Project 2

Part (a) ResNet for CIFAR-10

In this part, I implemented a ResNet-style deep learning network to perform image classification on the CIFAR-10 dataset.

The image size in the CIFAR-10 dataset is 32x32x3. Since the resolution is not high and the number of classes is relatively small, we will use a convolutional neural network with residual connections.

The motivation for a convolutional neural network is that its structure is translation-invariant, meaning that if the object in the image shifts position, the network will still be able to recognize it. The motivation for residual connections is that we can train a slightly deeper network than a traditional convolutional network and hopefully get better results.

The full implementation of ResNet as in the original paper [1] seemed too heavy, so I took the idea of the residual block and stacked only 3 layers of these modules in the network. The network has the following modules:

Conv2d(kernel = 3, in=3, out = 16)

- BatchNorm2d

- ReLU activation

3 layers of Residual Block (kernel = 3, in=16, out = 16)

Average Pooling of kernel 8

Fully connected layer (in=256, out = 10)

Inside each Residual Block, there are the following modules:

Conv2d(kernel = 3, in=16, out=16)

- BatchNorm2d

- ReLU activation

Conv2d(kernel = 3, in=16, out=16)

- BatchNorm2d

- ReLU activation

Residual Connection(x)

The model was trained for 10 epochs. According to the test result, the final accuracy on the test set is 65.18% and the micro-F1 score is 68.0%. Below are the confusion matrix from our model's prediction results and some of the mistakes it made:

[1] Kaiming He, Xiangyu Zhang, Shaoqing Ren, Jian Sun. Deep Residual Learning for Image Recognition. arXiv:1512.03385.

Part (b) Attack models

Method

In this part, we first trained a similar ResNet network on the MNIST dataset for 5 epochs. We then tested its accuracy without any attack as a benchmark: after 5 epochs of training, its accuracy on the MNIST test set is 98.28%.

Now we start to attack the model with different methods. In each attack, we will try to set to see their effects, where the parameters are either the noise standard deviation or the step size by which the data can deviate. The results are shown in the table below:

(* For the semantic attack and the CW attack, the noise level is not applicable.)

The drop is most significant with PGD. The Carlini-Wagner attack has some hyperparameters to tune, and the search was too exhaustive to perform on my laptop, so its attack might not be adequate.

Defense: Interpolated Adversarial Training

We implemented AT and trained the model again, with the adversarial examples generated using FGSM. After training with FGSM (epsilon = 0.2) for 5 epochs, we tested the network again with PGD, the strongest first-order attack method:

Without PGD: test accuracy = 98.59%

With PGD:

  • Epsilon = 0.01: accuracy = 93.93%
  • Epsilon = 0.1: accuracy = 46.97%
  • Epsilon = 0.2: accuracy = 31.31%

We can see that training with adversarial samples could increase the robustness of the model against adversarial attacks.
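
The robustness evaluation described above can be sketched as follows. This is an added example, not the author's code: it runs L-inf PGD (with FGSM as its one-step case) against a constructed two-feature logistic model standing in for the ResNet and measures accuracy at the epsilon values listed above. The weights, sample points, step size and step count are all assumptions.

```python
import math

# Constructed stand-in for the trained network: a 2-feature logistic model.
W, B = [2.0, -2.0], 0.0
# Constructed samples (features in [0, 1], label), all classified correctly when clean.
DATA = [([0.8, 0.2], 1), ([0.6, 0.5], 1), ([0.5, 0.49], 1),
        ([0.3, 0.6], 0), ([0.2, 0.8], 0)]

def prob(x):
    """Model output: probability of class 1."""
    z = sum(w * xi for w, xi in zip(W, x)) + B
    return 1.0 / (1.0 + math.exp(-z))

def loss_grad(x, y):
    """Gradient of the cross-entropy loss with respect to the input: (p - y) * w."""
    p = prob(x)
    return [(p - y) * w for w in W]

def pgd(x, y, eps, alpha, steps):
    """L-inf PGD: signed-gradient ascent on the loss, projected after every step."""
    adv = list(x)
    for _ in range(steps):
        g = loss_grad(adv, y)
        adv = [a + alpha * ((gi > 0) - (gi < 0)) for a, gi in zip(adv, g)]
        # Project into the eps-ball around x, then into the valid pixel range [0, 1].
        adv = [min(max(a, xi - eps, 0.0), xi + eps, 1.0) for a, xi in zip(adv, x)]
    return adv

def fgsm(x, y, eps):
    """FGSM is the single-step case of PGD with step size eps."""
    return pgd(x, y, eps, alpha=eps, steps=1)

def robust_accuracy(eps, steps=10):
    """Fraction of DATA still classified correctly after a PGD perturbation of size eps."""
    correct = 0
    for x, y in DATA:
        adv = pgd(x, y, eps, alpha=eps / 4, steps=steps)
        correct += int((prob(adv) >= 0.5) == bool(y))
    return correct / len(DATA)

if __name__ == "__main__":
    # 0.0 is the no-attack baseline; the rest are the epsilon values used above.
    for eps in (0.0, 0.01, 0.1, 0.2):
        print(f"eps={eps}: accuracy={robust_accuracy(eps):.2f}")
```

For a linear model the gradient sign never changes, so PGD ends at the same point as FGSM; on a deep network such as the ResNet the iterated, projected steps are what make PGD the stronger of the two.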