Files
logseq/pages/hls__SANER2024_paper_194_1700084424094_0.md
2025-06-05 22:07:12 +02:00

295 lines
12 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
file:: [SANER2024_paper_194_1700084424094_0.pdf](../assets/SANER2024_paper_194_1700084424094_0.pdf)
file-path:: ../assets/SANER2024_paper_194_1700084424094_0.pdf
- Most existing works reveal that the deep learning system is extremely susceptible to adversarial examples (AEs)
ls-type:: annotation
hl-page:: 1
hl-color:: green
id:: 6575f969-93b9-4193-b1e5-fc2d99dd4927
- optimized gradient-based technologies in white-box testing
ls-type:: annotation
hl-page:: 1
hl-color:: purple
id:: 6575f97a-99a2-4368-8506-d1760dd988c5
hl-stamp:: 1702230397595
- formal analysis between gradient-based attack and loss minima of the loss function to prove that powerful adversaries will share similar feature representations with a high probability.
ls-type:: annotation
hl-page:: 1
hl-color:: purple
id:: 6575f9a5-9503-43bc-8289-588ccbb928cd
- our results prove that AEs can efficiently discover the vulnerability of DL model but are not suitable to explore more inner logic as test suites
ls-type:: annotation
hl-page:: 1
hl-color:: purple
id:: 6575f9cb-a047-4cd7-9696-78deac13e7f2
- opacity of DL decisions renders it difficult to understand the trustworthiness of the model in response to open-world scenarios
ls-type:: annotation
hl-page:: 1
hl-color:: green
id:: 6575f9e7-9dfd-46bc-b262-ef059b0946ec
- DL model should have a more rigorous test process and more predictable test outcomes, in order to prove the robustness and security of the model
ls-type:: annotation
hl-page:: 1
hl-color:: green
id:: 6575f9fb-2f6b-414e-a68c-3f04f2841906
- “ISO/IEC TR 2911911 Software Testing - Guidelines on the testing of AI-based systems
ls-type:: annotation
hl-page:: 1
hl-color:: purple
id:: 6575fa27-6d2d-44a0-b41d-4557c3701eff
- DL testing should basically satisfy the following requirements: (1) high defects revealing-ability, (2) test suites should be more diverse (i.e., triggering different logic), and(3) test adequacy assurance (i.e., coverage criteria)
ls-type:: annotation
hl-page:: 1
hl-color:: purple
id:: 6575fa6a-4509-497d-984e-40d247cc0835
- the decision logic of DL model follows a data-driven programming paradigm which is determined by training data rather than code logic
ls-type:: annotation
hl-page:: 1
hl-color:: purple
id:: 6575facc-59b7-43b4-8e16-96651ad23617
- Empirical studies [3] suggest that preventing adversaries from computing effective AEs is unattainable until now, which gives adequate confidence to DL testers that AEs can achieve a high fault-revealing rate whatever the robustness degree of given DL model
ls-type:: annotation
hl-page:: 1
hl-color:: purple
id:: 6575fb8c-c5b4-430f-ade9-bc145a087250
- Following this line, the optimized adversary will perturb the original example along with several specific feature representations to minimize the loss between the correct class and the targeted class.
ls-type:: annotation
hl-page:: 1
hl-color:: green
id:: 6575fc1a-1aae-4a27-9e4f-9ffd4b0db619
- Generally, although adversarial examples can efficiently detect the vulnerability of DL model, they are not suitable to be test suites from the perspective of test adequacy. It remains an open question that what is the best test suites generation technology
ls-type:: annotation
hl-page:: 1
hl-color:: purple
id:: 6575fc29-2ab6-4ff1-9214-c7eeaff40e66
- theoretical understanding of adversarial attacks from the perspective of connections between gradients geometrical properties and local minima of the loss function
ls-type:: annotation
hl-page:: 1
hl-color:: green
id:: 6575fc58-fc9a-47ea-9322-eabb9416f7a5
- optimized AEs tend to fall into several limited local minima.
ls-type:: annotation
hl-page:: 1
hl-color:: green
id:: 6575fc5e-aa50-4a91-aeb7-f7a4d124500e
- we then combine feature visualization technologies[8] and optimized gradient-based attack algorithms to reveal AEs share similar feature representations
ls-type:: annotation
hl-page:: 1
hl-color:: green
id:: 6575fc73-d773-4f24-b1d4-7cebde97d1db
- multi-objective search techniques can produce more diverse test suites and cover more decision logic.
