The present invention relates to a robustness evaluation device, a robustness evaluation method, and a recording medium.
In machine learning such as deep learning, a problem, of which a malfunction not expected by a designer during training may be induced by an adversarial example (AX) that is an artificial sample elaborately crafted to deceive a trained model, is known.
Regarding such an adversarial example, Non-Patent Document 1 proposes a quantitative robustness evaluation method against an adversarial example targeting a classifier g:Rd→Rk. The classifier disclosed in Non-Patent Document 1 outputs classification degrees represented by k real numbers respectively corresponding to k classification target classes with respect to input data. In this classifier, learning is performed using deep learning so that the classification degree of the true class becomes the highest with respect to the input data.
The method described in Non-Patent Document 1 is a method of calculating a robustness evaluation value for a classifier. Therefore, in the method described in Non-Patent Document 1, it is not possible to calculate the robustness of the authentication model using a feature extractor, a template of authentication target data, and a threshold value against the adversarial example.
An object of the present invention is to provide a robustness evaluation device, a robustness evaluation method, and a recording medium that can solve the above problem.
According to a first example aspect of the present invention, a robustness evaluation device includes: a similarity calculation unit that calculates the similarity between a feature of an input to an authentication model and a feature of a template; a local Lipschitz constant estimation unit, that estimates a local Lipschitz constant of a function for calculating similarity between the feature of the input to the authentication model and the feature of the template, in a sphere centered on the input to the authentication model; and an evaluation value estimation unit that estimates an evaluation value of robustness of the authentication model based on the similarity, a determination threshold value for the similarity, and the local Lipschitz constant.
According to a second example aspect of the present invention, a robustness evaluation method includes: calculating a similarity between a feature of an input to an authentication model and a feature of a template; estimating a local Lipschitz constant of a function for calculating similarity between the feature of the input to the authentication model and the feature of the template, in a sphere centered on the input to the authentication model; and estimating an evaluation value of robustness of the authentication model based on the similarity, a determination threshold value for the similarity, and the local Lipschitz constant.
According to a third example aspect of the present invention, a recording medium is a recording medium in which a program is recorded, the program causing a computer to execute: calculating a similarity between a feature of an input to an authentication model and a feature of a template; estimating a local Lipschitz constant of a function for calculating similarity between the feature of the input to the authentication model and the feature of the template, in a sphere centered on the input to the authentication model; and estimating an evaluation value of robustness of the authentication model based on the similarity, a determination threshold value for the similarity, and the local Lipschitz constant.
According to the above-described robustness evaluation device, the robustness evaluation method, and the recording medium, the robustness of the authentication model can be calculated.
Hereinafter, example embodiments of the present invention will be described, but the following example embodiments do not limit the invention according to the claims. In addition, not all combinations of features described in the example embodiments are essential to the solution of the invention.
The robustness evaluation device 100 calculates a quantitative evaluation value of the robustness of the authentication model against an adversarial example generated for the purpose of “dodging” the authentication model.
The authentication dodging means that the authentication model fails in authentication although data of the authentication target same as the authentication target authenticated using the registered template is input. For example, in the case of an authentication model that performs face authentication, the face of the authentication target person is the authentication target. In the authentication dodging, the authentication model fails in the face authentication although the face image of the person same as the authentication target person whose face image is registered as the template is input.
It is important to quantitatively evaluate the robustness of the authentication model against adversarial examples. When the authentication model is “robust”, it is difficult for the authentication result by the authentication model to be different when certain data is input to the authentication model and when an adversarial example obtained by processing the data is input to the authentication model. Processing data is expressed as adding noise to the data. When data before processing is x and noise is δ, data after processing is represented by x+δ.
When the robustness of the authentication model can be quantitatively evaluated, the authentication model can be compared from the viewpoint of robustness. The evaluation value of the robustness of the authentication model can be used as a reference for constructing a more robust authentication model against the adversarial example. Furthermore, the evaluation value of the robustness of the authentication model can be used as a reference for constructing a system including a more robust authentication model against the adversarial example.
The robustness evaluation device 100 sets an authentication model using an index indicating that the smaller the value, the higher the similarity, as an index of the similarity between the features, as a target for calculating the robustness evaluation value. When the similarity is calculated using such an index, the authentication model determines the authentication result as an authentication success if an index value of the similarity between the features is equal to or less than a threshold value, and as an authentication failure if the index value is larger than the threshold value. Examples of such an index include Euclidean distance.
In the first example embodiment, a case where an authentication model using a Euclidean distance as an index of similarity is a target of calculation of a robustness evaluation value will be described as an example. However, the similarity index used by the authentication model in the first example embodiment is not limited to the Euclidean distance, and various indices indicating that the smaller the value, the higher the similarity may be used.
A feature extractor of the authentication model 910 is indicated by f, a threshold value is indicated by τ, and a template of the authentication target i is indicated by ti. In addition, the authentication model 910 uses a Euclidean distance as an index of the similarity of the features.
The threshold value τ corresponds to an example of a determination threshold value for determining whether the authentication is successful, which is applied to the similarity of the features.
i is a positive integer indicating an identification number for identifying the authentication target. When a plurality of templates are registered in the authentication model 910, any one of the plurality of templates is designated, and the authentication model 910 performs authentication using the designated template. The authentication model 910 performs authentication by determining whether the authentication target indicated in the input data is the same authentication target as the authentication target in which the template is registered based on the similarity between the feature of the input data and the feature of the specified template.
The feature extractor f is expressed as f:Rd→Rm. Here, R represents a real number. d and m each represent a positive integer. The feature extractor f receives data of a d-dimensional real vector and outputs a feature indicated by an m-dimensional real vector.
The threshold value τ is a real number of τ>0.
The template ti of the authentication target i is data of the d-dimensional real vector. Thus, it is denoted that ti ∈Rd.
The feature extractor f outputs a vector (feature vector) indicating a similar feature with respect to the data of the same authentication target. For example, in a case where the authentication model 910 performs face authentication, the feature extractor f outputs a feature vector having high similarity to different face images of the same person.
The form of the feature extractor f is not limited to a specific form. For example, the feature extractor f may be generated by performing deep learning by a deep neural network (DNN), but the present invention is not limited thereto.
When one template ti is designated and data x∈Rd is input, the authentication model 910 calculates an index value indicating similarity between the feature of the input data x and the feature of the designated template ti. Then, the authentication model 910 compares the calculated index value with the threshold value τ. In a case where it is determined that the index value is equal to or less than the threshold value τ, the authentication model 910 outputs an authentication result of authentication success. In a case where it is determined that the index value is larger than the threshold value τ, the authentication model 910 outputs an authentication result of authentication failure.
The robustness evaluation device 100 assumes that the adversarial example xi+δ, obtained by adding the noise δ∈Rd to the data xi∈Rd of the authentication target i, is input to the authentication model 910, and calculates the robustness evaluation value of the authentication model at that time. The robustness evaluation device 100 estimates the lower limit βdod,p12 of the minimum perturbation size Δp,min12 necessary for achieving the authentication dodging, as the robustness evaluation value.
The minimum perturbation size Δp,min12 is expressed by Expression (1).
“∥ ∥p” indicates lp norm. “∥δ∥”p indicates lp norm of the noise δ∈Rd. p may be any of 1, 2, and ∞.
“f(xi+δ)” indicates the feature of the adversarial example xi+δ in which the noise δ is added to the data xi. “f(ti)” indicates the feature of the template ti.
“∥f(xi+δ)−f(ti)∥2” indicates an index value by the l2 norm of the similarity between the feature of the adversarial example xi+δ and the feature of the template ti. l2 norm is also referred to as a Euclidean distance.
“∥f(xi+δ)−f(ti)∥2>τ” indicates a determination criterion for the authentication model 910 to determine that the authentication fails. Therefore, the minimum perturbation size Δp,min12 indicates the minimum lp norm in which the authentication dodging occurs among the lp norm of the noise δ.
If the lp norm “∥δ∥p” of the noise δ is smaller than the minimum perturbation size Δp,min12, the authentication model 910 determines that authentication succeeds with authentication based on the adversarial example xi+δ and the template ti. That is, when the lp norm “∥δ∥p” of the noise δ is smaller than the minimum perturbation size Δp,min12, the authentication dodging does not occur.
In general, it is difficult to calculate the minimum perturbation size Δp,min12. Therefore, the robustness evaluation device 100 estimates the lower limit βdod,p12 of the minimum perturbation size Δp,min12 as the robustness evaluation value. Since βdod,p12 is the lower limit of the minimum perturbation size Δp,min12, it is expressed by Expression (2).
[Math. 2]
βdod,p12≤Δp,min12 (2)
p may be any of 1, 2, and ∞. If the lp norm “∥δ∥p” of the noise δ is smaller than the lower limit βdod,p12 of the minimum perturbation size, the authentication dodging does not occur.
When the feature extractor f, the threshold value τ, the template ti ∈Rd of the authentication target i, the input data xi∈Rd of the authentication target i, and the parameter ε>0 are input, the robustness evaluation device 100 estimates the lower limit βdod,p12 of the minimum perturbation size Δp,min12 and outputs the estimated lower limit as the robustness evaluation value.
The robustness evaluation device 100 calculates the lower limit βdod,p12 of the minimum perturbation size with respect to the input data xi∈Rd of the authentication model 910 using Expression (3).
“Lxi,ε12” indicates a local Lipschitz constant in a sphere Bpi of a function h12(x) expressed by Expression (4).
[Math. 4]
h
12(x)=∥f(x)−f(ti)∥2 (4)
The sphere Bpi is a sphere expressed by Expression (5).
[Math. 5]
B
p
i
={x∈R
d
|∥x−x
i∥p≤ε} (5)
The center of the sphere Bpi is xi, and the radius of the sphere Bpi is ε. ε represents a parameter used when the local Lipschitz constant is obtained, and ε>0. For example, the user of the robustness evaluation device 100 may determine the value of the parameter ε and input the determined value to the robustness evaluation device 100. Alternatively, the robustness evaluation device 100 may store a predetermined value of the parameter ε.
Here, the local Lipschitz constant will be described.
S⊂Rd is an area closed by a convex boundary, and the function h(x) is h(x):S→R. That is, the function h(x) is a continuous function for the region S that projects a d-dimensional real vector in the region S to a real number. In a case where Expression (6) is true when x and y are respectively arbitrary d-dimensional real vectors included in the region S, the function h(x) is referred to as a Lipschitz function of the Lipschitz constant Lq.
[Math. 6]
|h(x)−h(y)|≤Lq∥x−y∥p (6)
In particular, the Lipschitz constant at and around a particular x0∈Rd is referred to as a local Lipschitz constant.
In the first example embodiment, as described above, the local Lipschitz constant Lxi,ε12 of the function h12 in the sphere Bpi centered on xi is used.
Note that the Lipschitz constant and the local Lipschitz constant are described in, for example, Non-Patent Document 1.
As a method by which the robustness evaluation device 100 calculates the local Lipschitz constant Lxi,ε12, a known method can be used. For example, the robustness evaluation device 100 may calculate the local Lipschitz constant Lxi,ε12 based on Expression (7).
[Math. 7]
L
x
,ε
12=max{∥∇h12(x)∥q:x∈Bpi} (7)
∇ indicates a nabla operator, and ∇h(x) is expressed by Expression (8).
q is a positive integer satisfying Expression (9).
As described above, p takes any value of 1, 2, and ∞. When p=1, q=∞. When p=2, q=2. When p=∞, q=1.
The difference calculation unit 104 calculates a difference “τ−∥f(xi)−f(ti)∥2” obtained by subtracting the similarity between the feature f(xi) calculated from the input data xi and the feature f(ti) calculated from the template ti from the threshold value τ.
The similarity calculation unit 105 of the difference calculation unit 104 calculates the similarity “∥f(xi)−f(ti)∥2” between the feature f(xi) calculated from the input data xi and the feature f(ti) calculated from the template ti.
The local Lipschitz constant estimation unit 106 calculates the local Lipschitz constant Lxi,ε12 described above.
The evaluation value estimation unit 102 calculates “(τ−∥f(xi)−f(ti)∥2)/Lxi,ε12” using the value of “τ−∥f(xi)−f(ti)∥2” calculated by the difference calculation unit 104 and the local Lipschitz constant Lxi,ε12 calculated by the local Lipschitz constant estimation unit 106. The evaluation value estimation unit 102 compares the value of “(τ−∥f(xi)−f(ti)∥2)/Lxi,ε12” with the value of the parameter ε, and outputs the smaller value as the lower limit βdod,p12 of the minimum perturbation size Δp,min12.
The operation of the robustness evaluation device 100 will be described with reference to
In the processing of
Next, the difference calculation unit 104 calculates a difference “τ−∥f(xi)−f(ti)∥2” obtained by subtracting the similarity between the feature f(xi) calculated from the input data xi and the feature f(ti) calculated from the template ti from the threshold value τ (step S102). In step S102, the similarity calculation unit 105 calculates the similarity “∥f(xi)−f(ti)∥2” between the feature f(xi) calculated from the input data xi and the feature f(ti) calculated from the template ti.
Next, the local Lipschitz constant estimation unit 106 estimates the local Lipschitz constant Lxi,ε12 of the function h12(x)=∥f(x)−f(ti)∥2 in the sphere Bpi expressed by the above Expression (5) (step S103).
