WO2023067669A1 - Learning device, learning method, and learning program - Google Patents

Learning device, learning method, and learning program

Info

Publication number
WO2023067669A1
Authority
WO
WIPO (PCT)
Prior art keywords
learning
model
adversarial
adversarial example
data
Prior art date
Application number
PCT/JP2021/038503
Other languages
French (fr)
Japanese (ja)
Inventor
智也 山下
真徳 山田
Original Assignee
日本電信電話株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日本電信電話株式会社
Priority to PCT/JP2021/038503
Priority to JP2023553921A
Publication of WO2023067669A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning

Definitions

  • the present invention relates to a learning device, a learning method, and a learning program.
  • MART is an Adversarial Training method that trains a model according to a policy determined from the model's identification difficulty for the original input data (the data before noise is added).
  • an object of the present invention is to train a model with high identification accuracy for Adversarial Examples.
  • the present invention comprises a data acquisition unit that acquires training data for a model that outputs identification results for input data including Adversarial Examples, a difficulty determination unit that determines the model's identification difficulty for Adversarial Examples, and a learning processing unit that trains the model such that, the higher the determined identification difficulty of the model for the Adversarial Example, the larger the weight given, in the loss function used for training a model by MART (Misclassification Aware adveRsarial Training), to the value of the difference between the identification result for the Adversarial Example and the identification result for the data before the noise of the Adversarial Example is added.
  • FIG. 1 is a diagram showing a configuration example of a learning device.
  • FIG. 2 is a flow chart showing an example of the processing procedure of the learning device.
  • FIG. 3 is a flow chart showing an example of a processing procedure of the learning device.
  • FIG. 4 is a diagram showing an application example of the learning device.
  • FIG. 5 is a diagram showing experimental results for the model learned by the learning device.
  • FIG. 6 is a diagram showing a configuration example of a computer that executes the learning program.
  • the learning device performs adversarial training of the model by a method improved from the existing method MART.
  • the learning device first determines the identification difficulty of the model to be trained for Adversarial Examples. When that identification difficulty is low, the learning device trains the model with more emphasis on identifying the correct label of the Adversarial Example than on keeping the model's output for the Adversarial Example from deviating greatly from its output for the original input data (the data before the noise of the Adversarial Example is added).
  • when the identification difficulty of the model to be trained for Adversarial Examples is high, the learning device trains the model with more emphasis on keeping the model's output for the Adversarial Example from deviating greatly from its output for the original input data than on identifying the correct label of the Adversarial Example.
  • the learning device 10 determines the training policy for the model based on the identification accuracy for Adversarial Examples (Robust Accuracy) and trains the model accordingly, so it can train a model with high identification accuracy.
  • Adversarial Example is an attack method that causes a model to make an erroneous judgment by adding minute noise that cannot be recognized by the human eye to input data.
  • the objective function of the Adversarial Example is as shown in Equation (1).
  • l(θ, x, y) in the above formula (1) is the loss function of the model.
  • θ is the parameter of the model
  • x is the input data of the model
  • y is the identification result of the input data x output from the model.
  • Typical algorithms for generating Adversarial Examples include, for example, FGSM (Fast Gradient Sign Method) and PGD (Projection Gradient Descent).
  • ε in Equation (2) is the magnitude of the noise.
  • in FGSM, noise is added to the input data x so that the value of the loss function of the model increases.
  • PGD adds noise to the input data x according to the algorithm shown in formula (3) below.
  • Adversarial Training is a learning method that learns a robust model for Adversarial Examples.
  • the objective function of Adversarial Training is as shown in Formula (4).
  • the parameter θ of the model is updated according to the algorithm shown in formula (5) below.
  • l(θ, x, y) is a loss function
  • x' in equation (5) is an adversarial example of input data x. The difference between this algorithm and general learning algorithms is that Adversarial Examples are used as learning data.
  • in MART, model learning is performed using the loss function shown in Equation (6).
  • BCE in this loss function is a Boosted Cross Entropy function and is represented by the following formula (7).
  • the function represented by KL in Equation (6) is the Kullback-Leibler distance, which is used as an index for measuring the distance between probability distributions.
  • MART makes it possible to determine the learning policy of the model based on the identification difficulty (1-p_y(x, θ)) for the original input data by using the loss function shown in Equation (6).
  • the loss function used in MART is designed based on the intuition that if the model cannot correctly recognize the original input data, learning to recognize the Adversarial Example as the correct label is too severe a task for the model.
  • the learning device of this embodiment determines whether the model's learning to identify the Adversarial Example with the correct label is too strict for the model's learning, based on the model's identification difficulty for the Adversarial Example.
  • the learning device 10 includes an input unit 11, an output unit 12, a communication control unit 13, a storage unit 14, and a control unit 15, for example.
  • the input unit 11 is an interface that receives input of various data.
  • the input unit 11 receives input of data used for learning processing and prediction processing, which will be described later.
  • the output unit 12 is an interface that outputs various data.
  • the output unit 12 outputs the label of data predicted by the control unit 15.
  • the communication control unit 13 is implemented by a NIC (Network Interface Card) or the like, and controls communication between an external device such as a server and the control unit 15 via a network.
  • the communication control unit 13 controls communication between the control unit 15 and a management device (see FIG. 4) that manages learning target data.
  • the storage unit 14 is realized by a semiconductor memory device such as RAM (Random Access Memory) or flash memory, or by a storage device such as a hard disk or an optical disk, and stores, for example, the parameters of the model learned by the learning process described later.
  • the control unit 15 is implemented using, for example, a CPU (Central Processing Unit) or the like, and executes a processing program stored in the storage unit 14. Thereby, the control unit 15 functions as an acquisition unit 15a, a learning unit 15b, and a prediction unit 15c, as illustrated in FIG. 1.
  • the acquisition unit 15a acquires data used for learning processing and prediction processing, which will be described later, via the input unit 11 or the communication control unit 13.
  • the learning unit 15b performs model learning (adversarial training) for predicting the label of input data including adversarial examples.
  • the learning unit 15b includes a difficulty level determination unit 151 and a learning processing unit 152.
  • the difficulty level determination unit 151 determines the identification difficulty of the model to be trained for the Adversarial Example. For example, the difficulty level determination unit 151 inputs an Adversarial Example for learning to the model to be trained, and obtains the probability p_y(x′, θ) that the model identifies the Adversarial Example as the correct label. Then, the difficulty level determination unit 151 sets (1-p_y(x′, θ)) as the identification difficulty of the model to be trained for the Adversarial Example.
  • the learning processing unit 152 determines a learning policy for the model based on the identification difficulty level of the model for the Adversarial Example determined by the difficulty determination unit 151, and performs learning.
  • as the model's identification difficulty for the Adversarial Example increases, the learning processing unit 152 trains the model with a larger weight, in the loss function used for training the model by MART, on the value of the difference between the identification result for the Adversarial Example and the identification result for the data before the noise of the Adversarial Example is added.
  • the learning processing unit 152 trains the model with more emphasis on identifying the Adversarial Example with the correct label than on ensuring that the model output for the Adversarial Example does not deviate greatly from the model output for the original input data.
  • as the model's identification difficulty for the Adversarial Example decreases, the learning processing unit 152 trains the model with a smaller weight, in the loss function used for training the model by MART, on the value of the difference between the identification result for the Adversarial Example and the identification result for the data before the noise of the Adversarial Example is added.
  • the learning processing unit 152 trains the model with more emphasis on preventing the model output for the Adversarial Example from deviating significantly from the model output for the original input data than on identifying the Adversarial Example with the correct label.
  • the learning processing unit 152 performs model learning using the loss function shown in Equation (8) below.
  • in the loss function of Equation (8), the identification difficulty part that determines the learning policy of the model, (1-p_y(x, θ)) in Equation (6), becomes the identification difficulty for the Adversarial Example, (1-p_y(x', θ)).
  • the learning processing unit 152 uses the identification difficulty level for the Adversarial Example of the learning target model when determining the learning policy of the model, so that it is possible to learn a model with high identification accuracy for the Adversarial Example.
  • the prediction unit 15c uses the model learned by the learning unit 15b to predict (identify) the label of the input data. For example, the prediction unit 15c uses the learned model to calculate the probability of each label of newly acquired data, and outputs the label with the highest probability. As a result, the learning device 10 can output a correct label even when the input data is Adversarial Example, for example.
  • an example of a learning processing procedure by the learning device 10 will be described with reference to FIG. 2.
  • the processing shown in FIG. 2 is started, for example, when an operation input instructing the start of learning processing is performed.
  • the acquisition unit 15a acquires learning data including Adversarial Examples (S1).
  • the learning unit 15b learns a model representing the probability distribution of the labels of the input data using the learning data and the loss function (see formula (8)) (S2).
  • the learning unit 15b stores the model parameters learned in S2 in the storage unit 14.
  • the acquisition unit 15a acquires label prediction target data (S11).
  • the prediction unit 15c uses the model learned by the learning unit 15b to predict the label of the data acquired in S11 (S12).
  • the prediction unit 15c uses the learned model to calculate p(x') of the data x' acquired in S11, and outputs the label with the highest probability.
  • the learning device 10 can output a correct label.
  • the learning device 10 described above may be applied to object recognition processing in an image.
  • An application example in this case will be described with reference to FIG.
  • the learning device 10 uses teacher data (learning data) acquired from the data acquisition device and the loss function described above to perform model learning (adversarial training). After that, when the image data is acquired from the data acquisition device, the learning device 10 predicts the label of the acquired image data using the trained model. Then, the learning device 10 outputs an object recognition result based on the prediction result.
  • model learning by MART and model learning by the learning device 10 were performed on the CIFAR10 data set, and the discrimination accuracy of each model was compared.
  • the model used for the experiment is ResNet18.
  • the learning parameters were set to match the settings in the MART paper (Non-Patent Document 1), and the hyperparameter λ took the values 1, 2, ..., 10 used in that paper.
  • FIG. 5 shows the evaluation results of the model learned by MART and the model (Propose) learned by the learning device 10.
  • NatAcc in FIG. 5 indicates the accuracy rate of the model for the original input data
  • RobAcc indicates the accuracy rate of the model for the Adversarial Example. Note that the accuracy shown in FIG. 5 is the accuracy at the epoch with the highest accuracy for the Adversarial Example.
  • each constituent element of each part shown in the figure is functionally conceptual, and does not necessarily need to be physically configured as shown in the figure.
  • the specific form of distribution and integration of each device is not limited to the illustrated one, and all or part of them can be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions.
  • all or any part of each processing function performed by each device can be implemented by a CPU and a program executed by the CPU, or implemented as hardware based on wired logic.
  • the learning device 10 described above can be implemented by installing a program (learning program) as package software or online software on a desired computer.
  • the information processing device can function as the learning device 10 by causing the information processing device to execute the above program.
  • the information processing apparatus referred to here includes mobile communication terminals such as smart phones, cellular phones, PHS (Personal Handyphone System), and terminals such as PDA (Personal Digital Assistant).
  • FIG. 6 is a diagram showing an example of a computer that executes a learning program.
  • the computer 1000 has a memory 1010 and a CPU 1020, for example.
  • Computer 1000 also has hard disk drive interface 1030, disk drive interface 1040, serial port interface 1050, video adapter 1060 and network interface 1070. These units are connected by a bus 1080.
  • the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012.
  • the ROM 1011 stores a boot program such as BIOS (Basic Input Output System).
  • Hard disk drive interface 1030 is connected to hard disk drive 1090.
  • a disk drive interface 1040 is connected to the disk drive 1100.
  • a removable storage medium such as a magnetic disk or optical disk is inserted into the disk drive 1100.
  • Serial port interface 1050 is connected to mouse 1110 and keyboard 1120, for example.
  • Video adapter 1060 is connected to display 1130, for example.
  • the hard disk drive 1090 stores, for example, an OS 1091, application programs 1092, program modules 1093, and program data 1094. That is, the program that defines each process executed by the learning device 10 is implemented as a program module 1093 in which computer-executable code is described. Program modules 1093 are stored, for example, on hard disk drive 1090.
  • the hard disk drive 1090 stores a program module 1093 for executing processing similar to the functional configuration of the learning device 10.
  • the hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
  • the data used in the processes of the above-described embodiments are stored as program data 1094 in the memory 1010 or the hard disk drive 1090, for example. Then, the CPU 1020 reads out the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1090 to the RAM 1012 as necessary and executes them.
  • the program modules 1093 and program data 1094 are not limited to being stored in the hard disk drive 1090, but may be stored in a removable storage medium, for example, and read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program modules 1093 and program data 1094 may be stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.). Program modules 1093 and program data 1094 may then be read by CPU 1020 through network interface 1070 from other computers.

Landscapes

  • Engineering & Computer Science
  • Theoretical Computer Science
  • Software Systems
  • Data Mining & Analysis
  • Evolutionary Computation
  • Medical Informatics
  • Computer Vision & Pattern Recognition
  • Physics & Mathematics
  • Computing Systems
  • General Engineering & Computer Science
  • General Physics & Mathematics
  • Mathematical Physics
  • Artificial Intelligence
  • Image Analysis

Abstract

A learning device (10) determines an identification difficulty level for an adversarial example of a model. The learning device trains the model such that the higher the determined identification difficulty level of the model for the adversarial example, the larger the weight, in the loss function used by MART to learn a model, of the value of the difference between the identification result for the adversarial example and the identification result for the data before the noise of the adversarial example is added. The learning device (10) then identifies input data using the learned model.

Description

LEARNING DEVICE, LEARNING METHOD AND LEARNING PROGRAM
The present invention relates to a learning device, a learning method, and a learning program.
Conventionally, there are Adversarial Examples, in which noise is added to data to cause a model (for example, a classifier) to make an erroneous decision. MART (Misclassification Aware adveRsarial Training) is a method for training a model that is robust against such Adversarial Examples.
MART is an Adversarial Training method that trains a model according to a policy determined from the model's identification difficulty for the original input data (the data before noise is added).
However, with MART, even when the model can correctly recognize the original input data, learning to correctly identify the label of an Adversarial Example can be too demanding a task for the model. As a result, a model trained by MART may be unable to classify Adversarial Examples accurately. An object of the present invention is therefore to train a model with high identification accuracy for Adversarial Examples.
In order to solve the above problem, the present invention comprises a data acquisition unit that acquires training data for a model that outputs identification results for input data including Adversarial Examples, a difficulty determination unit that determines the model's identification difficulty for Adversarial Examples, and a learning processing unit that trains the model such that, the higher the determined identification difficulty of the model for the Adversarial Example, the larger the weight given, in the loss function used for training a model by MART (Misclassification Aware adveRsarial Training), to the value of the difference between the identification result for the Adversarial Example and the identification result for the data before the noise of the Adversarial Example is added.
According to the present invention, a model with high identification accuracy for Adversarial Examples can be trained.
FIG. 1 is a diagram showing a configuration example of a learning device.
FIG. 2 is a flow chart showing an example of the processing procedure of the learning device.
FIG. 3 is a flow chart showing an example of a processing procedure of the learning device.
FIG. 4 is a diagram showing an application example of the learning device.
FIG. 5 is a diagram showing experimental results for the model learned by the learning device.
FIG. 6 is a diagram showing a configuration example of a computer that executes the learning program.
Hereinafter, a mode (embodiment) for carrying out the present invention will be described with reference to the drawings. The present invention is not limited to this embodiment.
[Overview of learning device]
First, an outline of the learning device of this embodiment will be described with reference to FIG. 1. The learning device performs Adversarial Training of a model using a method that improves on the existing method MART.
That is, the learning device first determines the identification difficulty of the model to be trained for Adversarial Examples. When that identification difficulty is low, the learning device trains the model with more emphasis on identifying the correct label of the Adversarial Example than on keeping the model's output for the Adversarial Example from deviating greatly from its output for the original input data (the data before the noise of the Adversarial Example is added).
On the other hand, when the identification difficulty of the model to be trained for Adversarial Examples is high, the learning device trains the model with more emphasis on keeping the model's output for the Adversarial Example from deviating greatly from its output for the original input data than on identifying the correct label of the Adversarial Example.
In this way, the learning device 10 determines the training policy for the model based on the identification accuracy for Adversarial Examples (Robust Accuracy) and trains the model accordingly, so it can train a model with high identification accuracy.
[Prerequisite knowledge]
Here, the Adversarial Example and Adversarial Training in this embodiment will be described.
[Adversarial Example]
An Adversarial Example is an attack technique that causes a model to make an erroneous judgment by adding, to the input data, noise so small that it cannot be perceived by the human eye. The objective function of the Adversarial Example is as shown in Equation (1).
Figure JPOXMLDOC01-appb-M000001
In Equation (1) above, l(θ, x, y) is the loss function of the model, θ is the parameter of the model, x is the input data of the model, and y is the identification result of the input data x output from the model. Typical algorithms for generating Adversarial Examples include, for example, FGSM (Fast Gradient Sign Method) and PGD (Projection Gradient Descent). For example, FGSM adds noise to the input data x according to Equation (2) below.
Figure JPOXMLDOC01-appb-M000002
ε in Equation (2) is the magnitude of the noise. In FGSM, noise is added to the input data x so that the value of the loss function of the model increases.
PGD adds noise to the input data x according to the algorithm shown in Equation (3) below.
Figure JPOXMLDOC01-appb-M000003
[Adversarial Training]
Adversarial Training is a learning method for training a model that is robust against Adversarial Examples. The objective function of Adversarial Training is as shown in Equation (4).
Figure JPOXMLDOC01-appb-M000004
In general Adversarial Training, the parameter θ of the model is updated according to the algorithm shown in Equation (5) below.
Figure JPOXMLDOC01-appb-M000005
l(θ, x, y) is a loss function, for which the CE (Cross Entropy) function or the like is mainly used. x' in Equation (5) is an Adversarial Example of the input data x. This algorithm differs from general learning algorithms in that Adversarial Examples are used as learning data.
[MART]
In MART, model learning is performed using the loss function shown in Equation (6) below.
Figure JPOXMLDOC01-appb-M000006
BCE in this loss function is the Boosted Cross Entropy function and is represented by Equation (7) below.
Figure JPOXMLDOC01-appb-M000007
The function represented by KL in Equation (6) is the Kullback-Leibler distance, which is used as an index for measuring the distance between probability distributions.
By using the loss function shown in Equation (6), MART makes it possible to determine the learning policy of the model based on the identification difficulty (1-p_y(x, θ)) for the original input data.
Here, when the model can correctly identify the original input data (that is, when the identification difficulty is low), learning is performed with an emphasis on the first term (the BCE term) of the loss function shown in Equation (6). In other words, learning is performed with an emphasis on the model identifying the Adversarial Example with the correct label.
On the other hand, when the model cannot correctly identify the original input data (that is, when the identification difficulty is high), learning is performed with an emphasis on the second term (the KL term) of the loss function shown in Equation (6). In other words, learning is performed with an emphasis on ensuring that the model output for the Adversarial Example does not deviate significantly from the model output for the original input data.
The loss function used in MART is designed based on the intuition that if the model cannot correctly recognize the original input data, learning to recognize the Adversarial Example as the correct label is too severe a task for the model.
However, even when the model can correctly recognize the original input data, learning to recognize the Adversarial Example as the correct label may still be too severe a task for the model.
Therefore, the learning device of this embodiment determines, based on the model's identification difficulty for the Adversarial Example, whether learning to identify the Adversarial Example with the correct label is too severe for the model.
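The following Python sketch is an added example, not code from the patent. It builds an L-infinity PGD Adversarial Example against a small softmax classifier and compares MART's weighting of the KL term by (1-p_y(x, θ)) with the weighting by the Adversarial Example's own difficulty (1-p_y(x', θ)) that this document describes. The BCE and KL forms follow the published MART loss; the classifier weights, the sample, ε, the step size and λ are constructed values, and all function names are hypothetical.

```python
import math

def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]

def predict(W, b, x):
    """Class probabilities p(x, theta) of a linear softmax classifier."""
    return softmax([sum(w * xi for w, xi in zip(row, x)) + bk
                    for row, bk in zip(W, b)])

def pgd(W, b, x, y, eps, alpha, steps):
    """L-infinity PGD: ascend the cross-entropy loss, then project into the eps-ball."""
    adv = list(x)
    for _ in range(steps):
        p = predict(W, b, adv)
        # For this model, d CE / d x_j = sum_k W[k][j] * (p_k - [k == y]).
        grad = [sum(W[k][j] * (p[k] - (k == y)) for k in range(len(W)))
                for j in range(len(x))]
        adv = [a + alpha * ((g > 0) - (g < 0)) for a, g in zip(adv, grad)]
        adv = [min(max(a, xj - eps), xj + eps) for a, xj in zip(adv, x)]
    return adv

def bce(p_adv, y):
    """Boosted cross entropy as published for MART: CE plus a margin term."""
    runner_up = max(p for k, p in enumerate(p_adv) if k != y)
    return -math.log(p_adv[y]) - math.log(1.0 - runner_up)

def kl(p, q):
    """Kullback-Leibler distance KL(p || q) between two probability vectors."""
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q))

def weighted_loss(p_nat, p_adv, y, lam, difficulty):
    """BCE on the adversarial output plus the KL term scaled by a difficulty weight."""
    return bce(p_adv, y) + lam * kl(p_nat, p_adv) * difficulty

def argmax(p):
    return max(range(len(p)), key=p.__getitem__)

def compare(W, b, x, y, eps=0.5, alpha=0.1, steps=10, lam=5.0):
    """Per-sample loss under both weightings for one (x, y) pair."""
    x_adv = pgd(W, b, x, y, eps, alpha, steps)
    p_nat, p_adv = predict(W, b, x), predict(W, b, x_adv)
    d_nat = 1.0 - p_nat[y]   # MART: difficulty measured on the original input
    d_adv = 1.0 - p_adv[y]   # this document: difficulty measured on the Adversarial Example
    return {
        "x_adv": x_adv,
        "pred_nat": argmax(p_nat),
        "pred_adv": argmax(p_adv),
        "difficulty_nat": d_nat,
        "difficulty_adv": d_adv,
        "loss_mart": weighted_loss(p_nat, p_adv, y, lam, d_nat),
        "loss_adv_weighted": weighted_loss(p_nat, p_adv, y, lam, d_adv),
    }

# Constructed 3-class, 2-feature classifier and one sample of class 0.
W_DEMO = [[2.0, 0.0], [0.0, 2.0], [-2.0, -2.0]]
B_DEMO = [0.0, 0.0, 0.0]
X_DEMO = [1.0, 0.2]
Y_DEMO = 0

if __name__ == "__main__":
    for key, value in compare(W_DEMO, B_DEMO, X_DEMO, Y_DEMO).items():
        print(key, value)
```

The constructed sample is the case the text singles out: the original input is classified correctly with high confidence, so MART puts little weight on the KL term, while the Adversarial Example is misclassified and the difficulty measured on it is several times larger.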
[Configuration example of learning device]
A configuration example of the learning device 10 will be described with reference to FIG. 1. The learning device 10 includes, for example, an input unit 11, an output unit 12, a communication control unit 13, a storage unit 14, and a control unit 15.
The input unit 11 is an interface that receives input of various data. For example, the input unit 11 receives input of data used for the learning processing and prediction processing described later. The output unit 12 is an interface that outputs various data. For example, the output unit 12 outputs the label of data predicted by the control unit 15.
The communication control unit 13 is implemented by a NIC (Network Interface Card) or the like, and controls communication over a network between the control unit 15 and an external device such as a server. For example, the communication control unit 13 controls communication between the control unit 15 and a management device (see FIG. 4) that manages the data to be learned.
The storage unit 14 is implemented by a semiconductor memory device such as a RAM (Random Access Memory) or flash memory, or by a storage device such as a hard disk or optical disk, and stores, among other things, the parameters of the model learned by the learning processing described later.
The control unit 15 is implemented using, for example, a CPU (Central Processing Unit), and executes a processing program stored in the storage unit 14. The control unit 15 thereby functions as an acquisition unit 15a, a learning unit 15b, and a prediction unit 15c, as illustrated in FIG. 1.
The acquisition unit 15a acquires the data used for the learning processing and prediction processing described later, via the input unit 11 or the communication control unit 13.
The learning unit 15b performs learning (Adversarial Training) of a model for predicting the labels of input data including Adversarial Examples. The learning unit 15b includes a difficulty level determination unit 151 and a learning processing unit 152.
The difficulty level determination unit 151 determines the identification difficulty of the learning target model for the Adversarial Example. For example, the difficulty level determination unit 151 inputs an Adversarial Example for learning to the learning target model and obtains the probability p_y(x′, θ) that the model identifies the Adversarial Example as the correct label. The difficulty level determination unit 151 then takes (1 - p_y(x′, θ)) as the identification difficulty of the learning target model for the Adversarial Example.
The learning processing unit 152 determines a learning policy for the model based on how high the model's identification difficulty for the Adversarial Example, as determined by the difficulty level determination unit 151, is, and performs learning.
For example, the higher the model's identification difficulty for the Adversarial Example, the larger the learning processing unit 152 makes the weight of the value of the difference between the identification result for the Adversarial Example and the identification result for the data before the noise of the Adversarial Example is added, in the loss function used for learning the model by MART, when it performs model learning.
In other words, the learning processing unit 152 performs model learning with more emphasis on identifying the Adversarial Example with the correct label than on keeping the model's output for the Adversarial Example from deviating greatly from its output for the original input data.
Likewise, the lower the model's identification difficulty for the Adversarial Example, the smaller the learning processing unit 152 makes the weight of the value of the difference between the identification result for the Adversarial Example and the identification result for the data before the noise of the Adversarial Example is added, in the loss function used for learning the model by MART, when it performs model learning.
In other words, the learning processing unit 152 performs model learning with more emphasis on keeping the model's output for the Adversarial Example from deviating greatly from its output for the original input data than on identifying the Adversarial Example with the correct label.
For example, the learning processing unit 152 performs model learning using the loss function shown in Equation (8) below.
Figure JPOXMLDOC01-appb-M000008
The difference from the loss function used in MART (see Equation (6)) is that the identification-difficulty part (1 - p_y(x, θ)), which determines the learning policy of the model, is replaced by the identification difficulty for the Adversarial Example, (1 - p_y(x′, θ)). Because the learning processing unit 152 thus uses the learning target model's identification difficulty for the Adversarial Example when determining the learning policy, it can learn a model with high identification accuracy for Adversarial Examples.
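The change of weighting described above, as an added example that is not code from the patent. Equations (6) and (8) are not reproduced in this text, so the code assumes the loss form of the published MART paper (BCE term plus λ · KL term · difficulty) and swaps only the difficulty factor; the function names and probability vectors are constructed for illustration.

```python
import math

EPS = 1e-12  # guards log(0) for saturated probabilities


def boosted_cross_entropy(p_adv, y):
    """BCE term of MART: -log p_y(x') - log(1 - max_{k != y} p_k(x'))."""
    runner_up = max(p for k, p in enumerate(p_adv) if k != y)
    return -math.log(p_adv[y] + EPS) - math.log(1.0 - runner_up + EPS)


def kl_divergence(p_nat, p_adv):
    """KL(p(x, theta) || p(x', theta)): drift of the adversarial output."""
    return sum(p * (math.log(p + EPS) - math.log(q + EPS))
               for p, q in zip(p_nat, p_adv))


def difficulty(p_nat, p_adv, y, source):
    """Identification difficulty that multiplies the KL term.

    source="natural"     -> 1 - p_y(x, theta)   (MART)
    source="adversarial" -> 1 - p_y(x', theta)  (the variant described here)
    """
    if source == "natural":
        return 1.0 - p_nat[y]
    if source == "adversarial":
        return 1.0 - p_adv[y]
    raise ValueError("source must be 'natural' or 'adversarial'")


def sample_loss(p_nat, p_adv, y, lam, source):
    """Per-sample loss: BCE + lam * KL * difficulty (assumed MART form)."""
    weight = difficulty(p_nat, p_adv, y, source)
    return (boosted_cross_entropy(p_adv, y)
            + lam * kl_divergence(p_nat, p_adv) * weight)


def batch_loss(batch, lam, source):
    """Mean loss over (p_nat, p_adv, y) triples."""
    total = sum(sample_loss(pn, pa, y, lam, source) for pn, pa, y in batch)
    return total / len(batch)


# Constructed softmax outputs for three 3-class samples, as
# (p_nat, p_adv, true label y) triples. Not data from the patent.
BATCH = [
    # Clean input classified confidently, adversarial example flipped:
    # difficulty is low when measured on x, high when measured on x'.
    ([0.90, 0.05, 0.05], [0.20, 0.70, 0.10], 0),
    # Clean input already misclassified: both variants weight KL heavily.
    ([0.30, 0.60, 0.10], [0.10, 0.80, 0.10], 0),
    # Robust sample: outputs identical, KL is zero, both losses agree.
    ([0.85, 0.10, 0.05], [0.85, 0.10, 0.05], 0),
]

if __name__ == "__main__":
    lam = 5.0
    for p_nat, p_adv, y in BATCH:
        print("w_nat=%.2f w_adv=%.2f loss_nat=%.3f loss_adv=%.3f" % (
            difficulty(p_nat, p_adv, y, "natural"),
            difficulty(p_nat, p_adv, y, "adversarial"),
            sample_loss(p_nat, p_adv, y, lam, "natural"),
            sample_loss(p_nat, p_adv, y, lam, "adversarial"),
        ))
```

For the first sample the KL weight rises from 0.1 to 0.8 once the difficulty is measured on the Adversarial Example, which is the only place the two losses differ.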
The prediction unit 15c predicts (identifies) the label of input data using the model learned by the learning unit 15b. For example, the prediction unit 15c uses the learned model to calculate the probability of each label for newly acquired data, and outputs the label with the highest probability. As a result, the learning device 10 can output the correct label even when, for example, the input data is an Adversarial Example.
[Learning process]
Next, an example of the learning processing procedure performed by the learning device 10 will be described with reference to FIG. 2. The processing shown in FIG. 2 is started, for example, when an operation input instructing the start of the learning processing is received.
First, the acquisition unit 15a acquires learning data including Adversarial Examples (S1). Next, the learning unit 15b learns a model representing the probability distribution of the labels of the input data, using the learning data and the loss function (see Equation (8)) (S2). The learning unit 15b stores the parameters of the model learned in S2 in the storage unit 14.
[Prediction processing]
Next, an example of the processing by which the learning device 10 predicts the label of input data will be described with reference to FIG. 3. The processing shown in FIG. 3 is started, for example, when an operation input instructing the start of the prediction processing is received.
First, the acquisition unit 15a acquires the data whose label is to be predicted (S11). Next, the prediction unit 15c predicts the label of the data acquired in S11 using the model learned by the learning unit 15b (S12). For example, the prediction unit 15c uses the learned model to calculate p(x') for the data x' acquired in S11, and outputs the label with the highest probability. As a result, the learning device 10 can output the correct label even when, for example, the data x' is an Adversarial Example.
[Example of application of learning device]
The learning device 10 described above may be applied to object recognition processing in images. An application example for this case will be described with reference to FIG. 4.
For example, the learning device 10 performs model learning (Adversarial Training) using teacher data (learning data) acquired from a data acquisition device and the loss function described above. Thereafter, when the learning device 10 acquires image data from the data acquisition device, it predicts the label of the acquired image data using the learned model. The learning device 10 then outputs an object recognition result based on the prediction result.
[Experiment]
Next, experimental results for the model learned by the learning device 10 will be described. In the experiment, model learning by MART and model learning by the learning device 10 were each performed on the CIFAR10 data set, and the identification accuracy of the resulting models was compared. The model used in the experiment was ResNet18. The learning parameters were set to match the settings in the MART paper (Non-Patent Document 1), and the hyperparameter λ took the values 1, 2, ..., 10 used in that paper.
FIG. 5 shows the evaluation results of the model learned by MART and the model learned by the learning device 10 (Propose). In FIG. 5, NatAcc is the model's accuracy rate on the original input data, and RobAcc is the model's accuracy rate on Adversarial Examples. The accuracy shown in FIG. 5 is the accuracy at the epoch with the highest accuracy on Adversarial Examples.
As shown in FIG. 5, it was confirmed that Propose exceeded MART in RobAcc except in the case of λ = 7. In addition, when the RobAcc of each epoch at λ = 7 was checked, it was confirmed that a RobAcc value that swung sharply upward existed in one epoch.
[System configuration, etc.]
Each constituent element of each unit shown in the figures is functionally conceptual and does not necessarily need to be physically configured as illustrated. That is, the specific form of distribution and integration of each device is not limited to the one illustrated, and all or part of each device can be functionally or physically distributed or integrated in arbitrary units according to various loads, usage conditions, and the like. Furthermore, all or any part of each processing function performed by each device can be implemented by a CPU and a program executed by that CPU, or implemented as hardware based on wired logic.
Among the processes described in the above embodiment, all or part of the processes described as being performed automatically can also be performed manually, and all or part of the processes described as being performed manually can also be performed automatically by known methods. In addition, the processing procedures, control procedures, specific names, and information including various data and parameters shown in the above document and in the drawings can be changed arbitrarily unless otherwise specified.
[Program]
The learning device 10 described above can be implemented by installing a program (learning program) on a desired computer as packaged software or online software. For example, an information processing device can be made to function as the learning device 10 by causing it to execute the above program. The information processing devices referred to here include mobile communication terminals such as smartphones, mobile phones, and PHS (Personal Handyphone System) devices, as well as terminals such as PDAs (Personal Digital Assistants).
FIG. 6 is a diagram showing an example of a computer that executes the learning program. The computer 1000 has, for example, a memory 1010 and a CPU 1020. The computer 1000 also has a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.
The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012. The ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to a hard disk drive 1090. The disk drive interface 1040 is connected to a disk drive 1100. A removable storage medium such as a magnetic disk or optical disk is inserted into the disk drive 1100. The serial port interface 1050 is connected to, for example, a mouse 1110 and a keyboard 1120. The video adapter 1060 is connected to, for example, a display 1130.
The hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, the program that defines each process executed by the learning device 10 is implemented as the program module 1093, in which computer-executable code is written. The program module 1093 is stored, for example, on the hard disk drive 1090. For example, a program module 1093 for executing processing equivalent to the functional configuration of the learning device 10 is stored on the hard disk drive 1090. The hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
The data used in the processing of the above embodiment is stored as the program data 1094, for example in the memory 1010 or on the hard disk drive 1090. The CPU 1020 then reads the program module 1093 and the program data 1094 stored in the memory 1010 or on the hard disk drive 1090 into the RAM 1012 as necessary and executes them.
The program module 1093 and the program data 1094 are not limited to being stored on the hard disk drive 1090; they may, for example, be stored on a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored on another computer connected via a network (a LAN (Local Area Network), a WAN (Wide Area Network), or the like), and may be read from that computer by the CPU 1020 via the network interface 1070.
REFERENCE SIGNS LIST
 10 learning device
 11 input unit
 12 output unit
 13 communication control unit
 14 storage unit
 15 control unit
 15a acquisition unit
 15b learning unit
 15c prediction unit
 151 difficulty level determination unit
 152 learning processing unit

Claims (6)

  1.  A learning device comprising:
     a data acquisition unit that acquires learning data for a model for outputting identification results of input data including Adversarial Examples;
     a difficulty level determination unit that determines the identification difficulty of the model for an Adversarial Example; and
     a learning processing unit that performs learning of the model such that the higher the determined identification difficulty of the model for the Adversarial Example, the larger the weight of the value of the difference, in the loss function used for model learning by MART (Misclassification Aware adveRsarial Training), between the identification result for the Adversarial Example and the identification result for the data before the noise of the Adversarial Example is added.
  2.  The learning device according to claim 1, wherein
     the learning processing unit performs learning of the model such that the lower the determined identification difficulty of the model for the Adversarial Example, the smaller the weight of the value of the difference, in the loss function, between the identification result for the Adversarial Example and the identification result for the data before the noise of the Adversarial Example is added.
  3.  The learning device according to claim 1, wherein
     the difficulty level determination unit determines the identification difficulty of the model for the Adversarial Example by inputting the Adversarial Example to the model to be learned.
  4.  The learning device according to claim 1, further comprising
     an identification unit that identifies input data using the model on which Adversarial Training has been performed.
  5.  A learning method performed by a learning device, the method comprising:
     a step of acquiring learning data for a model for outputting identification results of input data including Adversarial Examples;
     a step of determining the identification difficulty of the model for an Adversarial Example; and
     a step of performing learning of the model such that the higher the determined identification difficulty of the model for the Adversarial Example, the larger the weight of the value of the difference, in the loss function used for model learning by MART (Misclassification Aware adveRsarial Training), between the identification result for the Adversarial Example and the identification result for the data before the noise of the Adversarial Example is added.
  6.  A learning program for causing a computer to execute:
     a step of acquiring learning data for a model for outputting identification results of input data including Adversarial Examples;
     a step of determining the identification difficulty of the model for an Adversarial Example; and
     a step of performing learning of the model such that the higher the determined identification difficulty of the model for the Adversarial Example, the larger the weight of the value of the difference, in the loss function used for model learning by MART (Misclassification Aware adveRsarial Training), between the identification result for the Adversarial Example and the identification result for the data before the noise of the Adversarial Example is added.
PCT/JP2021/038503 2021-10-18 2021-10-18 Learning device, learning method, and learning program WO2023067669A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2021/038503 WO2023067669A1 (en) 2021-10-18 2021-10-18 Learning device, learning method, and learning program
JP2023553921A JPWO2023067669A1 (en) 2021-10-18 2021-10-18

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/038503 WO2023067669A1 (en) 2021-10-18 2021-10-18 Learning device, learning method, and learning program

Publications (1)

Publication Number Publication Date
WO2023067669A1 true WO2023067669A1 (en) 2023-04-27

Family

ID=86058898

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/038503 WO2023067669A1 (en) 2021-10-18 2021-10-18 Learning device, learning method, and learning program

Country Status (2)

Country Link
JP (1) JPWO2023067669A1 (en)
WO (1) WO2023067669A1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113255531A (en) * 2021-05-31 2021-08-13 腾讯科技(深圳)有限公司 Method and device for processing living body detection model, computer equipment and storage medium


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WANG YISEN, ZOU DIFAN, YI JINFENG, BAILEY JAMES, MA XINGJUN, GU QUANQUAN: "IMPROVING ADVERSARIAL ROBUSTNESS REQUIRES REVISITING MISCLASSIFIED EXAMPLES", ICLR 2020 CONFERENCE BLIND SUBMISSION, 20 December 2019 (2019-12-20), pages 1 - 14, XP093058462 *

Also Published As

Publication number Publication date
JPWO2023067669A1 (en) 2023-04-27


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21961322

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2023553921

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE