a closer look at adversarial examples for separated data
play

A Closer Look at Adversarial Examples for Separated Data Kamalika - PowerPoint PPT Presentation

Sep 10, 2022 •972 likes •1.41k views

A Closer Look at Adversarial Examples for Separated Data Kamalika Chaudhuri University of California, San Diego Adversarial Examples Gibbon Panda Small perturbation to legitimate inputs causing misclassification Adversarial Examples Can

  1. A Closer Look at Adversarial Examples for Separated Data Kamalika Chaudhuri University of California, San Diego

  2. Adversarial Examples Gibbon Panda Small perturbation to legitimate inputs causing misclassification

  3. Adversarial Examples Can potentially lead to serious safety issues

  4. Adversarial Examples: State of the Art A large number of attacks A few defenses Not much understanding on why adversarial examples arise

  5. Adversarial Examples: State of the Art A large number of attacks A few defenses Not much understanding on why adversarial examples arise This talk: A closer look

  6. Background: Classification Given: ( x i, y i ) Vector of Discrete features Labels Find: Prediction rule in a class to predict y from x

  7. Background: The Statistical Learning Framework - + Training and test data drawn from an underlying distribution D

  8. Background: The Statistical Learning Framework - + Training and test data drawn from an underlying distribution D Goal: Find classifier f to maximize accuracy ( x,y ) ∼ D ( f ( x ) = y ) Pr

  9. Measure of Robustness: L p norm A classifier f is robust with radius r at x if it predicts f(x) for all x’ in k x � x 0 k p  r

  10. Why do we have adversarial examples?

  11. Why do we have adversarial examples? - Data Distributional distribution Robustness +

  12. Why do we have adversarial examples? - Data Distributional distribution Robustness + Too few - Finite Sample samples Robustness +

  13. Why do we have adversarial examples? - Data Distributional distribution Robustness + Too few - Finite Sample samples Robustness + Algorithmic Bad - Robustness algorithm +

  14. Why do we have adversarial examples? - Data Distributional distribution Robustness + Are classes separated in real data?

  15. r-Separation 2r 2r Data distribution D is r-separated if for any (x, y) and (x’, y’) drawn from D y 6 = y 0 = ) k x � x 0 k � 2 r

  16. r-Separation 2r 2r 2r Data distribution D is r-separated if for any (x, y) and (x’, y’) drawn from D y 6 = y 0 = ) k x � x 0 k � 2 r r-separation means accurate and robust at radius r classifier possible!

  17. Real Data is r-Separated Dataset Separation Typical r 0.1 MNIST 0.74 0.03 CIFAR10 0.21 0.03 SVHN* 0.09 0.005 ResImgnet* 0.18 Separation = min distance between any two points in different classes

  18. Robustness for r-separated data: Two Settings Non-parametric Methods

  19. Non-Parametric Methods k-Nearest Neighbors Decision Trees Others: Random Forests, Kernel classifiers, etc

  20. What is known about Nonparametric Methods?

  21. The Bayes Optimal Classifier Classifier with maximum accuracy on data distribution Only reachable in the large sample limit

  22. What is known about Non-Parametrics? With growing training data, accuracy of non-parametric methods converge to accuracy of the Bayes Optimal

  23. What about Robustness? Prior work: Attacks and defenses for specific classifiers Our work: General conditions when we can get robustness

  24. What is the goal of robust classification?

  25. What is the goal of robust classification? Bayes optimal undefined outside distribution Bayes optimal

  26. The r-optimal [YRZC20] Bayes optimal undefined outside distribution x Bayes optimal r-optimal r-optimal = classifier that maximizes accuracy at points that have robustness radius at least r

  27. Convergence Result [BC20] Theorem: For r-separated data, condi- tions when non-parametrics converge 2r to r-optimal in large n limit

  28. Convergence Result [BC20] Theorem: For r-separated data, condi- tions when non-parametrics converge 2r to r-optimal in large n limit Convergence limit: r-optimal: Nearest neighbor, Kernel classifiers

  29. Convergence Result [BC20] Theorem: For r-separated data, condi- tions when non-parametrics converge 2r to r-optimal in large n limit Convergence limit: r-optimal: Nearest neighbor, Kernel classifiers Bayes-optimal but not r-optimal: Histograms, Decision trees

  30. Convergence Result [BC20] Theorem: For r-separated data, condi- tions when non-parametrics converge 2r to r-optimal in large n limit Robustness depends on training algorithm! Convergence limit: r-optimal: Nearest neighbor, Kernel classifiers Bayes-optimal but not r-optimal: Histograms, Decision trees

  31. Robustness for r-separated data: Two Settings Non-parametric Methods Neural Networks

  32. Robustness in Neural Networks A large number of attacks A few defenses All defenses show a robustness-accuracy tradeoff Is this tradeoff necessary?

  33. The Setting: Neural Networks f(x) f Neural network computes function f(x) 0 Classifier output sign(f(x)) x

  34. The Setting: Neural Networks f(x) f Neural network computes function f(x) 0 Classifier output sign(f(x)) x Robustness comes from Local Smoothness: If f is locally Lipschitz around x, and f(x) is away from 0, then f is robust at x

  35. Robustness and Accuracy Possible through Local Lipschitzness f(x) f Neural network computes function f(x) 0 Classifier output sign(f(x)) x Theorem [YRZSC20] If distribution is r-separated, then there exists an f s.t. f is locally smooth and sign(f) has accuracy 1 and robustness radius r

  36. In principle, no robustness-accuracy tradeoff In practice there is one What accounts for this gap?

  37. Empirical Study 4 standard image datasets 7 models 6 different training methods - Natural, AT, Trades, LLR, GR Measure local Lipschitzness, accuracy and adversarial accuracy

  38. Result: CIFAR 10

  39. Observations Trades and Adversarial training have best local Lipschitzness Overall, local Lipschitzness correlated with robustness and accuracy - until underfitting begins Generalization gap is quite large - possibly a sign of overfitting Overall: robustness/accuracy tradeoff due to imperfect training methods

  40. Conclusion: Why do we have adversarial examples? - Data Distributional distribution Robustness + Too few - Finite Sample samples Robustness + Algorithmic Bad - Robustness algorithm +

  41. References Robustness for Non-parametric Methods: A generic defense and an attack, Y. Yang, C. Rashtchian, Y. Wang, and K. Chaudhuri, AISTATS 2020 When are Non-parametric Methods Robust? R. Bhattacharjee and K. Chaudhuri, Arxiv 2003.06121 Adversarial Robustness through Local Lipschitzness Y. Yang, C. Rashtchian, H. Zhang, R. Salakhutdinov and K. Chaudhuri, Arxiv 2003.02460

  42. Acknowledgements Cyrus Yaoyuan Yizhen Hongyang Robi Ruslan Rashtchian Yang Wang Zhang Bhattacharjee Salakhutdinov

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Neglected topics CS 446 Adversarial examples and deep networks 1 / 23 Adversarial

Neglected topics CS 446 Adversarial examples and deep networks 1 / 23 Adversarial

Neglected topics CS 446 Adversarial examples and deep networks 1 / 23 Adversarial examples? Standard ML setup: We have training data; try to do well on withheld testing data. Adversarial/robust ML setup: We have training

672 views • 27 slides
Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML

Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML

Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML models that an attacker has intentionally designed to cause the model to make a mistake 1 Why this is interesting: Safety. Interpretability.

881 views • 22 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google Brain CS 231n, Stanford University, 2017-05-30 Overview What are adversarial examples? Why do they happen? How can they be used to

866 views • 43 slides
Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin Kwok Adversarial examples Adversarial examples Imperceptible perturbations to an input can change a neural network's prediction adversarial

1.06k views • 23 slides
Thermometer Encoding: One Hot Way to Resist Adversarial Examples Stanford, 2017-11-16 Aurko Roy*

Thermometer Encoding: One Hot Way to Resist Adversarial Examples Stanford, 2017-11-16 Aurko Roy*

Thermometer Encoding: One Hot Way to Resist Adversarial Examples Stanford, 2017-11-16 Aurko Roy* Colin Ra ff el Jacob Ian Buckman* Goodfellow *joint first author Adversarial Examples Adversarial Definitely Probably panda perturbation

607 views • 15 slides
Adversarial Examples in NLP Sameer Singh sameer@uci.edu @sameer_ sameersingh.org What are

Adversarial Examples in NLP Sameer Singh sameer@uci.edu @sameer_ sameersingh.org What are

Slides: http://tiny.cc/adversarial Adversarial Examples in NLP Sameer Singh sameer@uci.edu @sameer_ sameersingh.org What are Adversarial Examples? panda gibbon 57.7% confidence 99.3% confidence [Goodfellow et al, ICLR 2015 ]

1.56k views • 43 slides
? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

Todays Story: How I got my first Death Threat ? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr October 8 th 2019 Joint work with Pascal Dupr, Gili Rusak, Giancarlo Pellegrino and Dan Boneh The

415 views • 29 slides
Explaining and Harnessing Adversarial Examples Ian J. Goodfellow, Jonathon Shlens, &

Explaining and Harnessing Adversarial Examples Ian J. Goodfellow, Jonathon Shlens, &

Explaining and Harnessing Adversarial Examples Ian J. Goodfellow, Jonathon Shlens, & Christian Szegedy Presented by - Kawin Ethayarajh and Abhishek Tiwari Introduction - adversarial examples : Inputs formed by applying small but

1.49k views • 103 slides
Paraphrase generation: adversarial examples / data augmentation CS 685, Fall 2020 Advanced

Paraphrase generation: adversarial examples / data augmentation CS 685, Fall 2020 Advanced

Paraphrase generation: adversarial examples / data augmentation CS 685, Fall 2020 Advanced Natural Language Processing Mohit Iyyer College of Information and Computer Sciences University of Massachusetts Amherst stuff from last time HW1

692 views • 53 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security Seminar, Stanford University, 2017-01-17 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013

