Interpreting Adversarial Trained Convolutional Neural Networks - - PowerPoint PPT Presentation

interpreting adversarial trained convolutional neural
SMART_READER_LITE
LIVE PREVIEW

Interpreting Adversarial Trained Convolutional Neural Networks - - PowerPoint PPT Presentation

Jan 23, 2023 451 likes •678 views

Interpreting Adversarial Trained Convolutional Neural Networks Tianyuan Zhang , Zhanxing Zhu Peking University 1600012888@pku.edu.cn zhanxing.zhu@pku.edu.cn Poster: Pacific Ballroom #148 1 Contents Normally trained CNNs typically

slide-1
SLIDE 1

Interpreting Adversarial Trained Convolutional Neural Networks

Tianyuan Zhang, Zhanxing Zhu Peking University

1600012888@pku.edu.cn zhanxing.zhu@pku.edu.cn

  • 1

Poster: Pacific Ballroom #148

slide-2
SLIDE 2
  • Normally trained CNNs typically lack of interpretability
  • Biased towards textures
  • Hypothesis: Adversarially trained CNNs could improve

interpretability

  • Capture more semantic features: shapes.
  • Systematic experiments to validate the hypothesis
  • Discussions

Contents

2

slide-3
SLIDE 3
  • Interpreting normally trained CNN: texture bias

Normally Trained CNN

3

Published as a conference paper at ICLR 2019

IMAGENET-TRAINED CNNS ARE BIASED TOWARDS

TEXTURE; INCREASING SHAPE BIAS IMPROVES ACCURACY AND ROBUSTNESS

Robert Geirhos University of T¨ ubingen & IMPRS-IS robert.geirhos@bethgelab.org Patricia Rubisch University of T¨ ubingen & U. of Edinburgh p.rubisch@sms.ed.ac.uk Claudio Michaelis University of T¨ ubingen & IMPRS-IS claudio.michaelis@bethgelab.org Matthias Bethge∗ University of T¨ ubingen matthias.bethge@bethgelab.org Felix A. Wichmann∗ University of T¨ ubingen felix.wichmann@uni-tuebingen.de Wieland Brendel∗ University of T¨ ubingen wieland.brendel@bethgelab.org

(a) Texture image 81.4% Indian elephant 10.3% indri 8.2% black swan (b) Content image 71.1% tabby cat 17.3% grey fox 3.3% Siamese cat (c) Texture-shape cue conflict 63.9% Indian elephant 26.4% indri 9.6% black swan

slide-4
SLIDE 4

4

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 1 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1 Fraction of 'texture' decisions Fraction of 'shape' decisions Shape categories

  • 0.1

0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 1 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1 Fraction of 'texture' decisions Fraction of 'shape' decisions Shape categories

  • Augmented Stylized-

ImageNet 
 could improve shape bias.

slide-5
SLIDE 5

Are there any other models that could improve shape bias?

5

Adversarially trained CNNs!

slide-6
SLIDE 6
  • Deep neural networks are easily fooled by adversarial
  • examples. Not robust!

Adversarial Examples

6

f(x;w*)

P(“panda”) = 57.7%

f(x;w*)

P(“gibbon”) = 99.3% ?!

slide-7
SLIDE 7
  • Adversarial training for defensing adversarial examples:
  • A robust optimization problem
  • Interpreting adversarially trained CNNs (AT-CNNs)
  • What have AT-CNNs learned to make them robust?
  • Compared with standard CNNs, AT-CNNs tend to be more

shape-biased.

Adversarial Training

7

min

θ

E(x,y)∼D  max

δ∈S `(f(x + ; ✓), y)

  • min

θ

E(x,y)∼D [`(f(x; ✓), y)]

