WO2023195120A1 - Training device, training method, and training program - Google Patents

Info

Publication number
WO2023195120A1
Authority
WO
WIPO (PCT)
Prior art keywords
learning
model
loss
loss function
training
Application number
PCT/JP2022/017240
Other languages
French (fr)
Japanese (ja)
Inventor
真徳 山田
Original Assignee
日本電信電話株式会社
Application filed by 日本電信電話株式会社
Priority to PCT/JP2022/017240
Publication of WO2023195120A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00: Machine learning

Definitions

  • the present invention relates to a learning device, a learning method, and a learning program.
  • there is an attack called Adversarial Example that causes a classifier to make a false judgment by adding noise to the data to be classified.
  • as a countermeasure against this Adversarial Example, there is, for example, Adversarial Training, in which a model (classifier) is trained using Adversarial Examples.
  • models learned using Adversarial Training have a problem of low generalization performance. This is because the generalization performance of Deep Learning is higher as the loss landscape (the shape of the loss function) with respect to the model's weight is flatter, but learning using Adversarial Training sharpens the model's loss landscape.
  • the present invention aims to solve the above-mentioned problems, improve the generalization performance of the model, and learn a model that is more robust against adversarial examples.
  • the present invention is characterized by comprising a learning processing unit that, in learning a model for predicting a label of input data including an Adversarial Example, performs learning of the model using, as the loss function for calculating the loss with respect to the weight of the model, a loss function that is regularized so that the loss value does not fall to or below a predetermined value whatever the value of the weight.
  • FIG. 1 is a diagram for explaining the loss landscape of the loss function used by the learning device.
  • FIG. 2 is a diagram showing an example of the configuration of the learning device.
  • FIG. 3 is a flowchart showing an example of the processing procedure of the learning device.
  • FIG. 4 is a flowchart showing an example of the processing procedure of the learning device.
  • FIG. 5 is a diagram showing an example of application of the learning device.
  • FIG. 6 is a diagram showing experimental results for the model learned by the learning device.
  • FIG. 7 is a diagram showing experimental results for the model learned by the learning device.
  • FIG. 8 is a diagram showing an example of the configuration of a computer that executes a learning program.
  • the learning device of this embodiment uses a loss function regularized so that the loss does not become less than a predetermined value, as a loss function for calculating the loss with respect to the weight of the model.
  • the learning device uses a loss function in which the loss bottoms out at a predetermined value (for example, b). This flattens the outline of the loss landscape. Therefore, by using the above loss function in Adversarial Training, the learning device can learn a model with high generalization performance. As a result, the learning device can learn a model that is robust to the Adversarial Example.
  • the learning device 10 includes, for example, an input section 11, an output section 12, a communication control section 13, a storage section 14, and a control section 15.
  • the input unit 11 is an interface that accepts input of various data.
  • the input unit 11 receives input of data used for learning processing and prediction processing, which will be described later.
  • the output unit 12 is an interface that outputs various data.
  • the output unit 12 outputs the label of the data predicted by the control unit 15.
  • the communication control unit 13 is realized by a NIC (Network Interface Card) or the like, and controls communication between the control unit 15 and an external device such as a server via a network.
  • the communication control unit 13 controls communication between the control unit 15 and a data acquisition device (see FIG. 5) that acquires data to be studied.
  • the storage unit 14 is realized by a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk, and stores, for example, the parameters of the model learned by the learning process described later.
  • the control unit 15 is realized using, for example, a CPU (Central Processing Unit) or the like, and executes a processing program stored in the storage unit 14. Thereby, the control unit 15 functions as an acquisition unit 15a, a learning unit 15b, and a prediction unit 15c, as illustrated in FIG. 2.
  • the acquisition unit 15a acquires data used for learning processing and prediction processing, which will be described later, via the input unit 11 or the communication control unit 13.
  • the learning unit 15b performs Adversarial Training of a model for predicting labels of input data including Adversarial Examples.
  • the learning unit 15b performs learning of the model using learning data including the Adversarial Example and a predetermined loss function (details will be described later). For example, the learning unit 15b determines the parameters (weight) of the model.
  • l in formula (1) is a loss function.
  • B(x, ε) is the set of points within a distance ε from x, and is a constraint used to make noise invisible to the human eye.
  • typically, the L∞ norm is used.
  • Adversarial Training performed by the learning unit 15b is defined as in the following equation (2).
  • v in equation (3) is Gaussian noise randomly sampled from within the region shown in equation (4).
  • the subscript l of w_l indicates that the calculation is performed for each layer, and the norm of a matrix is measured by the Frobenius norm.
  • the learning unit 15b uses a regularized loss function so that the loss value does not become less than a predetermined value no matter what value the weight is.
  • the learning unit 15b performs learning of the model using a loss function shown in equation (5) below.
  • the learning unit 15b uses the learning data acquired by the acquisition unit 15a to determine the weight of a model that minimizes the loss value of the loss function described above based on equation (6).
  • the loss value does not fall to or below the predetermined value no matter what value the weight is, so the loss landscape takes a flat shape that bottoms out at the predetermined value (for example, b), as shown in FIG. 1.
  • the learning unit 15b learns the model using the above loss function, thereby improving the generalization performance of the model.
  • the prediction unit 15c predicts the label of the input data using the model learned by the learning unit 15b. For example, the prediction unit 15c uses the learned model to calculate the probability of each label of newly acquired data, and outputs the label with the highest probability. Thereby, the learning device 10 can output a correct label even when the input data is Adversarial Example, for example.
  • an example of a learning processing procedure by the learning device 10 will be described with reference to FIG. 3.
  • the process shown in FIG. 3 is started, for example, at the timing when an operation input instructing the start of the learning process is received.
  • the acquisition unit 15a acquires learning data including Adversarial Example (S1).
  • the learning unit 15b uses the learning data and the above loss function to learn a model representing the probability distribution of the labels of the input data (S2).
  • the learning unit 15b stores the parameters of the model learned in S2 in the storage unit 14.
  • the acquisition unit 15a acquires data for which a label is to be predicted (S11).
  • the prediction unit 15c predicts the label of the data acquired in S11 using the model learned by the learning unit 15b (S12). For example, the prediction unit 15c uses the learned model to calculate p(x') of the data x' acquired in S11, and outputs the label with the highest probability.
  • the learning device 10 can output a correct label.
  • the learning device 10 described above may be applied to data anomaly detection.
  • An example of application in this case will be described with reference to FIG. 5.
  • the case where the function of the prediction unit 15c described above is installed in the detection device 20 will be explained as an example.
  • the learning device 10 performs model learning using teacher data (learning data) acquired from a data acquisition device and the loss function described above. After that, when the detection device 20 acquires new data x' from the data acquisition device, it calculates p(x') of the data x' using the learned model. Then, the detection device 20 outputs a report indicating whether the data x' is abnormal data based on the label with the highest probability.
  • the evaluation metric is Robust Acc: the classification accuracy (0 to 1) on data to which an Adversarial Example has been applied.
  • first, the results of Experiment 1 will be explained using FIG. 6.
  • it was confirmed that the model learned by the learning device 10 of this embodiment has a higher Robust Acc at 400 epochs or more than the model learned by the existing AT and the model learned by AWP.
  • next, Experiment 2 will be explained using FIG. 7.
  • the purpose of Experiment 2 is to confirm that the height of Robust Acc depends on the constant b of the loss function used for model learning.
  • b was set to a value between 0 and 2.
  • the vertical axis of the graph shown in FIG. 7 is Test Robust Acc, and the horizontal axis is the constant b of the loss function.
  • each component of each part shown in the drawings is functionally conceptual, and does not necessarily need to be physically configured as shown in the drawings.
  • the specific form of distributing and integrating each device is not limited to what is shown in the drawings, and all or part of the devices can be functionally or physically distributed or integrated in arbitrary units depending on various loads, usage conditions, etc.
  • all or any part of each processing function performed by each device may be realized by a CPU and a program executed by the CPU, or may be realized as hardware using wired logic.
  • the learning device 10 described above can be implemented by installing a program on a desired computer as packaged software or online software. For example, by causing the information processing device to execute the above program, the information processing device can be made to function as the learning device 10.
  • the information processing device referred to here includes a desktop or notebook personal computer.
  • information processing devices include mobile communication terminals such as smartphones, mobile phones, and PHS (Personal Handyphone System), as well as terminals such as PDAs (Personal Digital Assistants).
  • the learning device 10 can also be implemented as a server device that uses a terminal device used by a user as a client and provides services related to the above processing to the client.
  • the server device may be implemented as a web server, or may be implemented as a cloud that provides services related to the above processing through outsourcing.
  • FIG. 8 is a diagram showing an example of a computer that executes a learning program.
  • Computer 1000 includes, for example, a memory 1010 and a CPU 1020.
  • the computer 1000 also includes a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These parts are connected by a bus 1080.
  • the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012.
  • the ROM 1011 stores, for example, a boot program such as BIOS (Basic Input Output System).
  • Hard disk drive interface 1030 is connected to hard disk drive 1090.
  • Disk drive interface 1040 is connected to disk drive 1100.
  • Serial port interface 1050 is connected to, for example, mouse 1110 and keyboard 1120.
  • Video adapter 1060 is connected to display 1130, for example.
  • the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, a program that defines each process executed by the learning device 10 described above is implemented as a program module 1093 in which computer-executable code is written.
  • Program module 1093 is stored in hard disk drive 1090, for example.
  • a program module 1093 for executing processing similar to the functional configuration of the learning device 10 is stored in the hard disk drive 1090.
  • the hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
  • the data used in the processing of the embodiment described above is stored as program data 1094 in, for example, the memory 1010 or the hard disk drive 1090. Then, the CPU 1020 reads out the program module 1093 and program data 1094 stored in the memory 1010 and the hard disk drive 1090 to the RAM 1012 and executes them as necessary.
  • program module 1093 and the program data 1094 are not limited to being stored in the hard disk drive 1090, but may be stored in a removable storage medium, for example, and read by the CPU 1020 via the disk drive 1100 or the like.
  • the program module 1093 and the program data 1094 may be stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.). The program module 1093 and program data 1094 may then be read by the CPU 1020 from another computer via the network interface 1070.

Abstract

A training device for training a model, in training a model for predicting a label of input data including an adversarial example, uses, as a loss function for calculating loss relative to weight in the model, a loss function regularized such that the value of the loss does not fall to or below a prescribed value b for any weight value. This makes it possible for the training device to smooth a loss landscape of the model. As a result, the training device is capable of training a model that is robust with respect to adversarial examples.

Description

Learning device, learning method, and learning program
The present invention relates to a learning device, a learning method, and a learning program.
Conventionally, there is an attack called Adversarial Example that causes a classifier to make a false judgment by adding noise to the data to be classified. As a countermeasure against this Adversarial Example, there is, for example, Adversarial Training, in which a model (classifier) is trained using Adversarial Examples.
However, models learned using Adversarial Training have a problem of low generalization performance. This is because the generalization performance of Deep Learning is higher the flatter the loss landscape (the shape of the loss function) with respect to the model's weight is, but learning using Adversarial Training sharpens the model's loss landscape.
Therefore, the present invention aims to solve the above-mentioned problem, improve the generalization performance of the model, and learn a model that is more robust against Adversarial Examples.
In order to solve the above problem, the present invention is characterized by comprising a learning processing unit that, in learning a model for predicting a label of input data including an Adversarial Example, performs learning of the model using, as the loss function for calculating the loss with respect to the weight of the model, a loss function that is regularized so that the loss value does not fall to or below a predetermined value whatever the value of the weight.
According to the present invention, a model that is more robust to Adversarial Examples can be learned.
FIG. 1 is a diagram for explaining the loss landscape of the loss function used by the learning device.
FIG. 2 is a diagram showing an example of the configuration of the learning device.
FIG. 3 is a flowchart showing an example of the processing procedure of the learning device.
FIG. 4 is a flowchart showing an example of the processing procedure of the learning device.
FIG. 5 is a diagram showing an example of application of the learning device.
FIG. 6 is a diagram showing experimental results for the model learned by the learning device.
FIG. 7 is a diagram showing experimental results for the model learned by the learning device.
FIG. 8 is a diagram showing an example of the configuration of a computer that executes a learning program.
Hereinafter, embodiments of the present invention will be described with reference to the drawings. Note that the present invention is not limited to the embodiments described below.
[Overview of learning device]
As mentioned above, the generalization performance of a model learned by Deep Learning is higher the flatter the loss landscape (the shape of the loss function) with respect to the weight of the model is. However, learning using conventional Adversarial Training sharpens the loss landscape of the model, so there is a problem in that the generalization performance of the model cannot be improved.
Therefore, in Adversarial Training, the learning device of this embodiment uses, as the loss function for calculating the loss with respect to the weight of the model, a loss function regularized so that the loss does not fall to or below a predetermined value.
For example, as shown in FIG. 1, the learning device uses a loss function in which the loss bottoms out at a predetermined value (for example, b). This flattens the overall shape of the loss landscape. Therefore, by using such a loss function in Adversarial Training, the learning device can learn a model with high generalization performance. As a result, the learning device can learn a model that is robust to Adversarial Examples.
[Example of configuration of learning device]
A configuration example of the learning device 10 will be described using FIG. 2. The learning device 10 includes, for example, an input unit 11, an output unit 12, a communication control unit 13, a storage unit 14, and a control unit 15.
The input unit 11 is an interface that accepts input of various data. For example, the input unit 11 receives input of data used for the learning processing and prediction processing described later. The output unit 12 is an interface that outputs various data. For example, the output unit 12 outputs the label of the data predicted by the control unit 15.
The communication control unit 13 is realized by a NIC (Network Interface Card) or the like, and controls communication between the control unit 15 and an external device such as a server via a network. For example, the communication control unit 13 controls communication between the control unit 15 and a data acquisition device (see FIG. 5) that acquires the data to be learned and the like.
The storage unit 14 is realized by a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk, and stores, for example, the parameters of the model learned by the learning process described later.
The control unit 15 is realized using, for example, a CPU (Central Processing Unit) or the like, and executes a processing program stored in the storage unit 14. Thereby, the control unit 15 functions as an acquisition unit 15a, a learning unit 15b, and a prediction unit 15c, as illustrated in FIG. 2.
The acquisition unit 15a acquires data used for the learning processing and prediction processing described later, via the input unit 11 or the communication control unit 13.
The learning unit 15b performs learning (Adversarial Training) of a model for predicting labels of input data including Adversarial Examples. The learning unit 15b performs learning of the model using learning data including Adversarial Examples and a predetermined loss function (details will be described later). For example, the learning unit 15b determines the parameters (weight) of the model.
Here, an Adversarial Example for the weight of the above model is defined as in equation (1).
Figure JPOXMLDOC01-appb-M000001
In equation (1), l is a loss function. B(x, ε) is the set of points within a distance ε from x, and is a constraint used to make noise invisible to the human eye. Typically, the L∞ norm is used.
The Adversarial Training performed by the learning unit 15b is defined as in the following equation (2).
Figure JPOXMLDOC01-appb-M000002
Note that the sharpness of the loss landscape is calculated by the following equation (3).
Figure JPOXMLDOC01-appb-M000003
v in equation (3) is Gaussian noise randomly sampled from within the region shown in equation (4). The subscript l of w_l indicates that the calculation is performed for each layer, and the norm of a matrix is measured by the Frobenius norm.
Figure JPOXMLDOC01-appb-M000004
As the loss function for calculating the loss with respect to the weight of the model, the learning unit 15b uses a loss function regularized so that the above loss value does not fall to or below a predetermined value no matter what value the weight is.
For example, the learning unit 15b performs learning of the model using the loss function shown in equation (5) below.
Figure JPOXMLDOC01-appb-M000005
For example, the learning unit 15b uses the learning data acquired by the acquisition unit 15a to determine, based on equation (6), the weight of the model that minimizes the loss value of the above loss function.
Figure JPOXMLDOC01-appb-M000006
With the above loss function, the loss value does not fall to or below the predetermined value no matter what value the weight is, so the loss landscape takes a flat shape that bottoms out at the predetermined value (for example, b), as shown in FIG. 1. As a result, the learning unit 15b can improve the generalization performance of the model by learning the model with the above loss function.
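As an added illustration (not code from the patent or its applicant), the following Python example runs Adversarial Training on a toy logistic classifier with a floored loss and compares it with plain Adversarial Training. Equation (5) is not reproduced on this page, so the form |l − b| + b, the value b = 0.3, the linear model, the constructed 2-D data and all function names are assumptions; only the PGD setting names and values are taken from the experiment conditions listed later on this page.

```python
import math
import random

# PGD settings taken from the experiment conditions on this page.
EPS, EPS_ITER, TRAIN_ITER, EVAL_ITER = 8 / 255, 0.01, 7, 20
CLIP_MIN, CLIP_MAX = 0.0, 1.0


def sigmoid(z):
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)  # avoids overflow for very negative z
    return e / (1.0 + e)


def predict(w, c, x):
    """Probability of label 1 under the toy linear model (an assumption)."""
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + c)


def bce(p, y):
    """Cross-entropy loss l for one sample; p is clamped away from 0 and 1."""
    p = min(max(p, 1e-12), 1.0 - 1e-12)
    return -math.log(p) if y == 1 else -math.log(1.0 - p)


def floored_loss(loss, b):
    """ASSUMED form of a loss that never drops below b: |l - b| + b."""
    return abs(loss - b) + b


def clip(v):
    return min(max(v, CLIP_MIN), CLIP_MAX)


def pgd(w, c, x, y, iters, rng):
    """L-infinity PGD inside B(x, EPS); crafts the training and eval inputs."""
    adv = [clip(xi + rng.uniform(-EPS, EPS)) for xi in x]  # rand_init=True
    for _ in range(iters):
        g = predict(w, c, adv) - y  # dl/dlogit, so dl/dx_i = g * w_i
        for i, xi in enumerate(x):
            d = g * w[i]
            step = EPS_ITER * ((d > 0) - (d < 0))  # signed gradient step
            adv[i] = clip(min(max(adv[i] + step, xi - EPS), xi + EPS))
    return adv


def adv_batch_loss(w, c, data, iters, rng):
    """Mean loss on PGD inputs and its gradient with respect to (w, c)."""
    gw, gc, total = [0.0] * len(w), 0.0, 0.0
    for x, y in data:
        adv = pgd(w, c, x, y, iters, rng)
        p = predict(w, c, adv)
        total += bce(p, y)
        for i, ai in enumerate(adv):
            gw[i] += (p - y) * ai
        gc += p - y
    n = len(data)
    return total / n, [g / n for g in gw], gc / n


def train(data, b=None, epochs=400, lr=0.5, seed=0):
    """Adversarial training; with b set, descend on |l - b| + b instead of l."""
    rng = random.Random(seed)
    w, c = [0.0] * len(data[0][0]), 0.0
    for _ in range(epochs):
        loss, gw, gc = adv_batch_loss(w, c, data, TRAIN_ITER, rng)
        # d(|l - b| + b)/dw = sign(l - b) * dl/dw: ascend while l is below b.
        s = -1.0 if (b is not None and loss < b) else 1.0
        w = [wi - lr * s * g for wi, g in zip(w, gw)]
        c -= lr * s * gc
    return w, c


def robust_acc(w, c, data, seed=1):
    """Accuracy on PGD inputs (the page's Robust Acc), EVAL_ITER steps."""
    rng = random.Random(seed)
    hits = sum((predict(w, c, pgd(w, c, x, y, EVAL_ITER, rng)) > 0.5) == (y == 1)
               for x, y in data)
    return hits / len(data)


def make_data(n=40, seed=7):
    """Constructed 2-D toy data in [0, 1]: two jittered clusters."""
    rng = random.Random(seed)
    return [([(0.8 if k % 2 else 0.2) + rng.uniform(-0.1, 0.1) for _ in range(2)], k % 2)
            for k in range(n)]


if __name__ == "__main__":
    data = make_data()
    for name, b in (("plain AT", None), ("floored, b=0.3", 0.3)):
        w, c = train(data, b=b)
        loss, _, _ = adv_batch_loss(w, c, data, TRAIN_ITER, random.Random(2))
        print(f"{name}: adv loss={loss:.3f} robust acc={robust_acc(w, c, data):.2f}")
```

On this toy problem the plain run keeps pushing the adversarial training loss down, while the floored run holds it near b; the example shows the mechanism only and does not reproduce the CIFAR-10 results reported below.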
The prediction unit 15c predicts the label of the input data using the model learned by the learning unit 15b. For example, the prediction unit 15c uses the learned model to calculate the probability of each label for newly acquired data, and outputs the label with the highest probability. Thereby, the learning device 10 can output a correct label even when, for example, the input data is an Adversarial Example.
[Learning process]
Next, an example of a learning processing procedure by the learning device 10 will be described with reference to FIG. 3. The process shown in FIG. 3 is started, for example, at the timing when an operation input instructing the start of the learning process is received.
First, the acquisition unit 15a acquires learning data including Adversarial Examples (S1). Next, the learning unit 15b uses the learning data and the above loss function to learn a model representing the probability distribution of the labels of the input data (S2). The learning unit 15b stores the parameters of the model learned in S2 in the storage unit 14.
[Prediction processing]
Next, with reference to FIG. 4, an example of the process of predicting a label of input data by the learning device 10 will be described. The process shown in FIG. 4 is started, for example, at the timing when an operation input instructing the start of the prediction process is received.
First, the acquisition unit 15a acquires the data whose label is to be predicted (S11). Next, the prediction unit 15c predicts the label of the data acquired in S11 using the model learned by the learning unit 15b (S12). For example, the prediction unit 15c uses the learned model to calculate p(x') of the data x' acquired in S11, and outputs the label with the highest probability.
Thereby, for example, even if the data x' is an Adversarial Example, the learning device 10 can output a correct label.
[Application example of learning device]
The learning device 10 described above may be applied to data anomaly detection. An example of application in this case will be described with reference to FIG. 5. Here, the case where the function of the prediction unit 15c described above is installed in the detection device 20 will be explained as an example.
For example, the learning device 10 performs model learning using teacher data (learning data) acquired from a data acquisition device and the loss function described above. After that, when the detection device 20 acquires new data x' from the data acquisition device, it calculates p(x') of the data x' using the learned model. Then, the detection device 20 outputs a report indicating whether the data x' is abnormal data, based on the label with the highest probability.
[Experimental results]
Next, the results of an evaluation experiment of the model learned by the learning device 10 will be explained. The evaluation metric is Robust Acc: the classification accuracy (0 to 1) on data to which an Adversarial Example has been applied.
[Experiment conditions]
Image dataset: cifar10
Deep learning model: Resnet18
Adversarial Example: PGD
PGD parameters: eps=8/255, train_iter=7, eval_iter=20, eps_iter=0.01, rand_init=True, clip_min=0.0, clip_max=1.0
[実験1]
 まず、図6を用いて、実験1の結果を説明する。実験1では、本実施形態の学習装置10で学習したモデル(式(6)におけるb=1.2)、既存のAT(Adversarial Training)で学習したモデル、および、AWP(Adversarial Weight Perturbation)で学習したモデルそれぞれのRobust Accの比較を行った。図6に示すグラフの縦軸はTest Robust Accであり、横軸はモデルの学習のepochである。
[Experiment 1]
First, the results of Experiment 1 will be explained using FIG. 6. In Experiment 1, a model learned by the learning device 10 of this embodiment (b=1.2 in equation (6)), a model learned by existing AT (Adversarial Training), and a model learned by AWP (Adversarial Weight Perturbation) were used. We compared each Robust Acc. The vertical axis of the graph shown in FIG. 6 is Test Robust Acc, and the horizontal axis is the epoch of model learning.
As shown in FIG. 6, it was confirmed that, at 400 epochs or more, the model trained by the learning device 10 of this embodiment has a higher Robust Acc than the model trained by existing AT and the model trained by AWP.
[Experiment 2]
Next, Experiment 2 is described with reference to FIG. 7. The purpose of Experiment 2 is to confirm that the level of Robust Acc depends on the constant b of the loss function used to train the model. Experiment 2 compared the Robust Acc of a model trained with existing AT after adding a constant term (b) to its loss function, and a model trained with the loss function of the learning device 10 of this embodiment (see equation (5)). In each case, b was set to values from 0 to 2. The vertical axis of the graph in FIG. 7 is Test Robust Acc, and the horizontal axis is the constant b of the loss function.
As shown in FIG. 7, it was confirmed that the level of Robust Acc depends on the constant b of the loss function, both when the model is trained by existing AT and when it is trained by the learning device 10 of this embodiment. It was also confirmed that setting the constant b of the loss function used by the learning device 10 of this embodiment to an appropriate value (for example, b=1, 1.2, 1.4) yields a higher Robust Acc than existing AT.
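The regularized loss |L(x+η,y,w)-b|+b from the claims, combined with the PGD parameters listed in the experimental conditions, can be exercised on a small scale. The following is an added example, not code from the patent: the logistic model, the function names, the constructed toy data, the learning rate and epoch count, and applying the regularizer per sample are all assumptions.

```python
import math, random

# Assumptions (not from the patent): logistic model, per-sample regularizer, lr, epochs.
def loss(w, x, y):
    """Cross-entropy L(x, y, w) of a logistic model; returns (L, p)."""
    z = sum(wi * xi for wi, xi in zip(w, x))
    p = min(max(1.0 / (1.0 + math.exp(-z)), 1e-12), 1.0 - 1e-12)
    return -(y * math.log(p) + (1 - y) * math.log(1.0 - p)), p

def pgd(w, x, y, rng, eps=8/255, eps_iter=0.01, nb_iter=7,
        clip_min=0.0, clip_max=1.0):
    """L-inf PGD with random start: search B(x, eps) for the eta maximising L."""
    clip = lambda v, lo, hi: min(max(v, lo), hi)
    adv = [clip(xi + rng.uniform(-eps, eps), clip_min, clip_max) for xi in x]
    for _ in range(nb_iter):
        _, p = loss(w, adv, y)
        grad_x = [(p - y) * wi for wi in w]            # dL/dx for this model
        adv = [a + eps_iter * ((g > 0) - (g < 0)) for a, g in zip(adv, grad_x)]
        adv = [clip(clip(a, xi - eps, xi + eps), clip_min, clip_max)
               for a, xi in zip(adv, x)]               # project, then clip to range
    return adv

def regularized(w, x_adv, y, b):
    """Return (|L - b| + b, gradient w.r.t. w, raw L) for one adversarial sample."""
    L, p = loss(w, x_adv, y)
    s = 1.0 if L >= b else -1.0   # below b the sign flips: descent becomes ascent
    return abs(L - b) + b, [s * (p - y) * xi for xi in x_adv], L

def train(data, b, epochs=200, lr=0.5, seed=0):
    """Per-sample SGD on the regularized adversarial loss; returns (w, history)."""
    rng, w, history = random.Random(seed), [0.0] * len(data[0][0]), []
    for _ in range(epochs):
        reg_sum = raw_sum = 0.0
        for x, y in data:
            reg, grad, raw = regularized(w, pgd(w, x, y, rng), y, b)
            w = [wi - lr * gi for wi, gi in zip(w, grad)]
            reg_sum, raw_sum = reg_sum + reg, raw_sum + raw
        history.append((reg_sum / len(data), raw_sum / len(data)))
    return w, history

# Constructed toy data in [0, 1]^2 (not from the patent's CIFAR-10 experiments).
DATA = [([0.9, 0.2], 1), ([0.8, 0.1], 1), ([0.1, 0.8], 0), ([0.2, 0.9], 0)]

if __name__ == "__main__":
    for b in (0.0, 0.3):
        _, hist = train(DATA, b)
        print(f"b={b}: regularized={hist[-1][0]:.3f} raw adversarial={hist[-1][1]:.3f}")
```

With b=0 the routine reduces to plain adversarial training; with b>0 the raw adversarial loss is held near b instead of being driven toward zero, which is the property the regularization is meant to provide.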
[System configuration, etc.]
The components of each part shown in the drawings are functional and conceptual, and do not necessarily need to be physically configured as shown. In other words, the specific form of distribution and integration of the devices is not limited to what is shown in the drawings, and all or part of them can be functionally or physically distributed or integrated in arbitrary units according to various loads, usage conditions, and the like. Furthermore, all or any part of the processing functions performed by each device may be realized by a CPU and a program executed by the CPU, or may be realized as hardware using wired logic.
Among the processes described in the above embodiment, all or part of the processes described as being performed automatically can also be performed manually, and all or part of the processes described as being performed manually can also be performed automatically by known methods. In addition, the processing procedures, control procedures, specific names, and information including various data and parameters shown in the above description and drawings may be changed arbitrarily unless otherwise specified.
[Program]
The learning device 10 described above can be implemented by installing a program on a desired computer as packaged software or online software. For example, by causing an information processing device to execute the above program, the information processing device can be made to function as the learning device 10. The information processing device referred to here includes desktop and notebook personal computers. Its scope also includes mobile communication terminals such as smartphones, mobile phones, and PHS (Personal Handyphone System) devices, as well as terminals such as PDAs (Personal Digital Assistants).
The learning device 10 can also be implemented as a server device that treats a terminal device used by a user as a client and provides the client with services related to the above processing. In this case, the server device may be implemented as a web server, or as a cloud that provides services related to the above processing through outsourcing.
FIG. 8 is a diagram showing an example of a computer that executes the learning program. The computer 1000 includes, for example, a memory 1010 and a CPU 1020. The computer 1000 also includes a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These parts are connected by a bus 1080.
The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012. The ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to a hard disk drive 1090. The disk drive interface 1040 is connected to a disk drive 1100. A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100. The serial port interface 1050 is connected to, for example, a mouse 1110 and a keyboard 1120. The video adapter 1060 is connected to, for example, a display 1130.
The hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, the program that defines each process executed by the learning device 10 described above is implemented as a program module 1093 in which computer-executable code is written. The program module 1093 is stored in, for example, the hard disk drive 1090. For example, a program module 1093 for executing processing equivalent to the functional configuration of the learning device 10 is stored in the hard disk drive 1090. Note that the hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
The data used in the processing of the embodiment described above is stored as program data 1094 in, for example, the memory 1010 or the hard disk drive 1090. The CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 or the hard disk drive 1090 into the RAM 1012 as necessary and executes them.
Note that the program module 1093 and the program data 1094 are not limited to being stored in the hard disk drive 1090; they may be stored in, for example, a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.). The program module 1093 and the program data 1094 may then be read by the CPU 1020 from the other computer via the network interface 1070.
 10 learning device
 11 input unit
 12 output unit
 13 communication control unit
 14 storage unit
 15 control unit
 15a acquisition unit
 15b learning unit
 15c prediction unit
 20 detection device

Claims (5)

  1.  A learning device comprising:
     a learning unit that, in training a model for predicting the label of input data including an Adversarial Example, trains the model using, as the loss function for calculating the loss with respect to the weight of the model, a loss function regularized so that the value of the loss does not become equal to or less than a predetermined value whatever value the weight takes.
  2.  The learning device according to claim 1, wherein the loss function is the loss function expressed by the following equation (1):
     |L(x+η,y,w)-b|+b … Equation (1)
     where x: input data to the model, y: predicted value of the label output from the model, w: weight of the model, η: noise added to the input data, η∈B(x,ε), b: constant.
  3.  The learning device according to claim 1, further comprising:
     a prediction unit that predicts the label of input data using the model trained by the learning unit.
  4.  A learning method executed by a learning device, the method comprising:
     a step of, in training a model for predicting the label of input data including an Adversarial Example, training the model using, as the loss function for calculating the loss with respect to the weight of the model, a loss function regularized so that the value of the loss does not become equal to or less than a predetermined value whatever value the weight takes.
  5.  A learning program for causing a computer to execute:
     a step of, in training a model for predicting the label of input data including an Adversarial Example, training the model using, as the loss function for calculating the loss with respect to the weight of the model, a loss function regularized so that the value of the loss does not become equal to or less than a predetermined value whatever value the weight takes.
PCT/JP2022/017240 2022-04-07 2022-04-07 Training device, training method, and training program WO2023195120A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/017240 WO2023195120A1 (en) 2022-04-07 2022-04-07 Training device, training method, and training program

Publications (1)

Publication Number Publication Date
WO2023195120A1 true WO2023195120A1 (en) 2023-10-12

Family

ID=88242770

Country Status (1)

Country Link
WO (1) WO2023195120A1 (en)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22936519

Country of ref document: EP

Kind code of ref document: A1