Distillation as a Defense to Adversarial Perturbations against Deep - - PowerPoint PPT Presentation

Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks

Nicolas Papernot, Patrick McDaniel, Xi Wu, Somesh Jha, and Ananthram Swami

May 24th, 2016 @ 37th IEEE Symposium on Security and Privacy

1

@NicolasPapernot

–Johnny Appleseed

“Type a quote here.”

2

… … …

Input Layer Output Layer Hidden Layers

(e.g., convolutional, rectified linear, …)

{

p0=0.01 p1=0.93 p8=0.02 pN=0.01

M components N components Neuron Weighted Link (weight is a parameter part of )

θO …

–Johnny Appleseed

“Type a quote here.”

3

… … …

Input Layer Output Layer Hidden Layers

(e.g., convolutional, rectified linear, …)

{

p0=0.01 p1=0.02 p8=0.89 pN=0.01

M components N components Neuron Weighted Link (weight is a parameter part of )

θO …

4

Deep Learning for Classification

5

6

… … …

Input Layer Output Layer Hidden Layers

(e.g., convolutional, rectified linear, …)

{

M components N components Neuron Weighted Link (weight is a parameter part of )

θO

7

… … …

Input Layer Output Layer Hidden Layers

(e.g., convolutional, rectified linear, …)

{

M components N components Neuron Weighted Link (weight is a parameter part of )

θO

8

… … …

Input Layer Output Layer Hidden Layers

(e.g., convolutional, rectified linear, …)

{

M components N components Neuron Weighted Link (weight is a parameter part of )

θO

9

… … …

Input Layer Output Layer Hidden Layers

(e.g., convolutional, rectified linear, …)

{

M components N components Neuron Weighted Link (weight is a parameter part of )

θO

10

… … …

Input Layer Output Layer Hidden Layers

(e.g., convolutional, rectified linear, …)

{

M components N components Neuron Weighted Link (weight is a parameter part of )

θO

11

… … …

Input Layer Output Layer Hidden Layers

(e.g., convolutional, rectified linear, …)

{

M components N components Neuron Weighted Link (weight is a parameter part of )

θO

12

… … …

Input Layer Output Layer Hidden Layers

(e.g., convolutional, rectified linear, …)

{

M components N components Neuron Weighted Link (weight is a parameter part of )

θO

13

… … …

Input Layer Output Layer Hidden Layers

(e.g., convolutional, rectified linear, …)

{

M components N components Neuron Weighted Link (weight is a parameter part of )

θO

p0=0.01 p1=0.93 p8=0.02 pN=0.01

14

Audio Frame State

Phoneme

Word

Sentence Meaning

Feature Extraction Acoustic Model Decision Trees Lexicon Language Model NLP

Source: Tara N. Sainath, Google @ ICML DL Workshop 2015

Adversarial Samples

15

16

CIFAR10 Dataset

bird airplane truck automobile bird

0 1 2 3 4 5 6 7 8 9 Output classification 9 8 7 6 5 4 3 2 1 0 Input class

Adversarial strategy

17

Defending against Adversarial Perturbations

18

DNN Robustness

19

Defense Design

• Low impact on the architecture
• Maintain accuracy
• Robust in space relatively close to the legitimate

distribution

• Maintain speed of network

20

Softmax Layer and Probabilities

21

Defensive Distillation

22

Defensive Distillation

23

Defensive Distillation

24

Defensive Distillation

25

Defensive Distillation

26

Defensive Distillation

27

Defensive Distillation

28

Defensive Distillation

29

Set temperature T=1 for predictions

Intuition behind Defensive Distillation

30

Constraining Training Reducing Jacobian Amplitudes

0 if i not correct class never equal to 0

Validation

31

32

Experimental Setup

33

10 20 30 40 50 60 70 80 90 100 1 10 100 Adversarial Sample Success Rate Distillation Temperature Adversarial Samples Success Rate (MNIST) Adversarial Samples Baseline Rate (MNIST) Adversarial Samples Success Rate (CIFAR10) Adversarial Samples Baseline Rate (CIFAR10)

Impact on accuracy

34

Impact on Jacobian Amplitude

35

Estimation of Robustness

36

Conclusions

37

Take aways

• Distillation significantly reduces attack success
• Yields model smoothness
• Easy implementation, low overhead
• Acceptable impact on accuracy

38

Questions?

@NicolasPapernot nicolas@papernot.fr https://www.papernot.fr