equation
- index.html +22 -2
index.html
CHANGED
|
@@ -248,12 +248,12 @@
|
|
| 248 |
<!-- Relations -->
|
| 249 |
<section class="section">
|
| 250 |
<div class="container is-max-desktop">
|
| 251 |
-
<h2 class="title is-3">Neighborhood Relations of
|
| 252 |
<div class="columns is-centered">
|
| 253 |
<div class="column container-centered">
|
| 254 |
<img src="./static/images/relations.jpg" alt="Neighborhood Relations of Benign Examples and AEs"/>
|
| 255 |
<p>
|
| 256 |
-
<strong>Figure 1. Neighborhood Relations of
|
| 257 |
</p>
|
| 258 |
</div>
|
| 259 |
</div>
|
|
@@ -460,6 +460,26 @@
|
|
| 460 |
</div>
|
| 461 |
</div>
|
| 462 |
</div>
|
| 463 |
</div>
|
| 464 |
|
| 465 |
|
|
|
|
| 248 |
<!-- Relations -->
|
| 249 |
<section class="section">
|
| 250 |
<div class="container is-max-desktop">
|
| 251 |
+
<h2 class="title is-3">Neighborhood Relations of AEs and Clean Samples</h2>
|
| 252 |
<div class="columns is-centered">
|
| 253 |
<div class="column container-centered">
|
| 254 |
<img src="./static/images/relations.jpg" alt="Neighborhood Relations of Benign Examples and AEs"/>
|
| 255 |
<p>
|
| 256 |
+
<strong>Figure 1. Neighborhood Relations of AEs and Clean Samples.</strong>
|
| 257 |
</p>
|
| 258 |
</div>
|
| 259 |
</div>
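Review bot: The alt text on the img at new line 254 still reads "Neighborhood Relations of Benign Examples and AEs", while the heading at 251 and the Figure 1 caption at 256 now say "AEs and Clean Samples". Update the alt attribute to the same wording so the figure is described with one term throughout, or keep "Benign Examples" in all three places.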
|
|
|
|
| 460 |
</div>
|
| 461 |
</div>
|
| 462 |
</div>
|
| 463 |
+
|
| 464 |
+
<div class="columns is-centered">
|
| 465 |
+
<div class="column">
|
| 466 |
+
<p id="label-loss">
|
| 467 |
+
Attackers can design adaptive attacks to try to bypass BEYOND when the attacker knows all the parameters of the model
|
| 468 |
+
and the detection strategy. For an SSL model with a feature extractor $f$, a projector $h$, and a classification head $g$,
|
| 469 |
+
the classification branch can be formulated as $\mathbb{C} = f\circ g$ and the representation branch as $\mathbb{R} = f\circ h$.
|
| 470 |
+
To attack effectively, the adversary must deceive the target model while guaranteeing the label consistency and representation similarity of the SSL model.
|
| 471 |
+
</p>
|
| 472 |
+
<p id="representation-loss", style="display: none">
|
| 473 |
+
where $\mathcal{S}$ represents cosine similarity, $k$ represents the number of generated neighbors,
|
| 474 |
+
and the linear augmentation function $W(x)=W(x,p);~p\sim P$ randomly samples $p$ from the parameter distribution $P$ to generate different neighbors.
|
| 475 |
+
Note that we guarantee the generated neighbors are fixed each time by fixing the random seed. The adaptive adversaries perform attacks on the following objective function:
|
| 476 |
+
</p>
|
| 477 |
+
|
| 478 |
+
<p id="total-loss", style="display: none;">
|
| 479 |
+
where $\mathcal{L}_C$ indicates classifier's loss function, $y_t$ is the targeted class, and $\alpha$ refers to a hyperparameter.
|
| 480 |
+
</p>
|
| 481 |
+
</div>
|
| 482 |
+
</div>
|
| 483 |
</div>
|
| 484 |
|
| 485 |
|
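Review bot: The opening tags at new lines 472 and 478 put a comma between attributes (id="representation-loss", style="display: none" and id="total-loss", style="display: none;"); HTML attributes are separated by whitespace only, so drop the comma in both. Both hidden paragraphs open with "where ..." and line 475 ends with "the following objective function:", but no equation appears in this hunk and nothing visible here reveals the hidden elements, so either include the equations or add a comment naming what fills in and un-hides these ids. Also check the composition order at 469: with the feature extractor $f$ applied first, the usual notation would be $g\circ f$ and $h\circ f$ rather than $f\circ g$ and $f\circ h$.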