Unifying Adversarial Training Algorithms with Flexible Deep Data Gradient Regularization

01/26/2016 ∙ by Alexander G. Ororbia II, et al. ∙ 0

Many previous proposals for adversarial training of deep neural nets have included di- rectly modifying the gradient, training on a mix of original and adversarial examples, using contractive penalties, and approximately optimizing constrained adversarial ob- jective functions. In this paper, we show these proposals are actually all instances of optimizing a general, regularized objective we call DataGrad. Our proposed DataGrad framework, which can be viewed as a deep extension of the layerwise contractive au- toencoder penalty, cleanly simplifies prior work and easily allows extensions such as adversarial training with multi-task cues. In our experiments, we find that the deep gra- dient regularization of DataGrad (which also has L1 and L2 flavors of regularization) outperforms alternative forms of regularization, including classical L1, L2, and multi- task, both on the original dataset as well as on adversarial sets. Furthermore, we find that combining multi-task optimization with DataGrad adversarial training results in the most robust performance.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 9

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Deep neural architectures are highly effective at a vast array of tasks, both supervised and unsupervised. However, recently, it has been shown that deep architectures are sensitive to certain kinds of pertubations of the input, which can range from being barely perceptible to quite noticeable (even semi-random noise), as in Nguyen et al. (2014). Samples containing this type of noise are called “adversarial examples” (Szegedy et al., 2013) and can cause a trained network to confidently misclassify its input. While there are a variety of ways to generate adversarial samples, the fastest and most effective approaches in the current literature are based on the idea of using back-propagation to acquire the derivative of the loss with respect to an input image (i.e. the gradient) and adding a small multiple of the gradient to the image.

Earlier work suggested adding a regularization penalty on the deep gradient (Goodfellow et al., 2014; Gu and Rigazio, 2014), but had difficulty in computing the derivative (with respect to the weights) of the gradient, which is necessary for gradient-descent based algorithms. Instead, they utilized approximations such as a shallow layerwise gradient penalty (Gu and Rigazio, 2014), also used for regularizing contractive auto-encoders (Gu and Rigazio, 2014). Meanwhile (Lyu et al., 2015)

also presented a heuristic algorithm for this objective.

Here we provide an efficient, deterministic back-propagation style algorithm for training with a wide variety of gradient (or rather, gradient) penalties. It would seem that the resulting algorithm has the potential for unifying existing approaches for deep adversarial training. In particular, it helps explain some of the newer approaches to adversarial training (Miyato et al., 2015; Huang et al., 2015). These approaches set up an adversarial objective as a constrained optimization problem and then approximate/simplify it using properties that hold for optimal solutions of unconstrained problems. The algorithms then developed approximate optimization (when compared to our algorithms) and can be viewed as regularizations of this deep gradient.

2 The DataGrad Framework

Given a set of loss functions

and regularizers , consider:



where is a data sample, is its corresponding label/target and represents the parameters of a

layer neural network.

111The loss could be a single objective (as in minimizing negative log likelihood for a classification task) or an objective combined with an auxiliary task, as in multi-task learning. In the latter setting, could be the regularizer for the main task and could be an optional regularizer on the secondary task, especially if the model needs to be robust with respect to that task as well. We use to denote the gradient of (the gradient of with respect to ). are the weight coefficients of the terms in the DataGrad loss function. Close to our work, (Lyu et al., 2015) present a heuristic way to optimize a special case of this objective. By directly provding an algorithm, our analysis can explain what their algorithm optimizes.

We denote the entire dataset as

. Following the framework of empirical risk minimization with stochastic gradient descent, the goal is to minimize the objective function:

by iterating the following parameter updates (here is the component of representing the weight of the incoming edge to node of layer from node of layer ):

(1)

where is the step-size coefficient.

2.1 The Derivation

The first update term of Equation 1, , is provided by standard back-propagation. For the remaining terms, since the gradient of the loss also depends on the current weights , we see that

(2)

where is a variable that takes the current value of . It turns out that these mixed partial derivatives (with respect to weights and with respect to data) have structural similarities to the Hessian (since derivatives with respect to the data are computed almost exactly the same way as the derivatives with respect to the lowest layer weights). Since exact computation of the Hessian is slow (Bishop, 1992)

, we would expect that the computation of this matrix of partial derivatives would also be slow. However, it turns out that we do not need to compute the full matrix – we only need this matrix times a vector, and hence we can use ideas reminiscent of fast Hessian multiplication algorithms

(Pearlmutter, 1994). At points of continuous differentiability, we have:

(3)

evaluated at the point and direction .222Note that Equation 3

follows from the chain rule.

