adversarial robustness for aligned ai
play

Adversarial Robustness for Aligned AI Ian Goodfellow, Sta ff - PowerPoint PPT Presentation

Dec 14, 2023 •319 likes •626 views

Adversarial Robustness for Aligned AI Ian Goodfellow, Sta ff Research NIPS 2017 Workshop on Aligned Artificial Intelligence Many thanks to Catherine Olsson for feedback on drafts The Alignment Problem (This is now fixed. Dont try it!)

  1. Adversarial Robustness for Aligned AI Ian Goodfellow, Sta ff Research NIPS 2017 Workshop on Aligned Artificial Intelligence Many thanks to Catherine Olsson for feedback on drafts

  2. The Alignment Problem (This is now fixed. Don’t try it!) (Goodfellow 2017)

  3. Main Takeaway • My claim: if you want to use alignment as a means of guaranteeing safety, you probably need to solve the adversarial robustness problem first (Goodfellow 2017)

  4. Why the “if”? • I don’t want to imply that alignment is the only or best path to providing safety mechanisms • Some problematic aspects of alignment • Di ff erent people have di ff erent values • People can have bad values • Di ffi culty / lower probability of success. Need to model a black box, rather than a first principle (like low-impact, reversibility, etc.) • Alignment may not be necessary • People can coexist and cooperate without being fully aligned (Goodfellow 2017)

  5. Some context: many people have already been working on alignment for decades • Consider alignment to be “learning and respecting human preferences” • Object recognition is “human preferences about how to categorize images” • Sentiment analysis is “human preferences about how to categorize sentences” (Goodfellow 2017)

  6. What do we want from alignment? • Alignment is often suggested as something that is primarily a concern for RL , where an agent maximizes a reward • but we should want alignment for supervised learning too • Alignment can make better products that are more useful • Many want to rely on alignment to make systems safe • Our methods of providing alignment are not (yet?) reliable enough to be used for this purpose (Goodfellow 2017)

  7. Improving RL with human input • Much work focuses on making RL more like supervised learning • Reward based on a model of human preferences • Human demonstrations • Human feedback • This can be good for RL capabilities • The original AlphaGo bootstrapped from observing human games • OpenAI’s “Learning from Human Feedback” shows successful learning to backflip • This makes RL more like supervised learning and makes it work , but does it make it robust ? (Goodfellow 2017)

  8. Adversarial Examples Timeline: “Adversarial Classification” Dalvi et al 2004: fool spam filter “Evasion Attacks Against Machine Learning at Test Time” Biggio 2013: fool neural nets Szegedy et al 2013: fool ImageNet classifiers imperceptibly Goodfellow et al 2014: cheap, closed form attack (Goodfellow 2017)

  9. Maximizing model’s estimate of human preference for input to be categorized as “airplane” (Goodfellow 2017)

  10. Sampling: an easier task? • Absolutely maximizing human satisfaction might to be too hard. What about sampling from the set of things humans have liked before? • Even though this problem is easier, it’s still notoriously di ffi cult (GANs and other generative models) • GANs have a trick to get more data • Start with a small set of data that the human likes • Generate millions of examples and assume that the human dislikes them all (Goodfellow 2017)

  11. Spectrally Normalized GANs Welsh Springer Spaniel Palace Pizza (Miyato et al., 2017) This is better than the adversarial panda, but still not a satisfying safety mechanism. (Goodfellow 2017)

  12. Progressive GAN has learned that humans think cats are furry animals accompanied by floating symbols (Karras et al, 2017) (Goodfellow 2017)

  13. Confidence • Many proposals for achieving aligned behavior rely on accurate estimates of an agents’ confidence, or rely on the agent having low confidence in some scenarios (e.g. Hadfield-Menell et al 2017) • Unfortunately, adversarial examples often have much higher confidence than naturally occurring, correctly processed examples (Goodfellow 2017)

  14. Adversarial Examples for RL (Huang et al., 2017) (Goodfellow 2017)

  15. Summary so Far • High level strategies will fail if low-level building blocks are not robust • Reward maximizing places low-level building blocks under exactly the same situation as adversarial attack • Current ML systems fail frequently and gracelessly under adversarial attack; have higher confidence when wrong (Goodfellow 2017)

  16. What are we doing about it? • Two recent techniques for achieving adversarial robustness: • Thermometer codes • Ensemble adversarial training • A long road ahead (Goodfellow 2017)