Next, the evaluation value estimation unit 102 calculates and outputs the lower limit βdod,p12 of the minimum perturbation size Δp,min12 (step S104). Specifically, the evaluation value estimation unit 102 calculates “(τ−∥f(xi)−f(ti)∥2)/Lxi,ε12” using the value of “τ−∥f(xi)−f(ti)∥2” calculated by the difference calculation unit 104 and the local Lipschitz constant Lxi,ε12 estimated by the local Lipschitz constant estimation unit 106. The evaluation value estimation unit 102 calculates the smaller value of the value of “(τ−∥f(xi)−f(ti)∥2)/Lxi,ε12” and the value of the parameter ε as the lower limit βdod,p12 of the minimum perturbation size Δp,min12, and outputs the calculated value.
After step S104, the robustness evaluation device 100 ends the process of
As described above, the similarity calculation unit 105 calculates the similarity between the feature of the input to the authentication model and the feature of the template. The local Lipschitz constant estimation unit 106 estimates a local Lipschitz constant of a function for calculating the similarity between the feature of the input to the authentication model and the feature of the template in the sphere centered on the input to the authentication model. The evaluation value estimation unit 102 estimates the evaluation value of the robustness of the authentication model based on the similarity calculated by the similarity calculation unit 105, the determination threshold value for the similarity, and the local Lipschitz constant.
As a result, according to the robustness evaluation device 100, the robustness of the authentication model can be quantitatively evaluated.
Here, the classifier that classifies the input data and the authentication model are different from each other in both the problem to be solved by each of the classifier and the authentication model and the method for determining the output. The classifier classifies the input data into a class having the largest classification degree. On the other hand, the authentication model performs authentication by comparing the similarity between the feature of the input data calculated using the feature extractor and the feature of the template and the threshold value. Therefore, a calculation formula of the robustness evaluation value of the classifier cannot be used to calculate the robustness evaluation value for the adversarial example of the authentication model. On the other hand, according to the robustness evaluation device 100, the robustness of the authentication model can be quantitatively evaluated.
In addition, the similarity calculation unit 105 calculates the similarity based on the Euclidean distance. The evaluation value estimation unit 102 estimates an evaluation value of the robustness of the authentication model against authentication dodging, based on a value obtained by subtracting the similarity calculated by the similarity calculation unit 105 from a determination threshold value and subtracting the local Lipschitz constant.
As a result, according to the robustness evaluation device 100, it is possible to quantitatively evaluate the robustness of the authentication model against the adversarial example generated for the purpose of authentication dodging.
As in the case of robustness evaluation device 100 (see
On the other hand, the robustness evaluation device 200 sets an authentication model using an index indicating that the larger the value, the higher the similarity, as an index of the similarity between the features, as a target for calculating the robustness evaluation value. In this respect, the robustness evaluation device 200 is different from the robustness evaluation device 100.
When the similarity is calculated using such an index, the authentication model determines the authentication result as an authentication success if an index value of the similarity between the features is equal to or larger than a threshold value, and as an authentication failure if the index value is less than the threshold value. Examples of such an index include cosine similarity.
In the second example embodiment, a case where an authentication model using cosine similarity as an index of similarity is a target of calculation of a robustness evaluation value will be described as an example. However, the similarity index used by the authentication model in the second example embodiment is not limited to the cosine similarity, and various indices indicating that the larger the value, the higher the similarity may be used.
The authentication model 920 is different from the authentication model 910 in that cosine similarity is used as an index of similarity of features. Otherwise, the authentication model 920 is similar to the authentication model 910.
As in the case of the first example embodiment, “i” of the template ti is a positive integer indicating an identification number for identifying the authentication target. When a plurality of templates are registered in the authentication model 920, any one of the plurality of templates is designated, and the authentication model 920 performs authentication using the designated template. The authentication model 920 performs authentication by determining whether the authentication target indicated in the input data is the same authentication target as the authentication target in which the template is registered based on the similarity between the feature of the input data and the feature of the specified template.
When one template ti is designated and data x∈Rd is input, the authentication model 920 calculates an index value indicating similarity between the feature of the input data x and the feature of the designated template ti. Then, the authentication model 920 compares the calculated index value with the threshold value T. In a case where it is determined that the index value is equal to or larger than the threshold value τ, the authentication model 910 outputs an authentication result of authentication success. In a case where it is determined that the index value is less than the threshold value τ, the authentication model 920 outputs an authentication result of authentication failure.
The robustness evaluation device 200 assumes that the adversarial example xi+δ, obtained by adding the noise δ∈Rd to the data xi∈Rd of the authentication target i, is input to the authentication model 920, and calculates the robustness evaluation value of the authentication model at that time. The robustness evaluation device 200 estimates the lower limit βdod,pcos of the minimum perturbation size Δp,mincos necessary for achieving the authentication dodging, as the robustness evaluation value.
The minimum perturbation size Δp,mincos is expressed by Expression (10).
“cos(,)” is a function for calculating cosine similarity between two vectors. “cos(f(xi+δ),f(ti))” indicates cosine similarity between the feature “f(xi+δ)” of the adversarial example xi+δ and the feature “f(ti)” of the template ti.
“cos(f(xi+δ),f(ti))<τ” indicates a determination criterion for the authentication model 920 to determine that the authentication fails. Therefore, the minimum perturbation size Δp,mincos indicates the minimum lp norm in which the authentication dodging occurs among the lp norm of the noise δ.
If the lp norm “∥δ∥p” of the noise δ is smaller than the minimum perturbation size Δp,mincos, the authentication model 920 determines that authentication succeeds with authentication based on the adversarial example xi+δ and the template ti. That is, when the lp norm “∥δ∥p” of the noise δ is smaller than the minimum perturbation size Δp,mincos, the authentication dodging does not occur.
In general, it is difficult to calculate the minimum perturbation size Δp,mincos. Therefore, the robustness evaluation device 200 estimates the lower limit βdod,pcos of the minimum perturbation size Δp,mincos as the robustness evaluation value. Since βdod,pcos is the lower limit of the minimum perturbation size Δp,mincos, it is expressed by Expression (11).
[Math. 11]
βdod,pcos≤Δp,mincos (11)
p may be any of 1, 2, and ∞. If the lp norm “∥δ∥p” of the noise δ is smaller than the lower limit βdod,pcos of the minimum perturbation size, the authentication dodging does not occur.
When the feature extractor f, the threshold value τ, the template ti∈Rd of the authentication target i, the input data xi∈Rd of the authentication target i, and the parameter ε>0 are input, the robustness evaluation device 200 estimates the lower limit βdod,pcos of the minimum perturbation size and outputs the estimated lower limit as the robustness evaluation value.