The outer directional derivative with respect to the scalar can be computed using finite differences. Thus, Equations 2 and 3 mean that we can compute the term from the stochastic gradient descent update equation (Equation 1) as follows.

  1. Use standard back-propagation to simultaneously compute the vector derivatives and (note that the latter corresponds to the vector in our derivation).

  2. Analytically determine the gradient of with respect to its immediate inputs. For example, if is the penalty then the immediate gradient would be and if is the penalty, the immediate gradient would be .

  3. Evaluate the immediate gradient of at the vector . This corresponds to the adversarial direction, as is denoted by in our derivation.

  4. Form the adversarial example , where is the result of the previous step and is a small constant.

  5. Use a second back-propagation pass (with as input) to compute and then return the finite difference

2.2 The High-level View: Putting it All Together

At a high level, the loss and regularizer together serve to define an adversarial noise vector and adversarial example (where is a small constant), as explained in the previous section. Different choices of and result in different types of adversarial examples. For example, setting to be the penalty, the resulting adversarial example is the same as the fast gradient sign method of Goodfellow et al. (2014).

Putting together the components of our finite differences algorithm, the stochastic gradient descent update equation becomes:

(4)

where is the adversarial example of resulting from regularizer in conjunction with loss , and the notation here specifically means to compute the derivative using back-propagation with as an input – in other words, is not to be treated as a function of (and its components ) when computing this partial derivative.

2.3 How Prior Works Are Instances of Datagrad

Since the recent discovery of adversarial samples (Szegedy et al., 2013), a variety of remedies have been proposed to make neural architectures robust to this problem. A straightforward solution is to simply add adversarial examples during each training round of stochastic gradient descent (Szegedy et al., 2013). This is exactly what Equation 4 specifies, so that post-hoc solution can be justified as a regularization of the data gradient. Subsequent work (Goodfellow et al., 2014) introduced the objective function , where is the adversarial version of input . A gradient-based method would need to compute the derivative with respect to , which is , since the construction of depends on . Their work approximates the optimization by ignoring the third term, as it is difficult to compute. This approximation then results in an updated equation having the form of Equation 4, and hence actually optimizes the DataGrad objective. Nøkland (2015) present a variant where the deep network is trained using back-propagation only on adversarial examples (rather than a mix of adversarial and original examples). Equation 4 shows that this method optimizes the DataGrad objective with and and chosen so that the term is eliminated.

Both Huang et al. (2015) and Miyato et al. (2015) propose to optimize constrained objective functions that can be put in the form , where represents adversarial noise and the constraint puts a bound on the size of the noise. Letting be the (constrained) optimal value of for each and setting of , this is the same as the objective . The derivative of any term in the summation respect to is then equal to

(5)

Now, if were an unconstrained maximum value of , then would equal and the second term of Equation 5 would disappear. However, since is a constrained optimum and the constraint is active, the second term would generally be nonzero. Since the derivative of the constrained optimum is difficult to compute, Huang et al. (2015) and Miyato et al. (2015) opt to approximate/simplify the derivative making the second term disappear (as it would in the unconstrained case). Comparing the remaining term to Equation 4 shows that they are optimizing the DataGrad objective with and and carefully chosen to eliminate the term.

In an approach that ends up closely related to ours, (Lyu et al., 2015) consider the objective and a linearized inner version . They iteratively select by optimizing the latter and by back-propagation on the former (with fixed). Since the update is not directly minimizing the linearized objective, (Lyu et al., 2015) claimed the procedure was only an approximation of what we call the DataGrad objective. However, their method devolves to training on adversarial examples, so as before, Equation 4 shows they are actually optimizing the DataGrad objective but with and and carefully chosen to eliminate the term.