<latexit sha1_base64="wZnUQB5AvoGEfSOmTH7qxkynWHw=">AC93icbVJda9RAFJ3Er7pau9VHXy4uhV0sJSmCghSKWvBJKrptYbMNk9lJdujMJGQmswf8QXHxTx1b/im/Gm90t9uGwOHc87c3ExWSWFsFP0Nwlu379y9t3a/8+Dh+qON7ubjI1M2NeNDVsqyPsmo4VJoPrTCSn5S1ZyqTPLj7Oxt2z/+wmsjSv3Zzis+VrTQIheMWqTSzWA9UJDCg4SO+WgodEUTvNMqQOwKfOQR9msA1zGEBihIJW20oYlQjfoQMfn0ie2xFAwqVER96fwetV5gDN6K1FMbXjzhYUqVgmnce4D74fbdcoejp7gA1B7AHSV5T5pK1lbgWZ9S1p8N/H9i5i8JY+80Tm8alTqxF/tTfWMCPF8McCHonBv4tNuLdqJFwXUQr0CPrOow7f5JiVrFNeWSWrMKI4qO3ZtLpPcd5LG8IqyM1rwEUJNFTdjt/hvHraQmUBe1vhqCwv2osNRZcxcZahsF2Wu9lrypt6osfmrsRO6aizXbHlQ3kiwJbSXACai5szKOQLKaoGzAptSXJXFq9LBJcRXP/k6ONrdiRF/fNHbf7Naxp5Sp6RPonJS7JP3pNDMiQsMHX4HvwI5yH38Kf4a+lNAxWnifkUoW/wF5ruXD</latexit><latexit sha1_base64="wZnUQB5AvoGEfSOmTH7qxkynWHw=">AC93icbVJda9RAFJ3Er7pau9VHXy4uhV0sJSmCghSKWvBJKrptYbMNk9lJdujMJGQmswf8QXHxTx1b/im/Gm90t9uGwOHc87c3ExWSWFsFP0Nwlu379y9t3a/8+Dh+qON7ubjI1M2NeNDVsqyPsmo4VJoPrTCSn5S1ZyqTPLj7Oxt2z/+wmsjSv3Zzis+VrTQIheMWqTSzWA9UJDCg4SO+WgodEUTvNMqQOwKfOQR9msA1zGEBihIJW20oYlQjfoQMfn0ie2xFAwqVER96fwetV5gDN6K1FMbXjzhYUqVgmnce4D74fbdcoejp7gA1B7AHSV5T5pK1lbgWZ9S1p8N/H9i5i8JY+80Tm8alTqxF/tTfWMCPF8McCHonBv4tNuLdqJFwXUQr0CPrOow7f5JiVrFNeWSWrMKI4qO3ZtLpPcd5LG8IqyM1rwEUJNFTdjt/hvHraQmUBe1vhqCwv2osNRZcxcZahsF2Wu9lrypt6osfmrsRO6aizXbHlQ3kiwJbSXACai5szKOQLKaoGzAptSXJXFq9LBJcRXP/k6ONrdiRF/fNHbf7Naxp5Sp6RPonJS7JP3pNDMiQsMHX4HvwI5yH38Kf4a+lNAxWnifkUoW/wF5ruXD</latexit><latexit sha1_base64="wZnUQB5AvoGEfSOmTH7qxkynWHw=">AC93icbVJda9RAFJ3Er7pau9VHXy4uhV0sJSmCghSKWvBJKrptYbMNk9lJdujMJGQmswf8QXHxTx1b/im/Gm90t9uGwOHc87c3ExWSWFsFP0Nwlu379y9t3a/8+Dh+qON7ubjI1M2NeNDVsqyPsmo4VJoPrTCSn5S1ZyqTPLj7Oxt2z/+wmsjSv3Zzis+VrTQIheMWqTSzWA9UJDCg4SO+WgodEUTvNMqQOwKfOQR9msA1zGEBihIJW20oYlQjfoQMfn0ie2xFAwqVER96fwetV5gDN6K1FMbXjzhYUqVgmnce4D74fbdcoejp7gA1B7AHSV5T5pK1lbgWZ9S1p8N/H9i5i8JY+80Tm8alTqxF/tTfWMCPF8McCHonBv4tNuLdqJFwXUQr0CPrOow7f5JiVrFNeWSWrMKI4qO3ZtLpPcd5LG8IqyM1rwEUJNFTdjt/hvHraQmUBe1vhqCwv2osNRZcxcZahsF2Wu9lrypt6osfmrsRO6aizXbHlQ3kiwJbSXACai5szKOQLKaoGzAptSXJXFq9LBJcRXP/k6ONrdiRF/fNHbf7Naxp5Sp6RPonJS7JP3pNDMiQsMHX4HvwI5yH38Kf4a+lNAxWnifkUoW/wF5ruXD</latexit><latexit sha1_base64="wZnUQB5AvoGEfSOmTH7qxkynWHw=">AC93icbVJda9RAFJ3Er7pau9VHXy4uhV0sJSmCghSKWvBJKrptYbMNk9lJdujMJGQmswf8QXHxTx1b/im/Gm90t9uGwOHc87c3ExWSWFsFP0Nwlu379y9t3a/8+Dh+qON7ubjI1M2NeNDVsqyPsmo4VJoPrTCSn5S1ZyqTPLj7Oxt2z/+wmsjSv3Zzis+VrTQIheMWqTSzWA9UJDCg4SO+WgodEUTvNMqQOwKfOQR9msA1zGEBihIJW20oYlQjfoQMfn0ie2xFAwqVER96fwetV5gDN6K1FMbXjzhYUqVgmnce4D74fbdcoejp7gA1B7AHSV5T5pK1lbgWZ9S1p8N/H9i5i8JY+80Tm8alTqxF/tTfWMCPF8McCHonBv4tNuLdqJFwXUQr0CPrOow7f5JiVrFNeWSWrMKI4qO3ZtLpPcd5LG8IqyM1rwEUJNFTdjt/hvHraQmUBe1vhqCwv2osNRZcxcZahsF2Wu9lrypt6osfmrsRO6aizXbHlQ3kiwJbSXACai5szKOQLKaoGzAptSXJXFq9LBJcRXP/k6ONrdiRF/fNHbf7Naxp5Sp6RPonJS7JP3pNDMiQsMHX4HvwI5yH38Kf4a+lNAxWnifkUoW/wF5ruXD</latexit>

