Files
logseq/pages/hls__SANER2024_paper_194_1700084424094_0.md
T
2025-06-05 22:07:12 +02:00

12 KiB
Raw Blame History

file:: SANER2024_paper_194_1700084424094_0.pdf file-path:: ../assets/SANER2024_paper_194_1700084424094_0.pdf

  • Most existing works reveal that the deep learning system is extremely susceptible to adversarial examples (AEs) ls-type:: annotation hl-page:: 1 hl-color:: green id:: 6575f969-93b9-4193-b1e5-fc2d99dd4927
  • optimized gradient-based technologies in white-box testing ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 6575f97a-99a2-4368-8506-d1760dd988c5 hl-stamp:: 1702230397595
  • formal analysis between gradient-based attack and loss minima of the loss function to prove that powerful adversaries will share similar feature representations with a high probability. ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 6575f9a5-9503-43bc-8289-588ccbb928cd
  • our results prove that AEs can efficiently discover the vulnerability of DL model but are not suitable to explore more inner logic as test suites ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 6575f9cb-a047-4cd7-9696-78deac13e7f2
  • opacity of DL decisions renders it difficult to understand the trustworthiness of the model in response to open-world scenarios ls-type:: annotation hl-page:: 1 hl-color:: green id:: 6575f9e7-9dfd-46bc-b262-ef059b0946ec
  • DL model should have a more rigorous test process and more predictable test outcomes, in order to prove the robustness and security of the model ls-type:: annotation hl-page:: 1 hl-color:: green id:: 6575f9fb-2f6b-414e-a68c-3f04f2841906
  • “ISO/IEC TR 2911911 Software Testing - Guidelines on the testing of AI-based systems ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 6575fa27-6d2d-44a0-b41d-4557c3701eff
  • DL testing should basically satisfy the following requirements: (1) high defects revealing-ability, (2) test suites should be more diverse (i.e., triggering different logic), and(3) test adequacy assurance (i.e., coverage criteria) ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 6575fa6a-4509-497d-984e-40d247cc0835
  • the decision logic of DL model follows a data-driven programming paradigm which is determined by training data rather than code logic ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 6575facc-59b7-43b4-8e16-96651ad23617
  • Empirical studies [3] suggest that preventing adversaries from computing effective AEs is unattainable until now, which gives adequate confidence to DL testers that AEs can achieve a high fault-revealing rate whatever the robustness degree of given DL model ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 6575fb8c-c5b4-430f-ade9-bc145a087250
  • Following this line, the optimized adversary will perturb the original example along with several specific feature representations to minimize the loss between the correct class and the targeted class. ls-type:: annotation hl-page:: 1 hl-color:: green id:: 6575fc1a-1aae-4a27-9e4f-9ffd4b0db619
  • Generally, although adversarial examples can efficiently detect the vulnerability of DL model, they are not suitable to be test suites from the perspective of test adequacy. It remains an open question that what is the best test suites generation technology ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 6575fc29-2ab6-4ff1-9214-c7eeaff40e66
  • theoretical understanding of adversarial attacks from the perspective of connections between gradients geometrical properties and local minima of the loss function ls-type:: annotation hl-page:: 1 hl-color:: green id:: 6575fc58-fc9a-47ea-9322-eabb9416f7a5
  • optimized AEs tend to fall into several limited local minima. ls-type:: annotation hl-page:: 1 hl-color:: green id:: 6575fc5e-aa50-4a91-aeb7-f7a4d124500e
  • we then combine feature visualization technologies[8] and optimized gradient-based attack algorithms to reveal AEs share similar feature representations ls-type:: annotation hl-page:: 1 hl-color:: green id:: 6575fc73-d773-4f24-b1d4-7cebde97d1db
