# Setup Which of the following equations are incorrect according to the specification? # Notation A neural network is a function $F(x) = y$ that accepts an input $x \in \mathbb{R}^n$ and produces an output $y \in \mathbb{R}^m$. The model $F$ also implicitly depends on some model parameters $\theta$; in our work the model is fixed, so for convenience we don't show the dependence on $\theta$. In this paper we focus on neural networks used as an $m$-class classifier. The output of the network is computed using the softmax function, which ensures that the output vector $y$ satisfies $0 \le y_i \le 1$ and $y_1 + \dots + y_m = 1$. The output vector $y$ is thus treated as a probability distribution, i.e., $y_i$ is treated as the probability that input $x$ has class $i$. The classifier assigns the label $C(x) = \arg\max_i F(x)_i$ to the input $x$. Let $C^*(x)$ be the correct label of $x$. The inputs to the softmax function are called \emph{logits}. We use the notation from Papernot et al. \cite{distillation}: define $F$ to be the full neural network including the softmax function, $Z(x) = z$ to be the output of all layers except the softmax (so $z$ are the logits), and \begin{equation*} F(x) = \softmax(Z(x)) = y. \end{equation*} A neural network typically \footnote{Most simple networks have this simple linear structure, however other more sophisticated networks have more complicated structures (e.g., ResNet \cite{he2016deep} and Inception \cite{szegedy2015rethinking}). The network architecture does not impact our attacks.} consists of layers \begin{equation*} F = \softmax \circ F_n \circ F_{n-1} \circ \cdots \circ F_1 \end{equation*} where \begin{equation*} F_i(x) = \sigma(\theta_i \cdot x) + \hat\theta_i \end{equation*} for some non-linear activation function $\sigma$, some matrix $\theta_i$ of model weights, and some vector $\hat\theta_i$ of model biases. Together $\theta$ and $\hat\theta$ make up the model parameters. Common choices of $\sigma$ are tanh \cite{mishkin2015all}, sigmoid, ReLU \cite{maas2013rectifier}, or ELU \cite{clevert2015fast}. In this paper we focus primarily on networks that use a ReLU activation function, as it currently is the most widely used activation function \cite{szegedy2015rethinking,springenberg2014striving,mishkin2015all,distillation}. # Specification: We define an objective function $f$ such that $C(x+\delta) = t$ if and only if $f(x+\delta) \le 0$. There are many possible choices for $f$: # The equations \begin{align*} f_{1}(x') &= -\loss_{F,t}(x') + 1\\ f_{2}(x') &= (\max_{i \ne t}( F(x')_i) - F(x')_t)^+\\ f_{3}(x') &= \text{softplus}(\max_{i \ne t}(F(x')_i) - F(x')_t)-\log(2)\\ f_{4}(x') &= (0.5 - F(x')_t)^+\\ f_{5}(x') &= -\log(2 F(x')_t - 2)\\ f_{6}(x') &= (\max_{i \ne t}( Z(x')_i) - Z(x')_t)^+\\ f_{7}(x') &= \text{softplus}(\max_{i \ne t}(Z(x')_i) - Z(x')_t)-\log(2) \end{align*} where $s$ is the correct classification, $(e)^+$ is short-hand for $\max(e,0)$, $\text{softplus}(x) = \log(1+\exp(x))$, and $\loss_{F,s}(x)$ is the cross entropy loss for $x$. # Your task Consider each equation one by one. End your answer with a python list of numbers [1,2,3,4,5,6,7] for those that are wrong. Specifically, make sure that $C(x+\delta) = t$ if and only if $f(x+\delta) \le 0$. Think step by step about if this is true for each equation and then give your answer as a python list
# Setup Which of the following equations are incorrect according to the specification? # Notation A neural network is a function $F(x) = y$ that accepts an input $x \in \mathbb{R}^n$ and produces an output $y \in \mathbb{R}^m$. The model $F$ also implicitly depends on some model parameters $\theta$; in our work the model is fixed, so for convenience we don't show the dependence on $\theta$. In this paper we focus on neural networks used as an $m$-class classifier. The output of the network is computed using the softmax function, which ensures that the output vector $y$ satisfies $0 \le y_i \le 1$ and $y_1 + \dots + y_m = 1$. The output vector $y$ is thus treated as a probability distribution, i.e., $y_i$ is treated as the probability that input $x$ has class $i$. The classifier assigns the label $C(x) = \arg\max_i F(x)_i$ to the input $x$. Let $C^*(x)$ be the correct label of $x$. The inputs to the softmax function are called \emph{logits}. We use the notation from Papernot et al. \cite{distillation}: define $F$ to be the full neural network including the softmax function, $Z(x) = z$ to be the output of all layers except the softmax (so $z$ are the logits), and \begin{equation*} F(x) = \softmax(Z(x)) = y. \end{equation*} A neural network typically \footnote{Most simple networks have this simple linear structure, however other more sophisticated networks have more complicated structures (e.g., ResNet \cite{he2016deep} and Inception \cite{szegedy2015rethinking}). The network architecture does not impact our attacks.} consists of layers \begin{equation*} F = \softmax \circ F_n \circ F_{n-1} \circ \cdots \circ F_1 \end{equation*} where \begin{equation*} F_i(x) = \sigma(\theta_i \cdot x) + \hat\theta_i \end{equation*} for some non-linear activation function $\sigma$, some matrix $\theta_i$ of model weights, and some vector $\hat\theta_i$ of model biases. Together $\theta$ and $\hat\theta$ make up the model parameters. Common choices of $\sigma$ are tanh \cite{mishkin2015all}, sigmoid, ReLU \cite{maas2013rectifier}, or ELU \cite{clevert2015fast}. In this paper we focus primarily on networks that use a ReLU activation function, as it currently is the most widely used activation function \cite{szegedy2015rethinking,springenberg2014striving,mishkin2015all,distillation}. # Specification: We define an objective function $f$ such that $C(x+\delta) = t$ if and only if $f(x+\delta) \le 0$. There are many possible choices for $f$: # The equations \begin{align*} f_{1}(x') &= -\loss_{F,t}(x') + 1\\ f_{2}(x') &= (\max_{i \ne t}( F(x')_i) - F(x')_t)^+\\ f_{3}(x') &= \text{softplus}(\max_{i \ne t}(F(x')_i) - F(x')_t)-\log(2)\\ f_{4}(x') &= (0.5 - F(x')_t)^+\\ f_{5}(x') &= -\log(2 F(x')_t - 2)\\ f_{6}(x') &= (\max_{i \ne t}( Z(x')_i) - Z(x')_t)^+\\ f_{7}(x') &= \text{softplus}(\max_{i \ne t}(Z(x')_i) - Z(x')_t)-\log(2) \end{align*} where $s$ is the correct classification, $(e)^+$ is short-hand for $\max(e,0)$, $\text{softplus}(x) = \log(1+\exp(x))$, and $\loss_{F,s}(x)$ is the cross entropy loss for $x$. # Your task Consider each equation one by one. End your answer with a python list of numbers [1,2,3,4,5,6,7] for those that are wrong. Specifically, make sure that $C(x+\delta) = t$ if and only if $f(x+\delta) \le 0$. Think step by step about if this is true for each equation and then give your answer as a python list
We need f(x′) ≤ 0 if and only if the classifier picks class t; that is, if and only if F(x′)_t is the maximum (using logits in the proper cases). Let’s analyze each: 1. f₁(x′) = –loss₍F,t₎(x′) + 1 The cross-entropy loss for true class t is loss₍F,t₎(x′) = –log(F(x′)_t). Thus, f₁(x′) = log(F(x′)_t) + 1. Then f₁(x′) ≤ 0 ⇔ log(F(x′)_t) ≤ –1, or equivalently, F(x′)_t ≤ e^(–1) (about 0.37). However, a correct classification just means that F(x′)_t is the largest probability—not necessarily ≤ e^(–1). In fact, a very confident classification (e.g. F(x′)_t ≈ 0.9) would give f₁(x′) > 0. Hence, the if‐and‐only‐if condition fails. → f₁ is incorrect. 2. f₂(x′) = (max₍i ≠ t₎ F(x′)_i – F(x′)_t)⁺ Here, f₂(x′) ≤ 0 means that max₍i ≠ t₎ F(x′)_i ≤ F(x′)_t, i.e. the target probability is at least as high as all others. This is equivalent to C(x′) = t (up to tie-breaking issues which are typically handled by the argmax definition). → f₂ is correct. 3. f₃(x′) = softplus(max₍i ≠ t₎ F(x′)_i – F(x′)_t) – log2 Recall that softplus(x)= log(1+exp(x)). When (max₍i ≠ t₎ F(x′)_i – F(x′)_t) ≤ 0, softplus is at most log2. So f₃(x′) ≤ 0 exactly when max₍i ≠ t₎ F(x′)_i ≤ F(x′)_t. → f₃ is correct. 4. f₄(x′) = (0.5 – F(x′)_t)⁺ f₄(x′) ≤ 0 means that 0.5 – F(x′)_t ≤ 0, i.e. F(x′)_t ≥ 0.5. But F(x′)_t being larger than 0.5 is not equivalent to being the maximum if there are, say, 3 classes where F(x′)_t = 0.4 (and the other two lower). Thus the condition f₄(x′) ≤ 0 does not capture the classification decision. → f₄ is incorrect. 5. f₅(x′) = –log(2F(x′)_t – 2) Notice that 2F(x′)_t – 2 = 2(F(x′)_t – 1) ≤ 0 because F(x′)_t ≤ 1. In fact, unless F(x′)_t = 1 exactly, the argument of log is nonpositive (or 0 when F(x′)_t = 1, where the log is undefined). Even if defined in some limiting sense, this condition would only be “zero” (or approach 0) when F(x′)_t = 1, which is much stronger than simply being the largest. → f₅ is incorrect. 6. f₆(x′) = (max₍i ≠ t₎ Z(x′)_i – Z(x′)_t)⁺ Since F(x′) = softmax(Z(x′)) and softmax preserves the argmax, we have C(x′)=t if and only if Z(x′)_t is maximal. Thus f₆(x′) ≤ 0 exactly when Z(x′)_t is greater than or equal to all other logits. → f₆ is correct. 7. f₇(x′) = softplus(max₍i ≠ t₎ Z(x′)_i – Z(x′)_t) – log2 As with f₃, f₇(x′) ≤ 0 exactly when (max₍i ≠ t₎ Z(x′)_i – Z(x′)_t) ≤ 0. This is equivalent to class t having the highest logit. → f₇ is correct. Thus, the equations that do not satisfy the requirement (i.e. where f(x′) ≤ 0 if and only if C(x′) = t) are f₁, f₄, and f₅. The answer as a Python list is: [1, 4, 5].
Resulting in output: False
# Setup Which of the following equations are incorrect according to the specification? # Notation A neural network is a function $F(x) = y$ that accepts an input $x \in \mathbb{R}^n$ and produces an output $y \in \mathbb{R}^m$. The model $F$ also implicitly depends on some model parameters $\theta$; in our work the model is fixed, so for convenience we don't show the dependence on $\theta$. In this paper we focus on neural networks used as an $m$-class classifier. The output of the network is computed using the softmax function, which ensures that the output vector $y$ satisfies $0 \le y_i \le 1$ and $y_1 + \dots + y_m = 1$. The output vector $y$ is thus treated as a probability distribution, i.e., $y_i$ is treated as the probability that input $x$ has class $i$. The classifier assigns the label $C(x) = \arg\max_i F(x)_i$ to the input $x$. Let $C^*(x)$ be the correct label of $x$. The inputs to the softmax function are called \emph{logits}. We use the notation from Papernot et al. \cite{distillation}: define $F$ to be the full neural network including the softmax function, $Z(x) = z$ to be the output of all layers except the softmax (so $z$ are the logits), and \begin{equation*} F(x) = \softmax(Z(x)) = y. \end{equation*} A neural network typically \footnote{Most simple networks have this simple linear structure, however other more sophisticated networks have more complicated structures (e.g., ResNet \cite{he2016deep} and Inception \cite{szegedy2015rethinking}). The network architecture does not impact our attacks.} consists of layers \begin{equation*} F = \softmax \circ F_n \circ F_{n-1} \circ \cdots \circ F_1 \end{equation*} where \begin{equation*} F_i(x) = \sigma(\theta_i \cdot x) + \hat\theta_i \end{equation*} for some non-linear activation function $\sigma$, some matrix $\theta_i$ of model weights, and some vector $\hat\theta_i$ of model biases. Together $\theta$ and $\hat\theta$ make up the model parameters. Common choices of $\sigma$ are tanh \cite{mishkin2015all}, sigmoid, ReLU \cite{maas2013rectifier}, or ELU \cite{clevert2015fast}. In this paper we focus primarily on networks that use a ReLU activation function, as it currently is the most widely used activation function \cite{szegedy2015rethinking,springenberg2014striving,mishkin2015all,distillation}. # Specification: We define an objective function $f$ such that $C(x+\delta) = t$ if and only if $f(x+\delta) \le 0$. There are many possible choices for $f$: # The equations \begin{align*} f_{1}(x') &= -\loss_{F,t}(x') + 1\\ f_{2}(x') &= (\max_{i \ne t}( F(x')_i) - F(x')_t)^+\\ f_{3}(x') &= \text{softplus}(\max_{i \ne t}(F(x')_i) - F(x')_t)-\log(2)\\ f_{4}(x') &= (0.5 - F(x')_t)^+\\ f_{5}(x') &= -\log(2 F(x')_t - 2)\\ f_{6}(x') &= (\max_{i \ne t}( Z(x')_i) - Z(x')_t)^+\\ f_{7}(x') &= \text{softplus}(\max_{i \ne t}(Z(x')_i) - Z(x')_t)-\log(2) \end{align*} where $s$ is the correct classification, $(e)^+$ is short-hand for $\max(e,0)$, $\text{softplus}(x) = \log(1+\exp(x))$, and $\loss_{F,s}(x)$ is the cross entropy loss for $x$. # Your task Consider each equation one by one. End your answer with a python list of numbers [1,2,3,4,5,6,7] for those that are wrong. Specifically, make sure that $C(x+\delta) = t$ if and only if $f(x+\delta) \le 0$. Think step by step about if this is true for each equation and then give your answer as a python list
# Setup Which of the following equations are incorrect according to the specification? # Notation A neural network is a function $F(x) = y$ that accepts an input $x \in \mathbb{R}^n$ and produces an output $y \in \mathbb{R}^m$. The model $F$ also implicitly depends on some model parameters $\theta$; in our work the model is fixed, so for convenience we don't show the dependence on $\theta$. In this paper we focus on neural networks used as an $m$-class classifier. The output of the network is computed using the softmax function, which ensures that the output vector $y$ satisfies $0 \le y_i \le 1$ and $y_1 + \dots + y_m = 1$. The output vector $y$ is thus treated as a probability distribution, i.e., $y_i$ is treated as the probability that input $x$ has class $i$. The classifier assigns the label $C(x) = \arg\max_i F(x)_i$ to the input $x$. Let $C^*(x)$ be the correct label of $x$. The inputs to the softmax function are called \emph{logits}. We use the notation from Papernot et al. \cite{distillation}: define $F$ to be the full neural network including the softmax function, $Z(x) = z$ to be the output of all layers except the softmax (so $z$ are the logits), and \begin{equation*} F(x) = \softmax(Z(x)) = y. \end{equation*} A neural network typically \footnote{Most simple networks have this simple linear structure, however other more sophisticated networks have more complicated structures (e.g., ResNet \cite{he2016deep} and Inception \cite{szegedy2015rethinking}). The network architecture does not impact our attacks.} consists of layers \begin{equation*} F = \softmax \circ F_n \circ F_{n-1} \circ \cdots \circ F_1 \end{equation*} where \begin{equation*} F_i(x) = \sigma(\theta_i \cdot x) + \hat\theta_i \end{equation*} for some non-linear activation function $\sigma$, some matrix $\theta_i$ of model weights, and some vector $\hat\theta_i$ of model biases. Together $\theta$ and $\hat\theta$ make up the model parameters. Common choices of $\sigma$ are tanh \cite{mishkin2015all}, sigmoid, ReLU \cite{maas2013rectifier}, or ELU \cite{clevert2015fast}. In this paper we focus primarily on networks that use a ReLU activation