DOCSLIB.ORG

Learning to Generate Adversarial Examples

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Learning to Generate Adversarial Examples Adversarial Transformation Networks: Learning to Generate Adversarial Examples Shumeet Baluja and Ian Fischer Google Research Mountain View, CA. Abstract (2014b), as well as much recent work, has shown that ad- versarial examples are abundant, and that there are many Multiple different approaches of generating ad- ways to discover them. versarial examples have been proposed to attack deep neural networks. These approaches involve Given a classifier f(x): x 2 X ! y 2 Y and orig- either directly computing gradients with respect inal inputs x 2 X , the problem of generating untar- to the image pixels, or directly solving an op- geted adversarial examples can be expressed as the opti- ∗ ∗ timization on the image pixels. In this work, mization: argminx∗ L(x; x ) s:t: f(x ) 6= f(x), where we present a fundamentally new method for gen- L(·) is a distance metric between examples from the in- erating adversarial examples that is fast to exe- put space (e.g., the L2 norm). Similarly, generating a tar- cute and provides exceptional diversity of out- geted adversarial attack on a classifier can be expressed as ∗ ∗ put. We efficiently train feed-forward neural net- argminx∗ L(x; x ) s:t: f(x ) = yt, where yt 2 Y is some 1 works in a self-supervised manner to generate target label chosen by the attacker. adversarial examples against a target network or Until now, these optimization problems have been solved set of networks. We call such a network an Ad- using three broad approaches: (1) By directly using opti- versarial Transformation Network (ATN). ATNs mizers like L-BFGS or Adam (Kingma & Ba, 2015), as are trained to generate adversarial examples that proposed in Szegedy et al.(2013) and Carlini & Wag- minimally modify the classifier’s outputs given ner(2016). Such optimizer-based approaches tend to be the original input, while constraining the new much slower and more powerful than the other approaches. classification to match an adversarial target class. (2) By approximation with single-step gradient-based tech- We present methods to train ATNs and analyze niques like fast gradient sign (Goodfellow et al., 2014b) their effectiveness targeting a variety of MNIST or fast least likely class (Kurakin et al., 2016a). These ap- classifiers as well as the latest state-of-the-art Im- proaches are fast, requiring only a single forward and back- ageNet classifier Inception ResNet v2. ward pass through the target classifier to compute the per- turbation. (3) By approximation with iterative variants of gradient-based techniques (Kurakin et al., 2016a; Moosavi- arXiv:1703.09387v1 [cs.NE] 28 Mar 2017 1. Introduction and Background Dezfooli et al., 2016a;b). These approaches use multiple forward and backward passes through the target network to With the resurgence of deep neural networks for many real- more carefully move an input towards an adversarial clas- world classification tasks, there is an increased interest in sification. methods to generate training data, as well as to find weak- 1 nesses in trained models. An effective strategy to achieve Another axis to compare when considering adversarial at- both goals is to create adversarial examples that trained tacks is whether the adversary has access to the internals of the tar- get model. Attacks without internal access are possible by trans- models will misclassify. Adversarial examples are small ferring successful attacks on one model to another model, as in perturbations of the inputs that are carefully crafted to fool Szegedy et al.(2013); Papernot et al.(2016a), and others. A more the network into producing incorrect outputs. These small challenging class of blackbox attacks involves having no access perturbations can be used both offensively, to fool models to any relevant model, and only getting online access to the tar- into giving the “wrong” answer, and defensively, by pro- get model’s output, as explored in Papernot et al.(2016b); Baluja et al.(2015); Tram er` et al.(2016). See Papernot et al.(2015) for viding training data at weak points in the model. Semi- a detailed discussion of threat models. nal work by Szegedy et al.