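Author (Chinese): 蔡昀芸
Author (English): Tsai, Yun-Yun
Thesis title (Chinese): 基於黑盒機器學習模型之對抗重編程
Thesis title (English): Transfer Learning without Knowing: Adversarial Reprogramming Black-box Machine Learning Models
Advisor (Chinese): 何宗易
Advisor (English): Ho, Tsung-Yi
Oral defense committee (Chinese): 陳尚澤; 游家牧; 陳品諭
Oral defense committee (English): Chen, Shang-Tse; Yu, Chia-Mu; Chen, Pin-Yu
Degree: Master's
Institution: National Tsing Hua University (國立清華大學)
Department: Department of Computer Science (資訊工程學系)
Student ID: 107062548
Year of publication (ROC calendar): 109
Academic year of graduation: 108
Language: English
Number of pages: 35
Keywords (translated from Chinese): deep learning; adversarial attack; artificial intelligence; black-box machine learning model; reprogramming
Keywords (English): Deep learning; Adversarial Attack; Artificial intelligence; Black-box Machine Learning Model; Adversarial Reprogramming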
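Current transfer learning methods for deep neural networks are usually based on fine-tuning a pretrained model, using the feature-extraction ability the pretrained model already has to let the model perform recognition tasks on a new dataset. Many past studies have found that deep neural networks are unstable on data to which specially crafted noise has been added (adversarial examples): such inputs can cause a deep learning model to change its final decision. In this thesis, we propose a new transfer learning method for black-box models, particularly for tasks with scarce data. Black-box adversarial reprogramming (BAR) can change a black-box model's original classification task into a different classification task. Using zeroth order optimization and multi-label mapping techniques, BAR can change the classification target of the target black-box model using only its input-output responses, without changing the target model's architecture or adjusting its parameters. Especially in data-scarce settings, such as medical imaging datasets (autism brain fMRI images, diabetic retinopathy images, skin cancer images), BAR performs better than ordinary transfer learning and than existing state-of-the-art results.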
Current transfer learning methods are mainly based on finetuning a pretrained model with target-domain data. Motivated by the techniques from adversarial machine learning (ML) that are capable of manipulating the model prediction via data perturbations, in this paper we propose a novel approach, black-box adversarial reprogramming (BAR), that repurposes a well-trained black-box ML model (e.g., a prediction API or proprietary software) for solving different ML tasks, especially in the scenario with scarce data and constrained resources. The rationale lies in exploiting high-performance but unknown ML models to gain learning capability for transfer learning. Using zeroth order optimization and multi-label mapping techniques, BAR can reprogram a black-box ML model solely based on its input-output responses without knowing the model architecture or changing any parameter. More importantly, in the limited medical data setting, on autism spectrum disorder classification, diabetic retinopathy detection, and melanoma detection tasks, BAR outperforms state-of-the-art methods and yields comparable performance to the vanilla adversarial reprogramming method requiring complete knowledge of the target ML model. BAR also outperforms baseline transfer learning approaches by a significant margin, demonstrating cost-effective means and new insights for transfer learning.
Abstract (Chinese)
Abstract
Acknowledgement
1. Introduction
2. Related Works
2.1 Adversarial ML and Reprogramming
2.2 Zeroth Order Optimization for Black-box Setting
3. Proposed Method
3.1 Problem Formulation
3.2 Zeroth Order Optimization for BAR
4. Experimental Results
4.1 Training Details of Baselines
4.1.1 Transfer learning (finetuned)
4.1.2 Training from scratch
4.2 Autism Spectrum Disorder Classification
4.3 Diabetic Retinopathy Detection
4.4 Melanoma Detection
4.5 Reprogramming Real-life Prediction APIs
4.6 Ablation Study and Sensitivity Analysis
5. Conclusion
References