Wieland Brendel, Jonas Rauber, and Matthias Bethge. Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. In Proceedings of the 6th International Conference on Learning Representations – ICLR 2018, Vancouver, BC, Canada, 2018. OpenReview.net.
  • Marius Mosbach, Maksym Andriushchenko, Thomas Trost, Matthias Hein, and Dietrich Klakow. Logit pairing methods can fool gradient-based attacks. arXiv preprint arXiv:1810.12042, 2018.
  • Guang-He Lee, Yang Yuan, Shiyu Chang, and Tommi Jaakkola. Tight certificates of adversarial robustness for randomly smoothed classifiers. In H. Wallach, H. Larochelle, A. Beygelzimer, F. d'Alché-Buc, E. Fox, and R. Garnett, editors, Advances in Neural Information Processing Systems 32: Proceedings of the Neural Information Processing Systems Conference – NeurIPS 2019, pages 4910–4921, Vancouver, BC, Canada, 2019. Curran Associates, Inc.
  • Bai Li, Changyou Chen, Wenlin Wang, and Lawrence Carin. Certified adversarial robustness with additive noise. In H. Wallach, H. Larochelle, A. Beygelzimer, F. d'Alché-Buc, E. Fox, and R. Garnett, editors, Advances in Neural Information Processing Systems 32: Proceedings of the Neural Information Processing Systems Conference – NeurIPS 2019, pages 9464–9474, Vancouver, BC, Canada, 2019. Curran Associates, Inc.
  • Maksym Andriushchenko and Matthias Hein. Provably robust boosted decision stumps and trees against adversarial attacks. In H. Wallach, H. Larochelle, A. Beygelzimer, F. d'AlchéBuc, E. Fox, and R. Garnett, editors, Advances in Neural Information Processing Systems 32: Proceedings of the Neural Information Processing Systems Conference – NeurIPS 2019, pages 13017–13028, Vancouver, BC, Canada, 2019. Curran Associates, Inc.
  • Hongge Chen, Huan Zhang, Duane Boning, and Cho-Jui Hsieh. Robust decision trees against adversarial examples. In Kamalika Chaudhuri and Ruslan Salakhutdinov, editors, Proceedings of the 36th International Conference on Machine Learning – ICML 2019, volume 97 of the Proceedings of Machine Learning Research, pages 1122–1131, Long Beach, CA, USA, 2019. PMLR.
  • Paolo Russu, Ambra Demontis, Battista Biggio, Giorgio Fumera, and Fabio Roli. Secure kernel machines against evasion attacks. In Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security – AISec 2016, pages 59–69, Vienna, Austria, 2016. ACM.
  • Atsushi Sato and Keiji Yamada. Generalized learning vector quantization. In David S. Touretzky, Michael Mozer, and Michael E. Hasselmo, editors, Advances in Neural Information Processing Systems 8: Proceedings of the Neural Information Processing Systems Conference – NIPS 1995, pages 423–429, Denver, CO, USA, 1996. MIT Press.
  • Teuvo Kohonen. Improved versions of learning vector quantization. In Proceedings of the 1990 International Joint Conference on Neural Networks – IJCNN 1990, pages 545–550, San Diego, CA, USA, 1990. IEEE.
  • Teuvo Kohonen. Self-Organizing Maps, volume 30 of the Springer Series in Information Sciences, chapter Learning Vector Quantization, pages 175–189. Springer, Berlin, Heidelberg, 1995.
  • Koby Crammer, Ran Gilad-Bachrach, Amir Navot, and Naftali Tishby. Margin analysis of the LVQ algorithm. In Suzanna Becker, Sebastian Thrun, and Klaus Obermayer, editors, Advances in Neural Information Processing Systems 15: Proceedings of the Neural Information Processing Systems Conference – NIPS 2002, pages 479–486, Vancouver, BC, Canada, 2003. MIT Press.
  • Yizhen Wang, Somesh Jha, and Kamalika Chaudhuri. Analyzing the robustness of nearest neighbors to adversarial examples. In Jennifer Dy and Andreas Krause, editors, Proceedings of the 35th International Conference on Machine Learning – ICML 2018, volume 80 of the Proceedings of Machine Learning Research, pages 5133–5142, Stockholmsmässan, Stockholm, Sweden, 2018. PMLR.