  17. Thermometer Encoding: One Hot Way to Resist Adversarial Examples Aurko Roy* Colin Ra ff el Jacob Ian Buckman* Goodfellow *joint first author

  18. Linear Extrapolation Vulnerabilities 4 2 0 − 2 − 4 − 10 . 0 − 7 . 5 − 5 . 0 − 2 . 5 0 . 0 2 . 5 5 . 0 7 . 5 10 . 0 (Goodfellow 2017)

  19. Neural nets are “too linear” Argument to softmax Plot from “Explaining and Harnessing Adversarial Examples”, Goodfellow et al, 2014 (Goodfellow 2017)

  20. (Goodfellow 2017)

  21. (Goodfellow 2017)

  22. Large improvements on SVHN direct (“white box”) attacks 5 years ago, this would have been SOTA on clean data (Goodfellow 2017)

  23. Large Improvements against CIFAR-10 direct (“white box”) attacks 6 years ago, this would have been SOTA on clean data (Goodfellow 2017)

  24. Ensemble Adversarial Training Florian Alexey Nicolas Ian Tramèr Kurakin Papernot Goodfellow Patrick Dan Boneh McDaniel

  25. Cross-model, cross-dataset generalization (Goodfellow 2017)

  26. Ensemble Adversarial Training (Goodfellow 2017)

  27. Transfer Attacks Against Inception ResNet v2 on ImageNet (Goodfellow 2017)

  28. Competition Best defense so far on ImageNet: Ensemble adversarial training. Used as at least part of all top 10 entries in dev round 3 (Goodfellow 2017)

  29. Future Work • Adversarial examples in the max-norm ball are not the real problem • For alignment: formulate the problem in terms of inputs that reward-maximizers will visit • Verification methods • Develop a theory of what kinds of robustness are possible • See “Adversarial Spheres” (Gilmer et al 2017) for some arguments that it may not be feasible to build su ffi ciently accurate models (Goodfellow 2017)

  30. Get involved! https://github.com/tensorflow/cleverhans (Goodfellow 2017)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu xiwu@cs.wisc.edu Joint work with Uyeong Jang, Jiefeng Chen, Lingjiao Chen, and Somesh Jha July 19, 2018 Xi Wu Model Confidence and Adversarial

740 views • 9 slides
Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr & Dan Boneh NeurIPS 2019 Adversarial examples 88% Tabby Cat 99% Guacamole Szegedy et al., 2014 Goodfellow et al., 2015 Athalye, 2017 Adversarial

564 views • 23 slides
Adversarial Domain Adaptation and Adversarial Robustness Judy Hoffman + = Big Deep success

Adversarial Domain Adaptation and Adversarial Robustness Judy Hoffman + = Big Deep success

Adversarial Domain Adaptation and Adversarial Robustness Judy Hoffman + = Big Deep success data learning Benchmark Performance 100 95 Accuracy 90 85 Millions of Images 80 Deep models 75 Challenge to recognize 1000

1.2k views • 60 slides
Improving Adversarial Robustness via Promoting Ensemble Diversity Tianyu

Improving Adversarial Robustness via Promoting Ensemble Diversity Tianyu

Improving Adversarial Robustness via Promoting Ensemble Diversity Tianyu Pang, Kun Xu, Chao Du, Ning Chen and Jun Zhu Department of Computer Science and Technology Tsinghua University TSAIL ICML | 2019 Adversarial

864 views • 14 slides
Adversarial Approaches to Bayesian Learning and Bayesian Approaches to Adversarial Robustness

Adversarial Approaches to Bayesian Learning and Bayesian Approaches to Adversarial Robustness

Adversarial Approaches to Bayesian Learning and Bayesian Approaches to Adversarial Robustness Ian Goodfellow, OpenAI Research Scientist NIPS 2016 Workshop on Bayesian Deep Learning Barcelona, 2016-12-10 Speculation on Three Topics Can we

769 views • 21 slides
Limits on Robustness to Adversarial Examples Elvis Dohmatob Criteo AI Lab October 2, 2019 Elvis

Limits on Robustness to Adversarial Examples Elvis Dohmatob Criteo AI Lab October 2, 2019 Elvis

Preliminaries on adversarial robustness Classifier-dependent lower bounds Universal lower bounds Limits on Robustness to Adversarial Examples Elvis Dohmatob Criteo AI Lab October 2, 2019 Elvis Dohmatob Limits on Robustness to Adversarial