Standard training

kδk  ε

<latexit sha1_base64="u2ls1kIdYnIemBsgoRHdXNC6+s=">ADFnicbVJdi9NAFJ3Er7V+bFcfblYCi2WJVkEBVlY1AWfZEW7u9Dphsl0kg47mcTMZGmJ8yt8a/4oMivopv/htv2i7u1w2Bw7nLm5mbhQ0tg+Ov5167fuHlr7Xbrzt179fbGw/2TV6VXAx5rvLyMGZGKnF0EqrxGFRCpbFShzEx6+a/sGJKI3M9Qc7L8Q4Y6mWieTMIhVteAP6CehEKMugQUp8BHrCSlEYqXLd6tJMaoigBmqnAkUOaMbsNI6R2gUX1TX0YAYDmEMfqJEZNpGwplC+Bod+DhMTuwIgAql0JH0ZvBildlHM3pLmU7tuNWFNJLpNOY+q3rBYOGSzN2tNVHzS5sA01KxmtasNJKPOt9xHuzvtPzNw5YehqjdObKotquR26I31lAjxZDHAm6JTru6jdCTaDRcFlEK5Ah6xqL2r/oZOcV5nQlitmzCgMCjum1yuhGvRyoiC8WOWihFCzTJhxvXitzroIjOBJC/x1RYW7FlHzTJj5lmMymZR5mKvIa/qjSqbPB/XUheVFZovD0oqBTaH5o7ARJaCWzVHwHgpcVbgU4arsniTWriE8OInXwb7W5sh4ndPOzsvV+tYI4/IY9IjIXlGdsgbskeGhHufva/ed+H/8X/5v/0fy2lvrfyPCTnyv/9DwPD8fs=</latexit><latexit sha1_base64="u2ls1kIdYnIemBsgoRHdXNC6+s=">ADFnicbVJdi9NAFJ3Er7V+bFcfblYCi2WJVkEBVlY1AWfZEW7u9Dphsl0kg47mcTMZGmJ8yt8a/4oMivopv/htv2i7u1w2Bw7nLm5mbhQ0tg+Ov5167fuHlr7Xbrzt179fbGw/2TV6VXAx5rvLyMGZGKnF0EqrxGFRCpbFShzEx6+a/sGJKI3M9Qc7L8Q4Y6mWieTMIhVteAP6CehEKMugQUp8BHrCSlEYqXLd6tJMaoigBmqnAkUOaMbsNI6R2gUX1TX0YAYDmEMfqJEZNpGwplC+Bod+DhMTuwIgAql0JH0ZvBildlHM3pLmU7tuNWFNJLpNOY+q3rBYOGSzN2tNVHzS5sA01KxmtasNJKPOt9xHuzvtPzNw5YehqjdObKotquR26I31lAjxZDHAm6JTru6jdCTaDRcFlEK5Ah6xqL2r/oZOcV5nQlitmzCgMCjum1yuhGvRyoiC8WOWihFCzTJhxvXitzroIjOBJC/x1RYW7FlHzTJj5lmMymZR5mKvIa/qjSqbPB/XUheVFZovD0oqBTaH5o7ARJaCWzVHwHgpcVbgU4arsniTWriE8OInXwb7W5sh4ndPOzsvV+tYI4/IY9IjIXlGdsgbskeGhHufva/ed+H/8X/5v/0fy2lvrfyPCTnyv/9DwPD8fs=</latexit><latexit