  • Lu Wang, Xuanqing Liu, Jinfeng Yi, Zhi-Hua Zhou, and Cho-Jui Hsieh. Evaluating the robustness of nearest neighbor classifiers: A primal-dual perspective. arXiv preprint arXiv:1906.03972v1 [cs.LG], 2019.
  • Yao-Yuan Yang, Cyrus Rashtchian, Yizhen Wang, and Kamalika Chaudhuri. Robustness for non-parametric classification: A generic attack and defense. In Silvia Chiappa and Roberto Calandra, editors, Proceedings of the 23rd International Conference on Artificial Intelligence and Statistics – AISTATS 2020, volume 108 of the Proceedings of Machine Learning Research, pages 941–951, Online, 2020. PMLR.
  • Johannes Brinkrolf and Barbara Hammer. Interpretable machine learning with reject option. at Automatisierungstechnik, 66(4):283 – 290, 2018.
  • Petra Schneider, Michael Biehl, and Barbara Hammer. Adaptive relevance matrices in learning vector quantization. Neural Computation, 21(12):3532–3561, 2009.
  • Sascha Saralajew and Thomas Villmann. Adaptive tangent distances in generalized learning vector quantization for transformation and distortion invariant classification learning. In Proceedings of the 2016 International Joint Conference on Neural Networks – IJCNN 2016, pages 2672–2679, Vancouver, BC, Canada, 2016. IEEE.
  • Sambu Seo and Klaus Obermayer. Soft learning vector quantization. Neural Computation, 15(7):1589–1604, 2003.
  • Yann LeCun, Corinna Cortes, and Christopher J.C. Burges. The MNIST database of handwritten digits. 1998. http://yann.lecun.com/exdb/mnist/.
  • Alex Krizhevsky. Learning multiple layers of features from tiny images. techreport, Department of Computer Science, University of Toronto, Toronto, ON, Canada, 2009.
  • Jia Deng, Wei Dong, Richard Socher, Li-Jia Li, Kai Li, and Li Fei-Fei. ImageNet: A large-scale hierarchical image database. In Proceedings of the 2009 IEEE Conference on Computer Vision and Pattern Recognition – CVPR 2009, pages 248–255, Miami, Florida, USA, 2009. IEEE.
  • Irina Bancos, Angela E. Taylor, Vasileios Chortis, Alice J. Sitch, Carl Jenkinson, Caroline J. Davidge-Pitts, Katharina Lang, Stylianos Tsagarakis, Magdalena Macech, Anna Riester, et al. Urine steroid metabolomics for the differential diagnosis of adrenal incidentalomas in the eurine-act study: a prospective test validation study. The Lancet Diabetes & Endocrinology, 8(9):773–781, 2020.
  • Wiebke Arlt, Michael Biehl, Angela E. Taylor, Stefanie Hahner, Rossella Libé, Beverly A. Hughes, Petra Schneider, David J. Smith, Han Stiekema, Nils Krone, Emilio Porfiri, Giuseppe Opocher, Jerôme Bertherat, Franco Mantero, Bruno Allolio, Massimo Terzolo, Peter Nightingale, Cedric H. L. Shackleton, Xavier Bertagna, Martin Fassnacht, and Paul M. Stewart. Urine steroid metabolomics as a biomarker tool for detecting malignancy in adrenal tumors. The Journal of Clinical Endocrinology & Metabolism, 96(12):3775–3784, 2011.
  • Wojciech Samek, Grégoire Montavon, Andrea Vedaldi, Lars Kai Hansen, and Klaus-Robert Müller, editors. Explainable AI: Interpreting, Explaining and Visualizing Deep Learning, volume 11700 of the Lecture Notes in Computer Science. Springer, 2019.
  • Diogo V. Carvalho, Eduardo M. Pereira, and Jaime S. Cardoso. Machine learning interpretability: A survey on methods and metrics. Electronics, 8(8):832, 2019.
  • Sascha Saralajew, Lars Holdijk, Maike Rees, Ebubekir Asan, and Thomas Villmann. Classification-by-components: Probabilistic modeling of reasoning over a set of components. In H. Wallach, H. Larochelle, A. Beygelzimer, F. d'Alché-Buc, E. Fox, and R. Garnett, editors, Advances in Neural Information Processing Systems 32: Proceedings of the Neural Information Processing Systems Conference – NeurIPS 2019, pages 2792–2803, Vancouver, BC, Canada, 2019. Curran Associates, Inc.
Authors
Sascha Saralajew
Lars Holdijk