ls-type:: annotation
hl-page:: 1
hl-color:: purple
id:: 6575fd79-3da1-4a44-a4b0-34c40b5bf882
- theoretical analysis that the optimized AEs have similar feature representation
ls-type:: annotation
hl-page:: 1
hl-color:: green
id:: 6575fdcf-a11b-424d-8d93-2affba291eb3
- easons of AEs can increase common coverage criteria
ls-type:: annotation
hl-page:: 1
hl-color:: green
id:: 6575fdde-9130-4657-9b00-c2e1f9e5f0c6
- earch-based technologies have promising performance compared with AEs
ls-type:: annotation
hl-page:: 2
hl-color:: purple
id:: 6575fdfc-9b5b-46e3-8fb7-8d972a9b4ef5
- F(Θ, x, y)
ls-type:: annotation
hl-page:: 2
hl-color:: yellow
id:: 6575fe4a-23d3-4ef9-a0e0-b2fb8e820abb
- weight W and gradient G of the trained model.
ls-type:: annotation
hl-page:: 2
hl-color:: green
id:: 6575fe88-160b-4af2-8180-8a09adc28b65
- s
ls-type:: annotation
hl-page:: 2
hl-color:: red
id:: 6575fe97-bcb4-4ec5-915f-24760ec740fb
- d
ls-type:: annotation
hl-page:: 2
hl-color:: red
id:: 6575feb6-1a83-4f34-a46f-40f6b918d35e
- ||δ|| ≤ ϵ
ls-type:: annotation
hl-page:: 2
hl-color:: green
id:: 6575ff2d-8286-4737-b715-cc30c39a854c
- classification loss L(FΘ(x + δ), y)
ls-type:: annotation
hl-page:: 2
hl-color:: yellow
id:: 6575ff46-9ff0-48a3-9507-d3ceb182b021
hl-stamp:: 1702238837835
- first-order adversarial attack
ls-type:: annotation
hl-page:: 2
hl-color:: green
id:: 6575ff5d-8dfe-488f-ac51-3ed607dbb67b
- requires rigorous testing before deployment
ls-type:: annotation
hl-page:: 3
hl-color:: green
id:: 65761905-fe5a-483f-8e0a-e20d76730180
- Testing is checking whether the actual outputs match the expected ones and ensure that the system is defect free from the perspective of software engineering, which comprises following key test procedures (i) requirement analysis, (ii) test suites generation, (iii) test oracle generation, and (iv) test evaluation
ls-type:: annotation
hl-page:: 3
hl-color:: green
id:: 6576191a-90b8-48a8-9718-961af7dd697f
- More specifically, there are several optimized gradient-based adversarial attack techniques have successfully proved that neural network is extremely susceptible to adversarial examples, such as PGD, C&W.
ls-type:: annotation
hl-page:: 3
hl-color:: red
id:: 6576193b-cd14-43d8-8c3a-7ba7ec20cf48
- verage-based test suites generation approaches which intend to explore more internal decision logic of the neural network
ls-type:: annotation
hl-page:: 3
hl-color:: green
id:: 65761943-4b65-420d-aa7f-95498a835ca3
- [?], [?], [?], [?],
ls-type:: annotation
hl-page:: 3
hl-color:: red
id:: 65761969-09aa-489f-9761-4aadfa2e449a
- Goodfellow et al. [4] argue that the main reason for AEs comes from the linear part of the model, in which the perturbation can significantly magnify as the dimension of weight increases
ls-type:: annotation
hl-page:: 3
hl-color:: green
id:: 6576198c-cbb9-439a-8fd4-7f00d612118f
- AEs arise when data lies on a lower dimensional manifold in a high dimensional space.
ls-type:: annotation
hl-page:: 3
hl-color:: green
id:: 657619a1-eaba-4ccd-a331-4ce22784424d
- some papers explore to explanations in the data, such as insufficient training data, and the extremely exceptional samples in the data se
ls-type:: annotation
hl-page:: 3
hl-color:: green
id:: 657619ba-7612-483c-9911-90b546a309c8
- robust features (useful and semantic-related)
ls-type:: annotation
hl-page:: 3
hl-color:: green
id:: 657619c7-42fe-4283-80ae-df08a1d051b3
- Further studies point out that the existence of robust features (useful and semantic-related) and nonrobust features (highly useful yet perturbation-sensitive) in any figures, while non-robust features directly cause the presence of AEs.
ls-type:: annotation
hl-page:: 3
hl-color:: red
id:: 657619d9-8af7-4991-aba7-b3661bafc786
- training loss
ls-type:: annotation
hl-page:: 2
hl-color:: green
id:: 65761a10-90c0-4c36-9d90-824318e5abe2
- RQ1. What is the difference between the adversarial attack and DL test?