(2013) and Goodfellow et al. Adversarial Transformation Networks 2. Adversarial Transformation Networks Note that training labels for the target network are not re- quired at any point in this process. All that is required is the In this work, we propose Adversarial Transformation Net- target network’s outputs y and y0. It is therefore possible to works (ATNs). An ATN is a neural network that transforms train ATNs in a self-supervised manner, where they use un- an input into an adversarial example against a target net- labeled data as the input and make argmax f(gf;t(x)) = t. work or set of networks. ATNs may be untargeted or tar- geted, and trained in a black-box2 or white-box manner. In Reranking function. There are a variety of options for this work, we will focus on targeted, white-box ATNs. the reranking function. The simplest is to set r(y; t) = Formally, an ATN can be defined as a neural network: onehot(t), but other formulations can make better use of the signal already present in y to encourage better recon- g (x): x 2 X ! x0 (1) f;θ structions. In this work, we look at reranking functions that where θ is the parameter vector of g, f is the target network attempt to keep r(y; t) ∼ y. In particular, we use r(·) that which outputs a probability distribution across class labels, maintains the rank order of all but the targeted class in or- 0 0 0 and x ∼ x, but argmax f(x) 6= argmax f(x ). der to minimize distortions when computing x = gf;t(x). The specific r(·) used in our experiments has the following Training. To find g , we solve the following optimiza- f;θ form: tion: X 0( ) 1 argmin βL (g (x ); x )+L (f(g (x )); f(x )) α ∗ max y if k = t X f;θ i i Y f;θ i i r (y; t) = norm θ x 2X α @ A i yk otherwise (2) k2y (4) where LX is a loss function in the input space (e.g., L2 loss or a perceptual similarity loss like Johnson et al.(2016)), α > 1 is an additional parameter specifying how much larger y should be than the current max classification. LY is a specially-formed loss on the output space of f (de- t scribed below) to avoid learning the identity function, and norm(·) is a normalization function that rescales its input β is a weight to balance the two loss functions. We will to be a valid probability distribution. omit θ from gf when there is no ambiguity. 2.1. Adversarial Example Generation Inference. At inference time, gf can be run on any input There are two approaches to generating adversarial exam- x without requiring further access to f or more gradient ples with an ATN. The ATN can be trained to generate just computations. This means that after being trained, gf can the perturbation to x, or it can be trained to generate an generate adversarial examples against the target network f adversarial autoencoding of x. even faster than the single-step gradient-based approaches, such as fast gradient sign, so long as jjgf jj / jjfjj. • Perturbation ATN (P-ATN): To just generate a per- turbation, it is sufficient to structure the ATN as a vari- Loss Functions. The input-space loss function, LX , would ideally correspond closely to human perception. ation on the residual block (He et al., 2015): gf (x) = tanh(x + G(x)), where G(·) represents the core func- However, for simplicity, L2 is sufficient. LY determines whether or not the ATN is targeted; the target refers to the tion of gf . With small initial weight vectors, this struc- class for which the adversary will cause the classifier to ture makes it easy for the network to learn to generate output the maximum value. In this work, we focus on the small, but effective, perturbations. more challenging case of creating targeted ATNs, which • Adversarial Autoencoding (AAE): AAE ATNs are can be defined similarly to Equation1: similar to standard autoencoders, in that they attempt 0 gf;t(x): x 2 X ! x (3) to accurately reconstruct the original input, subject to regularization, such as weight decay or an added noise where t is the target class, so that argmax f(x0) = t. This signal. For AAE ATNs, the regularizer is LY . This allows us to target the exact class the classifier should mis- imposes an additional requirement on the AAE to add takenly believe the input is. some perturbation p to x such that r(f(x0)) = y0. 0 0 In this work, we define LY;t(y ; y) = L2(y ; r(y; t)), 0 where y = f(x), y = f(gf (x)), and r(·) is a reranking For both ATN approaches, in order to enforce that x0 is function that modifies y such that yk < yt; 8 k 6= t. a plausible member of X , the ATN should only generate 2E.g., using Williams(1992) to generate training gradients values in the valid input range of f. For images, it suffices for the ATN based on a reward signal computed on the result of to set the activation function of the last layer to be the tanh sending the generated adversarial examples to the target network. function; this constrains each output channel to [−1; 1]. Adversarial Transformation Networks Table 1. Baseline Accuracy of Five MNIST Classifiers Architecture Acc. Classifier-Primary (Classifier ) p 98.6% (5x5 Conv)! (5x5 Conv)! FC! FC Classifier-Alternate-0 (Classifier ) a0 98.5% (5x5 Conv)! (5x5 Conv)! FC ! FC Classifier-Alternate-1 (Classifier ) a1 98.9% (4x4 Conv)! (4x4 Conv)! (4x4 Conv)! FC ! FC Classifier-Alternate-2 (Classifier ) a2 99.1% (3x3 Conv)! (3x3 Conv)! (3x3 Conv) ! FC ! FC Classifier-Alternate-3 (Classifier ) a3 98.5% (3x3 Conv) ! FC ! FC ! FC 2.2.
