adversarial attacks beyond the image space
play

Adversarial Attacks Beyond the Image Space Xiaohui Zeng , Chenxi - PowerPoint PPT Presentation

Aug 20, 2022 •255 likes •577 views

Adversarial Attacks Beyond the Image Space Xiaohui Zeng , Chenxi Liu, Yu-Siang Wang, Weichao Qiu, Lingxi Xie, Yu-Wing Tai, Chi Keung Tang, Alan Yuille 06/19/2019 Visual Recognition Pipeline Visual Recognition Pipeline 3D scene Visual

  1. Adversarial Attacks Beyond the Image Space Xiaohui Zeng , Chenxi Liu, Yu-Siang Wang, Weichao Qiu, Lingxi Xie, Yu-Wing Tai, Chi Keung Tang, Alan Yuille 06/19/2019

  2. Visual Recognition Pipeline

  3. Visual Recognition Pipeline 3D scene

  4. Visual Recognition Pipeline projection 3D scene 2D image

  5. Visual Recognition Pipeline car projection recognition 3D scene 2D image label

  6. Adversarial Attacks on 2D Image car projection recognition + bus recognition

  7. Adversarial Attacks ● Can the network fail if we slightly modify 2D pixel values? ○ Yes!

  8. Adversarial Attacks ● Can the network fail if we slightly modify 2D pixel values? ○ Yes! ● Should we be concerned about them in the real world? Well, sort of. ○

  9. Adversarial Attacks ● Can the network fail if we slightly modify 2D pixel values? ○ Yes! ● Should we be concerned about them in the real world? Well, sort of. ○ ○ Potentially dangerous. ○ But require position-wise albedo change, which is unrealistic to implement.

  10. Adversarial Attacks on 3D Scene car projection recognition + ??? rotation, projection recognition translation

  11. Adversarial Attacks on 3D Scene car projection recognition + ??? lighting projection recognition

  12. Adversarial Attacks ● Can the network fail if we ● Can the network fail if we slightly modify 2D pixel values? slightly modify 3D physical ○ Yes! parameters? ● Should we be concerned about ○ Well, let’s find out :) them in the real world? Well, sort of. ○ ○ Potentially dangerous. ○ But require position-wise albedo change, which is unrealistic to implement.

  13. Adversarial Attacks ● Can the network fail if we ● Can the network fail if we slightly modify 2D pixel values? slightly modify 3D physical ○ Yes! parameters? ● Should we be concerned about ○ Well, let’s find out :) them in the real world? ● Should we be concerned about Well, sort of. them in the real world? ○ ○ Potentially dangerous. ○ If they exist, then we should ○ But require position-wise be much more concerned albedo change, which is than before, as they are unrealistic to implement. much more easily realized.

  14. Visual Recognition Pipeline car projection recognition 3D scene 2D image label Physical Image Output Space Space Space

  15. Visual Recognition Pipeline car rendering recognition 3D scene 2D image label Physical Image Output Space Space Space

  16. Visual Recognition Pipeline car rendering CNN 3D scene 2D image label Physical Image Output Space Space Space

  17. Visual Recognition Pipeline car rendering CNN 3D scene 2D image label Physical Image Output Space Space Space

  18. Settings & Tasks Differentiable ● White box attack Renderer Use gradient descent ●

  19. Settings & Tasks Differentiable ● White box attack Renderer Use gradient descent ● Non-Differentiable Black box attack ● Renderer ● Use finite difference for the non-differentiable component Chen, Pin-Yu, et al. "Zoo: Zeroth order optimization based black-box attacks to deep neural networks without training substitute models." Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security. ACM, 2017.

  20. Settings & Tasks Differentiable Renderer Non-Differentiable Renderer

  21. Settings & Tasks Object Classification (ShapeNet) Differentiable Renderer Non-Differentiable Renderer Chang, Angel X., et al. "Shapenet: An information-rich 3d model repository." arXiv preprint arXiv:1512.03012 (2015).

  22. Settings & Tasks Object Classification Visual Question (ShapeNet) Answering (CLEVR) Differentiable Renderer Non-Differentiable Renderer Johnson, Justin, et al. "Clevr: A diagnostic dataset for compositional language and elementary visual reasoning." In CVPR. 2017.

  23. Settings & Tasks Object Classification Visual Question (ShapeNet) Answering (CLEVR) Differentiable Renderer #1 #2 Non-Differentiable Renderer #3 #4

  24. #1: Differentiable + Object Classification ● Differentiable renderer: Liu et al, 2017 surface normal ○ ○ illumination material ○ Liu, Guilin, et al. "Material editing using a physically based rendering network." In ICCV. 2017.

