WO2023195120A1 - Learning device, learning method, and learning program

Learning device, learning method, and learning program

Info

Publication number
WO2023195120A1
Authority
WO
WIPO (PCT)
Prior art keywords
learning
model
loss
loss function
training
Prior art date
Application number
PCT/JP2022/017240
Other languages
English (en)
Japanese (ja)
Inventor
真徳 山田 (Masanori Yamada)
Original Assignee
日本電信電話株式会社 (Nippon Telegraph and Telephone Corporation)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日本電信電話株式会社
Priority to PCT/JP2022/017240
Publication of WO2023195120A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00: Machine learning

Definitions

  • the present invention relates to a learning device, a learning method, and a learning program.
  • there is an attack called Adversarial Example, which causes a classifier to make a false judgment by adding noise to the data to be classified.
  • as a countermeasure against Adversarial Examples, there is, for example, Adversarial Training, in which a model (classifier) is trained using Adversarial Examples.
  • models trained with Adversarial Training, however, have a problem of low generalization performance. This is because the generalization performance of Deep Learning improves as the loss landscape (the shape of the loss function) with respect to the model's weights becomes flatter, whereas Adversarial Training sharpens the model's loss landscape.
  • the present invention aims to solve the above-mentioned problems, improve the generalization performance of the model, and learn a model that is more robust against Adversarial Examples.
  • the present invention provides a method for learning a model for predicting a label of input data including an Adversarial Example.
  • the present invention is characterized by comprising a learning processing unit that performs learning of the model using a loss function regularized so that the loss value does not become less than a predetermined value no matter what value the weight takes.
  • FIG. 1 is a diagram for explaining the loss landscape of the loss function used by the learning device.
  • FIG. 2 is a diagram showing an example of the configuration of the learning device.
  • FIG. 3 is a flowchart showing an example of the processing procedure of the learning device.
  • FIG. 4 is a flowchart showing an example of the processing procedure of the learning device.
  • FIG. 5 is a diagram showing an example of application of the learning device.
  • FIG. 6 is a diagram showing experimental results for the model learned by the learning device.
  • FIG. 7 is a diagram showing experimental results for the model learned by the learning device.
  • FIG. 8 is a diagram showing an example of the configuration of a computer that executes a learning program.
  • the learning device of this embodiment uses a loss function regularized so that the loss does not become less than a predetermined value, as a loss function for calculating the loss with respect to the weight of the model.
  • the learning device uses a loss function in which the loss bottoms out at a predetermined value (for example, b), which flattens the overall shape of the loss landscape; a sketch of such a loss is given below. Therefore, by using this loss function in Adversarial Training, the learning device can learn a model with high generalization performance. As a result, the learning device can learn a model that is robust to Adversarial Examples.
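  • the patent's own equation for this regularized loss is not reproduced in this extract. For reference only, one well-known loss with exactly this bottoming-out property is the flooding form, sketched below; the form itself is an assumption, and only the constant b comes from the description above.

```latex
% a loss that, by construction, never falls below the constant b
% (flooding form; an assumption, not necessarily the patent's equation)
\[
  \tilde{l}(w) \;=\; \bigl|\, l(w) - b \,\bigr| + b \;\ge\; b
  \qquad \text{for every weight } w .
\]
```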
  • the learning device 10 includes, for example, an input section 11, an output section 12, a communication control section 13, a storage section 14, and a control section 15.
  • the input unit 11 is an interface that accepts input of various data.
  • the input unit 11 receives input of data used for learning processing and prediction processing, which will be described later.
  • the output unit 12 is an interface that outputs various data.
  • the output unit 12 outputs the label of the data predicted by the control unit 15.
  • the communication control unit 13 is realized by a NIC (Network Interface Card) or the like, and controls communication between the control unit 15 and an external device such as a server via a network.
  • the communication control unit 13 controls communication between the control unit 15 and a data acquisition device (see FIG. 5) that acquires the data to be learned.
  • the storage unit 14 is realized by a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk, and stores the parameters of the model learned by the learning process described later.
  • the control unit 15 is realized using, for example, a CPU (Central Processing Unit) or the like, and executes a processing program stored in the storage unit 14. Thereby, the control unit 15 functions as an acquisition unit 15a, a learning unit 15b, and a prediction unit 15c, as illustrated in FIG. 2.
  • the acquisition unit 15a acquires data used for learning processing and prediction processing, which will be described later, via the input unit 11 or the communication control unit 13.
  • the learning unit 15b performs Adversarial Training of a model for predicting labels of input data including Adversarial Examples.
  • the learning unit 15b performs learning of the model using learning data including Adversarial Examples and a predetermined loss function (details will be described later). For example, the learning unit 15b determines the parameters (weights) of the model.
  • l in formula (1) is a loss function.
  • B(x, ε) is the set of points within distance ε of x, a constraint used to keep the added noise imperceptible to the human eye.
  • as the distance, the L∞ norm is used.
  • Adversarial Training performed by the learning unit 15b is defined as in the following equation (2).
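  • equations (1) and (2) are not reproduced in this extract. As a point of reference, the conventional Adversarial Training objective over an L∞ ball takes the following form (a sketch of the standard formulation, assuming amsmath/amssymb, and not necessarily the patent's exact equations):

```latex
% standard min-max Adversarial Training objective; f_w is the model
% with weights w, l is the loss, and D is the data distribution
\[
  \min_{w}\; \mathbb{E}_{(x,y)\sim\mathcal{D}}
    \Bigl[ \max_{x' \in B(x,\varepsilon)} l\bigl(f_w(x'),\, y\bigr) \Bigr],
  \qquad
  B(x,\varepsilon) = \bigl\{\, x' : \lVert x' - x \rVert_{\infty} \le \varepsilon \,\bigr\}.
\]
```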
  • v in equation (3) is Gaussian noise randomly sampled from within the region shown in equation (4).
  • the l in w_l indexes the layers: the computation is carried out for each layer's weight matrix w_l, and the norm of the matrix is measured by the Frobenius norm.
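  • equations (3) and (4) are likewise not reproduced here. One common way to define such a per-layer sampling region, given purely as an illustrative assumption, scales the noise to each layer's weight norm:

```latex
% assumed per-layer sampling region for the weight noise v;
% gamma is a small constant, \lVert\cdot\rVert_F the Frobenius norm
\[
  v = (v_1, \dots, v_L), \qquad
  \lVert v_l \rVert_F \;\le\; \gamma\, \lVert w_l \rVert_F
  \quad \text{for each layer } l .
\]
```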
  • the learning unit 15b uses a loss function regularized so that the loss value does not become less than a predetermined value no matter what value the weight takes.
  • the learning unit 15b performs learning of the model using a loss function shown in equation (5) below.
  • the learning unit 15b uses the learning data acquired by the acquisition unit 15a to determine the weight of a model that minimizes the loss value of the loss function described above based on equation (6).
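  • equations (5) and (6) are also not reproduced in this extract. Under the flooding assumption sketched earlier, the weight determination described above would take the following illustrative form, where l_AT denotes the inner adversarial loss from the sketch above; this is an assumed combination, not the patent's exact equation:

```latex
% illustrative combination of the bottomed-out loss with the
% adversarial objective (assumed form)
\[
  \hat{w} \;=\; \operatorname*{arg\,min}_{w}\;
  \mathbb{E}_{(x,y)\sim\mathcal{D}}
    \Bigl[ \bigl|\, l_{\mathrm{AT}}(w; x, y) - b \,\bigr| + b \Bigr].
\]
```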
  • the loss value will not be less than the predetermined value no matter what value the weight is, so the loss landscape bottoms out at the predetermined value (for example, b) and becomes flat, as shown in FIG. 1.
  • the learning unit 15b learns the model using the above loss function, thereby improving the generalization performance of the model.
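  • as a concrete illustration, the sketch below implements one such training step in PyTorch. The PGD attack, the flooding form of the loss, and all function names are assumptions made for illustration; only the constant b and the overall flow (craft an Adversarial Example, then minimize a loss that cannot fall below b) come from the description above.

```python
import torch
import torch.nn.functional as F

def flooded_loss(logits, labels, b=0.3):
    # cross-entropy regularized so its value never falls below b
    # (flooding form |l - b| + b; an assumption, not the patent's equation)
    l = F.cross_entropy(logits, labels)
    return (l - b).abs() + b

def pgd_attack(model, x, y, eps=8 / 255, alpha=2 / 255, steps=10):
    # standard L-infinity PGD, used here as an assumed way to craft
    # Adversarial Examples inside the ball B(x, eps)
    x_adv = x + torch.empty_like(x).uniform_(-eps, eps)
    for _ in range(steps):
        x_adv = x_adv.detach().requires_grad_(True)
        loss = F.cross_entropy(model(x_adv), y)
        grad = torch.autograd.grad(loss, x_adv)[0]
        x_adv = x_adv + alpha * grad.sign()
        x_adv = x + (x_adv - x).clamp(-eps, eps)  # project back into B(x, eps)
        x_adv = x_adv.clamp(0.0, 1.0)             # keep valid pixel range
    return x_adv.detach()

def training_step(model, optimizer, x, y, b=0.3):
    # one Adversarial Training step with the bottomed-out loss
    model.train()
    x_adv = pgd_attack(model, x, y)
    optimizer.zero_grad()
    loss = flooded_loss(model(x_adv), y, b=b)
    loss.backward()
    optimizer.step()
    return loss.item()
```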
  • the prediction unit 15c predicts the label of the input data using the model learned by the learning unit 15b. For example, the prediction unit 15c uses the learned model to calculate the probability of each label for newly acquired data and outputs the label with the highest probability; a minimal sketch follows. Thereby, the learning device 10 can output a correct label even when the input data is an Adversarial Example.
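  • a minimal sketch of this prediction step, with all names assumed for illustration:

```python
import torch

def predict_label(model, x):
    # return the most probable label for input x using the learned model
    model.eval()
    with torch.no_grad():
        probs = torch.softmax(model(x), dim=-1)  # probability of each label
    return probs.argmax(dim=-1)
```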
  • an example of the learning processing procedure by the learning device 10 will be described with reference to FIG. 3.
  • the process shown in FIG. 3 is started, for example, at the timing when an operation input instructing the start of the learning process is received.
  • the acquisition unit 15a acquires learning data including Adversarial Examples (S1).
  • the learning unit 15b uses the learning data and the above loss function to learn a model representing the probability distribution of the labels of the input data (S2).
  • the learning unit 15b stores the parameters of the model learned in S2 in the storage unit 14.
  • next, the prediction processing procedure (see FIG. 4) will be described. The acquisition unit 15a acquires data for which a label is to be predicted (S11).
  • the prediction unit 15c predicts the label of the data acquired in S11 using the model learned by the learning unit 15b (S12). For example, the prediction unit 15c uses the learned model to calculate p(x') of the data x' acquired in S11, and outputs the label with the highest probability.
  • the learning device 10 can output a correct label.
  • the learning device 10 described above may be applied to data anomaly detection.
  • An example of application in this case will be described with reference to FIG.
  • the case where the function of the prediction unit 15c described above is installed in the detection device 20 will be explained as an example.
  • the learning device 10 performs model learning using teacher data (learning data) acquired from a data acquisition device and the loss function described above. After that, when the detection device 20 acquires new data x' from the data acquisition device, it calculates p(x') of the data x' using the learned model. Then, the detection device 20 outputs a report indicating whether the data x' is abnormal data based on the label with the highest probability.
  • the evaluation axis is Robust Acc: the classification accuracy (0 to 1) on data containing Adversarial Examples.
  • first, the results of Experiment 1 will be explained using FIG. 6.
  • AWP (Adversarial Weight Perturbation)
  • it was confirmed that the model learned by the learning device 10 of this embodiment achieves a higher Robust Acc at 400 epochs or more than the model learned by existing AT or the model learned by AWP.
  • next, Experiment 2 will be explained using FIG. 7.
  • the purpose of Experiment 2 is to confirm that the height of Robust Acc depends on the constant b of the loss function used for model learning.
  • b was set to a value between 0 and 2.
  • the vertical axis of the graph shown in FIG. 7 is Test Robust Acc, and the horizontal axis is the constant b of the loss function.
  • each component of each part shown in the drawings is functionally conceptual, and does not necessarily need to be physically configured as shown in the drawings.
  • the specific form of distribution and integration of each device is not limited to what is shown in the drawings, and all or part of each device can be functionally or physically distributed or integrated in arbitrary units depending on various loads, usage conditions, and the like.
  • all or any part of each processing function performed by each device may be realized by a CPU and a program executed by the CPU, or may be realized as hardware using wired logic.
  • the learning device 10 described above can be implemented by installing a program on a desired computer as packaged software or online software. For example, by causing the information processing device to execute the above program, the information processing device can be made to function as the learning device 10.
  • the information processing device referred to here includes a desktop or notebook personal computer.
  • information processing devices include mobile communication terminals such as smartphones, mobile phones, and PHS (Personal Handyphone System), as well as terminals such as PDAs (Personal Digital Assistants).
  • the learning device 10 can also be implemented as a server device that uses a terminal device used by a user as a client and provides services related to the above processing to the client.
  • the server device may be implemented as a web server, or may be implemented as a cloud that provides services related to the above processing through outsourcing.
  • FIG. 8 is a diagram showing an example of a computer that executes a learning program.
  • Computer 1000 includes, for example, a memory 1010 and a CPU 1020.
  • the computer 1000 also includes a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These parts are connected by a bus 1080.
  • the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012.
  • the ROM 1011 stores, for example, a boot program such as BIOS (Basic Input Output System).
  • Hard disk drive interface 1030 is connected to hard disk drive 1090.
  • Disk drive interface 1040 is connected to disk drive 1100.
  • Serial port interface 1050 is connected to, for example, mouse 1110 and keyboard 1120.
  • Video adapter 1060 is connected to display 1130, for example.
  • the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, a program that defines each process executed by the learning device 10 described above is implemented as a program module 1093 in which computer-executable code is written.
  • Program module 1093 is stored in hard disk drive 1090, for example.
  • a program module 1093 for executing processing similar to the functional configuration of the learning device 10 is stored in the hard disk drive 1090.
  • the hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
  • the data used in the processing of the embodiment described above is stored as program data 1094 in, for example, the memory 1010 or the hard disk drive 1090. Then, the CPU 1020 reads out the program module 1093 and program data 1094 stored in the memory 1010 and the hard disk drive 1090 to the RAM 1012 and executes them as necessary.
  • program module 1093 and the program data 1094 are not limited to being stored in the hard disk drive 1090, but may be stored in a removable storage medium, for example, and read by the CPU 1020 via the disk drive 1100 or the like.
  • the program module 1093 and the program data 1094 may be stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.). The program module 1093 and program data 1094 may then be read by the CPU 1020 from another computer via the network interface 1070.

Abstract

A learning device that, in training a model for predicting the label of input data including an Adversarial Example, uses, as the loss function for calculating the loss with respect to the model's weights, a loss function regularized so that the loss value does not fall below a prescribed value b for any value of the weights. This allows the learning device to flatten the model's loss landscape. The learning device can therefore train a model that is robust against Adversarial Examples.
PCT/JP2022/017240 2022-04-07 2022-04-07 Learning device, learning method, and learning program WO2023195120A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/017240 WO2023195120A1 (fr) 2022-04-07 2022-04-07 Learning device, learning method, and learning program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/017240 WO2023195120A1 (fr) 2022-04-07 2022-04-07 Learning device, learning method, and learning program

Publications (1)

Publication Number Publication Date
WO2023195120A1 (fr) 2023-10-12

Family

ID=88242770

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2022/017240 WO2023195120A1 (fr) 2022-04-07 2022-04-07 Learning device, learning method, and learning program

Country Status (1)

Country Link
WO (1) WO2023195120A1 (fr)

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
CHONGLI QIN; JAMES MARTENS; SVEN GOWAL; DILIP KRISHNAN; KRISHNAMURTHY DVIJOTHAM; ALHUSSEIN FAWZI; SOHAM DE; ROBERT STANFORTH; PUSHMEET KOHLI: "Adversarial Robustness through Local Linearization", arXiv.org, Cornell University Library, 4 July 2019 (2019-07-04), XP081438298 *
SEKITOSHI KANAI; MASANORI YAMADA; HIROSHI TAKAHASHI; YUKI YAMANAKA; YASUTOSHI IDA: "Smoothness Analysis of Adversarial Training", arXiv.org, Cornell University Library, 15 June 2021 (2021-06-15), XP081979943 *

Similar Documents

Publication Publication Date Title
US11829880B2 (en) Generating trained neural networks with increased robustness against adversarial attacks
US11694109B2 (en) Data processing apparatus for accessing shared memory in processing structured data for modifying a parameter vector data structure
US11381580B2 (en) Machine learning classification using Markov modeling
US11741398B2 (en) Multi-layered machine learning system to support ensemble learning
WO2020090413A1 Classification device, classification method, and classification program
US11847210B2 (en) Detecting device and detecting method
US20230038463A1 (en) Detection device, detection method, and detection program
US11941867B2 (en) Neural network training using the soft nearest neighbor loss
Valizadegan et al. Learning to trade off between exploration and exploitation in multiclass bandit prediction
JP2018200524A Classification device, classification method, and classification program
JP2019003274A Detection system, detection method, and detection program
CN104573127B Method and system for evaluating data difference
JP7276483B2 Learning device, classification device, learning method, and learning program
WO2023195120A1 Learning device, learning method, and learning program
JP2022549006A Distance-based learning confidence model
US11227231B2 (en) Computational efficiency in symbolic sequence analytics using random sequence embeddings
US20230259631A1 (en) Detecting synthetic user accounts using synthetic patterns learned via machine learning
CN114255381B Training method for an image recognition model, image recognition method, apparatus, and medium
WO2023062742A1 Training device, training method, and training program
JP7331938B2 Learning device, estimation device, learning method, and learning program
US20230027309A1 (en) System and method for image de-identification to humans while remaining recognizable by machines
WO2022264387A1 Training device, training method, and training program
WO2023067669A1 Learning device, learning method, and learning program
CN112784990A Training method for a membership inference model
JP7416255B2 Learning device, learning method, and learning program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22936519

Country of ref document: EP

Kind code of ref document: A1