adversarial training
play

Adversarial Training Attacks on Deep Networks and Generative - PowerPoint PPT Presentation

Oct 02, 2022 •379 likes •1.11k views

images from Geris Game (Pixar, 1997) Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem Aykut Erdem Levent Karacan Computer Vision Lab, Hacettepe University Outline Part 1: Attacks on

  1. images from Geri’s Game (Pixar, 1997) Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem � Aykut Erdem � Levent Karacan Computer Vision Lab, Hacettepe University

  2. Outline • Part 1: Attacks on Deep Networks • Part 2: Generative Adversarial Networks (GANs) 10 Minutes Break • Part 3: Image Editing with GANs 2

  3. John Carpenter’s The Thing (1982) Part 1 – Attacks on Deep Networks Erkut Erdem Computer Vision Lab, Hacettepe University

  4. Deep Convolutional Networks in 10 mins 4

  5. 1 st Era (1940’s-1960’s): Invention • Connectionism (Hebb 1940’s) : complex behaviors arise from interconnected networks of simple units • Artificial neurons (Hebb, McCulloch and Pitts 1940’s-1950’s) • Perceptron (Rosenblatt 1950’s) : Single layer with learning rule linear 
 weighting non-linear 
 1 b accumulation activation w 1 x 1 w 2 Σ S P( y = 1 | x , w , b) x 2 w D ⁞ x D 5 Slide adapted from Rob Fergus

  6. 2 nd Era (1980’s-1990’s): Multi-layered Networks • Back-propagation (Rumelhart, Hinton and Williams 1986 +others) : effective way to train multi-layered networks • Convolutional networks (LeCun et al. 1989) : architecture adapted for images (inspired by Hubel and Wiesel’s simple/complex cells) C3: f. maps 16@10x10 C1: feature maps S4: f. maps 16@5x5 INPUT 6@28x28 32x32 S2: f. maps C5: layer OUTPUT F6: layer 6@14x14 120 10 84 Gaussian connections Full connection Subsampling Subsampling Full connection Convolutions Convolutions 6 Slide adapted from Rob Fergus

  7. The Deep Learning Era (2011-present) • Big gains in performance on perceptual tasks: • Vision • Speech understanding • Natural language processing • Three ingredients: 1. Deep neural network models (supervised training) 2. Big labeled datasets 3. Fast GPU computation 7 Slide credit: Rob Fergus

  8. Powerful Hardware • Deep neural nets highly amenable to implementation on Graphics Processing Units (GPUs) • Matrix multiplication • 2D convolution • Latest generation nVidia GPUs (Pascal) deliver 10 Tflops • Faster than fastest computer in the world in 2000 • 10 million times faster than 1980’s Sun workstation 8 Slide adapted from Rob Fergus

  9. AlexNet: The Model That Changed The History • Krizhevsky, Sutskever and Hinton (2012) − 8 layer Convolutional network model [LeCun et al. 1989] − 7 hidden layers, 650,000 neurons, ~60,000,000 parameters − Trained on 1.2 million ImageNet images (with labels) − GPU implementation (50x speedup over CPU) − Training time: 1 week on pair of GPUs 9 [AlexNet by Krizhevsky et al. 2012]

  10. Supervised Learning: Image Classification “Cat” Joshua Drewe 10

  11. Supervised Learning: Image Classification “Cat” Model [parameters θ] Training: Adjust model parameters θ so predicted labels match true labels across training set Joshua Drewe 11

  12. Modern Convolutional Nets [AlexNet by Krizhevsky et al. 2012] [AlexNet by Krizhevsky et al. 2012] Excellent performance in most image Millions of parameters learned from data understanding tasks The “ meaning ” of the representation is Learn a sequence of general-purpose unclear representations 12 Slide credit: Andrea Vedaldi

  13. 
 Convolutions with Filters • Each filter acts on multiple input channels F − Convolution is local Filters look locally Σ Parameter sharing − Translation invariant x y Filters act the same everywhere 1 lattice 
 multiple 
 b structure feature channels f 1 x 1 f 2 Σ S x 2 F q Σ F q Σ f D ⁞ x D 13 Slide credit: Andrea Vedaldi