  • multi-objective search techniques can produce more diverse test suites and cover more decision logic. ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 6575fd79-3da1-4a44-a4b0-34c40b5bf882
  • theoretical analysis that the optimized AEs have similar feature representation ls-type:: annotation hl-page:: 1 hl-color:: green id:: 6575fdcf-a11b-424d-8d93-2affba291eb3
  • easons of AEs can increase common coverage criteria ls-type:: annotation hl-page:: 1 hl-color:: green id:: 6575fdde-9130-4657-9b00-c2e1f9e5f0c6
  • earch-based technologies have promising performance compared with AEs ls-type:: annotation hl-page:: 2 hl-color:: purple id:: 6575fdfc-9b5b-46e3-8fb7-8d972a9b4ef5
  • F(Θ, x, y) ls-type:: annotation hl-page:: 2 hl-color:: yellow id:: 6575fe4a-23d3-4ef9-a0e0-b2fb8e820abb
  • weight W and gradient G of the trained model. ls-type:: annotation hl-page:: 2 hl-color:: green id:: 6575fe88-160b-4af2-8180-8a09adc28b65
  • s ls-type:: annotation hl-page:: 2 hl-color:: red id:: 6575fe97-bcb4-4ec5-915f-24760ec740fb
  • d ls-type:: annotation hl-page:: 2 hl-color:: red id:: 6575feb6-1a83-4f34-a46f-40f6b918d35e
  • ||δ|| ≤ ϵ ls-type:: annotation hl-page:: 2 hl-color:: green id:: 6575ff2d-8286-4737-b715-cc30c39a854c
  • classification loss L(FΘ(x + δ), y) ls-type:: annotation hl-page:: 2 hl-color:: yellow id:: 6575ff46-9ff0-48a3-9507-d3ceb182b021 hl-stamp:: 1702238837835
  • first-order adversarial attack ls-type:: annotation hl-page:: 2 hl-color:: green id:: 6575ff5d-8dfe-488f-ac51-3ed607dbb67b
  • requires rigorous testing before deployment ls-type:: annotation hl-page:: 3 hl-color:: green id:: 65761905-fe5a-483f-8e0a-e20d76730180
  • Testing is checking whether the actual outputs match the expected ones and ensure that the system is defect free from the perspective of software engineering, which comprises following key test procedures (i) requirement analysis, (ii) test suites generation, (iii) test oracle generation, and (iv) test evaluation ls-type:: annotation hl-page:: 3 hl-color:: green id:: 6576191a-90b8-48a8-9718-961af7dd697f
  • More specifically, there are several optimized gradient-based adversarial attack techniques have successfully proved that neural network is extremely susceptible to adversarial examples, such as PGD, C&W. ls-type:: annotation hl-page:: 3 hl-color:: red id:: 6576193b-cd14-43d8-8c3a-7ba7ec20cf48
  • verage-based test suites generation approaches which intend to explore more internal decision logic of the neural network ls-type:: annotation hl-page:: 3 hl-color:: green id:: 65761943-4b65-420d-aa7f-95498a835ca3
  • [?], [?], [?], [?], ls-type:: annotation hl-page:: 3 hl-color:: red id:: 65761969-09aa-489f-9761-4aadfa2e449a
  • Goodfellow et al. [4] argue that the main reason for AEs comes from the linear part of the model, in which the perturbation can significantly magnify as the dimension of weight increases ls-type:: annotation hl-page:: 3 hl-color:: green id:: 6576198c-cbb9-439a-8fd4-7f00d612118f
  • AEs arise when data lies on a lower dimensional manifold in a high dimensional space. ls-type:: annotation hl-page:: 3 hl-color:: green id:: 657619a1-eaba-4ccd-a331-4ce22784424d
  • some papers explore to explanations in the data, such as insufficient training data, and the extremely exceptional samples in the data se ls-type:: annotation hl-page:: 3 hl-color:: green id:: 657619ba-7612-483c-9911-90b546a309c8
  • robust features (useful and semantic-related) ls-type:: annotation hl-page:: 3 hl-color:: green id:: 657619c7-42fe-4283-80ae-df08a1d051b3
  • Further studies point out that the existence of robust features (useful and semantic-related) and nonrobust features (highly useful yet perturbation-sensitive) in any figures, while non-robust features directly cause the presence of AEs. ls-type:: annotation hl-page:: 3 hl-color:: red id:: 657619d9-8af7-4991-aba7-b3661bafc786
  • training loss ls-type:: annotation hl-page:: 2 hl-color:: green id:: 65761a10-90c0-4c36-9d90-824318e5abe2
