adversarial examples are not mysterious generalization is
play

Adversarial examples are not mysterious, generalization is Angus - PowerPoint PPT Presentation

Jun 30, 2023 •342 likes •669 views

I NTRODUCTION Theory Trade-offs Practical Attacks DNNs Adversarial examples are not mysterious, generalization is Angus Galloway University of Guelph gallowaa@uoguelph.ca I NTRODUCTION Theory Trade-offs Practical Attacks DNNs T HE

  1. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs Adversarial examples are not mysterious, generalization is Angus Galloway University of Guelph gallowaa@uoguelph.ca

  2. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs T HE ADVERSARIAL EXAMPLES PHENOMENON Machine learning models generalize well to an unseen test set, yet every input of a particular class is extremely close to an input of another class. “Accepted” informal definition : Any input designed to fool a machine learning system.

  3. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs F ORMAL DEFINITIONS A “misclassification” adversarial candidate ˆ x on a neural network F with input x via some perturbation of x by δ : ˆ x = x + δ where δ is usually derived from the gradient of the loss ∇ L ( θ, y , x ) w.r.t x , and for some small scalar ǫ , � δ � p ≤ ǫ, p ∈ { 1 , 2 , ∞} such that F ( x ) � = F (ˆ x )

  4. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs G OODFELLOW ET AL . 2015 For input x ∈ R n , there is an adversarial example ˜ x = x + η subject to the constraint � η � ∞ < ǫ . The dot product between a weight vector w and an adversarial example ˜ x is then: w T · ˜ x = w T · x + w T · η If w has mean m , activation grows linearly with ǫ m n . . .

  5. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs T ANAY & G RIFFIN 2016 But both w T · x and w T · η grow linearly with dimension n , provided that the distribution of w and x do not change.

  6. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs T HE B OUNDARY T ILTING P ERSPECTIVE Submanifold of sampled data Dense distribution of “low probability pockets” The boundary is “outside the box” Image space Image space (a) (b) Recall manifold learning hypothesis : training data sub-manifold exists with finite topological dimension f �� n .

  7. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs C m ( I , C ) m ( i , C ) j J I i (c) B C B m ( i, C ) j = m ( i, B ) m ( I , B ) m ( I , C ) I I j i i J J (d)

  8. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs T AXONOMY er 0.5 titling of L poorly performing classifiers (0 < v z << 1) B Type 0 titling of L Type 1 Type 2 (v z = 0) er min T optimal L classifiers (low reg.) δ 0 π/2

  9. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs A TTACKING B INARIZED N EURAL N ETWORKS tf.sign() tf.sign() Batch Batch Norm Norm Full-Precision Conv2D ReLU ReLU Scalar Binary Conv2D The empirical observation that BNNs with low-precision weights and activations are at least as robust as their full-precision counter parts.

  10. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs A TTACKING B INARIZED N EURAL N ETWORKS (2) 1. Regularizing effect due to decoupling between continuous and quantized parameters used in forward pass, biased gradient estimator (STE?) 2. Strikes better trade-off on IB curve in over-parameterized regime by discarding irrelevant information. (e) (f)

  11. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs W HY ONLY CONSIDER SMALL PERTURBATIONS ? Fault tolerant engineering design: Want performance degradation to be proportional to perturbation magnitude, regardless of an attacker’s strategy.

  12. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs 100 80 Train w/PGD Natural Accuracy (%) 60 40 20 0 0.1 0.3 0.5 0.7 0.9 Shift Magnitude

  13. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs H UMAN -D RIVEN A TTACKS (g) (h)

  14. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs A P RACTICAL B LACK -B OX A TTACK

  15. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs T RADE - OFFS 100 100 Expert-L2 90 80 Natural FGSM Accuracy (%) 80 60 70 40 40 60 20 50 0 0 10 20 30 40 50 0.0 0.1 0.2 0.3 0.4 0.5 Pixels changed FGSM attack epsilon (i) (j)

  16. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs I NTERPRETABILITY OF L OGISTIC R EGRESSION (k) (l) (m) (n)

  17. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs C ANDIDATE E XAMPLES (o) (p) (q) (r) (s)

  18. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs CIFAR-10 ARCHITECTURE Table: Simple fully-convolutional architecture adapted from the CleverHans library. Model uses ReLU activations, and does not use batch normalization or pooling. Layer h w c in c out s params 8 8 3 32 2 6.1k Conv1 6 6 32 64 2 73.7k Conv2 5 5 64 64 1 102.4k Conv3 1 1 256 10 1 2.6k Fc1 Total – – – – – 184.8k Model has 0.4% as many parameters as WideResNet.

  19. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs L ∞ A DVERSARIAL E XAMPLES 100 WRN FGSM WRN PGD 80 CNN-L2 FGSM CNN-L2 PGD WRN-Nat PGD accuracy (%) 60 40 20 0 25 50 75 100 epsilon

  20. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs R OBUSTNESS 100 WRN CNN 80 CNN-L2 WRN-Nat accuracy (%) 60 40 20 0 0.2 0.4 0.6 0.8 fraction of pixels swapped

  21. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs N OISY E XAMPLES

  22. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs W ITH L 2 WEIGHT DECAY The “independent components” of natural scenes are edge filters (Bell & Sejnowski 1997).

  23. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs W ITHOUT WEIGHT DECAY

  24. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs F OOLING I MAGES 4 years ago I didn’t think small-perturbation adversarial examples were going to be so hard to solve. I thought after another n months of working on those, I’d be basically done with them and would move on to fooling attacks . Deep Neural Networks are Easily Fooled: High Confidence Predictions for Unrecognizable Images (CVPR 2015)

  25. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs F OOLING I MAGES (CIFAR-10)

  26. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs F OOLING I MAGES (SVHN)

  27. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs F OOLING I MAGES (SVHN) Robust training procedure does not learn random labels (lower Rademacher complexity).

  28. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs F OOLING I MAGES 100 attack success rate (ASR) - margin (M) WRN ASR WRN M 80 CNN-L2 ASR CNN-L2 M 60 40 20 0 0 50 100 150 200 250 epsilon

  29. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs D IVIDE AND C ONQUER ? Image from Dube (2018).

  30. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs R EMARKS ◮ Test accuracy on popular ML benchmarks a weak measure of generalization. ◮ Plethora of band-aid fixes to std DNNs do not yield compelling results (e.g. provably robust framework). ◮ Incorporate expert knowledge, e.g. by excplicitly modeling part-whole relationships, other priors that relate to the known causal features such as edges in natural scenes. ◮ Good generalization implies some level of privacy, and more “fair” models assuming original intent is fair.

  31. I NTRODUCTION Theory Trade-offs Practical Attacks DNNs F UTURE WORK Information bottleneck (IB) theory seems essential for efficiently learning robust models from finite data. But why do models with no bottleneck generalize well on common machine learning datasets? i -RevNet retains all information until final layer and achieves high accuracy, but is extremely sensitive to adversarial examples.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML

Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML

Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML models that an attacker has intentionally designed to cause the model to make a mistake 1 Why this is interesting: Safety. Interpretability.

881 views • 22 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google Brain CS 231n, Stanford University, 2017-05-30 Overview What are adversarial examples? Why do they happen? How can they be used to

866 views • 43 slides
A Closer Look at Adversarial Examples for Separated Data Kamalika Chaudhuri University of

A Closer Look at Adversarial Examples for Separated Data Kamalika Chaudhuri University of

A Closer Look at Adversarial Examples for Separated Data Kamalika Chaudhuri University of California, San Diego Adversarial Examples Gibbon Panda Small perturbation to legitimate inputs causing misclassification Adversarial Examples Can

1.41k views • 42 slides
Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin Kwok Adversarial examples Adversarial examples Imperceptible perturbations to an input can change a neural network's prediction adversarial

1.06k views • 23 slides
Thermometer Encoding: One Hot Way to Resist Adversarial Examples Stanford, 2017-11-16 Aurko Roy*