sha1_base64="u2ls1kIdYnIemBsgoRHdXNC6+s=">ADFnicbVJdi9NAFJ3Er7V+bFcfblYCi2WJVkEBVlY1AWfZEW7u9Dphsl0kg47mcTMZGmJ8yt8a/4oMivopv/htv2i7u1w2Bw7nLm5mbhQ0tg+Ov5167fuHlr7Xbrzt179fbGw/2TV6VXAx5rvLyMGZGKnF0EqrxGFRCpbFShzEx6+a/sGJKI3M9Qc7L8Q4Y6mWieTMIhVteAP6CehEKMugQUp8BHrCSlEYqXLd6tJMaoigBmqnAkUOaMbsNI6R2gUX1TX0YAYDmEMfqJEZNpGwplC+Bod+DhMTuwIgAql0JH0ZvBildlHM3pLmU7tuNWFNJLpNOY+q3rBYOGSzN2tNVHzS5sA01KxmtasNJKPOt9xHuzvtPzNw5YehqjdObKotquR26I31lAjxZDHAm6JTru6jdCTaDRcFlEK5Ah6xqL2r/oZOcV5nQlitmzCgMCjum1yuhGvRyoiC8WOWihFCzTJhxvXitzroIjOBJC/x1RYW7FlHzTJj5lmMymZR5mKvIa/qjSqbPB/XUheVFZovD0oqBTaH5o7ARJaCWzVHwHgpcVbgU4arsniTWriE8OInXwb7W5sh4ndPOzsvV+tYI4/IY9IjIXlGdsgbskeGhHufva/ed+H/8X/5v/0fy2lvrfyPCTnyv/9DwPD8fs=</latexit><latexit sha1_base64="u2ls1kIdYnIemBsgoRHdXNC6+s=">ADFnicbVJdi9NAFJ3Er7V+bFcfblYCi2WJVkEBVlY1AWfZEW7u9Dphsl0kg47mcTMZGmJ8yt8a/4oMivopv/htv2i7u1w2Bw7nLm5mbhQ0tg+Ov5167fuHlr7Xbrzt179fbGw/2TV6VXAx5rvLyMGZGKnF0EqrxGFRCpbFShzEx6+a/sGJKI3M9Qc7L8Q4Y6mWieTMIhVteAP6CehEKMugQUp8BHrCSlEYqXLd6tJMaoigBmqnAkUOaMbsNI6R2gUX1TX0YAYDmEMfqJEZNpGwplC+Bod+DhMTuwIgAql0JH0ZvBildlHM3pLmU7tuNWFNJLpNOY+q3rBYOGSzN2tNVHzS5sA01KxmtasNJKPOt9xHuzvtPzNw5YehqjdObKotquR26I31lAjxZDHAm6JTru6jdCTaDRcFlEK5Ah6xqL2r/oZOcV5nQlitmzCgMCjum1yuhGvRyoiC8WOWihFCzTJhxvXitzroIjOBJC/x1RYW7FlHzTJj5lmMymZR5mKvIa/qjSqbPB/XUheVFZovD0oqBTaH5o7ARJaCWzVHwHgpcVbgU4arsniTWriE8OInXwb7W5sh4ndPOzsvV+tYI4/IY9IjIXlGdsgbskeGhHufva/ed+H/8X/5v/0fy2lvrfyPCTnyv/9DwPD8fs=</latexit>