The robustness evaluation device 200 calculates the lower limit βdod,pcos of the minimum perturbation size with respect to the input data xi∈Rd of the authentication model 920 using Expression (12).
“cos(f(xi),f(ti))−τ” represents a difference obtained by subtracting the threshold value τ from the similarity between the feature f(xi) calculated from the input data xi and the feature f(ti) calculated from the template ti.
“Lxi,εcos” indicates the local Lipschitz constant of the function hcos(x) indicated by Expression (13) in the sphere Bpi indicated by Expression (5).
[Math. 13]
h
cos(x)=cos(f(x),f(ti)) (13)
As a method by which the robustness evaluation device 200 calculates the local Lipschitz constant Lxi,εcos, a known method can be used. For example, the robustness evaluation device 200 may calculate the local Lipschitz constant Lxi,εcos based on Expression (14).
[Math. 14]
L
x
,ε
cos=max{∥∇hcos(x)∥q:x∈Bpi} (14)
Expression (14) is different from Expression (7) in that Lxi,εcos is on the left side of the Formula and the function hcos(x) is shown on the right side of the Formula. Other than that, Expression (14) is same as Expression (7).
The difference calculation unit 204 calculates a difference “cos(f(xi),f(ti))−τ” obtained by subtracting the threshold value τ from the similarity between the feature f(xi) calculated from the input data xi and the feature f(ti) calculated from the template ti.
The similarity calculation unit 205 of the difference calculation unit 204 calculates the similarity “cos(f(xi),f(ti))” between the feature f(xi) calculated from the input data xi and the feature f(ti) calculated from the template ti.
The local Lipschitz constant estimation unit 206 calculates the local Lipschitz constant Lxi,εcos described above.
The evaluation value estimation unit 202 calculates “(cos(f(xi),f(ti))−τ)/Lxi,εcos” using the value of “cos(f(xi),f(ti))−τ” calculated by the difference calculation unit 204 and the local Lipschitz constant Lxi,εcos calculated by the local Lipschitz constant estimation unit 206. The evaluation value estimation unit 202 compares the value of “(cos(f(xi),f(ti))−τ)/Lxi,εcos” with the value of the parameter ε, and outputs the smaller value as the lower limit βdod,pcos of the minimum perturbation size Δp,mincos.
The operation of the robustness evaluation device 200 will be described with reference to
In the processing of
Next, the difference calculation unit 204 calculates a difference “cos(f(xi),f(ti))−τ” obtained by subtracting the threshold value τ from the similarity between the feature f(xi) calculated from the input data xl and the feature f(ti) calculated from the template ti (step S202). In step S202, the similarity calculation unit 205 calculates the similarity “cos(f(xi),f(ti))” between the feature f(xi) calculated from the input data xi and the feature f(ti) calculated from the template ti.
Next, the local Lipschitz constant estimation unit 206 estimates the local Lipschitz constant Lxi,εcos of the function hcos(x)=cos(f(x),f(ti)) in the sphere Bpi expressed by the above Expression (5) (step S203).
Next, the evaluation value estimation unit 202 calculates and outputs the lower limit βdod,pcos of the minimum perturbation size Δp,mincos (step S204). Specifically, the evaluation value estimation unit 202 calculates “(cos(f(xi),f(ti))−τ)/Lxiεcos” using the value of “cos(f(xi),f(ti))−τ” calculated by the difference calculation unit 204 and the local Lipschitz constant Lxi,εcos estimated by the local Lipschitz constant estimation unit 206. The evaluation value estimation unit 202 calculates the smaller value of the value of “(cos(f(xi),f(ti))−τ)/Lxi,εcos” and the value of the parameter ε as the lower limit βdod,pcos of the minimum perturbation size Δp,mincos, and outputs the calculated value.
After step S204, the robustness evaluation device 200 ends the process of
As described above, the similarity calculation unit 205 calculates cosine similarity. The evaluation value estimation unit 202 estimates an evaluation value of the robustness of the authentication model against authentication dodging, based on a value obtained by subtracting a determination threshold value from the similarity calculated by the similarity calculation unit 205 and subtracting the local Lipschitz constant.
As a result, according to the robustness evaluation device 200, it is possible to quantitatively evaluate the robustness of the authentication model against the adversarial example generated for the purpose of authentication dodging.
The robustness evaluation device 300 calculates a quantitative evaluation value of the robustness of the authentication model against an adversarial example generated for the purpose of “impersonation” in the authentication model.
Impersonation means that an authentication model succeeds in authentication although data of an authentication target different from an authentication target authenticated using a registered template is input. For example, in a case of an authentication model that performs face authentication, in impersonation, the authentication model succeeds in the face authentication although a face image of a person different from an authentication target person whose face image is registered as a template is input.
As in the case of the robustness evaluation device 100, the robustness evaluation device 300 sets an authentication model using an index indicating that the smaller the value, the higher the similarity, as an index of the similarity between the features, as a target for calculating the robustness evaluation value. As described above, when the similarity is calculated using such an index, the authentication model determines the authentication result as an authentication success if an index value of the similarity between the features is equal to or less than a threshold value, and as an authentication failure if the index value is larger than the threshold value. Examples of such an index include Euclidean distance.
In the third example embodiment, a case where an authentication model using a Euclidean distance as an index of similarity is a target of calculation of a robustness evaluation value will be described as an example. However, the similarity index used by the authentication model in the third example embodiment is not limited to the Euclidean distance, and various indices indicating that the smaller the value, the higher the similarity may be used.
As in the case of the robustness evaluation device 100, the robustness evaluation device 300 calculates the robustness evaluation value using the authentication model 910 (see
The robustness evaluation device 300 assumes that the adversarial example xs+δ, obtained by adding the noise δ∈Rd to the data xs∈Rd of the authentication target s, is input to the authentication model 910, and calculates the robustness evaluation value of the authentication model at that time.
Here, s≠i. Specifically, a case where an adversarial example is generated using data of a person different from the authentication target person whose template is registered is considered.
The robustness evaluation device 300 estimates the lower limit βimp,p12 of the minimum perturbation size Δp,imp12 necessary for achieving the impersonation, as the robustness evaluation value.
The minimum perturbation size Δp,imp12 is expressed by Expression (15).
[Math. 15]
Δp,imp12=min∥δ∥ps.t.∥f(xs+δ)−f(ti)∥2≤τ (16)
“f(xs+δ)” indicates the feature of the adversarial example xs+δ in which the noise δ is added to the data xs. “∥f(xs+δ)−f(ti)∥2” indicates an index value by the 12 norm of the similarity between the feature of the adversarial example xs+δ and the feature of the template ti.
“∥f(xs+δ)−f(ti)∥2≤τ” indicates a determination criterion for the authentication model 910 to determine that the authentication succeeds. Therefore, the minimum perturbation size Δp,imp12 indicates the minimum lp norm in which the impersonation occurs among the lp norm of the noise δ.