Load more

Recommended publications
  • ML-Based Interactive Data Visualization System for Diversity and Fairness Issues 1
    Jusub Kim : ML-based Interactive Data Visualization System for Diversity and Fairness Issues 1 https://doi.org/10.5392/IJoC.2019.15.4.001 ML-based Interactive Data Visualization System for Diversity and Fairness Issues Sey Min Department of Art & Technology Sogang University, Seoul, Republic of Korea Jusub Kim Department of Art & Technology Sogang University, Seoul, Republic of Korea ABSTRACT As the recent developments of artificial intelligence, particularly machine-learning, impact every aspect of society, they are also increasingly influencing creative fields manifested as new artistic tools and inspirational sources. However, as more artists integrate the technology into their creative works, the issues of diversity and fairness are also emerging in the AI-based creative practice. The data dependency of machine-learning algorithms can amplify the social injustice existing in the real world. In this paper, we present an interactive visualization system for raising the awareness of the diversity and fairness issues. Rather than resorting to education, campaign, or laws on those issues, we have developed a web & ML-based interactive data visualization system. By providing the interactive visual experience on the issues in interesting ways as the form of web content which anyone can access from anywhere, we strive to raise the public awareness of the issues and alleviate the important ethical problems. In this paper, we present the process of developing the ML-based interactive visualization system and discuss the results of this project. The proposed approach can be applied to other areas requiring attention to the issues. Key words: AI Art, Machine Learning, Data Visualization, Diversity, Fairness, Inclusiveness.
    [Show full text]
  • Building Intelligent Systems with Large Scale Deep Learning Jeff Dean Google Brain Team G.Co/Brain
    Building Intelligent Systems with Large Scale Deep Learning Jeff Dean Google Brain team g.co/brain Presenting the work of many people at Google Google Brain Team Mission: Make Machines Intelligent. Improve People’s Lives. How do we do this? ● Conduct long-term research (>200 papers, see g.co/brain & g.co/brain/papers) ○ Unsupervised learning of cats, Inception, word2vec, seq2seq, DeepDream, image captioning, neural translation, Magenta, ML for robotics control, healthcare, … ● Build and open-source systems like TensorFlow (see tensorflow.org and https://github.com/tensorflow/tensorflow) ● Collaborate with others at Google and Alphabet to get our work into the hands of billions of people (e.g., RankBrain for Google Search, GMail Smart Reply, Google Photos, Google speech recognition, Google Translate, Waymo, …) ● Train new researchers through internships and the Google Brain Residency program Main Research Areas ● General Machine Learning Algorithms and Techniques ● Computer Systems for Machine Learning ● Natural Language Understanding ● Perception ● Healthcare ● Robotics ● Music and Art Generation Main Research Areas ● General Machine Learning Algorithms and Techniques ● Computer Systems for Machine Learning ● Natural Language Understanding ● Perception ● Healthcare ● Robotics ● Music and Art Generation research.googleblog.com/2017/01 /the-google-brain-team-looking-ba ck-on.html 1980s and 1990s Accuracy neural networks other approaches Scale (data size, model size) 1980s and 1990s more Accuracy compute neural networks other approaches Scale
    [Show full text]
  • Audio Event Classification Using Deep Learning in an End-To-End Approach
    Audio Event Classification using Deep Learning in an End-to-End Approach Master thesis Jose Luis Diez Antich Aalborg University Copenhagen A. C. Meyers Vænge 15 2450 Copenhagen SV Denmark Title: Abstract: Audio Event Classification using Deep Learning in an End-to-End Approach The goal of the master thesis is to study the task of Sound Event Classification Participant(s): using Deep Neural Networks in an end- Jose Luis Diez Antich to-end approach. Sound Event Classifi- cation it is a multi-label classification problem of sound sources originated Supervisor(s): from everyday environments. An auto- Hendrik Purwins matic system for it would many