On May 7th, the fifth lesson, “MindSpore Model Robustness Assessment Tool”, of the online open course run by Machine Heart and Huawei Ceng Institute was completed. Lecturer Liu Zhidan presented the topic “MindSpore Model Robustness Assessment Tool”. The video replay of lesson 5 is as follows:
In the Q&A section of lesson 5, some questions came up repeatedly; Liu Zhidan has selected and edited them for your reference.
Lesson 5 Questions and answers
Q1: Why use the sign function?
Q2: Does accuracy decrease after adding defense algorithms?
Not necessarily. The defense algorithm uses adversarial training: it generates adversarial samples and adds them to the original data set, and the model is trained on both together. The resulting model parameters differ slightly from those obtained with the original data set alone. This difference may change the accuracy on the test set, which may decrease or increase.
Q3: What is the effect of adding defense algorithms on training time?
Adversarial training differs from normal model training in that it adds a step that generates adversarial samples, so the added computational overhead is the cost of generating those samples. The time varies with the algorithm: with a simple attack algorithm such as FGSM, the added time is very small; with a stronger attack such as CW, the time cost is higher. Users need to select an appropriate attack algorithm based on their own requirements, time budget and security requirements.
Q4: What is the impact on inference time if adversarial training is added?
It has no effect on inference. After training, the model is the same as a normal model, so the inference time is the same as the original model's.
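The overhead described in Q3 and the unchanged inference path in Q4, as an added example that is not from the course or from MindArmour. It assumes a small pure-Python logistic regression in place of a neural network, and uses a 10-step iterative attack as a stand-in for a stronger, costlier method such as CW; all function names and the data are constructed for illustration.

```python
import math
import random

def predict(w, b, x):
    """Inference is one dot product, whether or not the model was hardened."""
    return 1.0 / (1.0 + math.exp(-(sum(wi * xi for wi, xi in zip(w, x)) + b)))

def perturb(w, b, x, y, eps, steps):
    """steps=1 is FGSM; steps>1 is an iterative variant (stand-in for a stronger attack)."""
    adv = list(x)
    for _ in range(steps):
        err = predict(w, b, adv) - y               # d(loss)/d(logit)
        grad = [err * wi for wi in w]              # d(loss)/d(input)
        adv = [a + (eps / steps) * ((g > 0) - (g < 0)) for a, g in zip(adv, grad)]
    return adv

def train(data, epochs=30, lr=0.1, eps=0.0, steps=0):
    """Return (w, b, gen_passes); steps=0 is normal training."""
    w, b, gen_passes = [0.0, 0.0], 0.0, 0
    for _ in range(epochs):
        for x, y in data:
            batch = [(x, y)]
            if steps:  # the extra step that adversarial training adds
                batch.append((perturb(w, b, x, y, eps, steps), y))
                gen_passes += steps  # one gradient pass per attack step
            for xi, yi in batch:
                err = predict(w, b, xi) - yi
                w = [wj - lr * err * xj for wj, xj in zip(w, xi)]
                b -= lr * err
    return w, b, gen_passes

def make_data(n=100, seed=0):
    """Constructed sample data: two Gaussian blobs around (-1,-1) and (1,1)."""
    rng = random.Random(seed)
    return [([rng.gauss(c, 0.5), rng.gauss(c, 0.5)], float(c > 0))
            for c in (1.0 if i % 2 else -1.0 for i in range(n))]

def accuracy(w, b, data, eps=0.0):
    """Accuracy on clean inputs (eps=0) or on FGSM-perturbed inputs."""
    hits = 0
    for x, y in data:
        xe = perturb(w, b, x, y, eps, 1) if eps else x
        hits += (predict(w, b, xe) > 0.5) == (y == 1.0)
    return hits / len(data)

if __name__ == "__main__":
    data = make_data()
    for name, steps in (("normal", 0), ("FGSM", 1), ("10-step", 10)):
        w, b, passes = train(data, eps=0.3, steps=steps)
        print(name, passes, accuracy(w, b, data), accuracy(w, b, data, eps=0.3))
```

The third value returned by `train` counts only the gradient passes spent generating adversarial samples, so it isolates the cost that grows with attack strength; `predict` is the same function for all three models.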
Q5: Is the adversarial sample used in adversarial training the same as the adversarial sample used in post-defense testing?
Not the same. Training and testing can use the same adversarial sample generation method, or different ones.
Q6: What’s the difference with CleverHans?
MindArmour and CleverHans have the same starting point: both are for research on model security against adversarial samples. In terms of features provided, MindArmour is more comprehensive, including the generation and detection of adversarial samples, model defense, an evaluation module for adversarial attack and defense, and a model robustness test module based on fuzzing.
If you have more questions, please follow MindSpore’s Gitee and GitHub and raise issues at any time. The official staff will answer them in time:
- Gitee: gitee.com/mindspore
- GitHub: github.com/mindspore-a…
Lesson 5 PPT is as follows: