Article Preview
Top1. Introduction
Generative models have become the dominant form of data generation tool in recent years due to their vastly superior results and optimized method. Goodfellow (2017) showed how Adversarial Learning can be used as a technique by training two networks simultaneously, by training them together under a single loss signal, in order to produce better results. This paper looks into this methodology of adversarially training samples for the use case of producing noisy images for attacking image classifiers. Several previous models using adversarial learning have shown to create images that are extremely close to their original training sample (Arjovsky & Bottou, 2017), which only helps us to use this method for creating a Deep Convolutional Generative Adversarial Network based architecture that can create the aforementioned noisy images. Previously tried and tested models exist that use Generative Adversarial networks as their base networks. These include: Deep Convolutional Generative Adversarial Networks (Radford, Metz, & Chintala, 2015) which use a convolutional neural network as it's discriminator and a deconvolutional neural network as a generator for generating images. Radford et al. (Radford, Metz, & Chintala, 2015) use various techniques for their network, including the All-Convolutional Neural Network (Springenberg, Dosovitskiy, Brox, & Riedmiller, 2014) which replaces the commonly used max-pooling layer with another convolutional layer that contains a stride of 2 that provides the same functionality on their dataset, along with the famously used Batch Normalization(Ioffe & Szegedy, 2015). Earth Mover’s distance (Hou, Yu, & Samaras, 2016) is used in Wasserstein GAN(Arjovsky, Chintala, & Bottou, 2017) as the loss function to compare and analyse the difference between the histogram of the original dataset and the one that needs to be generated; and Bayesian GAN(Saatchi & Wilson, 2017) which takes advantage of the Bayesian function to approximate the probability density of the original dataset and the generated samples uses it as the loss function.
The aforementioned architectures produce remarkable results in their own field of image generation from the original dataset. However, these architectures fail to meet the need for adversarial image generation as the requirement for the same is that the image generated by the network must work in tandem with the original image to produce a new noisy image layer that must then be applied to the original dataset to produce a classification of that same original classifier. this intricate process involves an intermediary step for the generation of the noisy image that these legacy networks cannot make. Hence, this paper takes inspiration from Goodfellow et al. (Goodfellow, Shlens, & Szegedy, 2014), which uses a method called Fast Sign Gradient Method. This method trains the loss function of the classifier and that of the noise generator as a combined function using the following equation:
In the equation above, the noise layer is denoted by , the original image is denoted by x, the magnitude of the perturbations is ϵ, is the truth label y and the noise parameter is Θ. The loss function for the same is given by .
In another method proposed by Papernot et al. (2015), Jacobian-Based Saliency Map, the author of the paper uses an input image xin a model f that has a classification metric j and a target classification t where the difference between the probability of classification t and jis reduced and all other classification differences are increased using the following equation: