Skip to content

16 (M) 16th February, Friday

PattenR edited this page Feb 18, 2018 · 1 revision

I have been looking more into exactly what conditions cause the best overfitting, and so which would be best suited to a capacity abuse attack. https://arxiv.org/pdf/1706.05394.pdf and https://arxiv.org/pdf/1710.03667.pdf seem to suggest that the best case is when the number of parameters in the model is roughly the same as the number of training points. I've also discovered that a (fairly obvious) way of dealing with the memoization that occurs in these attacks is to use different regularisation techniques - however these only slow/limit the attack rather than stopping it completely.

I have stripped down my own implementation of the capacity abuse and run it for 150 epochs on BC, training on the original data+ synthetic and then only on synthetic during each attack with no regularisation. I found accuracy went from 28% to 54% in this time. Clearly this is fairly unpractical, I'm keen to find ways of making this a lot more effective and I know some of these papers are reporting some good fitting (60-70%+) on random data in only ~20 epochs with no regularisation. I suspect a key problem for me is using the CIFAR10 dataset, with only 10 output labels the rate of data transmission is fairly slow. I also know better results have been recorded on shallower models, this could be something to explore.

As for optimisation of the attack itself, I'm not completely sure how to proceed. I have to determine a stream of synthetic images that will allow for the network to fit these quickest to effectively random labels. The best option seems to be random images, but perhaps if I was able to find a way of generating images in the input space that where the "most different" it would allow for a decision boundary to be created between the points more easily? I had experimented earlier in the week with trying to use three synthetic points per data label, but this didn't seem to offer much improvement however that could be because of the way I generated the triples.

Meeting via Skype today, discussed the attack inefficiency, but decided to keep pushing forward with the aim of the project, with a view to coming back to this at a later date.

Clone this wiki locally