Recently, the textual adversarial attack models become increasingly popular due to their successful in estimating the robustness of NLP models. However, existing works have obvious deficiencies. (1) They usually consider only a single granularity of
modification strategies (e.g. word-level or sentence-level), which is insufficient to explore the holistic textual space for generation; (2) They need to query victim models hundreds of times to make a successful attack, which is highly inefficient in practice. To address such problems, in this paper we propose MAYA, a Multi-grAnularitY Attack model to effectively generate high-quality adversarial samples with fewer queries to victim models. Furthermore, we propose a reinforcement-learning based method to train a multi-granularity attack agent through behavior cloning with the expert knowledge from our MAYA algorithm to further reduce the query times. Additionally, we also adapt the agent to attack black-box models that only output labels without confidence scores. We conduct comprehensive experiments to evaluate our attack models by attacking BiLSTM, BERT and RoBERTa in two different black-box attack settings and three benchmark datasets. Experimental results show that our models achieve overall better attacking performance and produce more fluent and grammatical adversarial samples compared to baseline models. Besides, our adversarial attack agent significantly reduces the query times in both attack settings. Our codes are released at https://github.com/Yangyi-Chen/MAYA.
A simple and efficient method to create gap solitons is proposed in a spin-orbit-coupled spin-1 Bose-Einstein condensate. We find that a free expansion along the spin-orbit coupling dimension can generate two moving gap solitons, which are identified
from a generalized massive Thirring model. The dynamics of gap solitons can be controlled by adjusting spin-orbit coupling parameters.
The no-knowledge quantum feedback was proposed by Szigeti et al., Phys. Rev. Lett. 113, 020407 (2014), as a measurement-based feedback protocol for decoherence suppression for an open quantum system. By continuously measuring environmental noises and
feeding back controls on the system, the protocol can completely reverse the measurement backaction and therefore suppress the systems decoherence. However, the complete decoherence cancellation was shown only for the instantaneous feedback, which is impractical in real experiments. Therefore, in this work, we generalize the original work and investigate how the decoherence suppression can be degraded with unavoidable delay times, by analyzing non-Markovian average dynamics. We present analytical expressions for the average dynamics and numerically analyze the effects of the delayed feedback for a coherently driven two-level system, coupled to a bosonic bath via a Hermitian coupling operator. We also find that, when the qubits unitary dynamics does not commute with the measurement and feedback controls, the decoherence rate can be either suppressed or amplified, depending on the delay time.
Predicting where people can walk in a scene is important for many tasks, including autonomous driving systems and human behavior analysis. Yet learning a computational model for this purpose is challenging due to semantic ambiguity and a lack of labe
led data: current datasets only tell you where people are, not where they could be. We tackle this problem by leveraging information from existing datasets, without additional labeling. We first augment the set of valid, labeled walkable regions by propagating person observations between images, utilizing 3D information to create what we call hidden footprints. However, this augmented data is still sparse. We devise a training strategy designed for such sparse labels, combining a class-balanced classification loss with a contextual adversarial loss. Using this strategy, we demonstrate a model that learns to predict a walkability map from a single image. We evaluate our model on the Waymo and Cityscapes datasets, demonstrating superior performance compared to baselines and state-of-the-art models.
Among many possibilities, solar axion has been proposed to explain the electronic recoil events excess observed by Xenon1T collaboration, although it has tension with astrophysical observations. The axion couplings, to photon $g_{agamma}$ and to elec
tron $g_{ae}$ play important roles. These couplings are related to the Peccei-Quinn (PQ) charges $X_f$ for fermions. In most of the calculations, $g_{agamma}$ is obtained by normalizing to the ratio of electromagnetic anomaly factor $E = TrX_f Q^2_f N_c$ ($N_c$ is 3 and 1 for quarks and charged leptons respectively) and QCD anomaly factor $N = TrX_q T(q)$ ($T(q)$ is quarks $SU(3)_c$ index). The broken PQ symmetry generator is used in the calculation which does not seem to extract out the components of broken generator in the axion which are eaten by the $Z$ boson. However, using the physical components of axion or the ratio of anomaly factors should obtain the same results in the DFSZ for $g_{agamma}$. When going beyond the standard DFSZ models, such as variant DFSZ models, where more Higgs doublets and fermions have different PQ charges, one may wonder if the results are different. We show that the two methods obtain the same results as expected, but the axion couplings to quarks and leptons $g_{af}$ (here f indicates one of the fermions in the SM) are more conveniently calculated in the physical axion basis. The result depends on the values of the vacuum expectation values leading to a wider parameter space for $g_{af}$ in beyond the standard DFSZ axion. We also show explicitly how flavor conserving $g_{af}$ couplings can be maintained when there are more than one Higgs doublets couple to the up and down fermion sectors in variant DFSZ models at tree level, and how flavor violating couplings can arise.
