Spaces:
Running
Running
adaptive
Browse files- index.html +25 -15
index.html
CHANGED
@@ -39,17 +39,14 @@
|
|
39 |
e.preventDefault();
|
40 |
if (!$(this).hasClass('selected')) {
|
41 |
|
42 |
-
console.log('event')
|
43 |
$('.formula').hide(200);
|
44 |
$('.formula-list > a').removeClass('selected');
|
45 |
$(this).addClass('selected');
|
46 |
var target = $(this).attr('href');
|
47 |
-
// alert(target)
|
48 |
-
console.log(target)
|
49 |
$(target).show(200);
|
50 |
}
|
51 |
});
|
52 |
-
|
53 |
})
|
54 |
</script>
|
55 |
|
@@ -253,15 +250,11 @@
|
|
253 |
<div class="container is-max-desktop">
|
254 |
<h2 class="title is-3">Neighborhood Relations of Benign Examples and AEs</h2>
|
255 |
<div class="columns is-centered">
|
256 |
-
<div class="column container-centered
|
257 |
<img src="./static/images/relations.jpg" alt="Neighborhood Relations of Benign Examples and AEs"/>
|
258 |
-
|
259 |
-
|
260 |
-
|
261 |
-
<div class="column has-text-justified is-four-fifths">
|
262 |
-
<p>
|
263 |
-
<strong>Figure 1. Neighborhood Relations of Benign Examples and AEs.</strong>
|
264 |
-
</p>
|
265 |
</div>
|
266 |
</div>
|
267 |
<div class="columns is-centered">
|
@@ -422,6 +415,23 @@
|
|
422 |
|
423 |
<div class="container is-max-desktop">
|
424 |
<h2 class="title is-3">Adaptive Attack</h2>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
425 |
<div class="columns is-centered">
|
426 |
<div class="column container-centered">
|
427 |
<div id="adaptive-loss-formula" class="container">
|
@@ -435,17 +445,17 @@
|
|
435 |
<span id="label-loss" class="formula" style="">
|
436 |
$$
|
437 |
\displaystyle
|
438 |
-
Loss_{
|
439 |
$$
|
440 |
</span>
|
441 |
<span id="representation-loss" class="formula" style="display: none;">
|
442 |
$$
|
443 |
\displaystyle
|
444 |
-
Loss_{
|
445 |
$$
|
446 |
</span>
|
447 |
<span id="total-loss" class="formula" style="display: none;">
|
448 |
-
$$\displaystyle \mathcal{L}_C(x+\delta, y_t) +
|
449 |
</span>
|
450 |
</div>
|
451 |
</div>
|
|
|
39 |
e.preventDefault();
|
40 |
if (!$(this).hasClass('selected')) {
|
41 |
|
|
|
42 |
$('.formula').hide(200);
|
43 |
$('.formula-list > a').removeClass('selected');
|
44 |
$(this).addClass('selected');
|
45 |
var target = $(this).attr('href');
|
|
|
|
|
46 |
$(target).show(200);
|
47 |
}
|
48 |
});
|
49 |
+
|
50 |
})
|
51 |
</script>
|
52 |
|
|
|
250 |
<div class="container is-max-desktop">
|
251 |
<h2 class="title is-3">Neighborhood Relations of Benign Examples and AEs</h2>
|
252 |
<div class="columns is-centered">
|
253 |
+
<div class="column container-centered">
|
254 |
<img src="./static/images/relations.jpg" alt="Neighborhood Relations of Benign Examples and AEs"/>
|
255 |
+
<p>
|
256 |
+
<strong>Figure 1. Neighborhood Relations of Benign Examples and AEs.</strong>
|
257 |
+
</p>
|
|
|
|
|
|
|
|
|
258 |
</div>
|
259 |
</div>
|
260 |
<div class="columns is-centered">
|
|
|
415 |
|
416 |
<div class="container is-max-desktop">
|
417 |
<h2 class="title is-3">Adaptive Attack</h2>
|
418 |
+
|
419 |
+
<div class="columns is-centered">
|
420 |
+
<div class="column has-text-justified">
|
421 |
+
<p>
|
422 |
+
Attackers can design adaptive attacks to try to bypass BEYOND when the attacker knows all the parameters of the model
|
423 |
+
and the detection strategy. For an SSL model with a feature extractor $$f$$, a projector $$h$$, and a classification head $$g$$,
|
424 |
+
the classification branch can be formulated as $$\mathbb{C} = f\circ g$$ and the representation branch as $$\mathbb{R} = f\circ h$$.
|
425 |
+
To attack effectively, the adversary must deceive the target model while guaranteeing the label consistency and representation similarity of the SSL model.
|
426 |
+
|
427 |
+
where $$\mathcal{S}$$ represents cosine similarity, $$k$$ represents the number of generated neighbors,
|
428 |
+
and the linear augmentation function $$W(x)=W(x,p);~p\sim P$$ randomly samples $$p$$ from the parameter distribution $$P$$ to generate different neighbors.
|
429 |
+
Note that we guarantee the generated neighbors are fixed each time by fixing the random seed. The adaptive adversaries perform attacks on the following objective function:
|
430 |
+
|
431 |
+
where $$\mathcal{L}_C$$ indicates classifier's loss function, $$y_t$$ is the targeted class, and $$\alpha$$ refers to a hyperparameter.
|
432 |
+
</div>
|
433 |
+
</div>
|
434 |
+
|
435 |
<div class="columns is-centered">
|
436 |
<div class="column container-centered">
|
437 |
<div id="adaptive-loss-formula" class="container">
|
|
|
445 |
<span id="label-loss" class="formula" style="">
|
446 |
$$
|
447 |
\displaystyle
|
448 |
+
Loss_{label} = \frac{1}{k} \sum_{i=1}^{k} \mathcal{L}\left(\mathbb{C}\left(W^i(x+\delta) \right), y_t\right)
|
449 |
$$
|
450 |
</span>
|
451 |
<span id="representation-loss" class="formula" style="display: none;">
|
452 |
$$
|
453 |
\displaystyle
|
454 |
+
Loss_{repre} = \frac{1}{k} \sum_{i=1}^{k}\mathcal{S}(\mathbb{R}(W^i(x+\delta)), \mathbb{R}(x+\delta))
|
455 |
$$
|
456 |
</span>
|
457 |
<span id="total-loss" class="formula" style="display: none;">
|
458 |
+
$$\displaystyle \mathcal{L}_C(x+\delta, y_t) + Loss_{label} - \alpha \cdot Loss_{repre}$$
|
459 |
</span>
|
460 |
</div>
|
461 |
</div>
|