Kaggleで使用される敵対学習方法AWPの論文解説と実装解説 ~Adversarial Weight Perturbation Helps Robust Generalization~

.BTBLJ"PUB /JLLFJJOD ೔ܦ৽ฉཱڭେֶ߹ಉਂ૚ֶशษڧձ!୍ݚڀࣨ ,BHHMFͰ࢖༻͞ΕΔ   ఢରֶशํ๏"81ͷ   ࿦จղઆͱ࣮૷ղઆ "EWFSTBSJBM8FJHIU1FSUVSCBUJPO)FMQT3PCVTU(FOFSBMJ[BUJPO
ؔ࿈ϦϯΫBS9JW/FVS*14(JU)VC,BHHMF൛

ࣗݾ঺հ ੨ాխً .BTBLJ"PUB w ೔ຊܦࡁ৽ฉࣾ೔ܦΠϊϕʔγϣϯɾϥϘ ݚڀ։ൃ෦ୂ w ࢴ໘ϏϡʔΞʔͷ0$3Τϯδϯ։ൃ
w ΩϟογϡϑϩʔγϛϡϨʔγϣϯͳͲͷࣄۀධՁͳͲ w εΩϧ w "U$PEFSਫ৭ ,BHHMF&YQFSU w ࢿ֨౳Ԡ༻৘ใɺ฽هڃɺ'1ڃ

໨࣍ ఢରతࣄྫͷ঺հ ͓࿩͚ͩ w "EWFSTBSJBM&YBNQMFʹؔ͢Δࣄલ஌ࣝΛಋೖ ࿦จղઆ
਺͕ࣜొ৔ w "EWFSTBSJBM8FJHIU1FSUVSCBUJPO   )FMQT3PCVTU(FOFSBMJ[BUJPO ࣮૷ղઆ ࣮૷͕ొ৔ w ,BHHMFͰ༻͍ΒΕΔ࣮૷Λ࿦จͷ਺ࣜͱରԠͤͯ͞ղઆ

ੈքҰ༗໊ͳςφΨβϧ ఢରతࣄྫͷྫࣔ Ian J. Goodfellow +, Explaining and Harnessing
Adversarial Examples, 2014 ύϯμͷը૾ʹ ਓؒʹ͸Θ͔Βͳ͍ఔ౓ͷ   ઁಈ ϊΠζ ΛՃ͑Δͱ ςφΨβϧͱ ޡೝࣝ͢Δ

ఢରతࣄྫ΋ֶशʹՃ͑Δͱ൚Խੑೳ্͕͕Δ ఢରతࣄྫ͸ֶशΛؤ݈ʹ͢Δ Ian J. Goodfellow +, Explaining and Harnessing
Adversarial Examples, 2014 ྆ํΛQBOEBͱֶͯ͠शͤ͞ΔͱɺఢରతࣄྫҎ֎ʹର͢Δ   ൚Խੑೳ΋޲্͢Δ͜ͱ͕ܦݧతʹ஌ΒΕ͍ͯΔɻ 111.ίϯϖͰ΋ۚϝμϧΛऔͬͨνʔϜͷ൒෼Ҏ্͸   ఢରతࣄྫΛֶशʹՃ͍͑ͯͨɻ

αϯϓϧͷํͰ͸ͳ͘ϞσϧʹޡΒͤΔ͜ͱ΋Մೳ Ϟσϧʹ΋ઁಈΛՃ͑Δ w v w + v ͋ΔϞσϧͷॏΈʹ
͋ΔछͷઁಈΛ   Ճ͑Δͱ ѱ͍ϞσϧʹͳΔ ֶशதʹϞσϧ͕ѱ͘ͳ͍Α͏ʹઁಈΛՃֶ͑ͭͭश͢Δͱɺ ൚Խੑೳ্͕͕Δͱ͍͏࿦จΛ͜Ε͔Βղઆ χϡʔϥϧωοτΛલఏʹ͓࿩͠͠·͢

਺͕ࣜొ৔ w "EWFSTBSJBM8FJHIU1FSUVSCBUJPO   )FMQT3PCVTU(FOFSBMJ[BUJPO ࣮૷ղઆ ࣮૷͕ొ৔ w ,BHHMFͰ༻͍ΒΕΔ࣮૷Λ࿦จͷ਺ࣜͱରԠͤͯ͞ղઆ

࿦จͷ֓ཁ ఢରతࣄྫʹର͢Δؤ݈ੑ͕ߴ·ͬͨ ໨త ఢରతࣄྫʹର͢Δؤ݈ੑΛߴΊ͍ͨ طଘݚڀ ఢରతࣄྫΛ࡞ֶͬͯशʹՃ͑Δख๏͕ଟ͔ͬͨ ܦݧత   ࣄ࣮
ٻ·ͬͨॏΈͷपล͕ΑΓฏΒͳଛࣦʹͳΔ৔߹ɺ ఢରతࣄྫʹର͢Δؤ݈ੑ͕ߴ͍ ख๏ ϞσϧʹఢରతͳઁಈΛՃ͑ͳ͕Βֶश͢Δ ݁Ռ ՝୊఺ ฏΒͳଛࣦͱͳΔΑ͏ͳ௚઀తͳఆࣜԽ͕ͳ͞Ε͍ͯͳ͍

࿦จͷ֓ཁ ໨త ఢରతࣄྫʹର͢Δؤ݈ੑΛߴΊ͍ͨ طଘݚڀ ఢରతࣄྫΛ࡞ֶͬͯशʹՃ͑Δख๏͕ଟ͔ͬͨ ఢରతࣄྫ΋ֶशʹՃ͑Δ͜ͱͰؤ݈ੑ͕޲্

࿦จͷ֓ཁ ఢରతࣄྫʹର͢Δؤ݈ੑ͕ߴ·ͬͨ ໨త ఢରతࣄྫʹର͢Δؤ݈ੑΛߴΊ͍ͨ طଘݚڀ ఢରతࣄྫΛ࡞ֶͬͯशʹՃ͑Δख๏͕ଟ͔ͬͨ ܦݧత   ࣄ࣮
ٻ·ͬͨॏΈͷपล͕ΑΓฏΒͳଛࣦʹͳΔ৔߹ɺ ఢରతࣄྫʹର͢Δؤ݈ੑ͕ߴ͍ ख๏ ϞσϧʹఢରతͳઁಈΛՃ͑ͳ͕Βֶश͢Δ ݁Ռ ՝୊఺ ฏΒͳଛࣦͱͳΔΑ͏ͳ௚઀తͳఆࣜԽ͕ͳ͞Ε͍ͯͳ͍

ฏΒ͞ͷ֬ೝ 8FJHIU-PTT-BOETDBQF ρ(w) = 1 n n ∑ i=1
max ∥x′ i −xi ∥p ≤ϵ ℓ(fw (x′ ), yi ) ఢରతࣄྫΛϞσϧʹೖྗͨ͠৔߹ͷଛࣦ͸ҎԼͷΑ͏ʹఆࣜԽՄೳ ఢରతࣄྫΛೖྗ͢Δͱ͍͏ҙຯ ρ(w + αd) = 1 n n ∑ i=1 max ∥x′ i −xi ∥p ≤ϵ ℓ(fw+αd (x′ ), yi ) ϞσϧͷॏΈͷपลͷଛࣦ͸ҎԼͷΑ͏ʹఆࣜԽՄೳ ύϥϝʔλʔXΛֶ࣋ͭशࡁΈϞσϧ ௕͞Ћํ޲E͚ͩۙ๣ͷଛࣦ͕ܭࢉͰ͖Δ

ฏΒ͞ͷ֬ೝ 8FJHIU-PTT-BOETDBQF Λ ʹ͍ͭͯඳը͢ΔͱɺଛࣦͷฏΒ͞ΛՄࢹԽՄೳ Ed [ρ(w + αd)] α
Ed [ρ(w + αd)] w ॏΈͷपลʹߦ͚͹ߦ͘΄Ͳଛࣦ͕େ͖͘ͳΔ w ख๏ʹΑͬͯฏΒ͞͸ҟͳΓͦ͏ طଘݚڀ

ΑΓฏΒͳଛࣦ͸ؤ݈ੑ͕ߴ͍ طଘݚڀͷ࣮ݧతൺֱ w ଛࣦ͕ฏΒͰͳ͍ख๏͸ɺֶशͱςετͷਫ਼౓ͷHBQ͕େ͖͍ "5 w ଛࣦ͕ฏΒʹͳΔख๏͸ɺֶशͱςετͷਫ਼౓ͷHBQ͕খ͍͞ 345
"5&4 w ϞσϧΛؤ݈ʹ͍ͨ͠   ˠॏΈͷۙ๣ͷଛࣦ͕ฏΒͰ͋ΔΑ͏ͳֶशʹ͍ͨ͠ ֶश࣌ͱςετ࣌ͷੑೳͷΪϟοϓ ଛࣦͷฏΒ͞ طଘݚڀ