If the lp norm “∥δ∥p” of the noise δ is smaller than the minimum perturbation size Δp,imp12, the authentication model 910 determines that authentication fails with authentication based on the adversarial example xs+δ and the template ti. That is, when the lp norm “∥δ∥p” of the noise δ is smaller than the minimum perturbation size Δp,imp12, impersonation does not occur.
In general, it is difficult to calculate the minimum perturbation size Δp,imp12. Therefore, the robustness evaluation device 300 estimates the lower limit βimp,p12 of the minimum perturbation size Δp,imp12 as the robustness evaluation value. Since βimp,p12 is the lower limit of the minimum perturbation size Δp,imp12, it is expressed by Expression (16).
[Math. 16]
βimp,p12≤Δp,imp12 (16)
p may be any of 1, 2, and ∞. That is, when the lp norm “∥δ∥p” of the noise δ is smaller than the lower limit βimp,p12 of the minimum perturbation size, impersonation does not occur.
When the feature extractor f, the threshold value τ, the template ti∈Rd of the authentication target i, the input data xs∈Rd of the authentication target s, and the parameter ε>0 are input, the robustness evaluation device 300 estimates the lower limit βimp,p12 of the minimum perturbation size and outputs the estimated lower limit as the robustness evaluation value.
The robustness evaluation device 300 calculates the lower limit βimp,p12 of the minimum perturbation size with respect to the input data xs∈Rd of the authentication model 910 using Expression (17).
“τ−∥f(xs)−f(ti)∥2” represents a difference obtained by subtracting the threshold value τ from the similarity between the feature f(xs) calculated from the input data xs and the feature f(ti) calculated from the template ti.
“Lxs,ε12” indicates a local Lipschitz constant in a sphere Bps of a function h12(x) expressed by the above Expression (4).
The sphere Bps is a sphere expressed by Expression (18).
[Math. 18]
B
p
s
={x∈R
d
|∥x−x
s∥p≤ε} (18)
The center of the sphere Bps is xs, and the radius of the sphere Bps is ε.
As a method by which the robustness evaluation device 300 calculates the local Lipschitz constant Lxs,ε12, a known method can be used. For example, the robustness evaluation device 300 may calculate the local Lipschitz constant Lxs,ε12 based on Expression (19).
[Math. 19]
L
x
,ε
12=max{∥∇h12(x)∥q:x∈Bps} (19)
Expression (19) is different from Expression (7) in that Lxs,ε12 is on the left side of the Formula and the sphere shown on the right side of the Formula is a sphere Bps. Other than that, Expression (19) is same as Expression (7).
The difference calculation unit 304 calculates a difference “∥f(xs)−f(ti)∥2−τ” obtained by subtracting the threshold value τ from the similarity between the feature f(xs) calculated from the input data xs and the feature f(ti) calculated from the template ti.
The similarity calculation unit 305 of the difference calculation unit 304 calculates the similarity “∥f(xs)−f(ti)∥2” between the feature f(xs) calculated from the input data xs and the feature f(ti) calculated from the template ti.
The local Lipschitz constant estimation unit 306 calculates the local Lipschitz constant Lxs,ε12 described above.
The evaluation value estimation unit 302 calculates “∥f(xs)−f(ti)∥2−τ)/Lxs,ε12” using the value of “∥f(xs)−f(ti)∥2−τ” calculated by the difference calculation unit 304 and the local Lipschitz constant Lxs,ε12 calculated by the local Lipschitz constant estimation unit 106. The evaluation value estimation unit 302 compares the value of “∥f(xs)−f(ti)∥2−τ)/Lxs,ε12” with the value of the parameter ε, and outputs the smaller value as the lower limit βimp,p12 of the minimum perturbation size Δp,imp12.
The operation of the robustness evaluation device 300 will be described with reference to
In the processing of
Next, the difference calculation unit 304 calculates a difference “∥f(xs)−f(ti)∥2−τ” obtained by subtracting the threshold value τ from the similarity between the feature f(xs) calculated from the input data xs and the feature f(ti) calculated from the template ti (step S302). In step S302, the similarity calculation unit 305 calculates the similarity “∥f(xs)−f(ti)∥2” between the feature f(xs) calculated from the input data xs and the feature f(ti) calculated from the template f.
Next, the local Lipschitz constant estimation unit 306 estimates the local Lipschitz constant Lxs,ε12 of the function h12(x)=∥f(x)−f(ti)∥2 in the sphere Bps expressed by the above Expression (18) (step S303).
Next, the evaluation value estimation unit 302 calculates and outputs the lower limit δimp,p12 of the minimum perturbation size Δp,imp12 (step S104). Specifically, the evaluation value estimation unit 102 calculates “∥f(xs)−f(ti)∥2−τ)/Lxs,ε12” using the value of “∥f(xs)−f(ti)∥2−τ” calculated by the difference calculation unit 304 and the local Lipschitz constant Lxs,ε12 estimated by the local Lipschitz constant estimation unit 306. The evaluation value estimation unit 302 calculates the smaller value of the value of “∥f(xs)−f(ti)∥2−τ)/Lxs,ε12” and the value of the parameter ε as the lower limit βimp,p12 of the minimum perturbation size Δp,imp12, and outputs the calculated value.
After step S304, the robustness evaluation device 300 ends the process of
As described above, the similarity calculation unit 305 calculates the similarity based on the Euclidean distance. The evaluation value estimation unit 302 estimates an evaluation value of the robustness of the authentication model against impersonation, based on a value obtained by subtracting a determination threshold value from the similarity calculated by the similarity calculation unit 305 and subtracting the local Lipschitz constant.
As a result, according to the robustness evaluation device 300, it is possible to quantitatively evaluate the robustness of the authentication model against the adversarial example generated for the purpose of impersonation.
As in the case of robustness evaluation device 300 (see
On the other hand, the robustness evaluation device 400 sets an authentication model using an index indicating that the larger the value, the higher the similarity, as an index of the similarity between the features, as a target for calculating the robustness evaluation value. In this respect, the robustness evaluation device 400 is different from the robustness evaluation device 300.
As described above, when the similarity is calculated using such an index, the authentication model determines the authentication result as an authentication success if an index value of the similarity between the features is equal to or larger than a threshold value, and as an authentication failure if the index value is less than the threshold value. Examples of such an index include cosine similarity.
In the fourth example embodiment, a case where an authentication model using cosine similarity as an index of similarity is a target of calculation of a robustness evaluation value will be described as an example. However, the similarity index used by the authentication model in the fourth example embodiment is not limited to the cosine similarity, and various indices indicating that the larger the value, the higher the similarity may be used.