Finally, Gu and Rigazio (2014) penalizes the Frobenius norm of the deep gradient. However, they do this with a shallow layer-wise approximation. Specifically, they note that shallow contractive auto-encoders optimize the same objective for shallow (1-layer) networks and that the gradient of the gradient can be computed analytically in those cases Gu and Rigazio (2014). Thus, Gu and Rigazio (2014) applies this penalty layer by layer (hence it is a penalty on the derivative of each layer with respect to its immediate inputs) and uses this penalty as an approximation to regularizing the deep gradient. Since DataGrad does regularize the deep gradient, the work of Gu and Rigazio (2014) can also be viewed as an approximation to DataGrad.

Thus, DataGrad provides a unifying view of previously proposed optimizations for training deep architectures that are resilient to adversarial noise.

(a) Performance on L1 adversarial samples.
(b) Performance on L2 adversarial samples.
Figure 1: Model performance when each model is its own adversary. Note that on the x-axis indicates degree of ( or ) noise used to create adversarial samples. Terms in the legend refer to specific architectures (e.g., L2 refers to the L2-regularized network).

3 Experimental Results

Given that we have shown that previous approaches are instances of the general DataGrad framework, it is not our intention to replicate prior work. Rather, we intend to not only test the effectiveness of our finite difference approximation but to also show that one can flexibly use DataGrad in other scenarios, such as adding multi-task cues within the adversarial framework. To test the proposed DataGrad framework, we conduct experiments using the permutation-invariant MNIST data-set 333http://yann.lecun.com/exdb/mnist/., comprised of 60,000 training samples and 10,000 testing samples. A validation subset of 10,000 samples (randomly sampled without replacement from the training split) was used for tuning architecture meta-parameters via a coarse grid-search. Image features were gray-scale pixel values of which we normalized to the range of

. We find that turning our attention first to an image classification problem like MNIST is appropriate since the adversarial problem was first presented in the context of computer vision problems. Investigation of our framework’s usefulness in domains such as text is left for future work.

In this study, we experiment with two concrete instantiations of the DataGrad framework, namely DataGrad-L1 (DGL1) and DataGrad-L2 (DGL2). By setting , letting freely vary as a meta-parameter and for , and , choosing to be the L1 penalty results in DGL1 while choosing the L2 penalty yields DGL2. As a result, DataGrad becomes a regularization algorithm on either the or norm of the gradient of the loss . In this setup, DataGrad requires two forward passes and two backward passes to perform a weight update.

We are interested in evaluating how DataGrad compares to conventional and non-conventional forms of regularization. Beyond traditional and regularization of the network parameters ( and , respectively), we also experimented with the regularizing effect that multi-task learning (M T) has on parameter learning in the interest of testing whether or not having an auxiliary objective could introduce any robustness to adversarial samples in additional to improved generalization. In order to do so, we designed a dual-task rectifier network with two disjoint sets of output units, each connected to the penultimate hidden layer by a separate set of parameters (i.e, for task 0, for task 1). The leftmost branch is trained to predict one of the 10 original target digit labels associated with an image (as in the original MNIST task set-up) which corresponds to loss , while the rightmost branch is trained to predict one of five artificially constructed categories pertaining to the discretized degree of rotation of the image, which corresponds to loss .444This auxiliary task consists of essentially predicting whether a given sample has been artificially rotated , to the left, to the left, to the right, or to the right. To automatically generate these auxiliary labels, we artificially rotate each sample in the training set 5 times (once for each category) and record that rotation as a label. This could be viewed as a form of data-set expansion, which generally leads to improved generalization ability. However, since we assign an artificial label from a different task to accompany each sample, we use the expanded training set to create a different optimization problem. The multi-objective optimization problem for this set-up then becomes:

(6)

where is a coefficient that controls the influence of the auxiliary objective on the overall parameter optimization problem. Note that we have extended Equation 6 to include a DataGrad term, which may either be of L1 form, MT-DGL1, or of L2 form, MT-DGL2. All regularized architectures are compared against the baseline sparse rectifier network, Rect.

(a) Simple rectifier network is the adversary.
(b) Multi-task rectifier network is the adversary.
Figure 2: Model performance when the adversarial architecture is the same, either simple (Rect) or multi-task (MT). Note that on the x-axis indicates degree of noise applied to create adversarial samples.