  14. Convolution • Convolution = Spatial filtering • Different filters (weights) reveal a different characteristics of the input. 1 0 0 1/8 ∗ 4 1 1 0 1 0 14

  15. Convolution • Convolution = Spatial filtering • Different filters (weights) reveal a different characteristics of the input. -1 0 0 ∗ 4 -1 -1 0 -1 0 15

  16. Convolution • Convolution = Spatial filtering • Different filters (weights) reveal a different characteristics of the input. 0 -1 1 ∗ 0 2 -2 1 0 -1 16

  17. Convolutional Layer • Multiple filters produce multiple output channels • For example, if we had 6 5x5 filters, we’ll get 6 separate activation maps: activation maps 32 28 Convolutional Layer 28 32 3 6 We stack these up to get an output of size 28x28x6. 17 Slide credit: Alex Karpathy

  18. Pooling Layer • makes the representations smaller and more manageable • operates over each activation map independently: • Max pooling, average pooling, etc. Single depth slice x 1 1 2 4 max pool with 2x2 5 6 7 8 filters and stride 2 6 8 3 2 1 0 3 4 1 2 3 4 y 18 Slide adapted from Alex Karpathy

  19. Fully Connected Layer • contains neurons that connect to the entire input volume, as in ordinary Neural Networks 19 20 Slide credit: Alex Karpathy

  20. Feature Learning • Hierarchical layer structure allows to learn hierarchical filters (features). 20 Slide credit: Yann LeCun

  21. Visualizing The Representation t-SNE visualization (van der Maaten & Hinton) • Embed high-dimensional points so that locally, pairwise distances are conserved • i.e. similar things end up in similar places. dissimilar things end up wherever • Right : Example embedding of MNIST digits (0-9) in 2D 21 Slide credit: Alex Karpathy

  22. Three Years of Progress • • • AlexNet, 8 layers • rs 3x3 conv, 64 11x11 conv, 96, /4, pool/2 GoogLeNet, VGG, 19 layers softmax2 Soft maxActivat ion • 5x5 conv, 256, pool/2 3x3 conv, 64, pool/2 22 layers FC (ILSVRC 2012) AveragePool • 7x7+ 1(V) (ILSVRC 2014) s 3x3 conv, 384 3x3 conv, 128 DepthConcat Conv Conv Conv Conv • (ILSVRC 2014) 1x1+ 1(S) 3x3+ 1(S) 5x5+ 1(S) 1x1+ 1(S) 3x3 conv, 384 3x3 conv, 128, pool/2 Conv Conv MaxPool 1x1+ 1(S) 1x1+ 1(S) 3x3+ 1(S) • DepthConcat Conv Conv Conv Conv 3x3 conv, 256, pool/2 3x3 conv, 256 softmax1 1x1+ 1(S) 3x3+ 1(S) 5x5+ 1(S) 1x1+ 1(S) Conv Conv MaxPool SoftmaxActivation 1x1+ 1(S) 1x1+ 1(S) 3x3+ 1(S) • fc, 4096 3x3 conv, 256 MaxPool FC 3x3+ 2(S) DepthConcat FC • fc, 4096 3x3 conv, 256 Conv Conv Conv Conv Conv 1x1+ 1(S) 3x3+ 1(S) 5x5+ 1(S) 1x1+ 1(S) 1x1+ 1(S) Conv Conv MaxPool AveragePool 1x1+ 1(S) 1x1+ 1(S) 3x3+ 1(S) • 5x5+ 3(V) fc, 1000 3x3 conv, 256, pool/2 DepthConcat • Conv Conv Conv Conv 1x1+ 1(S) 3x3+ 1(S) 5x5+ 1(S) 1x1+ 1(S) 3x3 conv, 512 Conv Conv MaxPool 1x1+ 1(S) 1x1+ 1(S) 3x3+ 1(S) • DepthConcat softmax0 3x3 conv, 512 Conv Conv Conv Conv • SoftmaxActivation 1x1+ 1(S) 3x3+ 1(S) 5x5+ 1(S) 1x1+ 1(S) Conv Conv MaxPool FC 1x1+ 1(S) 1x1+ 1(S) 3x3+ 1(S) 3x3 conv, 512 DepthConcat FC Conv Conv Conv Conv Conv 1x1+ 1(S) 3x3+ 1(S) 5x5+ 1(S) • 1x1+ 1(S) 1x1+ 1(S) 3x3 conv, 512, pool/2 Conv Conv MaxPool AveragePool 1x1+ 1(S) 1x1+ 1(S) 3x3+ 1(S) 5x5+ 3(V) • DepthConcat 3x3 conv, 512 Conv Conv Conv Conv 1x1+ 1(S) 3x3+ 1(S) 5x5+ 1(S) 1x1+ 1(S) • Conv Conv MaxPool 1x1+ 1(S) 1x1+ 1(S) 3x3+ 1(S) 3x3 conv, 512 • Very deep • Branching MaxPool 3x3+ 2(S) • DepthConcat 3x3 conv, 512 Conv Conv Conv Conv • 1x1+ 1(S) 3x3+ 1(S) 5x5+ 1(S) 1x1+ 1(S) p g Conv Conv MaxPool 1x1+ 1(S) 1x1+ 1(S) 3x3+ 1(S) • Simply deep • Bottleneck 3x3 conv, 512, pool/2 DepthConcat ck Conv Conv Conv Conv 1x1+ 1(S) 3x3+ 1(S) 5x5+ 1(S) 1x1+ 1(S) fc, 4096 Conv Conv MaxPool 1x1+ 1(S) 1x1+ 1(S) 3x3+ 1(S) MaxPool nnection 3x3+ 2(S) • Skip connection fc, 4096 LocalRespNorm Conv 3x3+ 1(S) fc, 1000 Conv 1x1+ 1(V) , Shaoqing Ren, & Jian S LocalRespNorm MaxPool 3x3+ 2(S) 22 Conv 7x7+ 2(S) input Image Recognition”. CVP

  23. Training Deep Neural Networks • The network is trained by stochastic gradient descent. • Backpropagation is used similarly as in a fully connected network. • Pass gradients through element-wise activation function. • We also need to pass gradients through the convolution operation and the pooling operation. 23

  24. Object Detection Networks ImageNet detection data data backbone classification detection structure network network pre-train features fine-tune R-CNN • AlexNet • Fast R-CNN • VGG-16 • Faster R-CNN • GoogleNet • MultiBox • ResNet-101 • SSD • … • … • independently independently “plug-in” “plug-in” “plug-in” developed developed detectors feature detectors features feature 24 Slide credit: Kaiming He

  25. ResNet’s Object Detection Results on COCO Kaiming He, Xiangyu Zhang, Shaoqing Ren, & Jian Sun. Deep Residual Learning for Image Recognition. CVPR 2016. Shaoqing Ren, Kaiming He, Ross Girshick, & Jian Sun. Faster R- CNN: Towards Real-Time Object Detection with Region Proposal Networks. NIPS 2015. 26 Slide credit: Kaiming He

  26. ResNet’s Object Detection Results on COCO Kaiming He, Xiangyu Zhang, Shaoqing Ren, & Jian Sun. Deep Residual Learning for Image Recognition. CVPR 2016. Shaoqing Ren, Kaiming He, Ross Girshick, & Jian Sun. Faster R- CNN: Towards Real-Time Object Detection with Region Proposal Networks. NIPS 2015. 27 Slide credit: Kaiming He *the ori

  27. Story isn't over yet! 27

  28. Story isn't over yet! … we have reached the point where ML works, but let’s see how it can be easily fooled. 28

  29. Adversarial Examples 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning Stronger Jingfeng Zhang 1 * , Xilie Xu 2* , Bo Han 34 , Gang Niu 4 , Lichen Cui 5 , Masashi Sugiyama 46 , and Mohan Kankanhalli 1 1 Department of Computer

376 views • 14 slides
Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs

Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs

Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs William Wang 10:30 11:00 Break - 11:00 12:15 Adversarial Examples Sameer Singh 12:15 12:30 Conclusions and Question Answering William

1.75k views • 105 slides
A-NICE-MC Jiaming Song 1. Motivation 2. Notations and Problem Setup 3. Adversarial Training for

A-NICE-MC Jiaming Song 1. Motivation 2. Notations and Problem Setup 3. Adversarial Training for

Adversarial Training for MCMC Shengjia Zhao Stefano Ermon March 7, 2018 Stanford University A-NICE-MC Jiaming Song 1. Motivation 2. Notations and Problem Setup 3. Adversarial Training for Markov Chains 4. Adversarial Training for MCMC 5.

851 views • 58 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google Brain CS 231n, Stanford University, 2017-05-30 Overview What are adversarial examples? Why do they happen? How can they be used to

866 views • 43 slides
Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu xiwu@cs.wisc.edu Joint work with Uyeong Jang, Jiefeng Chen, Lingjiao Chen, and Somesh Jha July 19, 2018 Xi Wu Model Confidence and Adversarial

740 views • 9 slides
Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias

Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias

Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias Hein, Bernt Schiele 2-Minute Overview Problem: Robustness to various adversarial examples. Adversarial training on L adversarial examples:

635 views • 34 slides
Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr & Dan Boneh NeurIPS 2019 Adversarial examples 88% Tabby Cat 99% Guacamole Szegedy et al., 2014 Goodfellow et al., 2015 Athalye, 2017 Adversarial

564 views • 23 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security Seminar, Stanford University, 2017-01-17 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013

939 views • 44 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Guest

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Guest

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Guest lecture for CS 294-131, UC Berkeley, 2016-10-05 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013

660 views • 44 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Presentation at San Francisco AI Meetup, 2016-08-18 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013

690 views • 32 slides
Adversarial Examples and Adversarial Training Innova&ve Technology Leader program January 22

Adversarial Examples and Adversarial Training Innova&ve Technology Leader program January 22

Adversarial Examples and Adversarial Training Innova&ve Technology Leader program January 22 nd 2018 Florian Tramr Stanford Deep Learning is Super Smart! 2 Is it really? + . 007 = Im sure this Im certain this is a panda is

452 views • 12 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Presentation at HORSE 2016 London, 2016-09-19 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013 Explaining

497 views • 22 slides
Neglected topics CS 446 Adversarial examples and deep networks 1 / 23 Adversarial

Neglected topics CS 446 Adversarial examples and deep networks 1 / 23 Adversarial

Neglected topics CS 446 Adversarial examples and deep networks 1 / 23 Adversarial examples? Standard ML setup: We have training data; try to do well on withheld testing data. Adversarial/robust ML setup: We have training

672 views • 27 slides
Adversarial Training for Weakly Supervised Event Detection Xiaozhi Wang 1 , Xu Han 1 , Zhiyuan Liu

Adversarial Training for Weakly Supervised Event Detection Xiaozhi Wang 1 , Xu Han 1 , Zhiyuan Liu

Introduction Adversarial Training Distant Supervision Semi-supervision Summary Adversarial Training for Weakly Supervised Event Detection Xiaozhi Wang 1 , Xu Han 1 , Zhiyuan Liu 1 , Maosong Sun 1 , Peng Li 2 1 Department of Computer Science and

554 views • 22 slides
Introduction to Generative Adversarial Networks Ian Goodfellow, OpenAI Research Scientist NIPS

Introduction to Generative Adversarial Networks Ian Goodfellow, OpenAI Research Scientist NIPS

Introduction to Generative Adversarial Networks Ian Goodfellow, OpenAI Research Scientist NIPS 2016 Workshop on Adversarial Training Barcelona, 2016-12-9 Adversarial Training A phrase whose usage is in flux; a new term that applies to both

792 views • 25 slides
Monge blunts Bayes: Hardness Results for Adversarial Training Zac Cranko Aditya Krishna Menon

Monge blunts Bayes: Hardness Results for Adversarial Training Zac Cranko Aditya Krishna Menon

Monge blunts Bayes: Hardness Results for Adversarial Training Zac Cranko Aditya Krishna Menon Richard Nock Cheng Soon Ong Zhan Shi Christian Walder Overview Hardness results on adversarial training. Key result applicable to a learner:

492 views • 15 slides
Seeking control in Modern Standard Arabic Tali Arad Greshler 1 , Livnat Herzig Sheinfux 1 , Nurit

Seeking control in Modern Standard Arabic Tali Arad Greshler 1 , Livnat Herzig Sheinfux 1 , Nurit

Seeking control in Modern Standard Arabic Tali Arad Greshler 1 , Livnat Herzig Sheinfux 1 , Nurit Melnik 2 and Shuly Wintner 1 1 Department of Computer Science, University of Haifa, Israel 2 Department of Literature, Language and the Arts, The

337 views • 30 slides
Convolutional Neural Networks QSB 2018: Learning and Artificial intelligence Tutorial session

Convolutional Neural Networks QSB 2018: Learning and Artificial intelligence Tutorial session

Convolutional Neural Networks QSB 2018: Learning and Artificial intelligence Tutorial session 3 Giulio Matteucci Neural network architectures for computer vision tasks Images are high dimensional ! input x where n = nx x ny x nc

1.32k views • 29 slides
THE SCAO SYSTEMS ON THE LBT Credits: E. Sacchetti LUCI 1 LUCI 2 SCAO systems 2x systems (S.

THE SCAO SYSTEMS ON THE LBT Credits: E. Sacchetti LUCI 1 LUCI 2 SCAO systems 2x systems (S.

SOUL S ingle Conjugated Adaptive O ptics U pgrade for L BT Presented by: E. Pinna 1 S. Esposito 1 , M. Xompero 1 , P. Hinz 3 , R. Briguglio 1 , G. Agapito 1 , V. Bayley 3 , C. Arcidiacono 2 , M. Montoya 3 A. Puglisi 1 , L. Fini 1 , M. Bonaglia 1 , 1

340 views • 18 slides
CK2 for the identification of CK2 binding partners Anna Nickelsen *, Joachim Jose Institute of

CK2 for the identification of CK2 binding partners Anna Nickelsen *, Joachim Jose Institute of

Photo-crosslinking of human protein kinase regulatory subunit CK2 for the identification of CK2 binding partners Anna Nickelsen *, Joachim Jose Institute of Pharmaceutical and Medicinal Chemistry, PharmaCampus, Westflische

393 views • 10 slides
Circular causality in event structures Tiziana Cimoli Dip. Matematica e Informatica, Universit`

Circular causality in event structures Tiziana Cimoli Dip. Matematica e Informatica, Universit`

Circular causality in event structures Tiziana Cimoli Dip. Matematica e Informatica, Universit` a degli Studi di Cagliari t.cimoli@unica.it (joint work with M. Bartoletti, G.M. Pinna, R. Zunino) 1 / 38 A typical transaction 1. B pays. 2. A

684 views • 47 slides
Tools for tracking impact Blog views (Wordpress) Podcast downloads Social media metrics Reviews

Tools for tracking impact Blog views (Wordpress) Podcast downloads Social media metrics Reviews

Tools for tracking impact Blog views (Wordpress) Podcast downloads Social media metrics Reviews and feedback Altmetric data Google scholar Publons Research gate Create a dissemination portfolio W W The ALiEM Social Media Index A

106 views • 8 slides
Sound Thursday, 8 December 11 CD quality 44.1 kHz, 16-bit, stereo Thursday, 8 December 11

Sound Thursday, 8 December 11 CD quality 44.1 kHz, 16-bit, stereo Thursday, 8 December 11

Sound Thursday, 8 December 11 CD quality 44.1 kHz, 16-bit, stereo Thursday, 8 December 11 Thursday, 8 December 11 Thursday, 8 December 11 Thursday, 8 December 11 Thursday, 8 December 11 Auditory spectrogram of [A] white noise; [B] a pure

569 views • 9 slides
Particle Filtering Sometimes |X| is too big to use exact inference |X| may be too big to

Particle Filtering Sometimes |X| is too big to use exact inference |X| may be too big to

Particle Filtering Sometimes |X| is too big to use exact inference |X| may be too big to even store B(X) E.g. X is continuous |X| 2 may be too big to do updates Solution: approximate inference Track samples of X, not

284 views • 27 slides

More recommend