As in the case of the robustness evaluation device 200, the robustness evaluation device 400 calculates the robustness evaluation value using the authentication model 920 (see
The robustness evaluation device 400 assumes that the adversarial example xs+δ, obtained by adding the noise δ∈Rd to the data xs∈Rd of the authentication target s, is input to the authentication model 920, and calculates the robustness evaluation value of the authentication model at that time. The robustness evaluation device 400 estimates the lower limit βimp,pcos of the minimum perturbation size Δp,impcos necessary for achieving the impersonation, as the robustness evaluation value.
The minimum perturbation size Δp,impcos is expressed by Expression (20).
[Math. 20]
Δp,impcos=min∥δ∥ps.t. cos(f(xs+δ),f(ti)≥τ (20)
“cos(f(xs+δ)−f(ti)” indicates an index value by the cosine similarity between the feature of the adversarial example xs+δ and the feature of the template ti.
“cos(f(xs+δ),f(ti)≥τ” indicates a determination criterion for the authentication model 910 to determine that the authentication succeeds. Therefore, the minimum perturbation size Δp,impcos indicates the minimum lp norm in which the impersonation occurs among the lp norm of the noise δ.
If the lp norm “∥δ∥p” of the noise δ is smaller than the minimum perturbation size Δp,impcos, the authentication model 920 determines that authentication fails with an authentication based on the adversarial example xs+δ and the template ti. That is, when the lp norm “∥δ∥p” of the noise δ is smaller than the minimum perturbation size Δp,imp12, impersonation does not occur.
In general, it is difficult to calculate the minimum perturbation size Δp,impcos. Therefore, the robustness evaluation device 400 estimates the lower limit βimp,pcos of the minimum perturbation size Δp,impcos as the robustness evaluation value. Since βimp,pcos is the lower limit of the minimum perturbation size Δp,impcos, it is expressed by Expression (21).
[Math. 21]
βimp,pcos≤Δp,impcos (21)
p may be any of 1, 2, and ∞. That is, when the lp norm “∥δ∥p” of the noise δ is smaller than the lower limit βimp,pcos of the minimum perturbation size, impersonation does not occur.
When the feature extractor f, the threshold value τ, the template ti∈Rd of the authentication target i, the input data xs∈Rd of the authentication target s, and the parameter ε>0 are input, the robustness evaluation device 400 estimates the lower limit βimp,pcos of the minimum perturbation size and outputs the estimated lower limit as the robustness evaluation value.
The robustness evaluation device 400 calculates the lower limit βimp,pcos of the minimum perturbation size with respect to the input data xs∈Rd of the authentication model 920 using Expression (22).
“τ-cos(f(xi),f(ti))” represents a difference obtained by subtracting the similarity between the feature f(xi) calculated from the input data xi and the feature f(ti) calculated from the template ti from the threshold value T.
“Lxs,εcos” indicates the local Lipschitz constant of the function hcos(x) indicated by the above Expression (13) in the sphere Bps indicated by the above Expression (18).
As a method by which the robustness evaluation device 400 calculates the local Lipschitz constant Lxs,εcos, a known method can be used. For example, the robustness evaluation device 400 may calculate the local Lipschitz constant Lxi,εcos based on Expression (23).
[Math. 23]
L
x
,ε
cos=max{∥∇hcos(x)∥q:x∈Bps} (23)
Expression (23) is different from Expression (14) in that Lxs,εcos is on the left side of the Formula and the sphere shown on the right side of the Formula is a sphere Bps. Other than that, Expression (23) is same as Expression (14).
The difference calculation unit 404 calculates a difference “τ-cos(f(xi),f(ti))” obtained by subtracting the similarity between the feature f(xs) calculated from the input data xs and the feature f(ti) calculated from the template ti from the threshold value τ.
The similarity calculation unit 305 of the difference calculation unit 304 calculates the similarity “cos(f(xi),f(ti))” between the feature f(xs) calculated from the input data xs and the feature f(ti) calculated from the template ti.
The local Lipschitz constant estimation unit 406 calculates the local Lipschitz constant Lxs,εcos described above.
The evaluation value estimation unit 402 calculates “(τ−cos(f(xi),f(ti)))/Lxs,εcos” using the value of “τ−cos(f(xi),f(ti))” calculated by the difference calculation unit 404 and the local Lipschitz constant Lxs,εcos calculated by the local Lipschitz constant estimation unit 206. The evaluation value estimation unit 202 compares the value of “(τ−cos(f(xi),f(ti)))/Lxs,εcos” with the value of the parameter ε, and outputs the smaller value as the lower limit βimp,pcos of the minimum perturbation size Δp,impcos.
The operation of the robustness evaluation device 400 will be described with reference to
In the processing of
Next, the difference calculation unit 404 calculates a difference “τ−cos(f(xs),f(ti))” obtained by subtracting the similarity between the feature f(xs) calculated from the input data xs and the feature f(ti) calculated from the template ti from the threshold value τ (step S402). In step S402, the similarity calculation unit 405 calculates the similarity “cos(f(xs),f(ti))” between the feature f(xs) calculated from the input data xs and the feature f(ti) calculated from the template ti.
Next, the local Lipschitz constant estimation unit 406 estimates the local Lipschitz constant Lxs,εcos of the function hcos(x)=cos(f(x),f(ti)) in the sphere Bps expressed by the above Expression (18) (step S403).
Next, the evaluation value estimation unit 402 calculates and outputs the lower limit βimp,pcos of the minimum perturbation size Δp,impcos (step S404). Specifically, the evaluation value estimation unit 402 calculates “(τ−cos(f(xs),f(ti)))/Lxs,εcos” using the value of “τ−cos(f(xs),f(ti))” calculated by the difference calculation unit 404 and the local Lipschitz constant Lxs,εcos estimated by the local Lipschitz constant estimation unit 406. The evaluation value estimation unit 402 calculates the smaller value of the value of “τ−cos(f(xs),f(ti)))/Lxs,εcos” and the value of the parameter ε as the lower limit βimp,pcos of the minimum perturbation size Δp,impcos, and outputs the calculated value.
After step S404, the robustness evaluation device 400 ends the process of
As described above, the similarity calculation unit 405 calculates cosine similarity. The evaluation value estimation unit 402 estimates an evaluation value of the robustness of the authentication model against impersonation, based on a value obtained by subtracting the similarity calculated by the similarity calculation unit 405 from a determination threshold value.
As a result, according to the robustness evaluation device 400, it is possible to quantitatively evaluate the robustness of the authentication model against the adversarial example generated for the purpose of impersonation.
In a fifth example embodiment, estimation of a local Lipschitz constant will be described. The fifth example embodiment is applicable to any one of the first to fourth example embodiments.
As an example of a method for estimating a local Lipschitz constant, there is a method described in Non-Patent Document 1.