Projected Gradient Descent

slide-8
SLIDE 8
  • Qualitative method (Lots of people did this)
  • Visualizing sensitivity maps

Two ways for interpreting AT-CNNs

8

slide-9
SLIDE 9
  • Grad: input gradient
  • the gradient of the class score function w.r.t. input image
  • SmoothGrad
  • Removing the noise by averaging the noise

Sensitivity Map

9

E = 1 n

n

X

i=1

∂Sc(x + gi) ∂(x + gi)

<latexit sha1_base64="0iNAbSn4OeRMa4N0aEYIi7ly8A=">ACNnicbZDLSgMxFIYz9VbrerSTbAILUKZEUE3haIboSK9gKdOmTSTBuayQxJRizDPJUbn8NdNy4UcesjmLajaOuBwM/3n5Pk/G7IqFSmOTIyC4tLyvZ1dza+sbmVn57pyGDSGBSxwELRMtFkjDKSV1RxUgrFAT5LiNd3A+9pv3REga8Fs1DEnHRz1OPYqR0sjJX13ACrQ9gXBsJTFPoC0j34lpxUrueGrYIRKIgZvHFx8gIew51BYSn74NyslTr5gls1JwXlhpaIA0qo5+We7G+DIJ1xhqRsW2aoOvH4XsxIkrMjSUKEB6hH2lpy5BPZiSdrJ/BAky70AqEPV3BCf0/EyJdy6Lu60eqL2e9MfzPa0fKO+3ElIeRIhxPH/IiBlUAxnCLhUEKzbUAmFB9V8h7iMdldJ53QI1uzK86JxVLa0vj4uVM/SOLJgD+yDIrDACaiCS1ADdYDBIxiBV/BmPBkvxrvxMW3NGOnMLvhTxucXbiqdg=</latexit><latexit sha1_base64="0iNAbSn4OeRMa4N0aEYIi7ly8A=">ACNnicbZDLSgMxFIYz9VbrerSTbAILUKZEUE3haIboSK9gKdOmTSTBuayQxJRizDPJUbn8NdNy4UcesjmLajaOuBwM/3n5Pk/G7IqFSmOTIyC4tLyvZ1dza+sbmVn57pyGDSGBSxwELRMtFkjDKSV1RxUgrFAT5LiNd3A+9pv3REga8Fs1DEnHRz1OPYqR0sjJX13ACrQ9gXBsJTFPoC0j34lpxUrueGrYIRKIgZvHFx8gIew51BYSn74NyslTr5gls1JwXlhpaIA0qo5+We7G+DIJ1xhqRsW2aoOvH4XsxIkrMjSUKEB6hH2lpy5BPZiSdrJ/BAky70AqEPV3BCf0/EyJdy6Lu60eqL2e9MfzPa0fKO+3ElIeRIhxPH/IiBlUAxnCLhUEKzbUAmFB9V8h7iMdldJ53QI1uzK86JxVLa0vj4uVM/SOLJgD+yDIrDACaiCS1ADdYDBIxiBV/BmPBkvxrvxMW3NGOnMLvhTxucXbiqdg=</latexit><latexit sha1_base64="0iNAbSn4OeRMa4N0aEYIi7ly8A=">ACNnicbZDLSgMxFIYz9VbrerSTbAILUKZEUE3haIboSK9gKdOmTSTBuayQxJRizDPJUbn8NdNy4UcesjmLajaOuBwM/3n5Pk/G7IqFSmOTIyC4tLyvZ1dza+sbmVn57pyGDSGBSxwELRMtFkjDKSV1RxUgrFAT5LiNd3A+9pv3REga8Fs1DEnHRz1OPYqR0sjJX13ACrQ9gXBsJTFPoC0j34lpxUrueGrYIRKIgZvHFx8gIew51BYSn74NyslTr5gls1JwXlhpaIA0qo5+We7G+DIJ1xhqRsW2aoOvH4XsxIkrMjSUKEB6hH2lpy5BPZiSdrJ/BAky70AqEPV3BCf0/EyJdy6Lu60eqL2e9MfzPa0fKO+3ElIeRIhxPH/IiBlUAxnCLhUEKzbUAmFB9V8h7iMdldJ53QI1uzK86JxVLa0vj4uVM/SOLJgD+yDIrDACaiCS1ADdYDBIxiBV/BmPBkvxrvxMW3NGOnMLvhTxucXbiqdg=</latexit><latexit sha1_base64="0iNAbSn4OeRMa4N0aEYIi7ly8A=">ACNnicbZDLSgMxFIYz9VbrerSTbAILUKZEUE3haIboSK9gKdOmTSTBuayQxJRizDPJUbn8NdNy4UcesjmLajaOuBwM/3n5Pk/G7IqFSmOTIyC4tLyvZ1dza+sbmVn57pyGDSGBSxwELRMtFkjDKSV1RxUgrFAT5LiNd3A+9pv3REga8Fs1DEnHRz1OPYqR0sjJX13ACrQ9gXBsJTFPoC0j34lpxUrueGrYIRKIgZvHFx8gIew51BYSn74NyslTr5gls1JwXlhpaIA0qo5+We7G+DIJ1xhqRsW2aoOvH4XsxIkrMjSUKEB6hH2lpy5BPZiSdrJ/BAky70AqEPV3BCf0/EyJdy6Lu60eqL2e9MfzPa0fKO+3ElIeRIhxPH/IiBlUAxnCLhUEKzbUAmFB9V8h7iMdldJ53QI1uzK86JxVLa0vj4uVM/SOLJgD+yDIrDACaiCS1ADdYDBIxiBV/BmPBkvxrvxMW3NGOnMLvhTxucXbiqdg=</latexit>

E = ∂Sc(x) ∂x

<latexit sha1_base64="G6T+lQ6EdBC8SU6bB25AvjfYDgQ=">ACXnicbVFdS8MwFE3r1+ycTn0RfAmOwYwWhH0RiK4ONEp4O1ljRLZzBNS5Ko/RP+ia+FNMt8nmtguBw7npucBAmjUtn2l2GurW9sbpW2rfJOZXevun/wJONUYNLFMYtFL0CSMpJV1HFSC8RBEUBI8/B203Rf34nQtKYP6pRQrwIDTkNKUZKU341vYVX0A0FwpmbIKEoYvDBx42PZj4jPnKrPtM5ecZz6Mo08jN65eQvfKUBPIVDn8I5nz+umfvVmt2yxwWXgTMFNTCtjl/9dAcxTiPCFWZIyr5jJ8rLCl/MSG65qSQJwm9oSPoachQR6WXjeHJY18wAhrHQhys4ZucnMhRJOYoCrYyQepWLvYJc1eunKrz0MsqTVBGOJ4vClEVwyJrOKCYMVGiAsqL4rxK9IR6X0j1g6BGfxycvg6azlaHx/XmtfT+MogWNwAhrARegDe5AB3QBt+GYVhG2fgxN82KuTeRmsZ05hD8K/PoF9qrsw4=</latexit><latexit sha1_base64="G6T+lQ6EdBC8SU6bB25AvjfYDgQ=">ACXnicbVFdS8MwFE3r1+ycTn0RfAmOwYwWhH0RiK4ONEp4O1ljRLZzBNS5Ko/RP+ia+FNMt8nmtguBw7npucBAmjUtn2l2GurW9sbpW2rfJOZXevun/wJONUYNLFMYtFL0CSMpJV1HFSC8RBEUBI8/B203Rf34nQtKYP6pRQrwIDTkNKUZKU341vYVX0A0FwpmbIKEoYvDBx42PZj4jPnKrPtM5ecZz6Mo08jN65eQvfKUBPIVDn8I5nz+umfvVmt2yxwWXgTMFNTCtjl/9dAcxTiPCFWZIyr5jJ8rLCl/MSG65qSQJwm9oSPoachQR6WXjeHJY18wAhrHQhys4ZucnMhRJOYoCrYyQepWLvYJc1eunKrz0MsqTVBGOJ4vClEVwyJrOKCYMVGiAsqL4rxK9IR6X0j1g6BGfxycvg6azlaHx/XmtfT+MogWNwAhrARegDe5AB3QBt+GYVhG2fgxN82KuTeRmsZ05hD8K/PoF9qrsw4=</latexit><latexit sha1_base64="G6T+lQ6EdBC8SU6bB25AvjfYDgQ=">ACXnicbVFdS8MwFE3r1+ycTn0RfAmOwYwWhH0RiK4ONEp4O1ljRLZzBNS5Ko/RP+ia+FNMt8nmtguBw7npucBAmjUtn2l2GurW9sbpW2rfJOZXevun/wJONUYNLFMYtFL0CSMpJV1HFSC8RBEUBI8/B203Rf34nQtKYP6pRQrwIDTkNKUZKU341vYVX0A0FwpmbIKEoYvDBx42PZj4jPnKrPtM5ecZz6Mo08jN65eQvfKUBPIVDn8I5nz+umfvVmt2yxwWXgTMFNTCtjl/9dAcxTiPCFWZIyr5jJ8rLCl/MSG65qSQJwm9oSPoachQR6WXjeHJY18wAhrHQhys4ZucnMhRJOYoCrYyQepWLvYJc1eunKrz0MsqTVBGOJ4vClEVwyJrOKCYMVGiAsqL4rxK9IR6X0j1g6BGfxycvg6azlaHx/XmtfT+MogWNwAhrARegDe5AB3QBt+GYVhG2fgxN82KuTeRmsZ05hD8K/PoF9qrsw4=</latexit><latexit sha1_base64="G6T+lQ6EdBC8SU6bB25AvjfYDgQ=">ACXnicbVFdS8MwFE3r1+ycTn0RfAmOwYwWhH0RiK4ONEp4O1ljRLZzBNS5Ko/RP+ia+FNMt8nmtguBw7npucBAmjUtn2l2GurW9sbpW2rfJOZXevun/wJONUYNLFMYtFL0CSMpJV1HFSC8RBEUBI8/B203Rf34nQtKYP6pRQrwIDTkNKUZKU341vYVX0A0FwpmbIKEoYvDBx42PZj4jPnKrPtM5ecZz6Mo08jN65eQvfKUBPIVDn8I5nz+umfvVmt2yxwWXgTMFNTCtjl/9dAcxTiPCFWZIyr5jJ8rLCl/MSG65qSQJwm9oSPoachQR6WXjeHJY18wAhrHQhys4ZucnMhRJOYoCrYyQepWLvYJc1eunKrz0MsqTVBGOJ4vClEVwyJrOKCYMVGiAsqL4rxK9IR6X0j1g6BGfxycvg6azlaHx/XmtfT+MogWNwAhrARegDe5AB3QBt+GYVhG2fgxN82KuTeRmsZ05hD8K/PoF9qrsw4=</latexit>