763 views • 74 slides
Adversarial Robustness for Code Pavol Bielik , Martin Vechev pavol.bielik@inf.ethz.ch,

Adversarial Robustness for Code Pavol Bielik , Martin Vechev pavol.bielik@inf.ethz.ch,

ICML 2020 Adversarial Robustness for Code Pavol Bielik , Martin Vechev pavol.bielik@inf.ethz.ch, martin.vechev@inf.ethz.ch Department of Computer Science 1 Adversarial Robustness panda gibbon Vision + = Explaining and Harnessing

429 views • 32 slides
Certified Adversarial Robustness via Randomized Smoothing Jeremy Cohen Elan Rosenfeld

Certified Adversarial Robustness via Randomized Smoothing Jeremy Cohen Elan Rosenfeld

Certified Adversarial Robustness via Randomized Smoothing Jeremy Cohen Elan Rosenfeld Zico Kolter Carnegie Mellon University Introduction We study a certified adversarial defense in " norm which scales to ImageNet

1.5k views • 12 slides
On the Connection Between Adversarial Robustness and Saliency Map Interpretability Christian

On the Connection Between Adversarial Robustness and Saliency Map Interpretability Christian

On the Connection Between Adversarial Robustness and Saliency Map Interpretability Christian Etmann , 1 , 3 , Sebastian Lunz , 2 , Peter Maass 1 , Carola-Bibiane Sch onlieb 2 13th June, 2019 1: ZeTeM, University of Bremen, 2: Cambridge

673 views • 19 slides
Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann

Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann

Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann Department of Informatics Technical University of Munich 28.10.2019 Adversarial Robustness of Machine Learning Models for Graphs S. Gnnemann Can you

669 views • 27 slides
ON THE ADVERSARIAL ROBUSTNESS OF UNCERTAINTY AWARE DEEP NEURAL NETWORKS APRIL 29 TH , 2019

ON THE ADVERSARIAL ROBUSTNESS OF UNCERTAINTY AWARE DEEP NEURAL NETWORKS APRIL 29 TH , 2019

ON THE ADVERSARIAL ROBUSTNESS OF UNCERTAINTY AWARE DEEP NEURAL NETWORKS APRIL 29 TH , 2019 PREPARED BY: ALI HARAKEH QUESTION Can a neural network mitigate the effects of adversarial attacks by estimating the uncertainty in its predictions ?

1.14k views • 26 slides
Adversarial Robustness: Theory and Practice Zico Kolter Aleksander Mdry madry-lab.ml

Adversarial Robustness: Theory and Practice Zico Kolter Aleksander Mdry madry-lab.ml

Adversarial Robustness: Theory and Practice Zico Kolter Aleksander Mdry madry-lab.ml Tutorial website: @zicokolter @aleks_madry adversarial-ml-tutorial.org Machine Learning: The Success Story Image classification Reinforcement Learning

528 views • 49 slides
Toward Adversarial Robustness by Diversity in an Ensemble of Specialized Deep Neural Networks

Toward Adversarial Robustness by Diversity in an Ensemble of Specialized Deep Neural Networks

Toward Adversarial Robustness by Diversity in an Ensemble of Specialized Deep Neural Networks presented at Canadian AI 2020 Mahdieh Abbasi 1 , Arezoo Rajabi 2 , Christian Gagn 1,3 , and Rakesh B. Bobba 2 1. IID, Universit Laval, Qubec,

728 views • 20 slides
Certified Robustness to Adversarial Examples with Di ff erential Privacy Mathias Lcuyer,

Certified Robustness to Adversarial Examples with Di ff erential Privacy Mathias Lcuyer,

Certified Robustness to Adversarial Examples with Di ff erential Privacy Mathias Lcuyer, Vaggelis Atlidakis, Roxana Geambasu, Daniel Hsu, Suman Jana Columbia University Code: https://github.com/columbia/pixeldp Contact:

680 views • 48 slides
Benchmarking Adversarial Robustness on Image Classification Yinpeng Dong, Qi-An Fu, Xiao Yang,

Benchmarking Adversarial Robustness on Image Classification Yinpeng Dong, Qi-An Fu, Xiao Yang,

Benchmarking Adversarial Robustness on Image Classification Yinpeng Dong, Qi-An Fu, Xiao Yang, Tianyu Pang, Zihao Xiao, Hang Su, Jun Zhu Dept. of Comp. Sci. and Tech., BNRist Center, Institute for AI, THBI Lab, Tsinghua University, Beijing,

