John and Jane work on a self-driving car project. They want to classify various traffic signs among 10 different classes. John has trained a deep convolutional neural network (CNN), f, on a dataset with 100,000 samples. Given an input image x, his model predicts ŷ = f(x). Overall, it achieves 95.6% test accuracy.

(a) Jane has recently heard about adversarial attacks and is worried about the problems they could cause. To show John the potential dangers of adversarial attacks, she decides to design an input x which is classified as a “STOP” sign by John’s CNN. Propose a loss function for this task, and explicitly state the parameter(s) being optimized. You are not allowed to use any images other than x for this optimization.

(b) You run the optimization in part (a). Will the generated image look like a real image? Explain why.

(c) Jane looks for better evidence to convince John that his trained CNN is not a robust classifier. She decides to take the image x_no_park, which is a real image of a “No Parking” sign, and finds an input x such that:
• x looks like x_no_park
• x is classified by John’s network as a “STOP” sign, i.e., f(x) = y_<STOP>
Give the cost function for an iterative method which will achieve the above two objectives.

(d) After seeing the results of Alice’s experiments, Bob decides to retrain the deep convolutional network in a way that the trained classifier would be robust to adversarial attacks. Suggest two different solutions for improving the robustness of his CNN classifier.