Thermometer Encoding: One Hot Way to Resist Adversarial Examples Stanford, 2017-11-16 Aurko Roy*

Thermometer Encoding: One Hot Way to Resist Adversarial Examples Stanford, 2017-11-16 Aurko Roy* Colin Ra ff el Jacob Ian Buckman* Goodfellow *joint first author Adversarial Examples Adversarial Definitely Probably panda perturbation

607 views • 15 slides
Adversarial Examples in NLP Sameer Singh sameer@uci.edu @sameer_ sameersingh.org What are

Adversarial Examples in NLP Sameer Singh sameer@uci.edu @sameer_ sameersingh.org What are

Slides: http://tiny.cc/adversarial Adversarial Examples in NLP Sameer Singh sameer@uci.edu @sameer_ sameersingh.org What are Adversarial Examples? panda gibbon 57.7% confidence 99.3% confidence [Goodfellow et al, ICLR 2015 ]

1.56k views • 43 slides
? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

Todays Story: How I got my first Death Threat ? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr October 8 th 2019 Joint work with Pascal Dupr, Gili Rusak, Giancarlo Pellegrino and Dan Boneh The

415 views • 29 slides
Explaining and Harnessing Adversarial Examples Ian J. Goodfellow, Jonathon Shlens, &amp;

Explaining and Harnessing Adversarial Examples Ian J. Goodfellow, Jonathon Shlens, &amp;

Explaining and Harnessing Adversarial Examples Ian J. Goodfellow, Jonathon Shlens, &amp; Christian Szegedy Presented by - Kawin Ethayarajh and Abhishek Tiwari Introduction - adversarial examples : Inputs formed by applying small but

1.49k views • 103 slides
Neglected topics CS 446 Adversarial examples and deep networks 1 / 23 Adversarial

Neglected topics CS 446 Adversarial examples and deep networks 1 / 23 Adversarial

Neglected topics CS 446 Adversarial examples and deep networks 1 / 23 Adversarial examples? Standard ML setup: We have training data; try to do well on withheld testing data. Adversarial/robust ML setup: We have training

672 views • 27 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security Seminar, Stanford University, 2017-01-17 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013

939 views • 44 slides
Physical Adversarial Examples Alex Kurakin Ian Goodfellow Output STOP Machine Learning

Physical Adversarial Examples Alex Kurakin Ian Goodfellow Output STOP Machine Learning

Physical Adversarial Examples Alex Kurakin Ian Goodfellow Output STOP Machine Learning Training Examples Hidden units / BICYCLE features CAR PEDESTRIA N Parameters Input ImageNet (Russakovsky et al 2015) Adversarial Examples: Images

369 views • 19 slides
On the Defense Against Adversarial Examples Beyond the Visible Spectrum Anthony Ortiz 1 , Olac

On the Defense Against Adversarial Examples Beyond the Visible Spectrum Anthony Ortiz 1 , Olac

On the Defense Against Adversarial Examples Beyond the Visible Spectrum Anthony Ortiz 1 , Olac Fuentes 1 , Dalton Rosario 2 , Christopher Kiekintveld 1 1 Department of Computer Science, UTEP 2 US Army Research Laboratory Adversarial Examples on

460 views • 19 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Guest

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Guest

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Guest lecture for CS 294-131, UC Berkeley, 2016-10-05 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013

660 views • 44 slides
Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin Kwok Standard Adversarial Examples Given image x ; target class y Maximize with projected gradient descent: Standard Adversarial Examples Standard

560 views • 15 slides
Adversarial Examples and Adversarial Training Innova&amp;ve Technology Leader program January 22

Adversarial Examples and Adversarial Training Innova&amp;ve Technology Leader program January 22

Adversarial Examples and Adversarial Training Innova&amp;ve Technology Leader program January 22 nd 2018 Florian Tramr Stanford Deep Learning is Super Smart! 2 Is it really? + . 007 = Im sure this Im certain this is a panda is

