distillation as a defense to adversarial perturbations
play

Distillation as a Defense to Adversarial Perturbations against Deep - PowerPoint PPT Presentation

Apr 20, 2023 •966 likes •1.38k views

Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks Nicolas Papernot , Patrick McDaniel, Xi Wu, Somesh Jha, and Ananthram Swami May 24th, 2016 @ 37th IEEE Symposium on Security and Privacy @NicolasPapernot 1 M

  1. Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks Nicolas Papernot , Patrick McDaniel, Xi Wu, Somesh Jha, and Ananthram Swami May 24th, 2016 @ 37th IEEE Symposium on Security and Privacy @NicolasPapernot 1

  2. M components N components p0=0.01 … p1=0.93 “Type a quote here.” … … … p8=0.02 { pN=0.01 –Johnny Appleseed Input Layer Hidden Layers Output Layer (e.g., convolutional, rectified linear, …) Neuron Weighted Link (weight is a parameter part of ) θ O 2

  3. M components N components p0=0.01 … p1=0.02 “Type a quote here.” … … … p8=0.89 { pN=0.01 –Johnny Appleseed Input Layer Hidden Layers Output Layer (e.g., convolutional, rectified linear, …) Neuron Weighted Link (weight is a parameter part of ) θ O 3

  4. 4

  5. Deep Learning for Classification 5

  6. M components N components … … … { Hidden Layers Input Layer Output Layer (e.g., convolutional, rectified linear, …) Neuron Weighted Link (weight is a parameter part of ) θ O 6

  7. M components N components … … … { Hidden Layers Input Layer Output Layer (e.g., convolutional, rectified linear, …) Neuron Weighted Link (weight is a parameter part of ) θ O 7

  8. M components N components … … … { Hidden Layers Input Layer Output Layer (e.g., convolutional, rectified linear, …) Neuron Weighted Link (weight is a parameter part of ) θ O 8

  9. M components N components … … … { Hidden Layers Input Layer Output Layer (e.g., convolutional, rectified linear, …) Neuron Weighted Link (weight is a parameter part of ) θ O 9

  10. M components N components … … … { Hidden Layers Input Layer Output Layer (e.g., convolutional, rectified linear, …) Neuron Weighted Link (weight is a parameter part of ) θ O 10

  11. M components N components … … … { Hidden Layers Input Layer Output Layer (e.g., convolutional, rectified linear, …) Neuron Weighted Link (weight is a parameter part of ) θ O 11

  12. M components N components … … … { Hidden Layers Input Layer Output Layer (e.g., convolutional, rectified linear, …) Neuron Weighted Link (weight is a parameter part of ) θ O 12

  13. M components N components p0=0.01 p1=0.93 … … … p8=0.02 pN=0.01 { Hidden Layers Input Layer Output Layer (e.g., convolutional, rectified linear, …) Neuron Weighted Link (weight is a parameter part of ) θ O 13

  14. Language Model Meaning Decision Trees Sentence Word Feature Extraction Phoneme NLP State Frame Lexicon Audio Acoustic Model Source: Tara N. Sainath, Google @ ICML DL Workshop 2015 14

  15. Adversarial Samples 15

  16. Output classification 0 1 2 3 4 5 6 7 8 9 CIFAR10 Dataset 9 8 7 6 5 4 3 2 1 0 truck automobile bird airplane bird Input class 16

  17. Adversarial strategy 17

  18. Defending against Adversarial Perturbations 18

  19. DNN Robustness 19

  20. Defense Design • Low impact on the architecture • Maintain accuracy • Robust in space relatively close to the legitimate distribution • Maintain speed of network 20

  21. Softmax Layer and Probabilities 21

  22. Defensive Distillation 22

  23. Defensive Distillation 23

  24. Defensive Distillation 24

  25. Defensive Distillation 25

  26. Defensive Distillation 26

  27. Defensive Distillation 27

  28. Defensive Distillation 28

  29. Defensive Distillation Set temperature T=1 for predictions 29

  30. Intuition behind Defensive Distillation Constraining Training Reducing Jacobian Amplitudes 0 if i not correct class never equal to 0 30

  31. Validation 31

  32. Experimental Setup 32

  33. Adversarial Samples Success Rate (MNIST) Adversarial Samples Baseline Rate (MNIST) Adversarial Samples Success Rate (CIFAR10) Adversarial Samples Baseline Rate (CIFAR10) 100 90 Adversarial Sample Success Rate 80 70 60 50 40 30 20 10 0 1 10 100 Distillation Temperature 33

  34. Impact on accuracy 34

  35. Impact on Jacobian Amplitude 35

  36. Estimation of Robustness 36

  37. Conclusions 37

  38. Take aways • Distillation significantly reduces attack success • Yields model smoothness • Easy implementation, low overhead • Acceptable impact on accuracy 38

  39. Questions? https://www.papernot.fr nicolas@papernot.fr @NicolasPapernot

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On Evaluation of Adversarial Perturbations for Sequence-to-Sequence Models Paul Michel, Xian Li,

On Evaluation of Adversarial Perturbations for Sequence-to-Sequence Models Paul Michel, Xian Li,

On Evaluation of Adversarial Perturbations for Sequence-to-Sequence Models Paul Michel, Xian Li, Graham Neubig, Juan Pino Adversarial Attacks/Perturbations Apply a small (indistinguishable) perturbation to the input that elicit large