࿦จͷ֓ཁ ఢରతࣄྫʹର͢Δؤ݈ੑ͕ߴ·ͬͨ ໨త ఢରతࣄྫʹର͢Δؤ݈ੑΛߴΊ͍ͨ طଘݚڀ ఢରతࣄྫΛ࡞ֶͬͯशʹՃ͑Δख๏͕ଟ͔ͬͨ ܦݧత  

໰୊ͷఆࣜԽ ॏΈͷۙ๣ͷଛࣦ͕ฏΒͰ͋ΔΑ͏ͳֶशʹ͍ͨ͠ argmin w max v∈ 𝒱 ρ(w +
v) ۙ๣ʹ͓͚Δଛࣦͷ࠷େ஋Λ ࠷খԽ͢ΔXΛݟ͚ͭΖ argmin w max v∈ 𝒱 1 n n ∑ i=1 max ∥x′ i −xi ∥p ≤ϵ ℓ(fw+v (x′ ), yi ) ЛΛల։ ্ه͕ղ͚Ε͹ɺఢରతࣄྫʹؤ݈ͳX͕ಘΒΕΔ͸ͣ

໰୊ͷղ͖ํ *OQVU1FSUVSCBUJPO argmin w max v∈ 𝒱 1 n
n ∑ i=1 max ∥x′ i −xi ∥p ≤ϵ ℓ(fw+v (x′ ), yi ) ఢରతࣄྫΛೖྗ͢Δͱ͍͏ҙຯ ࠷ॳͷ࠷େԽ໰୊͸طଘݚڀͱಉ͘͡ɺఢରతࣄྫͷೖྗΛҙຯ͢Δ ࿦จͰ༻͍͍ͯͨ1(%BUUBDLͷ৔߹ԼهͷY`Λೖྗ͢Ε͹ྑ͍ x′ i ← Πϵ (x′ i + η1 sign(∇x′ i ℓ(fw+v (x′ i ), yi )) ˞࿦จʹ߹Θͤͨදهʹ͍ͯ͠Δɻ ͸૯৐ͷҙຯͰ͸ͳ͍ɻ   ɹཧղͷͨΊʹແࢹͯ͠΋ྑ͍ɻ Π

argmin w max v∈ 𝒱 1 n n ∑ i=1
max ∥x′ i −xi ∥p ≤ϵ ℓ(fw+v (x′ ), yi ) ໰୊ͷղ͖ํ 8FJHIU1FSUVSCBUJPO ॏΈʹઁಈΛՃ͑ͯ࠷΋ϞσϧΛѱ͍ͨ͘͠ ͭ໨ͷ࠷େԽ໰୊͸Xۙ๣ͰϞσϧGΛ࠷΋ѱ͘͢Δ͜ͱΛҙਤ 8VΒ͸ޯ഑Λ༻͍ͯҎԼͷΑ͏ʹWΛࢉग़ v ← Πγ v + η2 ∇v 1 m ∑m i=1 ℓ(fw+v (x′ i ), yi ) ∇v 1 m ∑m i=1 ℓ(fw+v (x′ i ), yi ) ∥w∥ ˞࿦จʹ߹Θͤͨදهʹ͍ͯ͠Δɻ ͸૯৐ͷҙຯͰ͸ͳ͍ɻ   ɹཧղͷͨΊʹແࢹͯ͠΋ྑ͍ɻ Π

໰୊ͷղ͖ํ 8FJHIU1FSUVSCBUJPO v ← Πγ v + η2 ∇v
1 m ∑m i=1 ℓ(fw+v (x′ i ), yi ) ∇v 1 m ∑m i=1 ℓ(fw+v (x′ i ), yi ) ∥w∥ ˞࿦จʹ߹Θͤͨදهʹ͍ͯ͠Δɻ ͸૯৐ͷҙຯͰ͸ͳ͍ɻ   ɹཧղͷͨΊʹແࢹͯ͠΋ྑ͍ɻ Π ࠷΋ଛࣦΛ࠷େԽ͢Δ୯ҐϕΫτϧ X΁ͷεέʔϧ߹Θͤ ֶश཰