applica- tions, for example, it could help users of hearing devices to understand their sur- Page Numbers: 38 roundings or enhance robot navigation systems. The end-to-end approach con- Date of Completion: sists in systems that learn directly from June 16, 2017 data, not from features, and it has been recently applied to audio and its results are remarkable. Even though the re- sults do not show an improvement over standard approaches, the contribution of this thesis is an exploration of deep learning architectures which can be use- ful to understand how networks process audio. The content of this report is freely available, but publication (with reference) may only be pursued due to agreement with the author. Contents 1 Introduction1 1.1 Scope of this work.............................2 2 Deep Learning3 2.1 Overview..................................3 2.2 Multilayer Perceptron...........................4
    [Show full text]
  • Bridging Reinforcement Learning and Creativity: Implementing Reinforcement Learning in Processing
    Bridging Reinforcement Learning and Creativity: Implementing Reinforcement Learning in Processing Jieliang Luo Media Arts & Technology Sam Green Computer Science University of California, Santa Barbara SIGGRAPH Asia 2018 Tokyo, Japan December 6th, 2018 Course Agenda • What is Reinforcement Learning (10 mins) ▪ Introduce the core concepts of reinforcement learning • A Brief Survey of Artworks in Deep Learning (5 mins) • Why Processing Community (5 mins) • A Q-Learning Algorithm (35 mins) ▪ Explain a fundamental reinforcement learning algorithm • Implementing Tabular Q-Learning in P5.js (40 mins) ▪ Discuss how to create a reinforcement learning environment ▪ Show how to implement the tabular q-learning algorithm in P5.js • Questions & Answers (5 mins) Bridging Reinforcement Learning and Creativity, Jieliang Luo & Sam Green Psychology Pictures Bridging Reinforcement Learning and Creativity, Jieliang Luo & Sam Green What is Reinforcement Learning • Branch of machine learning • Learns through trial & error, rewards & punishment • Draws from psychology, neuroscience, computer science, optimization Bridging Reinforcement Learning and Creativity, Jieliang Luo & Sam Green Reinforcement Learning Framework Agent Environment Bridging Reinforcement Learning and Creativity, Jieliang Luo & Sam Green https://www.youtube.com/watch?v=V1eYniJ0Rnk Bridging Reinforcement Learning and Creativity, Jieliang Luo & Sam Green https://www.youtube.com/watch?v=ZhsEKTo7V04 Bridging Reinforcement Learning and Creativity, Jieliang Luo & Sam Green Bridging Reinforcement
    [Show full text]
  • Learning Semantics of Raw Audio
    Learning Semantics of Raw Audio Davis Foote, Daylen Yang, Mostafa Rohaninejad Group name: “Audio Style Transfer” Introduction Variational Inference Numerically modeling semantics has given some useful exciting results in the We would like to have a latent space in which arithmetic operations domains of images [1] and natural language [2]. We would like to be able to correspond to semantic operations in the observed space. To that end, we operate on raw audio signals at a similar level of abstraction. Consider the adopt the following model, adapted from [1]: problem of trying to interpolate two voices into a voice that sounds “in We interpret the hidden variables � as the latent code. between” the two. Averaging the signals will result in the two voices There is a prior over latent codes �� � and a conditional speaking at once. If this operation were performed in a latent space in which distribution �� � � . In order to be able to encode a data dimensions have semantic meaning, then we would see results which match point, we also need to learn an approximation to the human perception of what this interpolation should mean. posterior distribution, �� � � . We can optimize all these We follow two distinct branches in pursuing this goal. First, motivated by parameters at once using the Auto-Encoding Variational aesthetic results in style transfer [3] and generation of novel styles [4], we Bayes algorithm [1]. Some very simple results (ours) of implement a deep classifier for various musical tags in hopes that the various sampling from this model trained on MNIST are shown: layer activations will encode meaningful high-level audio features.