452 views • 12 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Presentation at San Francisco AI Meetup, 2016-08-18 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013

690 views • 32 slides
Transfer Learning Eu Wern Teh What are we covering? Why transfer learning? Fine

Transfer Learning Eu Wern Teh What are we covering? Why transfer learning? Fine

Transfer Learning Eu Wern Teh What are we covering? Why transfer learning? Fine Tuning: how? why? Example Practise: Ants and Bees dataset Caltech 101 dataset Why Transfer Learning? Speedup Training

584 views • 24 slides
Direct calculation of hadronic light-by-light scatering Jeremy Green Nils Asmussen, Oleksii

Direct calculation of hadronic light-by-light scatering Jeremy Green Nils Asmussen, Oleksii

Direct calculation of hadronic light-by-light scatering Jeremy Green Nils Asmussen, Oleksii Gryniuk, Georg von Hippel, Harvey Meyer, Andreas Nyffeler, Vladimir Pascalutsa Institut fr Kernphysik, Johannes Gutenberg-Universitt Mainz The 33rd

297 views • 18 slides
Hadronic contributions to 2 from latice QCD Jeremy Green NIC, DESY, Zeuthen Second annual

Hadronic contributions to 2 from latice QCD Jeremy Green NIC, DESY, Zeuthen Second annual

Hadronic contributions to 2 from latice QCD Jeremy Green NIC, DESY, Zeuthen Second annual symposium Helmholtz Programme Mater and the Universe December 1213, 2016 Outline 1. Brief overview of latice activities at DESY 2.

503 views • 29 slides
What can the IDRS and EDRS tell us about the so-called ice epidemic in Victoria? Shelley

What can the IDRS and EDRS tell us about the so-called ice epidemic in Victoria? Shelley

What can the IDRS and EDRS tell us about the so-called ice epidemic in Victoria? Shelley Cogger, Arthur Truong &amp; Paul Dietze 2014 Drug Trends Conference, Sydney, Australia Background Over 100 articles this year in Victorias

314 views • 10 slides
Electromagnetic Counterparts I M. Benacquista ICE Summer School: Gravitational Wave Astronomy

Electromagnetic Counterparts I M. Benacquista ICE Summer School: Gravitational Wave Astronomy

Electromagnetic Counterparts I M. Benacquista ICE Summer School: Gravitational Wave Astronomy July 3, 2018 What is an electromagnetic counterpart? Source of gravitational waves Source of electromagnetic waves Coincident in time

720 views • 26 slides
Strange and Charmed Mesons in Nuclear Matter and Nuclei _ Laura Tols D, K ICE, IEEC/CSIC,

Strange and Charmed Mesons in Nuclear Matter and Nuclei _ Laura Tols D, K ICE, IEEC/CSIC,

Strange and Charmed Mesons in Nuclear Matter and Nuclei _ Laura Tols D, K ICE, IEEC/CSIC, Barcelona FIAS, University of Frankfurt Understand matter under extreme conditions Pion E beam Kaon FAIR D-meson NuPECC report Strange

304 views • 19 slides
A t r i B h a t t a c h a r y a T a l k a t I n s t i t u t e O f

A t r i B h a t t a c h a r y a T a l k a t I n s t i t u t e O f

D D e e t t e e c c t t i i n n g g T T e e V V - - P P e e V V s s c c a a l l e e d d a a r r k k ma ma t t t t e e r r s s i i g g n n a a t t u u r r e e s s a a t

763 views • 38 slides
LaTeX: Not Just for Papers! Adam McKay 1 1 University of Texas Austin/McDonald Observatory October

LaTeX: Not Just for Papers! Adam McKay 1 1 University of Texas Austin/McDonald Observatory October

First Second Fin LaTeX: Not Just for Papers! Adam McKay 1 1 University of Texas Austin/McDonald Observatory October 24, 2014 - GSPS First Second Fin Outline First 1 Subsection Second 2 Subsection 2 Subsection 3 Fin 3 First Second

566 views • 19 slides

More recommend