and the noise level , the Sc(x) = log pc(x), class assigned by a classifier

gi ∼ N(0, σ2)

<latexit sha1_base64="rBzp7w0hjl7DZN3B0cfHKP7YSIM=">ACg3icbVFdSysxEM2uetVevVZ9CVYlBZFd4ugLwVRBJ9E8VaFbl1m02wNJtklyYplyR/xZ/nmvzFbK34OBA5nZs5MziQ5Z9oEwYvnT03P/Jmdm6/9XVj8t1RfXrnSWaEI7ZKMZ+omAU05k7RrmOH0JlcURMLpdXJ/XOWvH6jSLJP/zSinfQFDyVJGwDgqrj8NY4YjzQSOBJg7Arw8s81gu+KGAm7brdoGPsEdHKUKSBnloAwDji9j0nxs2Q/i0X4pDG0prRMpRFyTmhv5a8KeAtXC3wSeudaNq43gp1gHPgnCegSZxHtefo0FGCkGlIRy07oVBbvplpUs4tbWo0DQHcg9D2nNQgqC6X49tHjDMQOcZso9afCY/dxRgtB6JBJXWRmlv+cq8rdcrzDpQb9kMi8MleRtUFpwbDJcHQPmKLE8JEDQBRzu2JyB84q485WcyaE37/8E1y1d0KHL/Yah0cTO+bQGlpHTRSifXSITtE56iLiIW/T2/UCf8bf8tv+3lup7016VtGX8DuvOZS+Sw=</latexit><latexit sha1_base64="rBzp7w0hjl7DZN3B0cfHKP7YSIM=">ACg3icbVFdSysxEM2uetVevVZ9CVYlBZFd4ugLwVRBJ9E8VaFbl1m02wNJtklyYplyR/xZ/nmvzFbK34OBA5nZs5MziQ5Z9oEwYvnT03P/Jmdm6/9XVj8t1RfXrnSWaEI7ZKMZ+omAU05k7RrmOH0JlcURMLpdXJ/XOWvH6jSLJP/zSinfQFDyVJGwDgqrj8NY4YjzQSOBJg7Arw8s81gu+KGAm7brdoGPsEdHKUKSBnloAwDji9j0nxs2Q/i0X4pDG0prRMpRFyTmhv5a8KeAtXC3wSeudaNq43gp1gHPgnCegSZxHtefo0FGCkGlIRy07oVBbvplpUs4tbWo0DQHcg9D2nNQgqC6X49tHjDMQOcZso9afCY/dxRgtB6JBJXWRmlv+cq8rdcrzDpQb9kMi8MleRtUFpwbDJcHQPmKLE8JEDQBRzu2JyB84q485WcyaE37/8E1y1d0KHL/Yah0cTO+bQGlpHTRSifXSITtE56iLiIW/T2/UCf8bf8tv+3lup7016VtGX8DuvOZS+Sw=</latexit><latexit sha1_base64="rBzp7w0hjl7DZN3B0cfHKP7YSIM=">ACg3icbVFdSysxEM2uetVevVZ9CVYlBZFd4ugLwVRBJ9E8VaFbl1m02wNJtklyYplyR/xZ/nmvzFbK34OBA5nZs5MziQ5Z9oEwYvnT03P/Jmdm6/9XVj8t1RfXrnSWaEI7ZKMZ+omAU05k7RrmOH0JlcURMLpdXJ/XOWvH6jSLJP/zSinfQFDyVJGwDgqrj8NY4YjzQSOBJg7Arw8s81gu+KGAm7brdoGPsEdHKUKSBnloAwDji9j0nxs2Q/i0X4pDG0prRMpRFyTmhv5a8KeAtXC3wSeudaNq43gp1gHPgnCegSZxHtefo0FGCkGlIRy07oVBbvplpUs4tbWo0DQHcg9D2nNQgqC6X49tHjDMQOcZso9afCY/dxRgtB6JBJXWRmlv+cq8rdcrzDpQb9kMi8MleRtUFpwbDJcHQPmKLE8JEDQBRzu2JyB84q485WcyaE37/8E1y1d0KHL/Yah0cTO+bQGlpHTRSifXSITtE56iLiIW/T2/UCf8bf8tv+3lup7016VtGX8DuvOZS+Sw=</latexit><latexit sha1_base64="rBzp7w0hjl7DZN3B0cfHKP7YSIM=">ACg3icbVFdSysxEM2uetVevVZ9CVYlBZFd4ugLwVRBJ9E8VaFbl1m02wNJtklyYplyR/xZ/nmvzFbK34OBA5nZs5MziQ5Z9oEwYvnT03P/Jmdm6/9XVj8t1RfXrnSWaEI7ZKMZ+omAU05k7RrmOH0JlcURMLpdXJ/XOWvH6jSLJP/zSinfQFDyVJGwDgqrj8NY4YjzQSOBJg7Arw8s81gu+KGAm7brdoGPsEdHKUKSBnloAwDji9j0nxs2Q/i0X4pDG0prRMpRFyTmhv5a8KeAtXC3wSeudaNq43gp1gHPgnCegSZxHtefo0FGCkGlIRy07oVBbvplpUs4tbWo0DQHcg9D2nNQgqC6X49tHjDMQOcZso9afCY/dxRgtB6JBJXWRmlv+cq8rdcrzDpQb9kMi8MleRtUFpwbDJcHQPmKLE8JEDQBRzu2JyB84q485WcyaE37/8E1y1d0KHL/Yah0cTO+bQGlpHTRSifXSITtE56iLiIW/T2/UCf8bf8tv+3lup7016VtGX8DuvOZS+Sw=</latexit>