    [Show full text]
  • Mechanisms of Artistic Creativity in Deep Learning Neural Networks
    Mechanisms of Artistic Creativity in Deep Learning Neural Networks Lonce Wyse Communication and New Media Department National University of Singapore Singapore [email protected] Abstract better be able to build systems that can reflect and com- The generative capabilities of deep learning neural net- municate about their behavior. works (DNNs) have been attracting increasing attention “Mechanisms” have a contested status in the field of for both the remarkable artifacts they produce, but also computational creativity. Fore some, there is a reluctance because of the vast conceptual difference between how to make the recognition of creativity depend on any partic- they are programmed and what they do. DNNs are ular mechanism, and focus is directed to artifacts over pro- “black boxes” where high-level behavior is not explicit- cess (Ritchie 2007). This at least avoids the phenomenon ly programed, but emerges from the complex interac- plaguing classically programmed AI systems identified by tions of thousands or millions of simple computational John McCarthy that, “as soon as it works, no one calls it AI elements. Their behavior is often described in anthro- any more.” Others (Colton 2008) argue that understanding pomorphic terms that can be misleading, seem magical, or stoke fears of an imminent singularity in which ma- the process by which an artifact in generated is important chines become “more” than human. for an assessment of creativity. In this paper, we examine 5 distinct behavioral char- With neural networks, complex behaviors emerge out of acteristics associated with creativity, and provide an ex- the simple interaction between potentially millions of units.
    [Show full text]
  • City Research Online
    City Research Online City, University of London Institutional Repository Citation: Ollero, J. and Child, C. H. T. (2018). Performance Enhancement of Deep Reinforcement Learning Networks using Feature Extraction. Lecture Notes in Computer Science, 10878, pp. 208-218. doi: 10.1007/978-3-319-92537-0_25 This is the accepted version of the paper. This version of the publication may differ from the final published version. Permanent repository link: https://openaccess.city.ac.uk/id/eprint/19526/ Link to published version: http://dx.doi.org/10.1007/978-3-319-92537-0_25 Copyright: City Research Online aims to make research outputs of City, University of London available to a wider audience. Copyright and Moral Rights remain with the author(s) and/or copyright holders. URLs from City Research Online may be freely distributed and linked to. Reuse: Copies of full items can be used for personal research or study, educational, or not-for-profit purposes without prior permission or charge. Provided that the authors, title and full bibliographic details are credited, a hyperlink and/or URL is given for the original metadata page and the content is not changed in any way. City Research Online: http://openaccess.city.ac.uk/ [email protected] Performance Enhancement of Deep Reinforcement Learning Networks using Feature Extraction Joaquin Ollero and Christopher Child City, University of London, United Kingdom Abstract. The combination of Deep Learning and Reinforcement Learning, termed Deep Reinforcement Learning Networks (DRLN), offers the possibility of us- ing a Deep Learning Neural Network to produce an approximate Reinforcement Learning value table that allows extraction of features from neurons in the hidden layers of the network.