We implemented several deep sparse rectifier architectures (Glorot et al., 2011) (3 hidden layers, each with 784 latent variables–parameters were initialized following the scheme of He et al. (2015)), which were all to be trained in a gradient descent framework under the various regularization schemes described earlier. Mini-batches of size 100 were used for calculating each parameter update. Hyper-parameters and ranges searched included the and coefficients for controlling DataGrad, the and penalty coefficients (which would simply appear as , as in Appendix A) for controlling the classical regularization terms, the auxiliary objective weight, and the gradient descent step-size . We did not use any additional gradient-descent heuristics (i.e., momentum, adaptive learning rates, drop-out, etc.) for simplicity, since we are interested in investigating the effect that the regularizers have on model robustness to adversarial samples.

To evaluate the above architectures in the adversarial setting, we conduct a series of experiments where each trained model plays the role of “attacker”. An adversarial test-set, comprised of 10,000 samples, is generated from the attacking model via back-propagation, using the derivative of the loss with respect to the model’s inputs followed by the application of the appropriate regularizer function (either or ) to create the noise. The amount of noise applied is controlled by , which we varied along the values , which corresponds to maximal pixel gains of (0 would mean be equivalent to using the original test-set). Generalization performances reported in all figures in this section are of the architectures that achieved best performance on the validation subset (consult Appendix A for a full treatment of performance across a range of and values).

=
0.0
0.005
0.01
0.05
0.1
Rect-MLP
               
=
0.0
0.005
0.01
0.05
0.1
Rect-L1
               
=
0.0
0.005
0.01
0.05
0.1
Rect-DG
               
Figure 3: Adversarial test-set accuracy ( corresponds to original test-split) and samples generated from a deep sparse rectifier network in the case of (starting from top of diagram to bottom): (1), no regularization, (2), L1-regularization, and (3), L1 DataGrad-regularization. The measures reported here are when each model is used to attack itself (akin to the malicious user using the exact same architecture to generate samples).

We observe in Figures 1, 2, and 3 that a DataGrad-regularized architecture outperforms the non-regularized baseline as well as alternatively-regularized ones. Note that the accuracy in Figure 1 only drops to as low as 92% in the worst case, meaning that samples seem to cause only minimal damage and should be much less of a concern than samples (which would be akin to generating noise via the fast gradient sign method).555Note that in the case of noise, DataGrad-L2 yields slightly more robust performance in this scenario, closely followed by DataGrad-L1, which makes intuitive sense. With respect to using only an auxiliary objective to regularize the model (MT), in both Figures 1, 2, we often see that a dual-task model performs the worst when adversarial noise is introduced, surprisingly even more so than the simple rectifier baseline. Figure 2 shows that when the non-regularized multi-task architecture is attacked by itself, its error can drop as low as nearly 1%. However, when a DataGrad term is added to the multi-task objective, we achieve nearly no loss in classification performance. This means that a multi-task, DataGrad-regularized rectifier network appears to be quite robust to adversarial samples (of either or

form) either generated from itself or other perceptron architectures (

DGL1 moreso than DGL2).

Classical and regularizers appear to to mitigate some of the damage in some instances, but seemingly only afford at best only modest robustness to adversarial perturbation. In contrast, the proposed DGL1 and DGL2 regularizers appear to yield a significant reduction in error on all of the various adversarial test-sets, the improvement clearer as is increased (as evidenced in Figure 3). The visualization of some adversarial samples in Figure 3

demonstrates that even when more noise is applied to generate stronger adversarials, the samples themselves are still quite recognizable to the human eye. However, a neural architecture, such as a deep rectifier network, is sensitive to adversarial noise and incorrectly classifies these images. In addition to robustness against adversarial samples, we also observe improved classification error on the original test-set when using

DataGrad or multi-task DataGrad, the DGL1 and MT-DGL1 variants offering the lowest error of all. For further experimental results exploring the performance and sensitivity of DataGrad to its meta-parameters (including when other architectures are the adversary), we defer the reader to Appendix A.