  25. #1: Differentiable + Object Classification ● Differentiable renderer: Liu et al, 2017 surface normal ○ ○ illumination material ○ ● Can image space adversarial noise be explained by physical space? ○ No for 97% of the case

  26. #1: Differentiable + Object Classification ● Differentiable renderer: Liu et al, 2017 surface normal ○ ○ illumination material ○ ● Can image space adversarial noise be explained by physical space? ○ No for 97% of the case ● Attacking image space vs physical space: Image Surface N. Illumination Material Combined Attack 100.00 89.27 29.61 18.88 94.42 success %

  27. #2: Differentiable + VQA ● Attacking image space vs physical space: Image Surface N. Illumination Material Combined Attack 96.33 83.67 48.67 8.33 90.67 success %

  28. #3: Non-Differentiable + Object Classification ● Non-Differentiable renderer: Blender color ○ ○ rotation translation ○ ○ lighting

  29. #3: Non-Differentiable + Object Classification ● Non-Differentiable renderer: Blender color ○ ○ rotation translation ○ ○ lighting How often does physical space attack succeed? ● ○ ~10% of the time ○ But highly interpretable: Rotate (-2.9, 9.4, 2.5) x 10 -3 rad along x, y, z Move (2.0, 0.0, 0.2) x 10 -3 along x, y, z Change RGB color by (9.1, 5.4, -4.8) x 10 -2 Adjust light source by -0.3 Change the light angle by (9.5, 5.4, 0.6) x 10 -2 cap helmet

  30. #4: Non-Differentiable + VQA ● How often does physical space attack succeed? ~20% of the time ○ ○ But highly interpretable: Q: How many other purple objects have the same shape as the purple matte object? Move light source by (0.0, 3.0, -1.0, -1.7) x 10 -2 Rotate object 2 by (-1.6, 4.1) x 10 -2 Move object 3 by (-3.1, 6.2) x 10 -2 Change RGB of object 9 by (-3.7, -1.1, -4.5) x 10 -2 …… A: 0 A: 1

  31. Conclusion ● We study adversarial attacks beyond the image space on the physical space Such attacks (via rotation, translation, color, lighting etc) can still succeed ● ● They pose more serious threat Rotate (-2.9, 9.4, 2.5) x 10 -3 rad along x, y, z Move (2.0, 0.0, 0.2) x 10 -3 along x, y, z Change RGB color by (9.1, 5.4, -4.8) x 10 -2 Adjust light source by -0.3 Change the light angle by (9.5, 5.4, 0.6) x 10 -2 cap helmet

  32. Thank you!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CVPR 2020 Universal Adversarial Attacks Image agnostic and transferable across networks

CVPR 2020 Universal Adversarial Attacks Image agnostic and transferable across networks

1 1,4 2,3 2 3 4 1 CVPR 2020 Universal Adversarial Attacks Image agnostic and transferable across networks Adversarial No defense: Baseline DNN perturbation Input image Classification Feature extraction dense Perturbed image

592 views • 6 slides
Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem

Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem

images from Geris Game (Pixar, 1997) Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem Aykut Erdem Levent Karacan Computer Vision Lab, Hacettepe University Outline Part 1: Attacks on

1.11k views • 72 slides
Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning Stronger Jingfeng Zhang 1 * , Xilie Xu 2* , Bo Han 34 , Gang Niu 4 , Lichen Cui 5 , Masashi Sugiyama 46 , and Mohan Kankanhalli 1 1 Department of Computer

376 views • 14 slides
Stronger and Faster Wasserstein Adversarial Attacks Kaiwen Wu kaiwen.wu@uwaterloo.ca Joint work

Stronger and Faster Wasserstein Adversarial Attacks Kaiwen Wu kaiwen.wu@uwaterloo.ca Joint work

Stronger and Faster Wasserstein Adversarial Attacks Kaiwen Wu kaiwen.wu@uwaterloo.ca Joint work with Allen Wang and Yaoliang Yu K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 1 / 18 Adversarial Examples Adversarial

1.04k views • 38 slides
Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias

Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias

Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias Hein, Bernt Schiele 2-Minute Overview Problem: Robustness to various adversarial examples. Adversarial training on L adversarial examples:

635 views • 34 slides
On Adaptive Attacks to Adversarial Example Defenses Florian Tramr USENIX ScAINet August 10 th

On Adaptive Attacks to Adversarial Example Defenses Florian Tramr USENIX ScAINet August 10 th

On Adaptive Attacks to Adversarial Example Defenses Florian Tramr USENIX ScAINet August 10 th , 2020 Joint work with Nicholas Carlini, Wieland Brendel and Aleksander Madry What Are Adversarial Examples? 88% Tabby Cat 99% Guacamole Biggio

360 views • 21 slides
Attacks Meet Interpretability: Attribute-steered Detection of Adversarial Samples Guanhong Tao ,

Attacks Meet Interpretability: Attribute-steered Detection of Adversarial Samples Guanhong Tao ,

Attacks Meet Interpretability: Attribute-steered Detection of Adversarial Samples Guanhong Tao , Shiqing Ma, Yingqi Liu, Xiangyu Zhang Understanding Adversarial Samples Legitimate input Isla Fisher Model Pixel-wise Differences ( 50 times)

482 views • 34 slides
Unpaired Image-to-Image Translation using Cycle-Consistent Adversarial Networks Jun-Yan Zhu, et,

Unpaired Image-to-Image Translation using Cycle-Consistent Adversarial Networks Jun-Yan Zhu, et,

Unpaired Image-to-Image Translation using Cycle-Consistent Adversarial Networks Jun-Yan Zhu, et, al. ICCV 2017 2018.11.01 20185209 Sangyoon Lee Table of contents **ref: https://www.youtube.com/watch?v=Fkqf3dS9Cqw&t=1700s Before

823 views • 25 slides
Conditional Generative Adversarial Networks (and a brief look at image-to-image translation)

Conditional Generative Adversarial Networks (and a brief look at image-to-image translation)

Conditional Generative Adversarial Networks (and a brief look at image-to-image translation) Final Presentation Peter Bromley Generative Models What is generative modeling? Data: Samples from high dimensional probability distribution p real

621 views • 25 slides
Applications of GANs Photo-Realistic Single Image Super-Resolution Using a Generative

Applications of GANs Photo-Realistic Single Image Super-Resolution Using a Generative

Applications of GANs Photo-Realistic Single Image Super-Resolution Using a Generative Adversarial Network Deep Generative Image Models using a Laplacian Pyramid of Adversarial Networks Generative Adversarial Text to Image Synthesis

614 views • 27 slides
Applications of GANs Photo-Realistic Single Image Super-Resolution Using a Generative

Applications of GANs Photo-Realistic Single Image Super-Resolution Using a Generative

Applications of GANs Photo-Realistic Single Image Super-Resolution Using a Generative Adversarial Network Deep Generative Image Models using a Laplacian Pyramid of Adversarial Networks Generative Adversarial Text to Image Synthesis

666 views • 39 slides
Adversarial Attacks on Probabilistic Autoregressive Forecasting Models 2 (i) Probabilistic

Adversarial Attacks on Probabilistic Autoregressive Forecasting Models 2 (i) Probabilistic

ICML 2020 Raphal Dang-Nhu Gagandeep Singh Pavol Bielik Martin Vechev Department of Computer Science, ETH Zrich dangnhur@ethz.ch 1 Adversarial Attacks on Probabilistic Autoregressive Forecasting Models 2 (i) Probabilistic forecasting

765 views • 45 slides
On Certifying Non-uniform Bounds against Adversarial Attacks Chen Liu , Ryota Tomioka ,

On Certifying Non-uniform Bounds against Adversarial Attacks Chen Liu , Ryota Tomioka ,

On Certifying Non-uniform Bounds against Adversarial Attacks Chen Liu , Ryota Tomioka , Volkan Cevher Ecole Polytechnique F ed erale de Lausanne Microsoft Research Cambridge June 11th, 2019 Liu et al. (EPFL)

557 views • 17 slides
Image Space Occlusion Culling Image Space Occlusion Culling 1 Hudson et al, SoCG 97 Occluder A

Image Space Occlusion Culling Image Space Occlusion Culling 1 Hudson et al, SoCG 97 Occluder A

Image Space Occlusion Culling Image Space Occlusion Culling 1 Hudson et al, SoCG 97 Occluder A Viewpoint umbra B C 2 What Methods are Called Image-Space? Those where the decision to cull or render is done after projection (in image

566 views • 24 slides
15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico

15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico

15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico Kolter (this lecture) and Ariel Procaccia Carnegie Mellon University Spring 2018 Portions base upon joint work with Eric Wong 1 Outline Adverarial

710 views • 39 slides
Overview What is Adversarial Attack? Why should we care? How does it work? Real