໰୊ͷղ͖ํ ॏΈͷߋ৽ argmin w max v∈ 𝒱 1 n
n ∑ i=1 max ∥x′ i −xi ∥p ≤ϵ ℓ(fw+v (x′ ), yi ) *OQVU1FSUVSCBUJPOͱ8FJHIU1FSUVSCBUJPOΛߦ্ͬͨͰɺ ௨ৗͷֶशͱಉ༷ʹόοΫϓϩοϓ͢Ε͹ྑ͍ ղܾ w ← w − η3 ∇w+v 1 m m ∑ i=1 ℓ(fw+v (x′ i ), yi ) *OQVU1FSUVSCBUJPOͱ8FJHIU1FSUVSCBUJPOΛ   ߦͬͨͱ͖ͷXͷޯ഑

໰୊ͷఆࣜԽ ॏΈͷۙ๣ͷଛࣦ͕ฏΒͰ͋ΔΑ͏ͳֶशʹ͍ͨ͠ argmin w max v∈ 𝒱 ρ(w +
v) ۙ๣ʹ͓͚Δଛࣦͷ࠷େ஋Λ ࠷খԽ͢ΔXΛݟ͚ͭΖ ۩ମతʹ͸ w ← w − η3 ∇w+v 1 m m ∑ i=1 ℓ(fw+v (x′ i ), yi ) Ͱύϥϝʔλʔߋ৽Λߦ͑͹͍͍

࣮ݧ݁Ռ ˠͨ͠ɻશউɻ   ɹԼهͷදͷ"5"81͕ఏҊख๏ɻ਺ࣈ͕େ͖͍΄Ͳੑೳ͕ྑ͍ɻ 8FJHIU1FSUVSCBUJPOʹΑͬͯੑೳ޲্͢Δ͔ʁ "5ʜ*OQVU1FSUVSCBUJPOͷΈطଘݚڀͷϕʔεϥΠϯ "5"81ʜ*OQVU1FSUVSCBUJPO 8FJHIU1FSUVSCBUJPO

࣮ݧ݁Ռ طଘݚڀ΁ͷ૊ΈࠐΈ$*'"3Λ༻͍࣮ͨݧ طଘݚڀͰ͸*OQVU1FSUVSCBUJPOͱଛࣦؔ਺Λॻ͖׵͑Δख๏͕ଟ͍ 8FJHIU1FSUVSCBUJPO͸طଘݚڀʹ΋૊ΈࠐΊΔ ֤ྻ͸߈ܸखஈ ֤ߦ͸ख๏໊ "81ͱ͍͍ͭͯΔ΋ͷ͕ఏҊख๏Λ૊ΈೖΕͨ৔߹ͷ݁Ռ

ิ଍ࣄ߲ ,BHHMFͰ͸༻͍ΒΕΔ"81ͷ࣮૷͸ɺ *OQVU1FSUVSCBUJPOΛߦΘͣ ఢରతࣄྫ͸࡞Βͣ ʹɺ 8FJHIU1FSUVSCBUJPO͚ͩߦ͏ͷ͕ओྲྀɻ Ҏ߱ɺ,BHHMFͰ༻͍ΒΕΔ࣮૷Λલఏʹղઆ͠·͢ɻ ࿦จͰ͸ఢରతࣄྫʹର͢Δؤ݈ੑʹ஫໨͍͕ͯͨ͠ɺ ܦݧతʹະ஌ͷσʔλʹର͢Δ൚Խೳྗ΋޲্͢Δɻ

਺͕ࣜొ৔ w "EWFSTBSJBM8FJHIU1FSUVSCBUJPO   )FMQT3PCVTU(FOFSBMJ[BUJPO ࣮૷ղઆ ࣮૷͕ొ৔ w ,BHHMFͰ༻͍ΒΕΔ࣮૷Λ࿦จͷ਺ࣜͱରԠͤͯ͞ղઆ ࿦จΦϦδφϧͰ͸ͳ͘ΧϨʔͪΌΜɺ ⊙✱⊙ ͞ΜͳͲ࣮૷͔Β೿ੜ͍ͯ͠·͢

ҰൠతͳֶशMPPQͷྫ "81࣮૷ͷલ४උ

"81ΛؚΜֶͩशMPPQͷྫ "81࣮૷ͷ֓ཁ ͜ͷߦΛMPPQதʹૠೖ͢Ε͹ྑ͍ "81Ϋϥεͷఆٛ͸ͪ͜Β

"81ΛؚΜֶͩशMPPQͷྫ "81࣮૷ͷ֓ཁͱ਺ࣜͷରԠ ߋ৽ଇͷޯ഑෦෼ΛٻΊ͍ͯΔ ∇w+v 1 m m ∑ i=1
ℓ(fw+v (xi ), yi )

