WO2023062742A1 - Training device, training method, and training program - Google Patents

Publication number
WO2023062742A1
Authority
WO
WIPO (PCT)
Prior art keywords
model
loss
landscape
learning
adversarial
Prior art date
Application number
PCT/JP2021/037843
Other languages
French (fr)
Japanese (ja)
Inventor
真徳 山田
Original Assignee
日本電信電話株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日本電信電話株式会社
Priority to JP2023553815A (JPWO2023062742A1)
Priority to PCT/JP2021/037843 (WO2023062742A1)
Publication of WO2023062742A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00: Machine learning

Definitions

  • the present invention relates to a learning device, a learning method, and a learning program.
  • Adversarial Example causes the classifier to misjudge by adding noise to the data to be classified.
  • Adversarial Training trains a model (classifier) using Adversarial Examples.
  • the model trained by Adversarial Training has the problem of low generalization performance for Adversarial Examples.
  • the flatter the loss landscape (in the form of the loss function) for the weight of the model the smaller the generalization gap.
  • This generalization gap is the difference between train acc (learning data identification accuracy) and test acc (test data identification accuracy).
  • in adversarial training, there is a technique that flattens the loss landscape for the model weights to reduce the generalization gap and improve generalization performance for adversarial examples.
  • an object of the present invention is to solve the above-described problem and to learn a model with high generalization performance for Adversarial Examples.
  • the present invention comprises a first calculation unit that, in learning a model for predicting the label of input data containing Adversarial Examples, recalculates the Adversarial Example for the weight each time the weight of the model is shifted;
  • a second calculation unit that uses the recalculated Adversarial Example to create a loss landscape of the loss function of the model and flattens the created loss landscape;
  • and a learning processing unit that performs learning of the model using the loss function whose loss landscape has been flattened.
  • FIG. 1 is a diagram showing a configuration example of a learning device.
  • FIG. 2 is a flow chart showing an example of the processing procedure of the learning device.
  • FIG. 3 is a flow chart showing an example of a processing procedure of the learning device.
  • FIG. 4 is a diagram showing an application example of the learning device.
  • FIG. 5 is a diagram showing the correlation between the loss landscape used in AWP (Adversarial Weight Perturbation) and the loss landscape created by the learning device and their respective robust gaps.
  • FIG. 6 is a diagram showing experimental results for the model learned by the learning device.
  • FIG. 7 is a diagram showing experimental results for the model learned by the learning device.
  • FIG. 8 is a diagram showing a configuration example of a computer that executes the learning program.
  • the learning device recalculates the Adversarial Example for that weight and creates a loss landscape using the recalculated Adversarial Example.
  • the learning device then normalizes the created loss landscape.
  • the learning device learns the model using the loss function having the loss landscape normalized as described above. As a result, the learning device can learn a model with high generalization performance for Adversarial Examples.
  • the learning device 10 includes an input unit 11, an output unit 12, a communication control unit 13, a storage unit 14, and a control unit 15, for example.
  • the input unit 11 is an interface that receives input of various data.
  • the input unit 11 receives input of data used for learning processing and prediction processing, which will be described later.
  • the output unit 12 is an interface that outputs various data.
  • the output unit 12 outputs the label of data predicted by the control unit 15.
  • the communication control unit 13 is realized by a NIC (Network Interface Card) or the like, and controls communication between an external device such as a server and the control unit 15 via a network.
  • the communication control unit 13 controls communication between the control unit 15 and a management device (see FIG. 4) that manages learning target data.
  • the storage unit 14 is realized by a semiconductor memory device such as RAM (Random Access Memory) or flash memory, or a storage device such as a hard disk or an optical disk, and stores the parameters of the model learned by the learning process described later.
  • the control unit 15 is implemented using, for example, a CPU (Central Processing Unit) or the like, and executes a processing program stored in the storage unit 14. Thereby, the control unit 15 functions as an acquisition unit 15a, a learning unit 15b, and a prediction unit 15c, as illustrated in FIG. 1.
  • the acquisition unit 15a acquires data used for learning processing and prediction processing, which will be described later, via the input unit 11 or the communication control unit 13.
  • the learning unit 15b performs model learning (adversarial training) for predicting the label of input data including adversarial examples.
  • the learning unit 15b includes a first calculation unit 151, a second calculation unit 152, and a learning processing unit 153.
  • the first calculation unit 151 recalculates the Adversarial Example for the weight each time the weight of the model is shifted in learning the model for predicting the label of the input data including the Adversarial Example. For example, the first calculation unit 151 adds noise (v) to the weight of the model and recalculates the Adversarial Example for the noise-added weight.
  • the second calculation unit 152 uses the Adversarial Example recalculated by the first calculation unit 151 to create a loss landscape for the weight of the model, and flattens the created loss landscape.
  • the learning processing unit 153 uses the loss function whose loss landscape is flattened by the second calculation unit 152 to learn the model. For example, the learning processing unit 153 obtains the parameter (weight) of the model.
  • l in formula (1) is the loss function.
  • B(x, ε) is a set within a distance ε from x, and is a constraint used to make noise imperceptible to the human eye.
  • typically the L∞ norm is used.
  • adversarial training performed by the learning unit 15b is defined as in the following equation (2).
  • the loss landscape sharpness is calculated by the following formula (3).
  • v in Equation (3) is Gaussian noise randomly sampled from within the region shown in Equation (4).
  • the l in w_l indicates that the calculation is done for each layer, and the norm of the matrix is measured by the Frobenius norm.
  • the first item on the left side of equation (5-1) is a term indicating normal Adversarial Training.
  • the second and third items are regularization terms that flatten the loss landscape.
  • for v, for example, the worst noise for the weight (w) is used (see equation (5-3)).
  • the Adversarial Example in the conventional technology is not the optimal attack against w+v. Therefore, the learning unit 15b recalculates the Adversarial Example such that the Adversarial Example is the optimal attack against w+v. Then, the learning unit 15b normalizes (flattens) the loss landscape evaluated by the recalculated Adversarial Example (optimal Adversarial Example).
  • the learning unit 15b adjusts the strength of the loss landscape normalization term in the loss function using the hyperparameter β. As a result, the learning unit 15b can appropriately adjust the normalization of the loss landscape, and it becomes easier to improve the generalization gap by repeating model learning.
  • the first calculation unit 151 of the learning unit 15b creates v, which is the worst noise for the weight (w) (equation (5-3)), and calculates the Adversarial Example (η_n(w+v)) for w+v (equation (6-3)). Then, the second calculation unit 152 uses the calculated Adversarial Example (η_n(w+v)) to create a loss landscape of the loss function of the model and flattens the loss landscape (equation (6-1), equation (6-2)).
  • the second calculation unit 152 adjusts the term that flattens the loss landscape in the loss function (the normalization term (ρ_AWP(renoise)(w+v) − ρ_AWP(renoise)(w)) of equation (6-1)) by the hyperparameter β.
  • the learning processing unit 153 uses the loss function having the above loss landscape to learn the model. For example, the learning processing unit 153 uses the learning data acquired by the acquisition unit 15a to obtain the weight of the model that minimizes the loss value of the above loss function.
  • the prediction unit 15c uses the model learned by the learning unit 15b to predict the label of the input data. For example, the prediction unit 15c uses the learned model to calculate the probability of each label of newly acquired data, and outputs the label with the highest probability. As a result, the learning device 10 can output a correct label even when the input data is Adversarial Example, for example.
  • an example of a learning processing procedure by the learning device 10 will be described with reference to FIG. 2.
  • the processing shown in FIG. 2 is started, for example, when an operation input instructing the start of learning processing is performed.
  • the acquisition unit 15a acquires learning data including Adversarial Examples (S1).
  • the learning unit 15b learns a model representing the probability distribution of the label of the input data using the learning data and the loss function (S2). Note that this loss function is a loss function whose loss landscape has been flattened by the above equations (6-1) to (6-3).
  • the learning unit 15b stores the model parameters learned in S2 in the storage unit 14.
  • the acquisition unit 15a acquires label prediction target data (S11).
  • the prediction unit 15c uses the model learned by the learning unit 15b to predict the label of the data acquired in S11 (S12). For example, the prediction unit 15c uses the learned model to calculate p(x') of the data x' acquired in S11, and outputs the label with the highest probability.
  • the learning device 10 can output a correct label.
  • the learning device 10 described above may be applied to data anomaly detection.
  • An application example in this case will be described with reference to FIG.
  • a case where the detection device 20 is equipped with the function of the prediction unit 15c will be described as an example.
  • the learning device 10 learns a model using teacher data (learning data) acquired from a data acquisition device and the loss function described above. After that, when the detection device 20 acquires new data x' from the data acquisition device, it calculates p(x') of the data x' using the trained model. Then, the detection device 20 outputs a report as to whether or not the data x' is abnormal data based on the label with the highest probability.
  • Experiment 1 will be described with reference to FIG.
  • the purpose of Experiment 1 is to confirm that the sharpness of the loss landscape (landscape (renoise)) created by the learning device 10 correlates more strongly with the robust gap (train robust acc - test robust acc) than the sharpness of the loss landscape (landscape (noise)) of AWP does.
  • it could be confirmed that, compared with the AWP loss landscape, the loss landscape created by the learning device 10 lowers the robust gap as the sharpness value is lowered (the loss landscape is made flatter).
  • next, Experiment 2 will be described with reference to FIGS. 6 and 7.
  • the purpose of Experiment 2 is to measure Test Robust Acc for the model trained by the existing method (AWP) and for the model trained by the learning device 10 (the model trained by AWP (renoise)), and to confirm the generalization performance for Adversarial Examples of the trained model.
  • each constituent element of each part shown in the figure is functionally conceptual, and does not necessarily need to be physically configured as shown in the figure.
  • the specific forms of distribution and integration of each device are not limited to those illustrated, and all or part of them can be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions.
  • all or any part of each processing function performed by each device can be implemented by a CPU and a program executed by the CPU, or implemented as hardware based on wired logic.
  • the learning device 10 described above can be implemented by installing a program on a desired computer as package software or online software.
  • the information processing device can function as the learning device 10 by causing the information processing device to execute the above program.
  • the information processing apparatus referred to here includes a desktop or notebook personal computer.
  • information processing devices include mobile communication terminals such as smartphones, mobile phones and PHS (Personal Handyphone Systems), and terminals such as PDAs (Personal Digital Assistants).
  • the learning device 10 can also be implemented as a server device that uses a terminal device used by a user as a client and provides the client with services related to the above processing.
  • the server device may be implemented as a web server, or may be implemented as a cloud that provides services related to the above processing by outsourcing.
  • FIG. 8 is a diagram showing an example of a computer that executes a learning program.
  • the computer 1000 has a memory 1010 and a CPU 1020, for example.
  • the computer 1000 also has a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.
  • the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012.
  • the ROM 1011 stores a boot program such as BIOS (Basic Input Output System).
  • the hard disk drive interface 1030 is connected to the hard disk drive 1090.
  • the disk drive interface 1040 is connected to the disk drive 1100.
  • a removable storage medium such as a magnetic disk or optical disk is inserted into the disk drive 1100.
  • Serial port interface 1050 is connected to mouse 1110 and keyboard 1120, for example.
  • Video adapter 1060 is connected to display 1130, for example.
  • the hard disk drive 1090 stores, for example, an OS 1091, application programs 1092, program modules 1093, and program data 1094. That is, the program that defines each process executed by the learning device 10 is implemented as a program module 1093 in which computer-executable code is described. Program modules 1093 are stored, for example, on the hard disk drive 1090.
  • the hard disk drive 1090 stores a program module 1093 for executing processing similar to the functional configuration of the learning device 10.
  • the hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
  • the data used in the processes of the above-described embodiments are stored as program data 1094 in the memory 1010 or the hard disk drive 1090, for example. Then, the CPU 1020 reads out the program modules 1093 and program data 1094 stored in the memory 1010 and the hard disk drive 1090 to the RAM 1012 as necessary and executes them.
  • the program modules 1093 and program data 1094 are not limited to being stored in the hard disk drive 1090, but may be stored in a removable storage medium, for example, and read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program modules 1093 and program data 1094 may be stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.). Program modules 1093 and program data 1094 may then be read by CPU 1020 through network interface 1070 from other computers.
  • reference signs: 10 learning device, 11 input unit, 12 output unit, 13 communication control unit, 14 storage unit, 15 control unit, 15a acquisition unit, 15b learning unit, 15c prediction unit, 20 detection device, 151 first calculation unit, 152 second calculation unit, 153 learning processing unit

Abstract

According to the present invention, every time noise is added to the weight of a model during Adversarial Training, a training device (10) recalculates an Adversarial Example for the weight to which the noise was added. Then the training device (10) creates a loss landscape for a loss function for the model using the recalculated Adversarial Example and flattens (regularizes) the loss landscape using Adversarial Weight Perturbation (AWP). The training device (10) adjusts the strength of the regularization of the loss landscape using a hyperparameter β. Then the training device trains the model using the loss function for which the loss landscape was regularized.

Description

LEARNING DEVICE, LEARNING METHOD, AND LEARNING PROGRAM
The present invention relates to a learning device, a learning method, and a learning program.
Conventionally, there is an attack called Adversarial Example that causes a classifier to make an incorrect decision by adding noise to the data to be classified. As a countermeasure against Adversarial Examples, there is, for example, Adversarial Training, which trains a model (classifier) using Adversarial Examples.
However, a model trained by Adversarial Training has the problem of low generalization performance for Adversarial Examples. It is known that the flatter the loss landscape (the shape of the loss function) with respect to the weight of the model, the smaller the generalization gap. This generalization gap is the difference between train acc (classification accuracy on the training data) and test acc (classification accuracy on the test data). In Adversarial Training, there is a technique that flattens the loss landscape with respect to the model weight to reduce the generalization gap and improve generalization performance for Adversarial Examples.
However, the way the above technique (AWP) creates the loss landscape is not sufficient in some respects, so even if the loss landscape is flattened, the generalization performance for Adversarial Examples may not improve. Therefore, an object of the present invention is to solve the above-described problem and to learn a model with high generalization performance for Adversarial Examples.
In order to solve the above-described problem, the present invention comprises: a first calculation unit that, in learning a model for predicting the label of input data containing Adversarial Examples, recalculates the Adversarial Example for the weight each time the weight of the model is shifted; a second calculation unit that uses the recalculated Adversarial Example to create a loss landscape of the loss function of the model and flattens the created loss landscape; and a learning processing unit that performs learning of the model using the loss function whose loss landscape has been flattened.
According to the present invention, it is possible to learn a model with high generalization performance for Adversarial Examples.
FIG. 1 is a diagram showing a configuration example of a learning device.
FIG. 2 is a flowchart showing an example of the processing procedure of the learning device.
FIG. 3 is a flowchart showing an example of the processing procedure of the learning device.
FIG. 4 is a diagram showing an application example of the learning device.
FIG. 5 is a diagram showing the correlation with the robust gap for the loss landscape used in AWP (Adversarial Weight Perturbation) and for the loss landscape created by the learning device.
FIG. 6 is a diagram showing experimental results for the model learned by the learning device.
FIG. 7 is a diagram showing experimental results for the model learned by the learning device.
FIG. 8 is a diagram showing a configuration example of a computer that executes the learning program.
Embodiments of the present invention will be described below with reference to the drawings. The present invention is not limited to the embodiments described below.
[Overview of learning device]
As mentioned above, even when the loss landscape with respect to the weight of the model is flattened (normalized) by AWP (Adversarial Weight Perturbation), there were cases where the model's generalization performance for Adversarial Examples did not improve.
Therefore, the learning device of this embodiment creates a loss landscape such that, in Adversarial Training, the flatter the loss landscape is, the smaller the above generalization gap becomes (that is, such that the magnitude of the sharpness of the loss landscape correlates with the magnitude of the generalization gap). The learning device then performs normalization on that loss landscape.
For example, every time the weight of the model is shifted, the learning device recalculates the Adversarial Example for that weight and creates a loss landscape using the recalculated Adversarial Example. The learning device then normalizes the created loss landscape. The learning device learns the model using the loss function having the loss landscape normalized as described above. As a result, the learning device can learn a model with high generalization performance for Adversarial Examples.
[Configuration example of learning device]
A configuration example of the learning device 10 will be described with reference to FIG. 1. The learning device 10 includes, for example, an input unit 11, an output unit 12, a communication control unit 13, a storage unit 14, and a control unit 15.
The input unit 11 is an interface that receives input of various data. For example, the input unit 11 receives input of data used for the learning processing and prediction processing described later. The output unit 12 is an interface that outputs various data. For example, the output unit 12 outputs the label of data predicted by the control unit 15.
The communication control unit 13 is realized by a NIC (Network Interface Card) or the like, and controls communication between the control unit 15 and an external device such as a server via a network. For example, the communication control unit 13 controls communication between the control unit 15 and a management device (see FIG. 4) or the like that manages the data to be learned.
The storage unit 14 is realized by a semiconductor memory device such as RAM (Random Access Memory) or flash memory, or a storage device such as a hard disk or an optical disk, and stores the parameters and the like of the model learned by the learning processing described later.
The control unit 15 is implemented using, for example, a CPU (Central Processing Unit) or the like, and executes a processing program stored in the storage unit 14. Thereby, the control unit 15 functions as an acquisition unit 15a, a learning unit 15b, and a prediction unit 15c, as illustrated in FIG. 1.
The acquisition unit 15a acquires data used for the learning processing and prediction processing described later via the input unit 11 or the communication control unit 13.
The learning unit 15b performs learning (Adversarial Training) of a model for predicting the label of input data including Adversarial Examples. The learning unit 15b includes a first calculation unit 151, a second calculation unit 152, and a learning processing unit 153.
In learning the model for predicting the label of input data including Adversarial Examples, the first calculation unit 151 recalculates the Adversarial Example for the weight each time the weight of the model is shifted. For example, the first calculation unit 151 adds noise (v) to the weight of the model and recalculates the Adversarial Example for the noise-added weight.
The second calculation unit 152 uses the Adversarial Example recalculated by the first calculation unit 151 to create a loss landscape with respect to the weight of the model, and flattens the created loss landscape.
The learning processing unit 153 performs learning of the model using the loss function whose loss landscape has been flattened by the second calculation unit 152. For example, the learning processing unit 153 obtains the parameter (weight) of the model.
Here, the Adversarial Example for the weight of the above model is defined as in Equation (1).
Figure JPOXMLDOC01-appb-M000001
In Equation (1), l is the loss function. B(x, ε) is the set of points within a distance ε from x, and is a constraint used so that the noise is imperceptible to the human eye. Typically the L∞ norm is used.
The Adversarial Training performed by the learning unit 15b is defined as in the following Equation (2).
Figure JPOXMLDOC01-appb-M000002
Furthermore, the sharpness of the loss landscape is calculated by the following Equation (3).
Figure JPOXMLDOC01-appb-M000003
v in Equation (3) is Gaussian noise randomly sampled from within the region shown in Equation (4). The l in w_l indicates that the calculation is done for each layer, and the norm of the matrix is measured by the Frobenius norm.
Figure JPOXMLDOC01-appb-M000004
In the conventional technology, regularization that flattens the loss landscape has been performed based on Equations (5-1) to (5-3) in order to improve the model's generalization performance for Adversarial Examples.
Figure JPOXMLDOC01-appb-M000005
The first item on the left side of Equation (5-1) is a term indicating normal Adversarial Training, and the second and third items are regularization terms that flatten the loss landscape. For v, for example, the worst noise for the weight (w) is used (see Equation (5-3)).
 ここで、従来技術(AWP)におけるAdversarial Exampleは、w+vに対して最適な攻撃になっていない。そこで、学習部15bは、Adversarial Exampleがw+vに対して最適な攻撃になるようなAdversarial Exampleを再計算する。そして、学習部15bは、再計算したAdversarial Example(最適なAdversarial Example)で評価したloss landscapeを正規化する(平らにする)。 Here, the Adversarial Example in the conventional technology (AWP) is not the optimal attack against w+v. Therefore, the learning unit 15b recalculates the Adversarial Example such that the Adversarial Example is the optimal attack against w+v. Then, the learning unit 15b normalizes (flattens) the loss landscape evaluated by the recalculated Adversarial Example (optimal Adversarial Example).
 また、従来技術(AWP)は、loss landscapeの正規化が強すぎるため、モデルの学習を繰り返しても、train accの値が向上しにくく、その結果、汎化ギャップを改善する余地が少なかった。そこで、学習部15bは、loss関数におけるloss landscapeの正規化項の強さをハイパーパラメータβにより調整する。これにより、学習部15bは、loss landscapeの正規化を適切に調整できるので、モデルの学習を繰り返すことで、汎化ギャップを改善しやすくなる。 In addition, since the conventional technology (AWP) normalizes the loss landscape too strongly, it is difficult to improve the value of train acc even if the model is trained repeatedly, and as a result, there is little room to improve the generalization gap. Therefore, the learning unit 15b adjusts the strength of the loss landscape normalization term in the loss function using the hyperparameter β. As a result, the learning unit 15b can appropriately adjust the normalization of the loss landscape, and it becomes easier to improve the generalization gap by repeating model learning.
Figure JPOXMLDOC01-appb-M000006
The first calculation unit 151 of the learning unit 15b creates v, the worst noise for the weight (w) (Equation (5-3)), and calculates the Adversarial Example for w+v (ηn(w+v)) (Equation (6-3)). Then, the second calculation unit 152 uses the calculated Adversarial Example (ηn(w+v)) to create the loss landscape of the model's loss function and flattens that loss landscape (Equations (6-1) and (6-2)). At this time, the second calculation unit 152 adjusts the term that flattens the loss landscape in the loss function (the normalization term of Equation (6-1), (ρAWP(renoise)(w+v) - ρAWP(renoise)(w))) using the hyperparameter β.
Then, the learning processing unit 153 trains the model using the loss function having the above loss landscape. For example, the learning processing unit 153 uses the learning data acquired by the acquisition unit 15a to obtain the model weights that minimize the loss value of the above loss function.
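The calculation described above can be sketched as follows; this is an added example, not code from the patent. Because the images for Equations (5-1) to (6-3) are not reproduced on this page, the loss is assumed from the prose to be ρ(w) + β(ρ(renoise)(w+v) - ρ(w)), v is assumed to be one gradient-ascent step scaled to γ‖w‖, and the linear logistic model, `gamma`, `lr`, and the sample data are hypothetical.

```python
import math

# PGD parameters quoted on the page (eps, eps_iter, train_iter, clip range).
EPS, EPS_ITER, TRAIN_ITER = 8 / 255, 0.01, 7
CLIP_MIN, CLIP_MAX = 0.0, 1.0

def margin(w, x, y):
    return y * sum(wi * xi for wi, xi in zip(w, x))

def loss(w, x, y):
    """Logistic loss of a linear scorer w.x for a label y in {-1, +1}."""
    return math.log1p(math.exp(-margin(w, x, y)))

def slope(w, x, y):
    """sigma(-margin), i.e. -d(loss)/d(margin); always positive."""
    return 1.0 / (1.0 + math.exp(margin(w, x, y)))

def sign(t):
    return (t > 0) - (t < 0)

def norm(v):
    return math.sqrt(sum(t * t for t in v))

def pgd(w, x, y):
    """L-inf PGD against weights w (deterministic start; the page uses rand_init)."""
    adv = list(x)
    for _ in range(TRAIN_ITER):
        s = slope(w, adv, y)
        for i, wi in enumerate(w):
            step = adv[i] + EPS_ITER * sign(-y * s * wi)  # ascend d(loss)/dx_i
            step = min(max(step, x[i] - EPS), x[i] + EPS)  # project onto eps-ball
            adv[i] = min(max(step, CLIP_MIN), CLIP_MAX)    # keep a valid input
    return adv

def rho(w_eval, w_attack, data):
    """Mean loss of w_eval on adversarial examples crafted against w_attack."""
    return sum(loss(w_eval, pgd(w_attack, x, y), y) for x, y in data) / len(data)

def grad_rho(w, data):
    """Gradient of rho(w, w) w.r.t. w, adversarial examples held fixed."""
    g = [0.0] * len(w)
    for x, y in data:
        adv = pgd(w, x, y)
        s = slope(w, adv, y)
        for i, a in enumerate(adv):
            g[i] += -y * s * a / len(data)
    return g

def worst_v(w, data, gamma):
    """Assumed form of v: one ascent step scaled so that ||v|| = gamma * ||w||."""
    g = grad_rho(w, data)
    scale = gamma * norm(w) / (norm(g) or 1.0)
    return [scale * gi for gi in g]

def landscape_terms(w, data, beta, gamma):
    v = worst_v(w, data, gamma)
    wv = [wi + vi for wi, vi in zip(w, v)]
    base = rho(w, w, data)        # ordinary adversarial-training term
    stale = rho(wv, w, data)      # AWP: examples still tuned to w
    renoise = rho(wv, wv, data)   # examples recomputed for w + v
    return {"wv": wv, "base": base, "stale": stale, "renoise": renoise,
            "loss": base + beta * (renoise - base)}

def train_step(w, data, beta, gamma, lr):
    """One descent step on the assumed loss, with v and the examples held fixed."""
    wv = landscape_terms(w, data, beta, gamma)["wv"]
    g_w, g_wv = grad_rho(w, data), grad_rho(wv, data)
    return [wi - lr * ((1 - beta) * a + beta * b)
            for wi, a, b in zip(w, g_w, g_wv)]

# Constructed sample: two 2-feature inputs in [0, 1] with labels +1 / -1.
DATA = [([0.8, 0.8], 1), ([0.2, 0.1], -1)]
W0 = [1.0, 0.02]

if __name__ == "__main__":
    print(landscape_terms(W0, DATA, beta=0.5, gamma=0.1))
    print(train_step(W0, DATA, beta=0.5, gamma=0.1, lr=0.1))
```

On this sample the perturbation v flips the sign of the second weight, so the examples crafted against w are no longer the worst case for w+v and the recomputed loss is strictly larger than the stale one.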
The prediction unit 15c uses the model trained by the learning unit 15b to predict the label of input data. For example, the prediction unit 15c uses the trained model to calculate the probability of each label for newly acquired data and outputs the label with the highest probability. As a result, the learning device 10 can output the correct label even when, for example, the input data is an Adversarial Example.
[Learning processing]
Next, an example of the learning processing procedure performed by the learning device 10 will be described with reference to FIG. 2. The processing shown in FIG. 2 is started, for example, when an operation input instructing the start of learning processing is received.
First, the acquisition unit 15a acquires learning data including Adversarial Examples (S1). Next, the learning unit 15b trains a model representing the probability distribution of the labels of the input data, using the learning data and the loss function (S2). Note that this loss function is a loss function whose loss landscape has been flattened by Equations (6-1) to (6-3) above. The learning unit 15b stores the parameters of the model trained in S2 in the storage unit 14.
[Prediction processing]
Next, an example of the processing by which the learning device 10 predicts the label of input data will be described with reference to FIG. 3. The processing shown in FIG. 3 is started, for example, when an operation input instructing the start of prediction processing is received.
First, the acquisition unit 15a acquires the data whose label is to be predicted (S11). Next, the prediction unit 15c uses the model trained by the learning unit 15b to predict the label of the data acquired in S11 (S12). For example, the prediction unit 15c uses the trained model to calculate p(x') for the data x' acquired in S11 and outputs the label with the highest probability.
As a result, even if the data x' is an Adversarial Example, for example, the learning device 10 can output the correct label.
[Example of application of learning device]
The learning device 10 described above may be applied to data anomaly detection. An application example for this case will be described with reference to FIG. 4. Here, a case where the detection device 20 is equipped with the function of the prediction unit 15c described above will be described as an example.
For example, the learning device 10 trains a model using teacher data (learning data) acquired from a data acquisition device and the loss function described above. After that, when the detection device 20 acquires new data x' from the data acquisition device, it calculates p(x') for the data x' using the trained model. Then, based on the label with the highest probability, the detection device 20 outputs a report on whether or not the data x' is abnormal data.
[Experimental results]
Next, Experiment 1 and Experiment 2 were conducted to evaluate the model trained by the learning device 10. Note that landscape(noise) is obtained by creating a loss landscape while generating the v of ρAWP with Gaussian noise and calculating the sharpness of that loss landscape based on Equation (3) above. Likewise, landscape(renoise) is obtained by creating a loss landscape while generating the v of ρAWP(renoise) with Gaussian noise and calculating the sharpness of that loss landscape based on Equation (3) above.
[Experimental conditions]
Image dataset: Cifar10
Deep learning model: Resnet18
Adversarial Example: PGD
PGD parameters: eps=8/255, train_iter=7, eval_iter=20, eps_iter=0.01, rand_init=True, clip_min=0.0, clip_max=1.0
[Experiment 1]
Experiment 1 will be described with reference to FIG. 5. The purpose of Experiment 1 is to confirm that the sharpness of the loss landscape created by the learning device 10 (landscape(renoise)) correlates with the robust generalization gap (Robust Gap, (train robust acc - test robust acc)) better than the sharpness of the AWP loss landscape (landscape(noise)) does.
In this experiment, for a model trained with Adversarial Training, the relationship between the sharpness of the loss landscape and the Robust Gap was plotted every 10 epochs, as shown in FIG. 5. The loss landscapes here are landscape(noise) and landscape(renoise). The numbers in parentheses in FIG. 5 are the correlation coefficients between the sharpness of landscape(noise) and of landscape(renoise), respectively, and the Robust Gap. As shown in FIG. 5, the sharpness of landscape(renoise) correlates with the Robust Gap better than the sharpness of landscape(noise) does.
From this, it was confirmed that, more so with the loss landscape created by the learning device 10 than with the AWP loss landscape, the lower the sharpness value (the flatter the loss landscape), the lower the Robust Gap can be made.
[Experiment 2]
Next, Experiment 2 will be described with reference to FIGS. 6 and 7. The purpose of Experiment 2 is to confirm the generalization performance on Adversarial Examples of the model trained by the learning device 10, by evaluating the Test Robust Acc of the model trained by the existing method (AWP) and of the model trained by the learning device 10 (the model trained by AWP(renoise)).
In this experiment, in order to show not only the effectiveness of introducing β as described above but also the effectiveness of renoise alone, β was also introduced into the existing method, AWP, and Test Robust Acc was evaluated.
The attack methods used for the evaluation in this experiment were PGD (Projected Gradient Descent), which was used for model training, and Auto Attack, which is currently the most powerful attack. As shown in FIGS. 6 and 7, it was confirmed that the model trained by AWP(renoise) had a higher Test Robust Acc than the model trained by AWP. It was therefore confirmed that both the introduction of renoise and the introduction of β contribute to improving the model's generalization performance on Adversarial Examples.
[System configuration, etc.]
Each constituent element of each unit shown in the figures is functionally conceptual and does not necessarily need to be physically configured as shown. In other words, the specific form of distribution and integration of each device is not limited to that illustrated, and all or part of it can be functionally or physically distributed or integrated in arbitrary units according to various loads, usage conditions, and the like. Furthermore, all or any part of each processing function performed by each device can be implemented by a CPU and a program executed by the CPU, or implemented as hardware based on wired logic.
Further, among the processes described in the above embodiment, all or part of the processes described as being performed automatically can be performed manually, and all or part of the processes described as being performed manually can be performed automatically by known methods. In addition, the processing procedures, control procedures, specific names, and information including various data and parameters shown in the above document and drawings can be changed arbitrarily unless otherwise specified.
[Program]
The learning device 10 described above can be implemented by installing a program on a desired computer as packaged software or online software. For example, an information processing device can be made to function as the learning device 10 by causing the information processing device to execute the above program. The information processing device referred to here includes desktop and notebook personal computers. In addition, the category of information processing devices includes mobile communication terminals such as smartphones, mobile phones, and PHS (Personal Handyphone System) terminals, as well as terminals such as PDAs (Personal Digital Assistants).
The learning device 10 can also be implemented as a server device that treats a terminal device used by a user as a client and provides the client with services related to the above processing. In this case, the server device may be implemented as a Web server, or may be implemented as a cloud that provides services related to the above processing by outsourcing.
FIG. 8 is a diagram showing an example of a computer that executes the learning program. The computer 1000 has, for example, a memory 1010 and a CPU 1020. The computer 1000 also has a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.
The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012. The ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to a hard disk drive 1090. The disk drive interface 1040 is connected to a disk drive 1100. A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100. The serial port interface 1050 is connected to, for example, a mouse 1110 and a keyboard 1120. The video adapter 1060 is connected to, for example, a display 1130.
The hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, the program that defines each process executed by the learning device 10 is implemented as the program module 1093, in which computer-executable code is described. The program module 1093 is stored, for example, on the hard disk drive 1090. For example, the program module 1093 for executing processing similar to the functional configuration of the learning device 10 is stored on the hard disk drive 1090. The hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
The data used in the processing of the above-described embodiment is stored as the program data 1094 in, for example, the memory 1010 or the hard disk drive 1090. The CPU 1020 then reads the program module 1093 and the program data 1094 stored in the memory 1010 or the hard disk drive 1090 into the RAM 1012 as necessary and executes them.
The program module 1093 and the program data 1094 are not limited to being stored on the hard disk drive 1090; they may be stored, for example, on a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored on another computer connected via a network (a LAN (Local Area Network), a WAN (Wide Area Network), etc.). The program module 1093 and the program data 1094 may then be read from the other computer by the CPU 1020 via the network interface 1070.
10 learning device
11 input unit
12 output unit
13 communication control unit
14 storage unit
15 control unit
15a acquisition unit
15b learning unit
15c prediction unit
20 detection device
151 first calculation unit
152 second calculation unit
153 learning processing unit

Claims (5)

  1.  A learning device comprising:
     a first calculation unit that, in training a model for predicting the label of input data including Adversarial Examples, recalculates the Adversarial Example for the weight each time the weight of the model is shifted;
     a second calculation unit that uses the recalculated Adversarial Example to create a loss landscape of the loss function of the model and flattens the created loss landscape; and
     a learning processing unit that trains the model using the loss function whose loss landscape has been flattened.
  2.  The learning device according to claim 1, wherein the second calculation unit adjusts the strength with which the loss landscape is flattened by means of a hyperparameter.
  3.  The learning device according to claim 1, further comprising a prediction unit that predicts the label of input data using the trained model.
  4.  A learning method performed by a learning device, the learning method comprising:
     a step of, in training a model for predicting the label of input data including Adversarial Examples, recalculating the Adversarial Example for the weight each time the weight of the model is shifted;
     a step of using the recalculated Adversarial Example to create a loss landscape of the loss function of the model and flattening the created loss landscape; and
     a step of training the model using the loss function whose loss landscape has been flattened.
  5.  A learning program for causing a computer to execute:
     a step of, in training a model for predicting the label of input data including Adversarial Examples, recalculating the Adversarial Example for the weight each time the weight of the model is shifted;
     a step of using the recalculated Adversarial Example to create a loss landscape of the loss function of the model and flattening the created loss landscape; and
     a step of training the model using the loss function whose loss landscape has been flattened.
PCT/JP2021/037843 2021-10-13 2021-10-13 Training device, training method, and training program WO2023062742A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2023553815A JPWO2023062742A1 (en) 2021-10-13 2021-10-13
PCT/JP2021/037843 WO2023062742A1 (en) 2021-10-13 2021-10-13 Training device, training method, and training program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/037843 WO2023062742A1 (en) 2021-10-13 2021-10-13 Training device, training method, and training program

Publications (1)

Publication Number Publication Date
WO2023062742A1 true WO2023062742A1 (en) 2023-04-20

Family

ID=85987332

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/037843 WO2023062742A1 (en) 2021-10-13 2021-10-13 Training device, training method, and training program

Country Status (2)

Country Link
JP (1) JPWO2023062742A1 (en)
WO (1) WO2023062742A1 (en)

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
FUXUN YU; CHENCHEN LIU; YANZHI WANG; XIANG CHEN: "Interpreting Adversarial Robustness: A View from Decision Surface in Input Space", ARXIV.ORG, 29 September 2018 (2018-09-29), pages 1 - 15, XP081422375 *

Also Published As

Publication number Publication date
JPWO2023062742A1 (en) 2023-04-20


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21960601

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2023553815

Country of ref document: JP