939 views • 44 slides
Physical Adversarial Examples Alex Kurakin Ian Goodfellow Output STOP Machine Learning

Physical Adversarial Examples Alex Kurakin Ian Goodfellow Output STOP Machine Learning

Physical Adversarial Examples Alex Kurakin Ian Goodfellow Output STOP Machine Learning Training Examples Hidden units / BICYCLE features CAR PEDESTRIA N Parameters Input ImageNet (Russakovsky et al 2015) Adversarial Examples: Images

369 views • 19 slides
On the Defense Against Adversarial Examples Beyond the Visible Spectrum Anthony Ortiz 1 , Olac

On the Defense Against Adversarial Examples Beyond the Visible Spectrum Anthony Ortiz 1 , Olac

On the Defense Against Adversarial Examples Beyond the Visible Spectrum Anthony Ortiz 1 , Olac Fuentes 1 , Dalton Rosario 2 , Christopher Kiekintveld 1 1 Department of Computer Science, UTEP 2 US Army Research Laboratory Adversarial Examples on

460 views • 19 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Guest

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Guest

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Guest lecture for CS 294-131, UC Berkeley, 2016-10-05 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013

660 views • 44 slides
Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin Kwok Standard Adversarial Examples Given image x ; target class y Maximize with projected gradient descent: Standard Adversarial Examples Standard

560 views • 15 slides
Adversarial Examples and Adversarial Training Innova&ve Technology Leader program January 22

Adversarial Examples and Adversarial Training Innova&ve Technology Leader program January 22

Adversarial Examples and Adversarial Training Innova&ve Technology Leader program January 22 nd 2018 Florian Tramr Stanford Deep Learning is Super Smart! 2 Is it really? + . 007 = Im sure this Im certain this is a panda is

452 views • 12 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Presentation at San Francisco AI Meetup, 2016-08-18 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013

690 views • 32 slides
Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Dhiman Saha 1 , Sukhendu Kuila 2 , Dipanwita Roy Chowdhury 1 1 Dept. Of Computer Science & Engineering, IIT Kharagpur, INDIA 2 Dept. Of Mathematics, Vidyasagar University, INDIA DIAC 2014, Santa Barbara, USA Nonce-based Encryption

298 views • 19 slides
Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu xiwu@cs.wisc.edu Joint work with Uyeong Jang, Jiefeng Chen, Lingjiao Chen, and Somesh Jha July 19, 2018 Xi Wu Model Confidence and Adversarial

740 views • 9 slides
Regularization for Deep Learning Lecture slides for Chapter 7 of Deep Learning

Regularization for Deep Learning Lecture slides for Chapter 7 of Deep Learning

Regularization for Deep Learning Lecture slides for Chapter 7 of Deep Learning www.deeplearningbook.org Ian Goodfellow 2016-09-27 Definition Regularization is any modification we make to a learning algorithm that is intended to reduce

179 views • 13 slides
React A"JavaScript"Library"For"Building"User"Interfaces

React A"JavaScript"Library"For"Building"User"Interfaces

React A"JavaScript"Library"For"Building"User"Interfaces React&is&not&FRP [Func&onal]+Reac&ve+programming+is+programming+with+ asynchronous+data+streams. !!"Andr"Staltz 1 1

916 views • 24 slides
AT&T Research at TRECVID 2013: Surveillance Event Detection Xiaodong Yang * , Zhu Liu ,

AT&T Research at TRECVID 2013: Surveillance Event Detection Xiaodong Yang * , Zhu Liu ,

AT&T Research at TRECVID 2013: Surveillance Event Detection Xiaodong Yang * , Zhu Liu , Eric Zavesky , David Gibbon , Behzad Shahraray City College of New York, CUNY AT&T Labs - Research *This work is carried out

637 views • 41 slides
Questioning Question Answering Answers Sameer Singh University of California, Irvine Questioning

Questioning Question Answering Answers Sameer Singh University of California, Irvine Questioning

Questioning Question Answering Answers Sameer Singh University of California, Irvine Questioning Question Answering Answers Sameer Singh University of California, Irvine QA Systems are really good! Is there a moustache in the picture? >

1.1k views • 50 slides
Limit distributions of tree parameters Stephan Wagner Stellenbosch University FPSAC, 4 July 2019

Limit distributions of tree parameters Stephan Wagner Stellenbosch University FPSAC, 4 July 2019

Limit distributions of tree parameters Stephan Wagner Stellenbosch University FPSAC, 4 July 2019 Why study trees? They are simple. They have many nice properties. They are useful. Distribution of tree parameters S. Wagner, Stellenbosch

640 views • 42 slides
ive Init nitiat iativ Henry Neeman, University of Oklahoma Assistant Vice President,

ive Init nitiat iativ Henry Neeman, University of Oklahoma Assistant Vice President,

The he OneOklahoma OneOklahoma Cyber berinf infras astruct uctur ure ive Init nitiat iativ Henry Neeman, University of Oklahoma Assistant Vice President, Information Technology Research Strategy Advisor Director, OU Supercomputing

449 views • 26 slides

More recommend