Deep learning, as widely known, is vulnerable to adversarial samples. This paper focuses on the adversarial attack on autoencoders. Safety of the autoencoders (AEs) is important because they are widely used as a compression scheme for data storage an
d transmission, however, the current autoencoders are easily attacked, i.e., one can slightly modify an input but has totally different codes. The vulnerability is rooted the sensitivity of the autoencoders and to enhance the robustness, we propose to adopt double backpropagation (DBP) to secure autoencoder such as VAE and DRAW. We restrict the gradient from the reconstruction image to the original one so that the autoencoder is not sensitive to trivial perturbation produced by the adversarial attack. After smoothing the gradient by DBP, we further smooth the label by Gaussian Mixture Model (GMM), aiming for accurate and robust classification. We demonstrate in MNIST, CelebA, SVHN that our method leads to a robust autoencoder resistant to attack and a robust classifier able for image transition and immune to adversarial attack if combined with GMM.
Generative models are popular tools with a wide range of applications. Nevertheless, it is as vulnerable to adversarial samples as classifiers. The existing attack methods mainly focus on generating adversarial examples by adding imperceptible pertur
bations to input, which leads to wrong result. However, we focus on another aspect of attack, i.e., cheating models by significant changes. The former induces Type II error and the latter causes Type I error. In this paper, we propose Type I attack to generative models such as VAE and GAN. One example given in VAE is that we can change an original image significantly to a meaningless one but their reconstruction results are similar. To implement the Type I attack, we destroy the original one by increasing the distance in input space while keeping the output similar because different inputs may correspond to similar features for the property of deep neural network. Experimental results show that our attack method is effective to generate Type I adversarial examples for generative models on large-scale image datasets.
Adversarial attacks on deep neural networks (DNNs) have been found for several years. However, the existing adversarial attacks have high success rates only when the information of the victim DNN is well-known or could be estimated by the structure s
imilarity or massive queries. In this paper, we propose to Attack on Attention (AoA), a semantic property commonly shared by DNNs. AoA enjoys a significant increase in transferability when the traditional cross entropy loss is replaced with the attention loss. Since AoA alters the loss function only, it could be easily combined with other transferability-enhancement techniques and then achieve SOTA performance. We apply AoA to generate 50000 adversarial samples from ImageNet validation set to defeat many neural networks, and thus name the dataset as DAmageNet. 13 well-trained DNNs are tested on DAmageNet, and all of them have an error rate over 85%. Even with defenses or adversarial training, most models still maintain an error rate over 70% on DAmageNet. DAmageNet is the first universal adversarial dataset. It could be downloaded freely and serve as a benchmark for robustness testing and adversarial training.
Considerable information has been obtained about neutrino mixing matrix. Present data show that in the particle data group (PDG) parameterization, the 2-3 mixing angle and the CP violating phase are consistent with $theta_{23} = pi/4$ and $delta_{PDG
} = -pi/2$, respectively. A lot of efforts have been devoted to constructing models in realizing a mixing matrix with these values. However, the particular angles and phase are parameterization convention dependent. The meaning about the specific values for mixing angle and phase needs to be clarified. Using the well known 9 independent ways of parameterizing the mixing matrix, we show in detail how the mixing angles and phase change with conventions even with the 2-3 mixing angle to be $pi/4$ and the CP violating phase to be $-pi/2$. The original Kaobayashi-Maskawa and an additional one belong to such a category. The other 6 parameterizations have mixing angles and phase very different values from those in the PDG parameterization although the physical effects are the same. Therefore one should give the specific parameterization convention when making statements about values for mixing angles and phase.
In this paper we consider the pricing of variable annuities (VAs) with guaranteed minimum withdrawal benefits. We consider two pricing approaches, the classical risk-neutral approach and the benchmark approach, and we examine the associated static an
d optimal behaviors of both the investor and insurer. The first model considered is the so-called minimal market model, where pricing is achieved using the benchmark approach. The benchmark approach was introduced by Platen in 2001 and has received wide acceptance in the finance community. Under this approach, valuing an asset involves determining the minimum-valued replicating portfolio, with reference to the growth optimal portfolio under the real-world probability measure, and it both subsumes classical risk-neutral pricing as a particular case and extends it to situations where risk-neutral pricing is impossible. The second model is the Black-Scholes model for the equity index, where the pricing of contracts is performed within the risk-neutral framework. Crucially, we demonstrate that when the insurer prices and reserves using the Black-Scholes model, while the insured employs a dynamic withdrawal strategy based on the minimal market model, the insurer may be underestimating the value and associated reserves of the contract.