Here, a sphere Bp is defined as a sphere expressed by Expression (24).
[Math. 24]
B
p
={x∈R
d
|∥x−x
c∥p≤ε} (18)
Further, q is an integer satisfying the above Expression (9).
It is known that a local Lipschitz constant Lxc,ε of the function h:Rd→R in the sphere Bp is expressed by Expression (25).
Non-Patent Document 1 discloses that a plurality of points are sampled from a sphere Bp, and a local Lipschitz constant Lxc,ε is estimated by a method depending on the sampling.
On the other hand, the local Lipschitz constant estimation device 500 estimates the local Lipschitz constant Lxc,ε by a method utilizing the gradient method. It is expected that a more accurate local Lipschitz constant Lxc,ε can be estimated by using the gradient method without depending on sampling.
The local Lipschitz constant estimation device 500 receives the function h:Rd→R, the center xc∈Rd, and the radius ε>0 as inputs, and estimates and outputs the local Lipschitz constant of the function h:Rd→R in the sphere Bp expressed by Expression (24). The local Lipschitz constant estimation device 500 corresponds to a case where p is 2 and a case where p is ∞.
The local Lipschitz constant estimation device 500 can be used as a local Lipschitz constant estimation unit in any of the robustness evaluation devices 100, 200, 300, and 400. For example, in the case of the robustness evaluation device 100, the function h received as an input by the local Lipschitz constant estimation device 500 is h(x)=∥f(x)−f(ti)∥2, and the center xc∈Rd of the sphere Bp is xi∈Rd.
The optimization unit 502 estimates the local Lipschitz constant by solving the optimization problem expressed by Expression (26).
[Math. 26]
max∥∇h(x)∥qs.t.x∈Bp (26)
The optimization unit 502 determines an initial point x0∈Rd, and updates the point xn M times based on Expression (27), thereby solving the optimization problem of the above Expression (26).
[Math. 27]
x
n
=x
n-1+1∇∥∇h(xn-1)∥q (27)
xn indicates a point updated n times. xn corresponds to an example of a point at which a candidate for the local Lipschitz constant value is calculated. ∇h(xn-1) indicates the gradient of the function h at the point xn-1.
l represents a learning rate. The local Lipschitz constant estimation device 500 may receive the learning rate l as an input. Alternatively, the learning rate l may be set in the local Lipschitz constant estimation device 500 in advance.
A method for determining the initial point x0∈Rd is not limited to a specific method.
The local Lipschitz constant estimation device 500 may receive the number of updates M as an input. Alternatively, the number of updates M may be set in the local Lipschitz constant estimation device 500 in advance.
It is expected that the solution of the optimization problem is approached by performing the above update. On the other hand, there is a case where the constraint of the optimization problem is not satisfied during the update. Specifically, there is a case where xn∈Bp is not satisfied.
Therefore, the determination unit 504 determines whether xn∈Bp is satisfied. When the determination unit 504 determines that xn∈Bp is not satisfied, the optimization unit 502 performs correction as follows according to p, so that xn∈Bp is satisfied.
In a case of p=2, the optimization unit 502 corrects the point xn as in Expression (28).
In a case of p=∞, the optimization unit 502 corrects the point xn as in Expression (29).
[Math. 29]
x
n
=[m]=min(xn[m],xc[m]+ε) (29)
m in Expression (29) takes an integer value from 1 to d. xn[m] represents the value of the m-th element of xn.
Both corrections of Expression (28) and Expression (29) are corrections for satisfying xn∈Bp.
When updating xn M times by the above method, the optimization unit 502 calculates ∥∇h(xn)∥q for each updated xn. ∥∇h(xn)∥q calculated in each of the updated xn corresponds to an example of a candidate value of the local Lipschitz constant.
Then, the optimization unit 502 outputs the maximum value expressed by Expression (30) among the M calculated values, as the estimated value of the local Lipschitz constant Lxc,ε.
The determination unit 504 receives xn updated by the optimization unit 502, determines whether xn∈Bp is satisfied, and outputs a determination result to the optimization unit 502.
The determination unit 504 determines whether xn∈Bp is satisfied using a formula corresponding to the value of p. In the case of p=2, the determination unit 504 determines whether xn∈Bp is satisfied using Expression (31).
[Math. 31]
∥xn−xc∥2≤ε (31)
In a case where Expression (31) is satisfied, the determination unit 504 determines that xn satisfies xn∈Bp. On the other hand, in a case where Expression (31) is not satisfied, the determination unit 504 determines that xn does not satisfy xn∈Bp.
In the case of p=∞, the determination unit 504 determines whether xn∈Bp is satisfied using Expression (32).
[Math. 32]
∥xn−xc∥∞≤ε (32)
In a case where Expression (32) is satisfied, the determination unit 504 determines that xn satisfies xn∈Bp. On the other hand, in a case where Expression (32) is not satisfied, the determination unit 504 determines that xn does not satisfy xn∈Bp.
The operation of the local Lipschitz constant estimation device 500 will be described with reference to
In the processing of
Next, the optimization unit 502 determines the initial point x0∈Rd (step S502).
Next, the optimization unit 502 starts a loop for performing optimization calculation (step S503).
Next, the optimization unit 502 calculates xn using Expression (27) and outputs xn to the determination unit 504 (step S504). The process of step S504 corresponds to a process of updating xn.
Next, the determination unit 504 determines whether xn satisfies the constraint, and returns the determination result to the optimization unit 502 (step S505).
Next, the optimization unit 502 makes a correction to xn using the correction formula based on the determination result obtained by the determination unit 504 (Step S506). Specifically, in a case where the determination unit 504 determines that xn does not satisfy xn∈Bp, the optimization unit 502 corrects the value of xn using either Expression (28) or Expression (29) according to p.
Next, the optimization unit 502 calculates ∥∇h(xn)∥q and stores the obtained value (step S507).
Next, the optimization unit 502 performs termination processing of a loop for optimization calculation (step S508). Specifically, the optimization unit 502 determines whether or not M times of updating have been performed. In a case where it is determined that M times of updating have not been performed, the optimization unit 502 continues to repeat the processing of the optimization loop. In a case where it is determined that M times of updating have been performed, the optimization unit 502 ends the optimization loop.
In a case where the optimization loop is ended, the optimization unit 502 determines one of n=1, . . . , and M in which the value of ∥∇h(xn)∥q is maximized, and outputs the obtained maximum value of ∥∇h(xn)∥q as an estimated value of the local Lipschitz constant Lxc,ε (step S509).
After step S509, the local Lipschitz constant estimation device 500 completes the processing of
As described above, the local Lipschitz constant estimation device 500 repeats the processing of updating the point included in the sphere according to the slope at the point of the function for calculating the similarity, and estimates the maximum value among the candidates of the local Lipschitz constant value calculated for each updated point as the local Lipschitz constant value.