Conclusion

Here we have shown how previous proposals can be viewed as instances of a simple, general framework and provide an efficient, deterministic adversarial training procedure, DataGrad. The simplicity of the framework allows for easy extensions, such as adding multi-task cues as another signal to be combined with adversarial training. Empirically, we found that general DataGrad regularization not only significantly reduces error (especially so when combined with a multi-task learning objective) in classifying adversarial samples but also improves generalization. We postulate a reason for this is that adversarial samples generated during the DataGrad learning phase potentially cover more of the underlying data manifold (yielding benefits similar to data-set expansion).

Since DataGrad is effectively a “deep” data-driven penalty, it may be used in tandem with most training objective functions (whether supervised, unsupervised Bengio et al. (2007), or hybrid Ororbia II et al. (2015)). Future work entails further improving the efficiency of the proposed DataGrad back-propagation procedure and investigating our procedure in a wider variety of settings.

References

Appendix A: Detailed Results

In this appendix, to augment the experimental results presented in Section 3, we present the generalization performances of the regularized (and non-regularized models) under various settings of their key hyper-parameters. This particularly applies to and (when applicable). All model performances reported are those with the learning rate and auxiliary objective weight meta-parameters fixed at the value that yielded best validation set performance. Furthermore, each table represents a different adversarial scenario, where a different architecture was selected to be the generator of adversarial examples. In each table, two lines are bolded, one for the single-task architecture and one for the multi-task model that achieves the most robust performance across all noise values of . We do not report the same adversarial scenarios for noise, as we found that it had little impact on model generalization ability (as was seen in Section 3).

One key observation to take from this set of experiments on the MNIST dataset is that DataGrad, particularly the L1 form, achieves the greatest level of robustness to adversarial samples in all settings when the and are relatively higher. This is especially so when a DataGrad (L1) term is combined with the multi-task objective. Note that this appears to be true no matter the adversary (even a DataGrad- or multi-task-regularized one).

We remark that perhaps even further performance improvement could be obtained if one added an additional DataGrad term to the auxiliary objective. In particular, this would apply to the rarer setting when one would also desire additional adversarial robustness with respect to the auxiliary objective. Tables 1-8, presented over the next several pages, contain the full adversarial setting results.