"81ΛؚΜֶͩशMPPQͷྫ "81࣮૷ͷ֓ཁͱ਺ࣜͷରԠ 8Λ࣮ࡍʹߋ৽͢Δ෦෼ w ← w − η3 ∇w+v
1 m m ∑ i=1 ℓ( fw+v (xi ), yi )

"81ͷ࣮૷ ͍ͭ͜Β͸ԿΛ΍͍ͬͯΔͷ͔ʁ

"81ͷ࣮૷ BUUBDL@CBDLXBSEͰ͸ԿΛ΍͍ͬͯΔͷ͔ʁ Ϟσϧ Λอଘ fw ʹվม fw+v ௚ޙʹCBDLXBSE͍ͯ͠Δͱ͍͏͜ͱ͸
∇w+v 1 m m ∑ i=1 ℓ( fw+v (xi ), yi ) 1 m m ∑ i=1 ℓ( fw+v (xi ), yi ) ΛಘΔ͜ͱʹͳΔ ˠॏΈXۙ๣Ͱ ४ ࠷ѱͷଛࣦΛܭࢉ͍ͯ͠Δ

"81ͷ࣮૷ @BUUBDL@TUFQͰ͸ԿΛ΍͍ͬͯΔͷ͔ʁ ˠ ʹվม͍ͯ͠Δ fw+v v ← η2 ∇v
1 m ∑m i=1 ℓ( fw+v (x′ i ), yi ) ∇v 1 m ∑m i=1 ℓ( fw+v (x′ i ), yi ) ∥w∥

"81ͷ࣮૷ @BUUBDL@TUFQͰ͸ԿΛ΍͍ͬͯΔͷ͔ʁ ˠ ʹվม͍ͯ͠Δ fw+v fw+v

"81ͷ࣮૷ @SFTUPSFͷҙຯ Xۙ๣Ͱѱ͍ଛࣦΛܭࢉ ͦͷͱ͖ʹϞσϧΛ ʹॻ͖׵͑ͯ͠·ͬͨʂ fw+v ʹ໭͢ඞཁ͕͋Δ fw

"81ͷ࣮ફతͳ࢖༻ํ๏ ࣮ફͰ͸Ϟσϧ͕͋Δఔ౓ֶश͔ͯ͠Βಋೖ͢Δ ֶश࣌ؒ΋ϝϞϦ࢖༻ྔ΋ഒఔ౓ͱ͔ͳΓॏ͍

"81ͷಋೖྫ 111.ίϯϖʹ͓͚ΔTDPSFͷਪҠΛՄࢹԽ "81ʹΑΔఢରֶशͷ։࢝ ߴ͍΄Ͳྑ͍ ίϯϖͰ͸ ΄Ͳͷ ਫ਼౓޲্ʹد༩ͨ͠

"EWFSTBSJBM8FJHIU1FSUVSCBUJPO)FMQT3PCVTU(FOFSBMJ[BUJPO ·ͱΊ࿦จΛղઆ͠·ͨ͠ ఢରతࣄྫʹର͢Δؤ݈ੑ͕ߴ·ͬͨ ໨త ఢରతࣄྫʹର͢Δؤ݈ੑΛߴΊ͍ͨ طଘݚڀ ఢରతࣄྫΛ࡞ֶͬͯशʹՃ͑Δख๏͕ଟ͔ͬͨ ܦݧత  
ࣄ࣮ ٻ·ͬͨॏΈͷपล͕ΑΓฏΒͳଛࣦʹͳΔ৔߹ɺ ఢରతࣄྫʹର͢Δؤ݈ੑ͕ߴ͍ ख๏ ϞσϧʹఢରతͳઁಈΛՃ͑ͳ͕Βֶश͢Δ ݁Ռ ՝୊఺ ฏΒͳଛࣦͱͳΔΑ͏ͳ௚઀తͳఆࣜԽ͕ͳ͞Ε͍ͯͳ͍

-PPQͷதʹߦ௥Ճ͢Δ͚ͩͰ࣮૷Մೳ ·ͱΊ࣮૷Λղઆ͠·ͨ͠ ͜ͷߦΛMPPQதʹૠೖ͢Ε͹ྑ͍ "81Ϋϥεͷఆٛ͸ͪ͜Β

Kaggleで使用される敵対学習方法AWPの論文解説と実装解説 ~Adversarial We...

Kaggleで使用される敵対学習方法AWPの論文解説と実装解説 ~Adversarial Weight Perturbation Helps Robust Generalization~

More Decks by Masaki AOTA

Other Decks in Programming

Featured

Transcript