ls-type:: annotation
hl-page:: 4
hl-color:: green
id:: 65761a80-5337-4826-a03f-d2d77606de10
- AEs can be regarded as test suite
ls-type:: annotation
hl-page:: 4
hl-color:: green
id:: 65761a8f-7cdc-4897-bafb-69f2b2c133d7
- The relationship between adversarial examples and coverage criteria
ls-type:: annotation
hl-page:: 4
hl-color:: yellow
id:: 65761ab0-87d6-41a4-a44f-0dffbbc27076
- Theorem 1
ls-type:: annotation
hl-page:: 4
hl-color:: yellow
id:: 65761af8-a21e-4eba-a0e8-fd173f85cc15
- highly predictive but non-robust features in standard datasets
ls-type:: annotation
hl-page:: 4
hl-color:: blue
id:: 65761b1b-66fd-44e7-95cc-8b4342c03b98
- while assumption 2 concentrates on utilizing geometric intuition to show how the decision boundary changed between classes evolves during the training process
ls-type:: annotation
hl-page:: 4
hl-color:: red
id:: 65761b65-7d7f-4620-8bad-add40dcb7321
- optimized gradient-based adversarial examples are not inappropriate to be test suites in respect of test coverage
ls-type:: annotation
hl-page:: 4
hl-color:: green
id:: 65761b77-2610-4b4b-9a2e-5a8d3ea4a51e
- Given its mathematical proof and preliminary results showing that an optimized attacker will fall into an artificial large local minimum of the loss function with high probability
ls-type:: annotation
hl-page:: 4
hl-color:: green
id:: 65761b8e-cdfa-484f-b46d-edffbffc7b43
- given a normal model, the optimized attacker will probabilistic search the perturbation at multiple local minima of the loss function and the conceptual figure is shown in Fig.2
ls-type:: annotation
hl-page:: 4
hl-color:: green
id:: 65761bac-8ab8-49f5-901d-096c782898e9
- the smallest loss at x is to label yt.
ls-type:: annotation
hl-page:: 4
hl-color:: green
id:: 65761c1a-1862-4896-89c2-f935c1505df6
- minimal perturbation δ such that FΘ(x + δ)̸ = FΘ(x) = yt
ls-type:: annotation
hl-page:: 4
hl-color:: green
id:: 65761c2b-8802-4ebb-8aa4-0ad48046add2
- A(x) is (u, FΘ, yt)-effective
ls-type:: annotation
hl-page:: 4
hl-color:: green
id:: 65761c58-25f6-4184-8b0b-0a75e6937c71
- Adversarial attacks aim at creating perturbed inputs to achieve two primary objectives-maximizing loss while keeping lp-norm distance from the original inputs.
ls-type:: annotation
hl-page:: 5
hl-color:: green
id:: 65761c8a-4653-4bc6-aa2a-3ea82ab3b522
- Reference [17] and [18]
ls-type:: annotation
hl-page:: 5
hl-color:: red
id:: 65761cec-9035-43ba-bdfc-4bdc431b5974
- ithout declaring the usage scope
ls-type:: annotation
hl-page:: 6
hl-color:: yellow
id:: 65761d6a-3ff9-44c8-91a8-8c0072becbf0
- existing powerful optimized attack searches for small perturbations to minimal loss along the gradient, which means the adversarial inputs generated by the same label have a large possibility to share similar feature representations.
ls-type:: annotation
hl-page:: 6
hl-color:: green
id:: 65761db2-5459-4ea3-8298-8704fddaef3a
- similar neuron activation pattern
ls-type:: annotation
hl-page:: 6
hl-color:: green
id:: 65761dc1-a97a-465a-8069-cd0f7bd4494b
- , the adversarial examples can only cover limited several decision logics in the theoretical proof.
ls-type:: annotation
hl-page:: 6
hl-color:: yellow
id:: 65761dcf-0a82-48e4-b519-860b04155856
- (maximally amplifying its entries to the full range of [0, 1] to make it visually clearer)
ls-type:: annotation
hl-page:: 6
hl-color:: green
id:: 65761e03-5260-47b0-a2fd-bb5759a94536
- Our theoretically analysis and empirical experiment demonstrate that optimized gradient-based attack methods only cover limited several neuron activate patterns.
ls-type:: annotation
hl-page:: 9
hl-color:: green
id:: 65761ed4-a2c4-482a-abbe-d5a91c056cf3
- To the best of our knowledge, our work is the first to formally claim the contradiction between the inherent properties of existing AE algorithms and the requirements of DL test.
ls-type:: annotation
hl-page:: 10
hl-color:: green
id:: 65761ee7-72a5-4f71-96b7-4f0dfcec8e5d