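Current transfer learning methods for deep neural networks are usually based on fine-tuning a pretrained model, using the feature-extraction capability the pretrained model already has to make the model perform the recognition task of a new dataset. Many past studies have found that deep neural networks are unstable on data to which specially crafted noise has been added (adversarial examples), inputs that can cause a deep learning model to change its final decision. In this paper, we propose a new transfer learning method for black-box models, aimed especially at data-scarce tasks: black-box adversarial reprogramming (BAR) can make a black-box model change its original classification task into a different classification task. Using zeroth order optimization and multi-label mapping techniques, BAR can change the classification target of the target black-box model using only inputs and their corresponding outputs, without changing any of the target black-box model's architecture or adjusting its parameters. Especially in data-scarce settings, such as medical imaging datasets (autism brain fMRI images, diabetic retinopathy images, skin cancer images), BAR performs better than both ordinary transfer learning and existing state-of-the-art results.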
Current transfer learning methods are mainly based on fine-tuning a pretrained model with target-domain data. Motivated by the techniques from adversarial machine learning (ML) that are capable of manipulating the model prediction via data perturbations, in this paper we propose a novel approach, black-box adversarial reprogramming (BAR), that repurposes a well-trained black-box ML model (e.g., a prediction API or proprietary software) for solving different ML tasks, especially in the scenario with scarce data and constrained resources. The rationale lies in exploiting high-performance but unknown ML models to gain learning capability for transfer learning. Using zeroth order optimization and multi-label mapping techniques, BAR can reprogram a black-box ML model solely based on its input-output responses without knowing the model architecture or changing any parameter. More importantly, in the limited medical data setting, on autism spectrum disorder classification, diabetic retinopathy detection, and melanoma detection tasks, BAR outperforms state-of-the-art methods and yields comparable performance to the vanilla adversarial reprogramming method requiring complete knowledge of the target ML model. BAR also outperforms baseline transfer learning approaches by a significant margin, demonstrating cost-effective means and new insights for transfer learning.
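A minimal sketch of the two ingredients the abstract names, zeroth order optimization and multi-label mapping, added here as an illustration and not taken from the paper's code. The 4-class linear `black_box`, the `LABEL_MAP` assignment, the synthetic data, the unbounded additive program, the averaged random-direction estimator and all hyperparameters are assumptions made for the example.

```python
import math, random

# Constructed stand-in for the black-box model: a fixed 4-class softmax classifier.
# The optimizer below only ever calls black_box(x); A and B are never read by it.
A = [[2, 0, 1, 0], [1, 1, 1, 0], [-2, 0, 0, 1], [-1, -1, 0, 1]]
B = [5, 5, 0, 0]

def black_box(x):
    logits = [sum(a * v for a, v in zip(row, x)) + b for row, b in zip(A, B)]
    e = [math.exp(l - max(logits)) for l in logits]
    s = sum(e)
    return [v / s for v in e]

# Multi-label mapping (assumed assignment): several source labels per target label.
LABEL_MAP = {0: [0, 1], 1: [2, 3]}

def target_probs(z, theta):
    # Target sample z fills the first two inputs; trainable program theta fills the rest.
    p = black_box(list(z) + list(theta))
    return [sum(p[k] for k in LABEL_MAP[t]) for t in (0, 1)]

def loss(theta, data):
    return -sum(math.log(target_probs(z, theta)[y] + 1e-12) for z, y in data) / len(data)

def accuracy(theta, data):
    return sum((target_probs(z, theta)[1] > 0.5) == (y == 1) for z, y in data) / len(data)

def zo_gradient(theta, data, rng, q=10, beta=0.01):
    # Averaged one-sided random-direction estimate built from loss queries only.
    d, base, g = len(theta), loss(theta, data), [0.0] * len(theta)
    for _ in range(q):
        u = [rng.gauss(0, 1) for _ in range(d)]
        n = math.sqrt(sum(v * v for v in u))
        u = [v / n for v in u]
        diff = (loss([t + beta * v for t, v in zip(theta, u)], data) - base) / beta
        g = [gi + d * diff * v / q for gi, v in zip(g, u)]
    return g

def reprogram(data, steps=200, lr=0.5, seed=0):
    rng, theta = random.Random(seed), [0.0, 0.0]
    for _ in range(steps):
        theta = [t - lr * gi for t, gi in zip(theta, zo_gradient(theta, data, rng))]
    return theta

def make_data(n=20, seed=1):
    # Constructed two-class target task, mirrored around the origin.
    rng = random.Random(seed)
    pos = [(1 + rng.uniform(-0.3, 0.3), 0.5 + rng.uniform(-0.3, 0.3)) for _ in range(n)]
    return [(z, 0) for z in pos] + [((-z[0], -z[1]), 1) for z in pos]
```

Each optimization step costs `q + 1` loss evaluations, so `(q + 1) * len(data)` model queries, which is the budget an API operator would see as repeated near-identical inputs.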