adversarial robustness for code
play

Adversarial Robustness for Code Pavol Bielik , Martin Vechev - PowerPoint PPT Presentation

Feb 21, 2023 •108 likes •429 views

ICML 2020 Adversarial Robustness for Code Pavol Bielik , Martin Vechev pavol.bielik@inf.ethz.ch, martin.vechev@inf.ethz.ch Department of Computer Science 1 Adversarial Robustness panda gibbon Vision + = Explaining and Harnessing

  1. ICML 2020 Adversarial Robustness for Code Pavol Bielik , Martin Vechev pavol.bielik@inf.ethz.ch, martin.vechev@inf.ethz.ch Department of Computer Science 1

  2. Adversarial Robustness panda gibbon Vision + = Explaining and Harnessing Adversarial Examples. Goodfellow et. al. ICLR’15 + = Sound noise Audio Adversarial Examples: Targeted Attacks on Speech-to-Text. Carlini et. al. ICML’18 workshop 2

  3. Adversarial Robustness for Code panda gibbon Vision + = Explaining and Harnessing Adversarial Examples. Goodfellow et. al. ICLR’15 + = Sound noise Audio Adversarial Examples: Targeted Attacks on Speech-to-Text. Carlini et. al. ICML’18 workshop code Code + = refactoring 3

  4. Deep Learning + Code Bug Detection Loop Invariants Bug Repair Code Classification Code Search Type Inference Neural Decompilation Code Captioning Code Completion Variable Naming Program Translation 2016 2017 2018 2019 Prior Works 90% Accuracy 4

  5. Adversarial Robustness for Code Bug Detection Loop Invariants Bug Repair Code Classification Code Search Type Inference Neural Decompilation Code Captioning Code Completion Variable Naming Program Translation 2016 2017 2018 2019 Prior Works 90% ? Accuracy Robustness 5

  6. Adversarial Robustness for Code Bug Detection Loop Invariants Bug Repair Code Classification Code Search Type Inference Neural Decompilation Code Captioning Code Completion Variable Naming Program Translation 2016 2017 2018 2019 Prior Works This Work 90% 4%-50% 88% 84% Accuracy Robustness Accuracy Robustness 6

  7. Adversarial Robustness Example (Type Inference) Model Program Properties Input Program f( x ) → y y x ... ... v num = parseInt num ( v = parseInt( hex str .substr str (1), hex.substr(1), radix num radix ) ) ... ... Goal (Adversarially Robustness): Model is correct for all label preserving program transformations ... ... ... ... v = parseInt( v = parseInt( v = parseInt( parseInt( color .substr(1), hex.substr( 42 ), hex.substr(1), hex.substr(1), radix radix radix + 0 radix ) ) ) ) ... ... ... ... 7 variable renaming constant replacement semantic equivalence remove assignment

  8. Our Work: Three Key Techniques ... Allows model v = parseInt( not to make hex abs .substr abs (1), radix abs a prediction ) if uncertain ... Abstain 1 8

  9. Our Work: Three Key Techniques ... ... 𝜀 = hex → color v num = parseInt num ( v = parseInt( 54% 54% hex abs .substr abs (1), color .substr(1), radix abs radix robustness robustness ) ) ... ... Abstain Adversarial 1 2 Training 9

  10. Our Work: Three Key Techniques ... ... 𝜀 = hex → color v num = parseInt num ( 𝛽 ( x + 𝜀 ) v = parseInt( parseInt num ( hex abs .substr abs (1), color .substr(1), _, radix abs radix _ ) ) ) ... ... Abstain Adversarial Representation 1 2 3 Training Learning 10

  11. Our Work: Three Key Techniques ... ... 𝜀 = hex → color v num = parseInt num ( 𝛽 ( x + 𝜀 ) v = parseInt( parseInt num ( 84% hex abs .substr abs (1), color .substr(1), _, radix abs radix _ robustness ) ) ) ... ... Abstain Adversarial Representation 1 2 3 Training Learning 11

  12. Our Work: Three Key Techniques ... ... v = parseInt num ( 𝜀 = hex → color v num = parseInt num ( 𝛽 ( x + 𝜀 ) parseInt num ( hex abs .substr abs (1), color .substr(1), _, radix abs radix _ ) ) ) ... ... Abstain Adversarial Representation 1 2 3 Training Learning Refinement 4 12

  13. Learning to Abstain Abstains Model should be y 1 y 2 only Robust = + Model should be both abstain Robust and Accurate Predict Class input x i Leads to a simpler Property prediction optimization problem problem is undecidable 13

  14. Learning to Abstain Main Insight Combine Robustness + Learning to Abstain = + Model should be both Deep Gamblers: Learning to Abstain with Portfolio Theory. How to Abstain? abstain Robust and Accurate Liu et. al. NeurIPS’19 Predict Class input x i Leads to a simpler Property prediction optimization problem problem is undecidable 14

  15. Our Work: Three Key Techniques y 1 y 2 ... ... v = parseInt num ( 𝜀 = hex → color v num = parseInt num ( 𝛽 ( x + 𝜀 ) parseInt num ( hex abs .substr abs (1), color .substr(1), _, radix abs radix _ ) ) ) ... ... abstain Abstain Adversarial Representation 1 2 3 Training Learning Learned Jointly Refinement 4 15

  16. Adversarial Training measures the model performance ground-truth label Standard training min loss ( 𝜄 , x , y ) Adversarial training min [max loss ( 𝜄 , x + 𝜀 , y )] 𝜀 ∊ S(x) Label preserving program transformations Define the space S of Solve the inner 2 1 max loss efficiently program transformations 16

  17. Label Preserving Program Transformations Word Substitution Constants, Binary Operators, ... x + 𝜀 tensors + 𝜀 7 42 very fast radix + offset radix - offset Word Renaming Rename Variables, Parameters, Fields, Method Names, ... x + 𝜀 tensors + 𝜀 + analysis def getID() {...} def get_id () {...} fast client.Name client. name Sequence Substitution Adding Dead Code, Reordering Statements, ... x + 𝜀 tensors → code + 𝜀 + analysis → tensors a = get_id() b = 42 slow b = 42 a = get_id() 17

  18. Adversarial Training measures the model performance ground-truth label Standard training min loss ( 𝜄 , x , y ) Adversarial training min [max loss ( 𝜄 , x + 𝜀 , y )] 𝜀 ∊ S(x) Label preserving program transformations Define the space S of Solve the inner 2 1 max loss efficiently program transformations 18

  19. Solving the Inner max loss Efficiently Gradient Based Optimization Limitations 𝜄 ← 𝜄 - ∇ loss ( 𝜄 , x + 𝜀 , y ) 54% 54% 𝜀 ∊ S(x) standard adversarial decision boundary same or worse robustness Discrete and Highly structured S(x) disruptive changes and large programs x + 𝜀 hard optimization problem no structural transformations Adversarial Examples for Models of Code. Yefet et. al. ArXiv’20 19

  20. Solving the Inner max loss Efficiently Gradient Based Optimization Refine S min [max loss ( 𝜄 , x + 𝜀 , y )] 𝜄 ← 𝜄 - ∇ loss ( 𝜄 , x + 𝜀 , y ) 𝜀 ∊ S(x) 𝜀 ∊ S( 𝛽 ( x)) ... v = parseInt( parseInt( color .substr(1), _, radix _ ) ) ... S(x) S( 𝛽 (x)) x + 𝜀 learned representation 20

  21. Solving the Inner max loss Efficiently Gradient Based Optimization Refine S min [max loss ( 𝜄 , x + 𝜀 , y )] 𝜄 ← 𝜄 - ∇ loss ( 𝜄 , x + 𝜀 , y ) 𝜀 ∊ S(x) 𝜀 ∊ S( 𝛽 ( x)) ... v = parseInt( parseInt( color .substr(1), _, radix _ ) ) ... S(x) S( 𝛽 (x)) x + 𝜀 reduces the search space leads to an easier optimization 21

  22. Solving the Inner max loss Efficiently Gradient Based Optimization Refine S min [max loss ( 𝜄 , x + 𝜀 , y )] 𝜄 ← 𝜄 - ∇ loss ( 𝜄 , x + 𝜀 , y ) 𝜀 ∊ S(x) 𝜀 ∊ S( 𝛽 ( x)) ... orthogonal to gradient optimization v = parseInt( parseInt( color .substr(1), _, radix _ supports all transformations ) ) ... S(x) S( 𝛽 (x)) x + 𝜀 reduces the search space leads to an easier optimization 22

  23. Our Work: Three Key Techniques y 1 y 2 ... ... v = parseInt num ( 𝜀 = hex → color v num = parseInt num ( 𝛽 ( x + 𝜀 ) parseInt num ( hex abs .substr abs (1), color .substr(1), _, radix abs radix _ ) ) ) ... ... abstain Abstain Adversarial Representation 1 2 3 Training Learning Learned Jointly Refinement 4 23

  24. Representation Learning = = v + v + v = x + 7 x 7 x 7 nodes attributes 𝛽 : G = 〈 V , E , 𝜊 〉 〈 V , E , 𝜊 〉 → 〈 V , E’ ⊆ E , 𝜊 〉 edges Programs as Graphs Define Refinement 1 2 Learning to Represent Programs with Graphs. Remove Graph Edges Allamanis et. al. ICLR’18 Generative Code Modeling with Graphs. Brockschmidt et. al. ICLR’19 24

  25. Representation Learning All decisions = = are made locally v + v + v = x + 7 x 7 x 7 nodes attributes 𝛽 : G = 〈 V , E , 𝜊 〉 〈 V , E , 𝜊 〉 → 〈 V , E’ ⊆ E , 𝜊 〉 edges Programs as Graphs Define Refinement 1 2 Learning to Represent Programs with Graphs. Remove Graph Edges Allamanis et. al. ICLR’18 Generative Code Modeling with Graphs. Brockschmidt et. al. ICLR’19 25

  26. Representation Learning = = arg min ∑ | 𝛽 ( x )| ( x, y ) ∈ 𝛽 v + v + subject to loss ( 𝜄 , x , y ) ≈ loss ( 𝜄 , 𝛽 ( x ), y ) v = x + 7 x 7 x 7 nodes attributes 𝛽 : G = 〈 V , E , 𝜊 〉 〈 V , E , 𝜊 〉 → 〈 V , E’ ⊆ E , 𝜊 〉 edges Programs as Graphs Define Refinement Optimize 𝛽 1 2 3 Learning to Represent Programs with Graphs. Remove Graph Edges Minimize Graph Size Allamanis et. al. ICLR’18 Generative Code Modeling with Graphs. Brockschmidt et. al. ICLR’19 26

  27. Our Work: Three Key Techniques y 1 y 2 ... ... v = parseInt num ( 𝜀 = hex → color v num = parseInt num ( 𝛽 ( x + 𝜀 ) parseInt num ( hex abs .substr abs (1), color .substr(1), _, radix abs radix _ ) ) ) ... ... abstain Abstain Adversarial Representation 1 2 3 Training Learning Learned Jointly Refinement 4 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu xiwu@cs.wisc.edu Joint work with Uyeong Jang, Jiefeng Chen, Lingjiao Chen, and Somesh Jha July 19, 2018 Xi Wu Model Confidence and Adversarial

740 views • 9 slides
Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr & Dan Boneh NeurIPS 2019 Adversarial examples 88% Tabby Cat 99% Guacamole Szegedy et al., 2014 Goodfellow et al., 2015 Athalye, 2017 Adversarial

564 views • 23 slides
Certified Robustness to Adversarial Examples with Di ff erential Privacy Mathias Lcuyer,

Certified Robustness to Adversarial Examples with Di ff erential Privacy Mathias Lcuyer,

Certified Robustness to Adversarial Examples with Di ff erential Privacy Mathias Lcuyer, Vaggelis Atlidakis, Roxana Geambasu, Daniel Hsu, Suman Jana Columbia University Code: https://github.com/columbia/pixeldp Contact:

680 views • 48 slides
Adversarial Domain Adaptation and Adversarial Robustness Judy Hoffman + = Big Deep success

Adversarial Domain Adaptation and Adversarial Robustness Judy Hoffman + = Big Deep success

Adversarial Domain Adaptation and Adversarial Robustness Judy Hoffman + = Big Deep success data learning Benchmark Performance 100 95 Accuracy 90 85 Millions of Images 80 Deep models 75 Challenge to recognize 1000

1.2k views • 60 slides
Improving Adversarial Robustness via Promoting Ensemble Diversity Tianyu

Improving Adversarial Robustness via Promoting Ensemble Diversity Tianyu

Improving Adversarial Robustness via Promoting Ensemble Diversity Tianyu Pang, Kun Xu, Chao Du, Ning Chen and Jun Zhu Department of Computer Science and Technology Tsinghua University TSAIL ICML | 2019 Adversarial

864 views • 14 slides
Adversarial Approaches to Bayesian Learning and Bayesian Approaches to Adversarial Robustness

Adversarial Approaches to Bayesian Learning and Bayesian Approaches to Adversarial Robustness

Adversarial Approaches to Bayesian Learning and Bayesian Approaches to Adversarial Robustness Ian Goodfellow, OpenAI Research Scientist NIPS 2016 Workshop on Bayesian Deep Learning Barcelona, 2016-12-10 Speculation on Three Topics Can we

769 views • 21 slides
Limits on Robustness to Adversarial Examples Elvis Dohmatob Criteo AI Lab October 2, 2019 Elvis

Limits on Robustness to Adversarial Examples Elvis Dohmatob Criteo AI Lab October 2, 2019 Elvis

Preliminaries on adversarial robustness Classifier-dependent lower bounds Universal lower bounds Limits on Robustness to Adversarial Examples Elvis Dohmatob Criteo AI Lab October 2, 2019 Elvis Dohmatob Limits on Robustness to Adversarial

763 views • 74 slides
Certified Adversarial Robustness via Randomized Smoothing Jeremy Cohen Elan Rosenfeld

Certified Adversarial Robustness via Randomized Smoothing Jeremy Cohen Elan Rosenfeld

Certified Adversarial Robustness via Randomized Smoothing Jeremy Cohen Elan Rosenfeld Zico Kolter Carnegie Mellon University Introduction We study a certified adversarial defense in " norm which scales to ImageNet

1.5k views • 12 slides
On the Connection Between Adversarial Robustness and Saliency Map Interpretability Christian

On the Connection Between Adversarial Robustness and Saliency Map Interpretability Christian

On the Connection Between Adversarial Robustness and Saliency Map Interpretability Christian Etmann , 1 , 3 , Sebastian Lunz , 2 , Peter Maass 1 , Carola-Bibiane Sch onlieb 2 13th June, 2019 1: ZeTeM, University of Bremen, 2: Cambridge

673 views • 19 slides
Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann

Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann

Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann Department of Informatics Technical University of Munich 28.10.2019 Adversarial Robustness of Machine Learning Models for Graphs S. Gnnemann Can you

669 views • 27 slides
ON THE ADVERSARIAL ROBUSTNESS OF UNCERTAINTY AWARE DEEP NEURAL NETWORKS APRIL 29 TH , 2019

ON THE ADVERSARIAL ROBUSTNESS OF UNCERTAINTY AWARE DEEP NEURAL NETWORKS APRIL 29 TH , 2019

ON THE ADVERSARIAL ROBUSTNESS OF UNCERTAINTY AWARE DEEP NEURAL NETWORKS APRIL 29 TH , 2019 PREPARED BY: ALI HARAKEH QUESTION Can a neural network mitigate the effects of adversarial attacks by estimating the uncertainty in its predictions ?

1.14k views • 26 slides
Adversarial Robustness: Theory and Practice Zico Kolter Aleksander Mdry madry-lab.ml

Adversarial Robustness: Theory and Practice Zico Kolter Aleksander Mdry madry-lab.ml

Adversarial Robustness: Theory and Practice Zico Kolter Aleksander Mdry madry-lab.ml Tutorial website: @zicokolter @aleks_madry adversarial-ml-tutorial.org Machine Learning: The Success Story Image classification Reinforcement Learning

528 views • 49 slides
Toward Adversarial Robustness by Diversity in an Ensemble of Specialized Deep Neural Networks

Toward Adversarial Robustness by Diversity in an Ensemble of Specialized Deep Neural Networks

Toward Adversarial Robustness by Diversity in an Ensemble of Specialized Deep Neural Networks presented at Canadian AI 2020 Mahdieh Abbasi 1 , Arezoo Rajabi 2 , Christian Gagn 1,3 , and Rakesh B. Bobba 2 1. IID, Universit Laval, Qubec,

728 views • 20 slides
Adversarial Robustness for Aligned AI Ian Goodfellow, Sta ff Research NIPS 2017 Workshop on

Adversarial Robustness for Aligned AI Ian Goodfellow, Sta ff Research NIPS 2017 Workshop on

Adversarial Robustness for Aligned AI Ian Goodfellow, Sta ff Research NIPS 2017 Workshop on Aligned Artificial Intelligence Many thanks to Catherine Olsson for feedback on drafts The Alignment Problem (This is now fixed. Dont try it!)

626 views • 30 slides
Benchmarking Adversarial Robustness on Image Classification Yinpeng Dong, Qi-An Fu, Xiao Yang,

Benchmarking Adversarial Robustness on Image Classification Yinpeng Dong, Qi-An Fu, Xiao Yang,

Benchmarking Adversarial Robustness on Image Classification Yinpeng Dong, Qi-An Fu, Xiao Yang, Tianyu Pang, Zihao Xiao, Hang Su, Jun Zhu Dept. of Comp. Sci. and Tech., BNRist Center, Institute for AI, THBI Lab, Tsinghua University, Beijing,

417 views • 6 slides
Scalable Differential Privacy with Certified Robustness in Adversarial Learning NhatHai Phan 1 ,

Scalable Differential Privacy with Certified Robustness in Adversarial Learning NhatHai Phan 1 ,

The 37th International Conference on Machine Learning (ICML20), Jul 12 th - 18 th , 2020. Scalable Differential Privacy with Certified Robustness in Adversarial Learning NhatHai Phan 1 , My T. Thai 2 , Han Hu 1 , Ruoming Jin 3 , Tong Sun 4 ,

860 views • 23 slides
Amassing and indexing a large sample of version control systems: towards the census of public

Amassing and indexing a large sample of version control systems: towards the census of public

Amassing and indexing a large sample of version control systems: towards the census of public source code history Audris Mockus audris@avaya.com Avaya Labs Research Basking Ridge, NJ 07920 http://mockus.org/ Why global properties of code?

559 views • 11 slides
Inject Security into Source Code How 2018 Will Shift Your Security Priorities Panelists F a

Inject Security into Source Code How 2018 Will Shift Your Security Priorities Panelists F a

Inject Security into Source Code How 2018 Will Shift Your Security Priorities Panelists F a rsha d Ab a si, CT O Mira i Se c urity Ja c e k Ma te rna , CT O Asse mb la Je ff Ro use , Dir. Pro duc t Ma na g e me nt Ac tive Sta te Wher e

772 views • 50 slides
Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian Cojocar, Kaveh Razavi, Cristiano Giuffrida, Herbert Bos Rowhammer (RH) causes bits to flip Exploit to escalate privilege [Seaborn 15]

437 views • 41 slides
Code review for Beginners and Experts: Tips & Tricks ukasz K kol Who am I?

Code review for Beginners and Experts: Tips & Tricks ukasz K kol Who am I?

Code review for Beginners and Experts: Tips & Tricks ukasz K kol Who am I? Software Engineer Technical Team Leader Author of "Idiomatic Python Performance" (Apress) Speaker @ EuroPython, PyCon UK, PySS &

320 views • 15 slides
FALCON: AN OPTIMIZING JAVA JIT Philip Reames Azul Systems AGENDA Intro to Falcon Why

FALCON: AN OPTIMIZING JAVA JIT Philip Reames Azul Systems AGENDA Intro to Falcon Why

FALCON: AN OPTIMIZING JAVA JIT Philip Reames Azul Systems AGENDA Intro to Falcon Why you should use LLVM to build a JIT Common Objections (and why theyre mostly wrong) 2 WHAT IS FALCON? Falcon is an LLVM based

1.01k views • 66 slides
Mining Source Code Repositories at Massive Scale using Language Modeling Miltos Allamanis,

Mining Source Code Repositories at Massive Scale using Language Modeling Miltos Allamanis,

Mining Source Code Repositories at Massive Scale using Language Modeling Miltos Allamanis, Charles Sutton m.allamanis@ed.ac.uk csutton@inf.ed.ac.uk University of Edinburgh Supported by: Polyglot programmers Multitude of APIs &

2.69k views • 22 slides
Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks Keaton Mowery (UC

Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks Keaton Mowery (UC

Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks Keaton Mowery (UC San Diego) Sarah Meiklejohn (UC San Diego) Stefan Savage (UC San Diego) 1 Code-based access control 2 Code-based access control 2 Code-based

1.2k views • 102 slides
TODAYS PROGRAM: Career Development Steve, ~ 25 min Theme: Capitalize on your

TODAYS PROGRAM: Career Development Steve, ~ 25 min Theme: Capitalize on your

@SDFLIES #BGSORIENTATION TODAYS PROGRAM: Career Development Steve, ~ 25 min Theme: Capitalize on your Skills & Traits. Time Management Julie Blendy, ~ 30 min Theme: Organize; setting boundaries. Student

734 views • 28 slides

More recommend