(Not entirely clear; re-listen to this part later.)
1. How to deceive a neural network?
The first part of the lecture explores how neural networks behave under small input changes. While studying this, people found, somewhat by accident, that the original image can be changed only very slightly, so slightly that the human eye sees no difference, yet the network gives a completely different answer. For example, the panda on the left is classified as a panda, but after adding the small amount of "noise" shown in the middle, the panda on the right is no longer recognized as a panda. This "noise" is not random: it is closer to an offset, a kind of systematic error, and when superimposed on the picture it reliably fools the network.
2. The mapping from a network's weights to its output is non-linear, very complex, and hard to optimize (this is what makes training difficult). The mapping from the input to the output, however, can be treated as approximately linear and therefore predictable, and optimizing the input is much easier than optimizing the weights. Using this near-linear relationship between input and output, one can easily generate samples that fool the network (this is what is meant by an attack).
FGSM (Fast Gradient Sign Method): an adversarial method. The core idea is that at each step of the optimization, the input is perturbed by a small amount along the sign of the gradient, so that the prediction moves toward a chosen target class or, if preferred, simply away from the correct class.
Transferability attack: an adversarial example found against one's own network can often break other neural networks as well.
3. Adversarial examples can also be used to train the network, which improves its results (adversarial training).
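The following is an added example, not code from the lecture or the notes, that puts points 2 and 3 together on a toy model. A logistic-regression "network" (a single linear layer, so the input-to-output map is exactly linear) is trained on constructed data in which feature 0 is one reliable feature and the other 200 features are individually weak but collectively predictive. The FGSM step `x + eps * sign(dL/dx)` is then applied to a test set, once against a normally trained model and once against a model trained on clean and FGSM samples together. All data, the `ETA`, `R` and `EPS` constants and the function names are assumptions of this example; the lecture's panda image is not reproduced.

```python
import numpy as np

# Added example (not from the lecture notes): a logistic-regression "network"
# on constructed data, used to show three points from the notes:
#   1. linearity: an L-inf perturbation of size eps can move the logit by at
#      most eps * ||w||_1, and FGSM reaches that bound exactly;
#   2. FGSM: x_adv = x + eps * sign(dL/dx) flips the prediction while no
#      single input value changes by more than eps;
#   3. adversarial training: training on FGSM samples as well as clean ones
#      makes the same attack much less effective.
# Feature 0 is a single reliable feature, the remaining K features are
# individually weak but collectively predictive. All values are constructed.

rng = np.random.default_rng(0)
K = 200        # number of weak features (assumed)
ETA = 0.15     # per-feature shift of the weak features (assumed)
R = 2.0        # magnitude of the single reliable feature (assumed)
EPS = 3 * ETA  # attack budget: large enough to reverse every weak feature

def make_data(n):
    """Constructed 2-class data: x[:,0] agrees with the label 90% of the time,
    x[:,1:] are weak features y_sign*ETA + N(0,1)."""
    y = rng.integers(0, 2, size=n)
    s = 2.0 * y - 1.0
    robust = np.where(rng.random(n) < 0.9, s, -s) * R
    weak = s[:, None] * ETA + rng.normal(size=(n, K))
    return np.column_stack([robust, weak]), y.astype(float)

def logit(w, b, x):
    return x @ w + b

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-np.clip(z, -30.0, 30.0)))  # clip avoids overflow

def grad_x(w, b, x, y):
    """dL/dx of the binary cross-entropy loss. For a linear model it equals
    (p - y) * w, so its sign depends only on the label and sign(w)."""
    p = sigmoid(logit(w, b, x))
    return (p - y)[:, None] * w[None, :]

def fgsm(w, b, x, y, eps):
    """Fast Gradient Sign Method: one step of size eps along sign(dL/dx),
    which pushes every sample away from its correct class."""
    return x + eps * np.sign(grad_x(w, b, x, y))

def train(x, y, epochs=300, lr=0.1, adv_eps=None):
    """Full-batch gradient descent. With adv_eps set, each epoch also fits the
    FGSM perturbation of the batch under the current weights (adversarial training)."""
    w = np.zeros(x.shape[1])
    b = 0.0
    for _ in range(epochs):
        xs, ys = x, y
        if adv_eps is not None:
            xs = np.vstack([x, fgsm(w, b, x, y, adv_eps)])
            ys = np.concatenate([y, y])
        err = sigmoid(logit(w, b, xs)) - ys
        w -= lr * (xs.T @ err) / len(ys)
        b -= lr * err.mean()
    return w, b

def accuracy(w, b, x, y):
    return float(np.mean((logit(w, b, x) > 0) == (y == 1)))

def logit_shift_bound(w, eps):
    """Largest logit change any L-inf perturbation of size eps can cause."""
    return float(eps * np.abs(w).sum())

def mean_logit_shift(w, b, x, x_adv):
    """Average |logit(x_adv) - logit(x)| actually produced by the attack."""
    return float(np.abs(logit(w, b, x_adv) - logit(w, b, x)).mean())

def run_experiment(eps=EPS, n=2000):
    x_tr, y_tr = make_data(n)
    x_te, y_te = make_data(n)
    w, b = train(x_tr, y_tr)                       # standard training
    w_adv, b_adv = train(x_tr, y_tr, adv_eps=eps)  # adversarial training
    x_att = fgsm(w, b, x_te, y_te, eps)            # attack on each model
    x_att_adv = fgsm(w_adv, b_adv, x_te, y_te, eps)
    return {
        "clean_acc": accuracy(w, b, x_te, y_te),
        "attacked_acc": accuracy(w, b, x_att, y_te),
        "max_input_change": float(np.abs(x_att - x_te).max()),
        "logit_shift_bound": logit_shift_bound(w, eps),
        "logit_shift_observed": mean_logit_shift(w, b, x_te, x_att),
        "advtrained_clean_acc": accuracy(w_adv, b_adv, x_te, y_te),
        "advtrained_attacked_acc": accuracy(w_adv, b_adv, x_att_adv, y_te),
    }

if __name__ == "__main__":
    for name, value in run_experiment().items():
        print(f"{name:>25}: {value:.3f}")
```

Run it as a script and compare the rows: the standard model scores well on clean data but its accuracy collapses under the attack even though no input value moved by more than `EPS`, and the observed logit shift equals `eps * ||w||_1`, which is the linear-model version of the lecture's linearity argument. The adversarially trained model gives up some clean accuracy (it stops leaning on the weak features, which the attack can reverse) but keeps most of it under the same attack. On a real network the input-to-output map is only approximately linear, so the bound is no longer exact, but the same sign-of-gradient step is what FGSM uses.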
4. Summary
CS231n Spring, Lecture 16: Adversarial Examples and Adversarial Training (lecture notes)