    [Show full text]
  • Google Deep Dream
    Google Deep Dream Team Number: 12 Course: CSE352 Professor: Anita Wasilewska Presented by: Badr AlKhamissi Sameer Anand Kathryn Blecher Marolyn Liang Diego Santos Campo What Is Google Deep Dream? Deep Dream is a computer vision program created by Google. Uses a convolutional neural network to find and enhance patterns in images with powerful AI algorithms. Creating a dreamlike hallucinogenic appearance in the deliberately over-processed images. Base of Google Deep Dream Inception is fundamental base for Google Deep Dream and is introduced on ILSVRC in 2014. Deep convolutional neural network architecture that achieves the new state of the art for classification and detection. Improved utilization of the computing resources inside the network. Increased the depth and width of the network while keeping the computational budget constant of 1.5 billion multiply-adds at inference time. How Does Deep Dream Work? How Does Deep Dream Work? Deep Dream works on a Neural Network (NN) This is a type of computer system that can learn on its own. Neural networks are modeled after the functionality of the human brain, and tend to be particularly useful for pattern recognition. Biological Inspiration Biological Inspiration Convolutional Neural Network (CNN) Feed forward artificial neural network Inspired by the organization of the animal visual cortex (convolution operation) Designed to use minimal amounts of preprocessing Combine Kernel Convolution and Deep Learning Mostly used in image and video recognition, recommender systems and NLP Why Convolutional Networks? Curse of dimensionality Local connectivity Shared Weights CNN Architecture 5.1% Human Error Rate in Identifying Objects 4.94% Microsoft made it better than humans in 2014 3.46% Google inception-v3 model beat them in 2014 Digging Deeper Into The Neural Network Deep Dream’s Convolutional Neural Network must first be trained.
    [Show full text]
  • Art in Machine Learning
    1 Creativity in Machine Learning w0 x0 w1 x1 w2 Martin Thoma x2 Σ ' w3 E-Mail: [email protected] x3 . wn xn Abstract—Recent machine learning techniques can be modified (a) Example of an artificial neuron unit.(b) A visualization of a simple feed- to produce creative results. Those results did not exist before; it xi are the input signals and wi are forward neural network. The 5 in- is not a trivial combination of the data which was fed into the weights which have to get learned. put nodes are red, the 2 bias nodes machine learning system. The obtained results come in multiple Each input signal gets multiplied are gray, the 3 hidden units are forms: As images, as text and as audio. with its weight, everything gets green and the single output node summed up and the activation func- is blue. This paper gives a high level overview of how they are created tion ' is applied. and gives some examples. It is meant to be a summary of the current work and give people who are new to machine learning Fig. 1: Neural networks are based on simple units which get some starting points. combined to complex networks. I. INTRODUCTION This means that machine learning programs adjust internal parameters to fit the data they are given. Those computer According to [Gad06] creativity is “the ability to use your programs are still developed by software developers, but the imagination to produce new ideas, make things etc.” and developer writes them in a way which makes it possible to imagination is “the ability to form pictures or ideas in your adjust them without having to re-program everything.
    [Show full text]
  • Computer Vision and Computer Hallucinations
    A reprint from American Scientist the magazine of Sigma Xi, The Scientific Research Society This reprint is provided for personal and noncommercial use. For any other use, please send a request Brian Hayes by electronic mail to [email protected]. Computing Science Computer Vision and Computer Hallucinations A peek inside an artificial neural network reveals some pretty freaky images. Brian Hayes eople have an amazing knack images specially designed to fool the network proposes a label. If the choice for image recognition. We networks, much as optical illusions fool is incorrect, an error signal propagates can riffle through a stack of the biological eye and brain. Another backward through the layers, reducing pictures and almost instantly approach runs the neural network in the activation of the wrongly chosen Plabel each one: dog, birthday cake, bi- reverse; instead of giving it an image output neuron. The training process cycle, teapot. What we can’t do is ex- as input and asking for a concept as does not alter the wiring diagram of plain how we perform this feat. When output, we specify a concept and the the network or the internal operations you see a rose, certain neurons in your network generates a corresponding of the individual neurons. Instead, it brain’s visual cortex light up with ac- image. A related technique called deep adjusts the weight, or strength, of the tivity; a tulip stimulates a different set dreaming burst on the scene last spring connections between one neuron and of cells. What distinguishing features following a blog post from Google Re- the next.