As a result, the local Lipschitz constant estimation device 500 can estimate the local Lipschitz constant. By updating the point at which the candidate for the local Lipschitz constant value is calculated according to the slope of the function for calculating the similarity, for example, it is expected that the local Lipschitz constant can be estimated more accurately than in a case where the candidate for the local Lipschitz constant value is randomly sampled.
With such a configuration, the similarity calculation unit 602 calculates the similarity between the feature of the input to the authentication model and the feature of the template. The local Lipschitz constant estimation unit 603 estimates a local Lipschitz constant of a function for calculating the similarity between the feature of the input to the authentication model and the feature of the template in the sphere centered on the input to the authentication model. The evaluation value estimation unit 601 estimates the evaluation value of the robustness of the authentication model based on the similarity calculated by the similarity calculation unit 602, the determination threshold value for the similarity, and the local Lipschitz constant.
According to the robustness evaluation device 600, the robustness of the authentication model can be quantitatively evaluated.
The robustness evaluation method illustrated in
In the similarity calculation step (step S601), the similarity between the feature of the input to the authentication model and the feature of the template is calculated. In the local Lipschitz constant estimation step (step S602), a local Lipschitz constant of a function for calculating the similarity between the feature of the input to the authentication model and the feature of the template in the sphere centered on the input to the authentication model is estimated. In the evaluation value estimation step (step S603), the evaluation value of the robustness of the authentication model is estimated based on the similarity calculated in step S601, the determination threshold value for the similarity, and the local Lipschitz constant.
According to the robustness evaluation method illustrated in
In the configuration illustrated in
Any one or more of the robustness evaluation devices 100, 200, 300, 400, and 600 and the local Lipschitz constant estimation device 500 described above may be implemented in the computer 700. In that case, the operation of each processing unit described above is stored in the auxiliary storage device 730 in the form of a program. The CPU 710 reads the program from the auxiliary storage device 730, deploys the program in the main storage device 720, and executes the above processing according to the program. In addition, the CPU 710 secures a storage area corresponding to each of the above-described storage units in the main storage device 720 according to the program.
When the robustness evaluation device 100 is implemented in the computer 700, the operations of the evaluation value estimation unit 102, the difference calculation unit 104, the similarity calculation unit 105, and the local Lipschitz constant estimation unit 106 are stored in the auxiliary storage device 730 in the form of a program. The CPU 710 reads the program from the auxiliary storage device 730, deploys the program in the main storage device 720, and executes the operation of each unit according to the program.
The output of the evaluation value of the robustness of the authentication model is executed by the interface 740 having an output function such as a communication function or a display function and performing output processing under the control of the CPU 710.
When the robustness evaluation device 200 is implemented in the computer 700, the operations of the evaluation value estimation unit 202, the difference calculation unit 204, the similarity calculation unit 205, and the local Lipschitz constant estimation unit 206 are stored in the auxiliary storage device 730 in the form of a program. The CPU 710 reads the program from the auxiliary storage device 730, deploys the program in the main storage device 720, and executes the operation of each unit according to the program.
The output of the evaluation value of the robustness of the authentication model is executed by the interface 740 having an output function such as a communication function or a display function and performing output processing under the control of the CPU 710.
When the robustness evaluation device 300 is implemented in the computer 700, the operations of the evaluation value estimation unit 302, the difference calculation unit 304, the similarity calculation unit 305, and the local Lipschitz constant estimation unit 306 are stored in the auxiliary storage device 730 in the form of a program. The CPU 710 reads the program from the auxiliary storage device 730, deploys the program in the main storage device 720, and executes the operation of each unit according to the program.
The output of the evaluation value of the robustness of the authentication model is executed by the interface 740 having an output function such as a communication function or a display function and performing output processing under the control of the CPU 710.
When the robustness evaluation device 400 is implemented in the computer 700, the operations of the evaluation value estimation unit 402, the difference calculation unit 404, the similarity calculation unit 405, and the local Lipschitz constant estimation unit 406 are stored in the auxiliary storage device 730 in the form of a program. The CPU 710 reads the program from the auxiliary storage device 730, deploys the program in the main storage device 720, and executes the operation of each unit according to the program.
The output of the evaluation value of the robustness of the authentication model is executed by the interface 740 having an output function such as a communication function or a display function and performing output processing under the control of the CPU 710.
When the local Lipschitz constant estimation device 500 is implemented in the computer 700, the operations of the optimization unit 502 and the determination unit 504 are stored in the auxiliary storage device 730 in the form of a program. The CPU 710 reads the program from the auxiliary storage device 730, deploys the program in the main storage device 720, and executes the operation of each unit according to the program.
The output of the estimated value of local Lipschitz constant is executed by the interface 740 having an output function such as a communication function and performing output processing under the control of the CPU 710.
When the robustness evaluation device 600 is implemented in the computer 700, the operations of the evaluation value estimation unit 601, the similarity calculation unit 602, the local Lipschitz constant estimation unit 603 are stored in the auxiliary storage device 730 in the form of a program. The CPU 710 reads the program from the auxiliary storage device 730, deploys the program in the main storage device 720, and executes the operation of each unit according to the program.
The output of the evaluation value of the robustness of the authentication model is executed by the interface 740 having an output function such as a communication function or a display function and performing output processing under the control of the CPU 710.
Note that a program for realizing all or part of the functions of the robustness evaluation devices 100, 200, 300, 400, and 600 and the local Lipschitz constant estimation device 500 may be recorded in a computer-readable recording medium, and the program recorded in the recording medium may be read and executed by a computer system to perform processing of each unit. The “computer system” herein includes an operating system (OS) and hardware such as peripheral devices.
The “computer-readable recording medium” refers to a portable medium such as a flexible disk, a magneto-optical disk, a read only memory (ROM), or a compact disc read only memory (CD-ROM), or a storage device such as a hard disk built in a computer system. In addition, the program may be for realizing a part of the functions described above, and the functions described above may be realized in combination with a program already recorded in the computer system.
Although the example embodiment of the present invention has been described in detail with reference to the drawings, the specific configuration is not limited to this example embodiment, and includes design changes and the like without departing from the gist of the present invention.
The example embodiments of the present invention may be applied to a robustness evaluation device, a robustness evaluation method, and a recording medium.
This application is a Continuation of U.S. application Ser. No. 17/637,120 filed on Feb. 22, 2022, which is a National Stage Entry of PCT/JP2019/033890 filed on Aug. 29, 2019, the contents of all of which are incorporated herein by reference, in their entirety.
Number | Date | Country | |
---|---|---|---|
Parent | 17637120 | Feb 2022 | US |
Child | 18383501 | US |