Input image Grad SmoothGrad

Smilkov et.al (2017) SmoothGrad: removing noise by adding noise

slide-10
SLIDE 10

Sensitivity maps of AT-CNNs

10

Original

Saturated Stylized

CNN Underfitting CNN AT-CNN PGD CNN Underfitting CNN SmoothGrad AT-CNN PGD

slide-11
SLIDE 11
  • Qualitative method
  • Visualizing sensitivity maps (Lots of people did this)
  • Quantitative method
  • Evaluate the generalization performance on either

shape or texture preserved data sets

Two ways for interpreting AT-CNNs

11

slide-12
SLIDE 12
  • 1. Stylizing: shape preserved, texture destroyed
  • 2. Saturating: shape preserved, texture destroyed
  • 3. Patch-shuffling: shape destructed, texture preserved

Constructing Datasets

12

(a) Original (b) Stylized (c) Saturated 8 (d) Saturated 1024 (e) patch-shuffle 2 (f) patch-shuffle 4

Figure 1. Visualization of three transformations. Original images are from Caltech-256. From left to right, original, stylized, saturation level as 8, 1024, 2 × 2 patch-shuffling, 4 × 4 patch-shuffling.

slide-13
SLIDE 13
  • Patch-shuffled test data

13

(a) Original Image (b) Patch-Shuffle 2 (c) Patch-Shuffle 4 (d) Patch-Shuffle 8

slide-14
SLIDE 14

14

Caltech-256 Tiny-ImageNet

slide-15
SLIDE 15
  • Saturated test data

15

Loosing both texture and shape info. Loosing texture and preserve shape info. Caltech-256 Tiny ImageNet

slide-16
SLIDE 16
  • Stylized test data

Generalization on Constructed Datasets

16

Accuracy on correctly classified images

slide-17
SLIDE 17
  • Interpreting adversarially trained CNNs
  • Adversarial training helps capturing global structures, a

more shape-based representation

  • We provide both qualitative and quantitive ways for

model interpretation.

Discussions

17

slide-18
SLIDE 18
  • Insights for defensing adversarial examples
  • Whether models better capturing long-range

representation tend to be more robust (e.g, non-local, Xie, et al 2018) ?

  • Interpreting AT-CNNs based on other types of adversarial

attacks

  • Spatially transformed adv. examples (Xiao et.al 2018)
  • GAN-based adv. examples (Song et.al 2018)

Discussions

18

slide-19
SLIDE 19
  • PGD attack often change local features
  • Adversarial training acts like data augmentation, which

can effectively increase invariance against corruptions of local features

Why?

19

slide-20
SLIDE 20

Thanks!

20

Poster: Pacific Ballroom #148