    [Show full text]
  • Robust Or Private? Adversarial Training Makes Models More Vulnerable to Privacy Attacks
    Robust or Private? Adversarial Training Makes Models More Vulnerable to Privacy Attacks Felipe A. Mejia1, Paul Gamble2, Zigfried Hampel-Arias1, Michael Lomnitz1, Nina Lopatina1, Lucas Tindall1, and Maria Alejandra Barrios2 1Lab41, In-Q-Tel, Menlo Park, USA 2Previously at Lab41, In-Q-Tel, Menlo Park, USA June 18, 2019 Abstract tomer photos. As we increasingly rely on machine learning, it is critical to assess the dangers of the Adversarial training was introduced as a way to im- vulnerabilities in these models. prove the robustness of deep learning models to ad- In a supervised learning environment several com- versarial attacks. This training method improves ro- ponents make up the learning pipeline of a machine bustness against adversarial attacks, but increases the learning model: collection of training data, definition models vulnerability to privacy attacks. In this work of model architecture, model training, and model out- we demonstrate how model inversion attacks, extract- puts { test and evaluation. This pipeline presents a ing training data directly from the model, previously broader attack surface, where adversaries can lever- thought to be intractable become feasible when at- age system vulnerabilities to compromise data privacy tacking a robustly trained model. The input space for and/or model performance. There are four main types a traditionally trained model is dominated by adver- of attacks discussed in literature: sarial examples - data points that strongly activate a certain class but lack semantic meaning - this makes • model fooling { small perturbation to the user it difficult to successfully conduct model inversion at- input leads to large changes in the model output tacks.
    [Show full text]
  • Lecture 9: Visualizing Cnns and Recurrent Neural Networks
    Lecture 9: Visualizing CNNs and Recurrent Neural Networks Tuesday February 28, 2017 * Original slides borrowed from Andrej Karpathy 1 and Li Fei-Fei, Stanford cs231n comp150dl Announcements! - HW #3 is out - Final Project proposals due this Thursday March 2 - Papers to read: Students should read all papers on the Schedule tab, and are encouraged to read as many papers as possible from the Papers tab. - Next paper: March 7 You Only Look Once: Unified, Real-Time Object Detection. If this paper seems too deep or confusing, look at Fast R-CNN, Faster R-CNN comp150dl 2 Python/Numpy of the Day • t-SNE (t-Distributed Stochastic Nearest Neighbor Embedding) • Scikit-Learn t-SNE • Examples of 2D Embedding Visualizations of MNIST dataset • Other Embedding functions in Scikit-Learn comp150dl 3 Visualizing CNN Behavior - How can we see what’s going on in a CNN? - Stuff we’ve already done: - Visualize the weights - Occlusion experiments — ex. Jason and Lisa’s AlexNet Occlusion Tests comp150dl 4 Visualizing CNN Behavior - How can we see what’s going on in a CNN? - Straightforward stuff to try in the future: - Visualize the representation space (e.g. with t-SNE) - Human experiment comparisons comp150dl 5 Visualizing CNN Behavior - How can we see what’s going on in a CNN? - More sophisticated approaches (HW #4) - Visualize patches that maximally activate neurons - Optimization over image approaches (optimization) - Deconv approaches (single backward pass) comp150dl 6 Deconv approaches - projecting backward from one neuron to see what is activating it 1. Feed image into net Q: how can we compute the gradient of any arbitrary neuron in the network w.r.t.
    [Show full text]