Model
= 0.0
= 0.005
= 0.01
= 0.05
= 0.1
DGL1 0.0001 0.01
DGL1 0.0001 0.05
DGL1 0.0001 0.1
DGL1 0.001 0.01
DGL1 0.001 0.05
DGL1 0.001 0.1
DGL1 0.01 0.01
DGL1 0.01 0.05
DGL1 0.01 0.1
DGL2 0.0001 0.01
DGL2 0.0001 0.05
DGL2 0.0001 0.1
DGL2 0.001 0.01
DGL2 0.001 0.05
DGL2 0.001 0.1
DGL2 0.01 0.01
DGL2 0.01 0.05
DGL2 0.01 0.1
L1 0.0001
L1 0.001
L1 0.01
L1 0.1
L2 0.0001
L2 0.001
L2 0.01
L2 0.1
Rect
MT-DGL2 0.001 0.01
MT-DGL2 0.001 0.05
MT-DGL2 0.001 0.1
MT-DGL2 0.01 0.01
MT-DGL2 0.01 0.05
MT-DGL2 0.01 0.1
MT-DGL2 0.1 0.01
MT-DGL2 0.1 0.05
MT-DGL2 0.1 0.1
MT-DGL1 0.001 0.01
MT-DGL1 0.001 0.05
MT-DGL1 0.001 0.1
MT-DGL1 0.01 0.01
MT-DGL1 0.01 0.05
MT-DGL1 0.01 0.1
MT-DGL1 0.1 0.01
MT-DGL1 0.1 0.05
MT-DGL1 0.1 0.1
MT
Table 1: Comparative results where all models are attacked by a simple rectifier network, Rect, using Laplacian () adversarial noise.
Model
= 0.0
= 0.005
= 0.01
= 0.05
= 0.1
DGL1 0.0001 0.01
DGL1 0.0001 0.05
DGL1 0.0001 0.1
DGL1 0.001 0.01
DGL1 0.001 0.05
DGL1 0.001 0.1
DGL1 0.01 0.01
DGL1 0.01 0.05
DGL1 0.01 0.1
DGL2 0.0001 0.01
DGL2 0.0001 0.05
DGL2 0.0001 0.1
DGL2 0.001 0.01
DGL2 0.001 0.05
DGL2 0.001 0.1
DGL2 0.01 0.01
DGL2 0.01 0.05
DGL2 0.01 0.1
L1 0.0001
L1 0.001
L1 0.01
L1 0.1
L2 0.0001
L2 0.001
L2 0.01
L2 0.1
Rect
MT-DGL2 0.001 0.01
MT-DGL2 0.001 0.05
MT-DGL2 0.001 0.1
MT-DGL2 0.01 0.01
MT-DGL2 0.01 0.05
MT-DGL2 0.01 0.1
MT-DGL2 0.1 0.01
MT-DGL2 0.1 0.05
MT-DGL2 0.1 0.1
MT-DGL1 0.001 0.01
MT-DGL1 0.001 0.05
MT-DGL1 0.001 0.1
MT-DGL1 0.01 0.01
MT-DGL1 0.01 0.05
MT-DGL1 0.01 0.1
MT-DGL1 0.1 0.01
MT-DGL1 0.1 0.05
MT-DGL1 0.1 0.1
MT
Table 2: Comparative results where all models are attacked by the L1-regularized rectifier network, L1, using Laplacian () adversarial noise..
Model
= 0.0
= 0.005
= 0.01
= 0.05
= 0.1
DGL1 0.0001 0.01
DGL1 0.0001 0.05
DGL1 0.0001 0.1
DGL1 0.001 0.01
DGL1 0.001 0.05
DGL1 0.001 0.1
DGL1 0.01 0.01
DGL1 0.01 0.05
DGL1 0.01 0.1
DGL2 0.0001 0.01
DGL2 0.0001 0.05
DGL2 0.0001 0.1
DGL2 0.001 0.01
DGL2 0.001 0.05
DGL2 0.001 0.1
DGL2 0.01 0.01
DGL2 0.01 0.05
DGL2 0.01 0.1
L1 0.0001
L1 0.001
L1 0.01
L1 0.1
L2 0.0001
L2 0.001
L2 0.01
L2 0.1
Rect
MT-DGL2 0.001 0.01
MT-DGL2 0.001 0.05
MT-DGL2 0.001 0.1
MT-DGL2 0.01 0.01
MT-DGL2 0.01 0.05
MT-DGL2 0.01 0.1
MT-DGL2 0.1 0.01
MT-DGL2 0.1 0.05
MT-DGL2 0.1 0.1
MT-DGL1 0.001 0.01
MT-DGL1 0.001 0.05
MT-DGL1 0.001 0.1
MT-DGL1 0.01 0.01
MT-DGL1 0.01 0.05
MT-DGL1 0.01 0.1
MT-DGL1 0.1 0.01
MT-DGL1 0.1 0.05
MT-DGL1 0.1 0.1
MT
Table 3: Comparative results where all models are attacked by the L2-regularized rectifier network, L2, using Laplacian () adversarial noise.
Model
= 0.0
= 0.005
= 0.01
= 0.05
= 0.1
DGL1 0.0001 0.01
DGL1 0.0001 0.05
DGL1 0.0001 0.1
DGL1 0.001 0.01
DGL1 0.001 0.05
DGL1 0.001 0.1
DGL1 0.01 0.01
DGL1 0.01 0.05
DGL1 0.01 0.1
DGL2 0.0001 0.01
DGL2 0.0001 0.05
DGL2 0.0001 0.1
DGL2 0.001 0.01
DGL2 0.001 0.05
DGL2 0.001 0.1
DGL2 0.01 0.01
DGL2 0.01 0.05
DGL2 0.01 0.1
L1 0.0001
L1 0.001
L1 0.01
L1 0.1
L2 0.0001
L2 0.001
L2 0.01
L2 0.1
Rect
MT-DGL2 0.001 0.01
MT-DGL2 0.001 0.05
MT-DGL2 0.001 0.1
MT-DGL2 0.01 0.01
MT-DGL2 0.01 0.05
MT-DGL2 0.01 0.1
MT-DGL2 0.1 0.01
MT-DGL2 0.1 0.05
MT-DGL2 0.1 0.1