417 views • 6 slides
Scalable Differential Privacy with Certified Robustness in Adversarial Learning NhatHai Phan 1 ,

Scalable Differential Privacy with Certified Robustness in Adversarial Learning NhatHai Phan 1 ,

The 37th International Conference on Machine Learning (ICML20), Jul 12 th - 18 th , 2020. Scalable Differential Privacy with Certified Robustness in Adversarial Learning NhatHai Phan 1 , My T. Thai 2 , Han Hu 1 , Ruoming Jin 3 , Tong Sun 4 ,

860 views • 23 slides
Slides from: Elena Tsiporkova What is Special about Time Series Data? Gene expression time series

Slides from: Elena Tsiporkova What is Special about Time Series Data? Gene expression time series

Dynamic Time Warping Algorithm Slides from: Elena Tsiporkova What is Special about Time Series Data? Gene expression time series are expected to vary not only in terms of expression amplitudes, but also in terms of time progression since

305 views • 13 slides
Differential Slicing: Identifying Causal Execution Differences for Security Applications Noah M.

Differential Slicing: Identifying Causal Execution Differences for Security Applications Noah M.

2011 IEEE Symposium on Security and Privacy Differential Slicing: Identifying Causal Execution Differences for Security Applications Noah M. Johnson 1 , Juan Caballero 2 , Kevin Zhijie Chen 1 , Stephen McCamant 1 , Pongsin Poosankam 1, 3 , Daniel

1.16k views • 23 slides
Statistical Machine Translation Overview p EM algorithm Lecture 3 Improved word alignment

Statistical Machine Translation Overview p EM algorithm Lecture 3 Improved word alignment

Statistical modeling Statistical Machine Translation Lecture 3: Word Alignment and Phrase Models p Statistical Machine Translation Overview p EM algorithm Lecture 3 Improved word alignment Word Alignment and Phrase Models

456 views • 8 slides
Statistical NLP Spring 2011 Lecture 8: Word Alignment Dan Klein UC Berkeley Phrase-Based

Statistical NLP Spring 2011 Lecture 8: Word Alignment Dan Klein UC Berkeley Phrase-Based

Statistical NLP Spring 2011 Lecture 8: Word Alignment Dan Klein UC Berkeley Phrase-Based Systems cat ||| chat ||| 0.9 the cat ||| le chat ||| 0.8 dog ||| chien ||| 0.8 house ||| maison ||| 0.6 my house ||| ma maison ||| 0.9 language

519 views • 15 slides
Algorithms in Bioinformatics: A Practical Introduction Multiple Sequence Alignment Multiple

Algorithms in Bioinformatics: A Practical Introduction Multiple Sequence Alignment Multiple

Algorithms in Bioinformatics: A Practical Introduction Multiple Sequence Alignment Multiple Sequence Alignment Given k sequences S = { S 1 , S 2 , , S k } . A multiple alignment of S is a set of k equal- length sequences { S 1 ,

652 views • 47 slides
RTCP Extension For Time Alignment draft-taylor-avt-time-align-00.txt Tom Taylor et al IETF 66

RTCP Extension For Time Alignment draft-taylor-avt-time-align-00.txt Tom Taylor et al IETF 66

RTCP Extension For Time Alignment draft-taylor-avt-time-align-00.txt Tom Taylor et al IETF 66 Draft Contents Statement of problem and requirements Definition of a time alignment feedback message Time alignment procedures Sender

611 views • 6 slides
Aims of Session Understand the concept of constructive alignment Identify the benefits

Aims of Session Understand the concept of constructive alignment Identify the benefits

Aims of Session Understand the concept of constructive alignment Identify the benefits of constructive alignment Consider examples of how constructive alignment can enhance the learning and teaching environment Constructive

518 views • 14 slides
Binary Foreground Map Evaluation Deng-Ping Fan Nankai University of Media Computing Lab

Binary Foreground Map Evaluation Deng-Ping Fan Nankai University of Media Computing Lab

Enhanced-alignment Measure for Binary Foreground Map Evaluation Deng-Ping Fan Nankai University of Media Computing Lab IJCAI2018 Oral Presentation http://dpfan.net/e-measure Outline Overview of Binary Foreground Maps Previous Work

1.01k views • 66 slides

More recommend