WP-GEB-Estimator
-- WP-GEB: Weight-Perturbed Generalization Error Bounds --
This work was supported by the project JPNP20006 commissioned by NEDO
Copyright (C) 2024 AIST
The "WP-GEB" in the tool name WP-GEB-Estimator stands for weight-perturbed generalization error bounds. WP-GEB-Estimator is a tool for estimating upper bounds of randomly weight-perturbed generalization errors and upper bounds of worst weight-perturbed generalization errors for neural classifiers (hereafter simply called classifiers). A weight-perturbed generalization error is the expected misclassification rate of a classifier, for any input, when perturbations are added to the weight parameters between neurons during inference. Random perturbations are drawn from a uniform distribution over a specified range, while worst perturbations are selected within that range so as to push the classifier towards misclassification. Even a worst perturbation does not necessarily cause misclassification; perturbations that actually cause misclassification are called adversarial perturbations. The definitions of weight-perturbed generalization error bounds and the details of WP-GEB-Estimator are explained in the WP-GEB-Estimator User Manual (English version [PDF:181KB] and Japanese version [PDF:334KB]).
The Machine Learning Quality Management (MLQM) Guideline has been developed to clearly explain the quality of various industrial products that include statistical machine learning. The guideline defines an internal quality property, called the stability of trained models, which means that trained models behave reasonably even for unseen input data. Figure 1 shows the techniques to evaluate and improve stability for each phase and each level; it is Figure 14 in the MLQM-Guideline ver.4 (version 3 is already available from this site and version 4 will be published soon). WP-GEB-Estimator is a useful tool for evaluating the stability of trained classifiers in the evaluation phase because it has the following functions:
- [Noise robustness] It can measure misclassification-rates of randomly weight-perturbed classifiers for a test-dataset and a perturbation sample.
- [Adversarial attack] It can search for adversarial weight-perturbations for each input in a test-dataset.
- [Adversarial verification] It can statistically guarantee with a confidence for any input that the existence-probability of adversarial weight-perturbations is less than a threshold.
- [Generalization error] It can statistically guarantee with a confidence that the weight-perturbed generalization error (i.e. for any input including unseen input) is less than an upper bound.
Figure 1. Techniques to evaluate and improve stability (Fig.14 in MLQM-Guideline ver.4)
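The noise-robustness measurement and the confidence-based upper bound described above can be illustrated with a toy linear classifier. This is an added example, not WP-GEB-Estimator's code: the classifier, the constructed test inputs, the reading of the perturbation ratio as a uniform draw from [-ratio*|w|, +ratio*|w|], and the use of a one-sided Hoeffding bound are all assumptions made here; the tool's own bounds are defined in its user manual.

```python
import math
import random

# Constructed toy classifier (assumption): class score c is WEIGHTS[c] . x
WEIGHTS = [[1.0, -1.0], [-1.0, 1.0]]

def predict(weights, x):
    """Return the index of the class with the highest linear score."""
    scores = [sum(w * xi for w, xi in zip(row, x)) for row in weights]
    return scores.index(max(scores))

def perturb(weights, ratio, rng):
    """Add to each weight w a uniform draw from [-ratio*|w|, +ratio*|w|]."""
    return [[w + rng.uniform(-ratio, ratio) * abs(w) for w in row] for row in weights]

def make_test_set(n, rng):
    """Constructed inputs in [0,1]^2, labelled by the unperturbed classifier,
    so every counted error is a label flip caused by the perturbation."""
    xs = [(rng.random(), rng.random()) for _ in range(n)]
    return [(x, predict(WEIGHTS, x)) for x in xs]

def perturbed_error(test_set, ratio, rng):
    """Misclassification rate with one fresh random perturbation per input,
    which keeps the (input, perturbation) samples independent."""
    wrong = sum(predict(perturb(WEIGHTS, ratio, rng), x) != y for x, y in test_set)
    return wrong / len(test_set)

def hoeffding_upper_bound(empirical_error, n, confidence):
    """One-sided Hoeffding bound on the expected error; holds with
    probability >= confidence over the n independent samples."""
    delta = 1.0 - confidence
    return min(1.0, empirical_error + math.sqrt(math.log(1.0 / delta) / (2.0 * n)))

def sweep(ratios, n=1000, confidence=0.90, seed=0):
    """Return [(ratio, empirical error, upper bound)] for each perturbation ratio."""
    rng = random.Random(seed)
    test_set = make_test_set(n, rng)
    rows = []
    for r in ratios:
        err = perturbed_error(test_set, r, rng)
        rows.append((r, err, hoeffding_upper_bound(err, n, confidence)))
    return rows

if __name__ == "__main__":
    for ratio, err, bound in sweep([0.0, 0.01, 0.1, 0.5]):
        print(f"ratio={ratio:<5} error={err:.3f} bound(90%)={bound:.3f}")
```

At ratio 0 the measured error is zero, yet the bound stays above zero because a finite sample can only certify the error up to the Hoeffding margin.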
WP-GEB-Estimator consists of four tools for training, measuring, searching, and estimating. These tools are written in Python with the TensorFlow/Keras libraries.
- train: trains classifiers to demonstrate WP-GEB-Estimator.
  - Input: Train-dataset, Network architecture (CSV format), etc.
  - Output: Trained classifier (TensorFlow-SavedModel format), etc.
- measure: measures misclassification-errors of trained classifiers for random weight-perturbations.
  - Input: Test-dataset, Trained classifier (SavedModel format), Perturbation-ratios, etc.
  - Output: Measurement result (CSV format) of errors for random perturbations, etc.
- search: searches for adversarial weight-perturbations in trained classifiers.
  - Input: Test-dataset, Trained classifier, Measurement results (CSV format) of errors, etc.
  - Output: Adversarial search results (CSV format) including measurement results
- estimate: estimates weight-perturbed generalization error bounds.
  - Input: Results on search and random perturbation sample (CSV format), etc.
  - Output: Weight-perturbed generalization error estimate results (CSV format), etc.
Figure 2. The relation between in/output files of the four tools that constitute WP-GEB-Estimator
WP-GEB-Estimator is written in Python with the libraries TensorFlow and NumPy. The software versions used in the development are Python 3.10.10, TensorFlow 2.13.0, and NumPy 1.23.2.
Figure 3 shows a graph of the estimate results produced by WP-GEB-Estimator: the weight-perturbed generalization error bounds (confidence: 90%) and the thresholds of two classifiers. One classifier is trained without regularization and the other is trained with the L2-regularization coefficient 0.001. The horizontal axis represents the ratio of weight-perturbation to weight. Figure 3 explicitly shows that the classifier with regularization is more robust to weight-perturbations than the classifier without regularization, even though there is no difference between their errors when no perturbation is added. In addition, the worst weight-perturbed generalization error bounds start increasing at a ratio two orders of magnitude smaller than the ratio at which the randomly weight-perturbed generalization error bounds start increasing.
Figure 3. The estimate results of weight-perturbed generalization errors and the thresholds
Following the ideas of open source software, we allow anyone to use WP-GEB-Estimator free of charge, under the Apache License Version 2.0. You have to agree to the license before using WP-GEB-Estimator.
The source code and the user manual of WP-GEB-Estimator are available.
- The Python source code of WP-GEB-Estimator can be downloaded:
- The WP-GEB-Estimator User Manual can be downloaded:
Yoshinao Isobe
Cyber Physical Security Research Center
National Institute of Advanced Industrial Science and Technology (AIST), Japan
> (since 2024.05.01)