
2948                                                       Journal of Software (软件学报), 2024, Vol. 35, No. 6


                  Table 8    Effect of using other OOD perturbation search strategies on the robustness of the OOD detector (%)

    Method     Clean o         PGD o           CW o            APGD o          ACW o           APGD t          ACW t
               AUC    TPR-95   AUC    TPR-95   AUC    TPR-95   AUC    TPR-95   AUC    TPR-95   AUC    TPR-95   AUC    TPR-95
    Org.       98.89  96.62    97.81  96.62    97.81  96.62    96.89  95.13    97.17  95.46    94.18  78.84    95.07  84.15
    Max-MSP    98.84  96.45    98.02  96.44    98.05  96.44    94.35  88.52    91.87  85.58    83.92  67.72    89.38  77.91

                  5   Conclusion

                  Detecting both clean OOD samples and adversarial OOD samples that carry malicious perturbations is essential for deploying DNN models in open environments. Because the auxiliary OOD training set differs in distribution from the original ID training set, training on auxiliary adversarial OOD samples alone does not make the in-distribution boundary sufficiently robust to adversarial perturbations. Adversarial ID samples created within the neighbourhood of clean ID samples are OOD samples that lie closer to the in-distribution region. This paper first shows empirically that training on auxiliary adversarial ID samples treated as out-of-distribution samples is effective in improving the robustness of the in-distribution decision boundary, and then proposes a semi-supervised adversarial training method, 谛听 (Diting), to improve the robustness of OOD detection. 谛听 treats adversarial ID samples as "near-OOD" samples and jointly trains the DNN on auxiliary adversarial ID samples, clean OOD samples and adversarial OOD samples. Experimental results show that, without significantly harming the original classification performance, 谛听 has a clear advantage in detecting adversarial OOD samples produced by stronger attacks, while maintaining state-of-the-art performance in detecting clean OOD samples. Ablation experiments further show that the additional multiple rejection classes 谛听 uses to represent out-of-distribution samples also help improve the robustness of OOD detection.
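The joint training set that the conclusion describes, as an added example that is not the paper's code: a pure-Python sketch in which a linear softmax model stands in for the DNN, adversarial ID samples are crafted by L_inf PGD in the neighbourhood of clean ID samples and labelled with a "near-OOD" rejection class, clean and adversarial OOD samples are labelled with a second "far-OOD" rejection class, and the detector score is the total probability mass on the rejection classes. The 2-D toy data, the two-rejection-class layout, the attacker objective used for OOD samples (shrinking their total reject mass), the PGD budgets and the scoring rule are all assumptions of this example, not details taken from the paper.

```python
"""Added toy sketch of Diting-style joint training (not the paper's code)."""
import math
import random

K, M, DIM = 2, 2, 2      # ID classes, rejection classes, input dimension (assumed)
NEAR, FAR = K, K + 1     # rejection classes: adversarial ID -> NEAR, OOD -> FAR (assumed)

def softmax(z):
    e = [math.exp(v - max(z)) for v in z]
    return [v / sum(e) for v in e]

class Linear:
    """Stand-in for the DNN: logits = W x + b over the K + M output classes."""
    def __init__(self, n_out, rng):
        self.W = [[rng.uniform(-0.1, 0.1) for _ in range(DIM)] for _ in range(n_out)]
        self.b = [0.0] * n_out

    def probs(self, x):
        return softmax([sum(w * xi for w, xi in zip(row, x)) + b for row, b in zip(self.W, self.b)])

def set_loss(model, x, target):
    """-log of the total probability on `target`: cross-entropy for [y]; for [NEAR, FAR] its
    maximiser is the attacker that shrinks an OOD sample's total reject mass (assumed objective)."""
    return -math.log(max(sum(model.probs(x)[k] for k in target), 1e-300))

def dlogits(p, target):
    """d set_loss / d logits, given softmax probabilities p."""
    ps = sum(p[k] for k in target)
    return [p[k] - (p[k] / ps if k in target else 0.0) for k in range(len(p))]

def grad_x(model, x, target):
    """d set_loss / d x, back through the linear layer."""
    dz = dlogits(model.probs(x), target)
    return [sum(dz[k] * model.W[k][i] for k in range(len(dz))) for i in range(DIM)]

def pgd_linf(model, x0, target, eps, alpha, steps):
    """L_inf PGD: sign-gradient ascent on set_loss, projected onto the eps-ball around x0."""
    x = list(x0)
    for _ in range(steps):
        g = grad_x(model, x, target)
        x = [min(max(xi + alpha * ((gi > 0) - (gi < 0)), oi - eps), oi + eps)
             for xi, gi, oi in zip(x, g, x0)]
    return x

def build_diting_batch(model, id_xy, ood_x, eps_id, eps_ood, alpha, steps):
    """Joint batch: clean ID, adversarial ID (treated as near-OOD), clean OOD, adversarial OOD."""
    batch = []
    for x, y in id_xy:
        batch.append((x, [y]))                                                  # clean ID keeps its class
        batch.append((pgd_linf(model, x, [y], eps_id, alpha, steps), [NEAR]))   # attack on the true class
    for x in ood_x:
        batch.append((x, [FAR]))                                                # clean OOD is rejected
        batch.append((pgd_linf(model, x, [NEAR, FAR], eps_ood, alpha, steps), [FAR]))  # attack on reject mass
    return batch

def sgd_step(model, batch, lr):
    """One epoch of per-sample SGD on the mean set_loss over the batch."""
    n = len(batch)
    for x, target in batch:
        for k, dzk in enumerate(dlogits(model.probs(x), target)):
            for i in range(DIM):
                model.W[k][i] -= lr * dzk * x[i] / n
            model.b[k] -= lr * dzk / n

def ood_score(model, x):
    """Detector score: total probability mass on the rejection classes (assumed rule)."""
    return sum(model.probs(x)[K:])

def make_toy_data(rng, n=40):
    """Constructed 2-D data: ID clusters at (-3,0) and (3,0), auxiliary OOD cluster at (0,5)."""
    id_xy = [([rng.gauss(-3, 0.2), rng.gauss(0, 0.2)], 0) for _ in range(n)]
    id_xy += [([rng.gauss(3, 0.2), rng.gauss(0, 0.2)], 1) for _ in range(n)]
    return id_xy, [[rng.gauss(0, 0.5), rng.gauss(5, 0.5)] for _ in range(n)]

def train_diting(id_xy, ood_x, epochs=200, lr=0.2, eps=0.5, alpha=0.25, steps=4, seed=0):
    """Adversarial samples are re-crafted against the current model every epoch."""
    rng = random.Random(seed)
    model = Linear(K + M, rng)
    for _ in range(epochs):
        batch = build_diting_batch(model, id_xy, ood_x, eps, eps, alpha, steps)
        rng.shuffle(batch)
        sgd_step(model, batch, lr)
    return model

def evaluate(model, id_xy, ood_x, tau=0.5, eps=0.5, alpha=0.25, steps=20):
    """Rates: clean ID accepted and correctly classified; clean OOD rejected; adversarial OOD rejected."""
    def ok(x, y):
        p = model.probs(x)
        return sum(p[K:]) <= tau and max(range(K), key=p.__getitem__) == y
    adv = [pgd_linf(model, x, [NEAR, FAR], eps, alpha, steps) for x in ood_x]
    return (sum(ok(x, y) for x, y in id_xy) / len(id_xy),
            sum(ood_score(model, x) > tau for x in ood_x) / len(ood_x),
            sum(ood_score(model, x) > tau for x in adv) / len(adv))

if __name__ == "__main__":
    id_xy, ood_x = make_toy_data(random.Random(1))
    print("clean-ID ok / clean-OOD rejected / adv-OOD rejected: %.2f %.2f %.2f"
          % evaluate(train_diting(id_xy, ood_x), id_xy, ood_x))
```

The two attack objectives differ only in the target set handed to `set_loss`: an adversarial ID sample is pushed away from its true class, an adversarial OOD sample is pushed toward whatever ID class lowers its total reject mass, and both kinds end up labelled as a rejection class in the batch rather than as the class the attack steers them toward. With `M = 1` the same code degenerates to a single K+1 rejection class, which is the natural starting point for an ablation of the multi-rejection-class layout.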
