Try   HackMD

ATOM: Robustifying Out-of-Distribution Detection Using Outlier Mining. ECML PKDD 2021.

Abstract

Detecting out-of-distribution (OOD) inputs is critical for safely deploying deep learning models in an open-world setting. However, existing OOD detection solutions can be brittle in the open world, facing various types of adversarial OOD inputs.

In this paper, we provide a theoretically motivated method, Adversarial Training with informative Outlier Mining (ATOM), which improves the robustness of OOD detection. We show that, by mining informative auxiliary OOD data, one can significantly improve OOD detection performance, and somewhat surprisingly, generalize to unseen adversarial attacks.

Introduction

Out-of-distribution (OOD) detection has become an indispensable part of building reliable open-world machine learning models. An OOD detector determines whether an input is from the same distribution as the training data, or different distribution.

An OOD image (e.g., mailbox) can be perturbed to be misclassified by the OOD detector as in-distribution (traffic sign data). Failing to detect such an adversarial OOD example 1 can be consequential in safety-critical applications.

The authors propose a novel training framework, Adversarial Training with informative Outlier Mining (ATOM). The key idea is to selectively utilize auxiliary outlier data for estimating a tight decision boundary between ID and OOD data, which leads to robust OOD detection performance.

While recent methods have leveraged auxiliary OOD data, they show that randomly selecting outlier samples for training yields a large portion of uninformative samples, which do not meaningfully improve the decision boundary between ID and OOD data.

ATOM demonstrates that by mining low OOD score data for training, one can significantly improve the robustness of an OOD detector, and generalize to unseen adversarial attacks.

The authors extensively evaluate ATOM on common OOD detection benchmarks, as well as a suite of adversarial OOD tasks, as illustrated in Figure 1.

Lastly, the authors provide theoretical analysis for ATOM, characterizing how outlier mining can better shape the decision boundary of the OOD detector.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Fig.1. Robust out-of-distribution detection. When deploying an image classification system (OOD detector
G(x) + image classifier
f(x)) in an open world, there can be multiple types of OOD examples. We consider a broad family of OOD inputs, including (a) Natural OOD, (b)
OOD, © corruption OOD, and (d) Compositional OOD. In (b-d), a perturbed OOD input (e.g., a perturbed mailbox image) can mislead the OOD detec- tor to classify it as an in-distribution sample. This can trigger the downstream image classifier
f(x) to predict it as one of the in-distribution classes (e.g., speed limit 70). Through adversarial training with informative outlier mining (ATOM), our method can robustify the decision boundary of OOD detector
G(x), which leads to improved performance across all types of OOD inputs. Solid lines are actual computation flow.

Preliminaries

Considering a training dataset

D train in drawn i.i.d. from a data distribution
PX,Y , where
X is the sample space and
Y={1,2,,K} is the set of labels. In addition, having an auxiliary outlier data
Doutauxiliary from distribution
UX.

The goal is to learn a detector

G:x{1,1}, which outputs
1 for an indistribution example
x and output
1 for a clean or perturbed OOD example
x.

Let

Ω(x) be a set of small perturbations on an OOD example
x. The detector is evaluated on
x from
PX and on the worst-case input inside
Ω(x) for an OOD example
x from
QX.

The false negative rate (FNR) and false positive rate (FPR) are defined as

FNR(G)=EXPXI[G(x)=1]FPR(G;Qx,Ω)=EXQXmaxδΩ(X)I[G(x+δ)=1]

Methodology

Method Overview

The authors use the terminology outlier mining to denote the process of selecting informative outlier training samples from the pool of auxiliary outlier data. Outlier training data is sampled from a uniform distribution from outside the support of in-distribution.

ATOM: Adversarial Training with Informative Outlier Mining

Training Objective.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Fig.2. A toy example in 2D space for illustration of informative outlier mining. With informative outlier mining, we can tighten the decision boundary and build a robust OOD detector.

The classification involves using a mixture of ID data and outlier samples. consider a

(K+1)-way classifier network
f, where the
(K+1)-th class label indicates out-of-distribution class. Denote by
Fθ(x) the softmax output of f on x. The robust training objective is given by

minθE(x,y)Dintrain[L(x,y,Fθ)]+λExDouttrainmaxxΩ,ϵ(x)[L(x,K+1;Fθ)]

where

L is the cross entropy loss, and
Douttrain is the OOD training dataset.

The authors use Projected Gradient Descent (PGD) to solve the inner max of the objective, and apply it to half of a minibatch while keeping the other half clean to ensure performance on both clean and perturbed data

Once trained, the OOD detector

G(x) can be constructed

G(x)={1if F(x)K+1γ,1if F(x)K+1<γ,

where

γ is the threshold, and in practice can be chosen on the in-distribution data so that a high fraction of the test examples are correctly classified by
G. And
F(x)K+1 is the OOD score of
x.

For an input labeled as in-distribution by

G, one can obtain its semantic label using
F(x)

F^(x)=maxy{1,2,,K}F(x)y

Informative Outlier Mining.

During each training epoch, we randomly sample

N data points from the auxiliary OOD dataset
Doutauxiliary, and use the current model to infer the OOD score. Next, the authors sort the data points according to the OOD scores and select a subset of
n<N data points, starting with the
qN-th data in the sorted list. We then use the selected samples as OOD training data D
Douttrain for the next epoch of training.

Intuitively,

q determines the informativeness of the sampled points w.r.t the OOD detector. The larger
q is, the less informative those sampled examples become.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Last changed by 
tungsomot
0
155

Read more

Time Series Generative Adversarial Networks. NIPS 2019.

[toc] Abstract A good generative model for time-series data should preserve temporal dynamics, in the sense that new sequences respect the original relationships between variables across time. The authors propose a novel framework for generating realistic time series data that combines the flexibility of the unsupervised paradigm with the control afforded by supervised training. Through a learned embedding space jointly optimized with both supervised and adversarial objectives, the authors encourage the network to adhere to the dynamics of the training data during sampling. Introduction The temporal setting poses a unique challenge to generative modeling. A model is not only tasked with capturing the distributions of features within each time point, it should also capture the potentially complex dynamics of those variables across time. In modeling multivariate sequential data $\mathbf{x}{1:T} = (\mathbf{x}{1}, \ldots, \mathbf{x}{T})$ , we wish to accurately capture the conditional distribution $p(\mathbf{x}{t} |\mathbf{x}_{1:t&#x2212;1})$ of temporal transitions. Contribution First, in addition to the unsupervised adversarial loss on both real and synthetic sequences, we introduce a stepwise supervised loss using the original data as supervision, thereby explicitly encouraging the model to capture the stepwise conditional distributions in the data.

Nov 2, 2022
Practical Adversarial Attacks on Spatiotemporal Traffic Forecasting Models. NIPS 2022.

Abstract Existing traffic forecasting models assume a reliable and unbiased forecasting environment, which is not always available. Investigate the vulnerability of spatiotemporal traffic forecasting models and propose a practical adversarial spatiotemporal attack framework Extensive experiments show that the proposed framework achieves up to 67.8% performance degradation on baselines. Introduction Injecting slight adversarial perturbations on a few randomly selected nodes can significantly degrade the traffic forecasting accuracy of the whole system. Figure 1: An illustration of adversarial attack against spatiotemporal forecasting models on the Bay Area traffic network in California, the data ranges from January 2017 to May 2017. (a) Adversarial attack of geo-distributed data. The malicious attacker may inject adversarial examples into a few randomly selected geo-distributed data sources. (e.g., roadway sensors) to mislead the prediction of the whole traffic forecasting system. (b) Accuracy drop of victim nodes. By adding less than 50% traffic speed perturbations to 10% victim nodes, we observe 60.4% accuracy drop of victim nodes in morning peak hour. (c) Accuracy drop of neighbouring nodes. Due to the information diffusion of spatiotemporal forecasting models, the adversarial attack also leads to up to about 47.23% accuracy drop for neighboring nodes

Nov 1, 2022
Read more from tungsomot
Published on HackMD