Overview What is Adversarial Attack? Why should we care? How does it work? Real

Adversarial Attacks on Phishing Detection Ryan Chang Overview What is Adversarial Attack? Why should we care? How does it work? Real World Demo on Phishing Detection Model How to defend? Adversarial Examples on

610 views • 26 slides
Is there a magnetic field on asteroid (4) Vesta? t Carry 1 , 2 by Beno in collaboration with:

Is there a magnetic field on asteroid (4) Vesta? t Carry 1 , 2 by Beno in collaboration with:

Asteroid (4) Vesta SINFONI Mineralogy Spectral slope Magnetic field Conclusion Is there a magnetic field on asteroid (4) Vesta? t Carry 1 , 2 by Beno in collaboration with: P. Vernazza (ESA/ESTEC), C. Dumas (ESO) & M. Fulchignoni

585 views • 31 slides
Unsupervised Learning of Probably Symmetric Deformable 3D Objects from Images in the Wild

Unsupervised Learning of Probably Symmetric Deformable 3D Objects from Images in the Wild

Unsupervised Learning of Probably Symmetric Deformable 3D Objects from Images in the Wild Shangzhe Wu Christian Rupprecht Andrea Vedaldi V ISUAL G EOMETRY G ROUP , U NIVERSITY OF O XFORD Agenda v Problem Introduction v Method Overview v Results

3.49k views • 59 slides
The climate cooling potential of different geoengineering options Tim Lenton & Naomi Vaughan G

The climate cooling potential of different geoengineering options Tim Lenton & Naomi Vaughan G

The climate cooling potential of different geoengineering options Tim Lenton & Naomi Vaughan G eo E ngineering A ssessment & R esearch ( GEAR ) initiative School of Environmental Sciences, University of East Anglia, Norwich, UK

562 views • 30 slides
Climate Sensitivity We consider climate sensitivity in a very simple context. Climate Sensitivity

Climate Sensitivity We consider climate sensitivity in a very simple context. Climate Sensitivity

Climate Sensitivity We consider climate sensitivity in a very simple context. Climate Sensitivity We consider climate sensitivity in a very simple context. We consider a single-layer isothermal atmosphere. Climate Sensitivity We consider

1.09k views • 81 slides
P RINCIPLED K ERNEL P REDICTION FOR S PATIALLY V ARYING BSSRDF S Oskar Elek and Jaroslav K

P RINCIPLED K ERNEL P REDICTION FOR S PATIALLY V ARYING BSSRDF S Oskar Elek and Jaroslav K

P RINCIPLED K ERNEL P REDICTION FOR S PATIALLY V ARYING BSSRDF S Oskar Elek and Jaroslav K ivnek This project has received funding from the European Unions Horizon 2020 research and innovation programme under the Charles University, Prague

315 views • 30 slides
Solving the Uncalibrated Photometric Stereo problem using Total Variation eau 1 cois Lauze 2

Solving the Uncalibrated Photometric Stereo problem using Total Variation eau 1 cois Lauze 2

Solving the Uncalibrated Photometric Stereo problem using Total Variation eau 1 cois Lauze 2 Jean-Denis Durou 1 Yvain Qu Fran IRIT 1 DIKU 2 Toulouse, France Copenhagen, Denmark Yvain Qu eau TV - Uncalibrated Photometric Stereo 1 / 26

775 views • 32 slides
D4.2, D4.3 EUMETSAT, UCL, BC, NPL, JRC, RF QA4ECV Mid-Term Review Meeting, MSSL, 14-16 June 2016

D4.2, D4.3 EUMETSAT, UCL, BC, NPL, JRC, RF QA4ECV Mid-Term Review Meeting, MSSL, 14-16 June 2016

QA4ECV WP4 T4.2 - Development of harmonised retrieval for surface BRDF/albedo, D4.2, D4.3 EUMETSAT, UCL, BC, NPL, JRC, RF QA4ECV Mid-Term Review Meeting, MSSL, 14-16 June 2016 BRDF/Albedo Plan A Overview Development of GlobAlbedo approach

906 views • 62 slides
1 The appearance of colours Reflected light at each wavelength is the product of illumination

1 The appearance of colours Reflected light at each wavelength is the product of illumination

Measurements of Colour relative spectral power of sunlight, made by J. Reading: Chapter 6 Parkkinen and P. Silfsten. Relative spectral power is plotted against wavelength in nm. The visible range is Light is produced in different

466 views • 9 slides

More recommend