  • RQ1. What is the difference between the adversarial attack and DL test? ls-type:: annotation hl-page:: 4 hl-color:: green id:: 65761a80-5337-4826-a03f-d2d77606de10
  • AEs can be regarded as test suite ls-type:: annotation hl-page:: 4 hl-color:: green id:: 65761a8f-7cdc-4897-bafb-69f2b2c133d7
  • The relationship between adversarial examples and coverage criteria ls-type:: annotation hl-page:: 4 hl-color:: yellow id:: 65761ab0-87d6-41a4-a44f-0dffbbc27076
  • Theorem 1 ls-type:: annotation hl-page:: 4 hl-color:: yellow id:: 65761af8-a21e-4eba-a0e8-fd173f85cc15
  • highly predictive but non-robust features in standard datasets ls-type:: annotation hl-page:: 4 hl-color:: blue id:: 65761b1b-66fd-44e7-95cc-8b4342c03b98
  • while assumption 2 concentrates on utilizing geometric intuition to show how the decision boundary changed between classes evolves during the training process ls-type:: annotation hl-page:: 4 hl-color:: red id:: 65761b65-7d7f-4620-8bad-add40dcb7321
  • optimized gradient-based adversarial examples are not inappropriate to be test suites in respect of test coverage ls-type:: annotation hl-page:: 4 hl-color:: green id:: 65761b77-2610-4b4b-9a2e-5a8d3ea4a51e
  • Given its mathematical proof and preliminary results showing that an optimized attacker will fall into an artificial large local minimum of the loss function with high probability ls-type:: annotation hl-page:: 4 hl-color:: green id:: 65761b8e-cdfa-484f-b46d-edffbffc7b43
  • given a normal model, the optimized attacker will probabilistic search the perturbation at multiple local minima of the loss function and the conceptual figure is shown in Fig.2 ls-type:: annotation hl-page:: 4 hl-color:: green id:: 65761bac-8ab8-49f5-901d-096c782898e9
  • the smallest loss at x is to label yt. ls-type:: annotation hl-page:: 4 hl-color:: green id:: 65761c1a-1862-4896-89c2-f935c1505df6
  • minimal perturbation δ such that FΘ(x + δ)̸ = FΘ(x) = yt ls-type:: annotation hl-page:: 4 hl-color:: green id:: 65761c2b-8802-4ebb-8aa4-0ad48046add2
  • A(x) is (u, FΘ, yt)-effective ls-type:: annotation hl-page:: 4 hl-color:: green id:: 65761c58-25f6-4184-8b0b-0a75e6937c71
  • Adversarial attacks aim at creating perturbed inputs to achieve two primary objectives-maximizing loss while keeping lp-norm distance from the original inputs. ls-type:: annotation hl-page:: 5 hl-color:: green id:: 65761c8a-4653-4bc6-aa2a-3ea82ab3b522
  • Reference [17] and [18] ls-type:: annotation hl-page:: 5 hl-color:: red id:: 65761cec-9035-43ba-bdfc-4bdc431b5974
  • ithout declaring the usage scope ls-type:: annotation hl-page:: 6 hl-color:: yellow id:: 65761d6a-3ff9-44c8-91a8-8c0072becbf0
  • existing powerful optimized attack searches for small perturbations to minimal loss along the gradient, which means the adversarial inputs generated by the same label have a large possibility to share similar feature representations. ls-type:: annotation hl-page:: 6 hl-color:: green id:: 65761db2-5459-4ea3-8298-8704fddaef3a
  • similar neuron activation pattern ls-type:: annotation hl-page:: 6 hl-color:: green id:: 65761dc1-a97a-465a-8069-cd0f7bd4494b
  • , the adversarial examples can only cover limited several decision logics in the theoretical proof. ls-type:: annotation hl-page:: 6 hl-color:: yellow id:: 65761dcf-0a82-48e4-b519-860b04155856
  • (maximally amplifying its entries to the full range of [0, 1] to make it visually clearer) ls-type:: annotation hl-page:: 6 hl-color:: green id:: 65761e03-5260-47b0-a2fd-bb5759a94536
  • Our theoretically analysis and empirical experiment demonstrate that optimized gradient-based attack methods only cover limited several neuron activate patterns. ls-type:: annotation hl-page:: 9 hl-color:: green id:: 65761ed4-a2c4-482a-abbe-d5a91c056cf3
  • To the best of our knowledge, our work is the first to formally claim the contradiction between the inherent properties of existing AE algorithms and the requirements of DL test. ls-type:: annotation hl-page:: 10 hl-color:: green id:: 65761ee7-72a5-4f71-96b7-4f0dfcec8e5d