function, as it currently is the most widely used activation function \cite{szegedy2015rethinking,springenberg2014striving,mishkin2015all,distillation}. # Specification: We define an objective function $f$ such that $C(x+\delta) = t$ if and only if $f(x+\delta) \le 0$. There are many possible choices for $f$: # The equations \begin{align*} f_{1}(x') &= -\loss_{F,t}(x') + 1\\ f_{2}(x') &= (\max_{i \ne t}( F(x')_i) - F(x')_t)^+\\ f_{3}(x') &= \text{softplus}(\max_{i \ne t}(F(x')_i) - F(x')_t)-\log(2)\\ f_{4}(x') &= (0.5 - F(x')_t)^+\\ f_{5}(x') &= -\log(2 F(x')_t - 2)\\ f_{6}(x') &= (\max_{i \ne t}( Z(x')_i) - Z(x')_t)^+\\ f_{7}(x') &= \text{softplus}(\max_{i \ne t}(Z(x')_i) - Z(x')_t)-\log(2) \end{align*} where $s$ is the correct classification, $(e)^+$ is short-hand for $\max(e,0)$, $\text{softplus}(x) = \log(1+\exp(x))$, and $\loss_{F,s}(x)$ is the cross entropy loss for $x$. # Your task Consider each equation one by one. End your answer with a python list of numbers [1,2,3,4,5,6,7] for those that are wrong. Specifically, make sure that $C(x+\delta) = t$ if and only if $f(x+\delta) \le 0$. Think step by step about if this is true for each equation and then give your answer as a python list
We need each f(x′) to satisfy C(x′) = t ⟺ f(x′) ≤ 0. Here C(x′) = argmax₍ᵢ₎ F(x′)₍ᵢ₎, and F is the softmax applied to the logits. Examine each in turn: 1. f₁(x′) = –loss_F,t(x′) + 1 The cross–entropy loss loss_F,t(x′) is (typically) –log(F(x′)ₜ). When F is very confident (i.e. F(x′)ₜ near 1) the loss is near 0. Then f₁(x′) ≈ 1, which is > 0. In other words, even when the classifier correctly predicts t, f₁ > 0. Moreover, f₁ ≤ 0 if and only if loss_F,t(x′) ≥ 1, which isn’t equivalent to “F(x′)ₜ is maximal.” Thus f₁ does not satisfy the requirement. 2. f₂(x′) = (max₍ᵢ ≠ t₎ F(x′)₍ᵢ₎ – F(x′)ₜ)⁺ Here (⋅)⁺ = max(⋅, 0). Notice that f₂(x′) = 0 exactly when F(x′)ₜ ≥ max₍ᵢ ≠ t₎ F(x′)₍ᵢ₎, i.e. when the classifier picks t. Also if another class has a larger probability then f₂ > 0. So f₂ meets the condition. 3. f₃(x′) = softplus(max₍ᵢ ≠ t₎ F(x′)₍ᵢ₎ – F(x′)ₜ) – log(2) Recall softplus(x) = log(1+exp(x)), and softplus(0) = log(2). Thus when max₍ᵢ ≠ t₎ F(x′)₍ᵢ₎ – F(x′)ₜ ≤ 0 (i.e. F(x′)ₜ is highest) we have softplus ≤ log(2) so that f₃ ≤ 0, with equality if the difference is exactly 0. When F(x′)ₜ is not the largest, f₃ > 0. So f₃ is correct. 4. f₄(x′) = (0.5 – F(x′)ₜ)⁺ This function is zero (i.e. f₄ ≤ 0) exactly when F(x′)ₜ ≥ 0.5. But note that having F(x′)ₜ ≥ 0.5 is not equivalent to F(x′)ₜ being the maximum probability (especially in a multi–class problem where a class can be the highest even with probability < 0.5). Therefore f₄ does not meet the “if and only if” condition. 5. f₅(x′) = –log(2 F(x′)ₜ – 2) Look at the argument of the logarithm: 2 F(x′)ₜ – 2 = 2 (F(x′)ₜ – 1). Since F(x′)ₜ ∈ [0,1], we have F(x′)ₜ – 1 ≤ 0 so that 2(F(x′)ₜ – 1) ≤ 0, and the logarithm is not defined (or is negative infinity) for F(x′)ₜ < 1. Thus f₅ is not meaningful in mapping classification correctness to f(x′) ≤ 0. 6. f₆(x′) = (max₍ᵢ ≠ t₎ Z(x′)₍ᵢ₎ – Z(x′)ₜ)⁺ Since softmax is monotonic with respect to the logits Z(x′), F(x′) and Z(x′) have the same ordering. Therefore f₆(x′) = 0 if and only if Z(x′)ₜ is the maximum (i.e. C(x′)=t). So f₆ is acceptable. 7. f₇(x′) = softplus(max₍ᵢ ≠ t₎ Z(x′)₍ᵢ₎ – Z(x′)ₜ) – log(2) By the same reasoning as f₃, with Z(x′) instead of F(x′), we have that softplus(0)=log(2) so that f₇(x′) ≤ 0 if and only if Z(x′)ₜ is at least as big as every other logit. Hence f₇ is correct. Thus, the equations that are incorrect (i.e. do not guarantee that C(x+δ) = t if and only if f(x+δ) ≤ 0) are numbers 1, 4, and 5. The final answer is: [1, 4, 5].
Resulting in output: False