908 views • 75 slides
Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr & Dan Boneh NeurIPS 2019 Adversarial examples 88% Tabby Cat 99% Guacamole Szegedy et al., 2014 Goodfellow et al., 2015 Athalye, 2017 Adversarial

564 views • 23 slides
Fundamental Tradeoffs between Invariance and Sensitivity to Adversarial Perturbations Florian

Fundamental Tradeoffs between Invariance and Sensitivity to Adversarial Perturbations Florian

Fundamental Tradeoffs between Invariance and Sensitivity to Adversarial Perturbations Florian Tramr Jens Behrmann Nicholas Carlini Nicolas Papernot Jrn-Henrik Jacobsen What are Adversarial Examples? any input to a ML model that is

1.13k views • 16 slides
Learning Universal Adversarial Perturbations with Generative Models Jamie Hayes & George

Learning Universal Adversarial Perturbations with Generative Models Jamie Hayes & George

Learning Universal Adversarial Perturbations with Generative Models Jamie Hayes & George Danezis UCL Adversarial examples transfer between different models. An adversarial example crafted against one model will generally fool other models.

515 views • 18 slides
Defense Against Adversarial Images using Web-Scale Nearest-Neighbor Search Abhimanyu Dubey,

Defense Against Adversarial Images using Web-Scale Nearest-Neighbor Search Abhimanyu Dubey,

Defense Against Adversarial Images using Web-Scale Nearest-Neighbor Search Abhimanyu Dubey, Laurens van der Maaten, I. Zeki Yalniz, Yixuan Li and Dhruv Mahajan Adversarial Images adversarial swan pelican perturbation

457 views • 8 slides
Adversarial Perturbations of Opinion Dynamics in Networks Jason Gaitonde (Cornell University)

Adversarial Perturbations of Opinion Dynamics in Networks Jason Gaitonde (Cornell University)

Adversarial Perturbations of Opinion Dynamics in Networks Jason Gaitonde (Cornell University) EC 2020 Joint work with Jon Kleinberg (Cornell) and va Tardos (Cornell) Problem Setup Peoples opinions evolve via their interactions with

519 views • 4 slides
Towards Attack-Agnostic Defense for 2D and 3D Recognition Hao Su Workshop on Adversarial Machine

Towards Attack-Agnostic Defense for 2D and 3D Recognition Hao Su Workshop on Adversarial Machine

Towards Attack-Agnostic Defense for 2D and 3D Recognition Hao Su Workshop on Adversarial Machine Learning in Real-World Computer Vision Systems Long Beach, CA, USA 1 Outline Background and Motivation Project-based Defense Mechanism

760 views • 72 slides
On the Defense Against Adversarial Examples Beyond the Visible Spectrum Anthony Ortiz 1 , Olac

On the Defense Against Adversarial Examples Beyond the Visible Spectrum Anthony Ortiz 1 , Olac

On the Defense Against Adversarial Examples Beyond the Visible Spectrum Anthony Ortiz 1 , Olac Fuentes 1 , Dalton Rosario 2 , Christopher Kiekintveld 1 1 Department of Computer Science, UTEP 2 US Army Research Laboratory Adversarial Examples on

460 views • 19 slides
Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin Kwok Adversarial examples Adversarial examples Imperceptible perturbations to an input can change a neural network's prediction adversarial

1.06k views • 23 slides
Mag Net A Two-Pronged Defense against Adversarial Examples Dongyu Meng Hao Chen ShanghaiTech

Mag Net A Two-Pronged Defense against Adversarial Examples Dongyu Meng Hao Chen ShanghaiTech

Mag Net A Two-Pronged Defense against Adversarial Examples Dongyu Meng Hao Chen ShanghaiTech University, China University of California, Davis, USA Neural networks in real-life applications user authentication autonomous

599 views • 30 slides
Defense Against the Dark Arts: An overview of adversarial example security research and future

Defense Against the Dark Arts: An overview of adversarial example security research and future

Defense Against the Dark Arts: An overview of adversarial example security research and future research directions Ian Goodfellow, Sta ff Research Scientist, Google Brain 1st IEEE Deep Learning and Security Workshop, May 24, 2018 This document

726 views • 36 slides
Kevin Roth*, Yannic Kilcher *, Thomas Hofmann ETH Zrich 2 6 # r e t s o p Log-Odds

Kevin Roth*, Yannic Kilcher *, Thomas Hofmann ETH Zrich 2 6 # r e t s o p Log-Odds

Kevin Roth*, Yannic Kilcher *, Thomas Hofmann ETH Zrich 2 6 # r e t s o p Log-Odds & Adversarial Examples Log-Odds & Adversarial Examples Adversarial examples cause atypically large feature space perturbations along the

238 views • 21 slides
Effective Topic Distillation Effective Topic Distillation with Key Resource Pre- -selection

Effective Topic Distillation Effective Topic Distillation with Key Resource Pre- -selection

Effective Topic Distillation Effective Topic Distillation with Key Resource Pre- -selection selection with Key Resource Pre Yiqun Liu, Min Zhang and Shaoping Ma State Key Lab of Intelligent Tech. & Sys. Tsinghua University, Beijing,

266 views • 22 slides
Distillation. Optimal operation using simple control structures Sigurd Skogestad, NTNU, Trondheim

Distillation. Optimal operation using simple control structures Sigurd Skogestad, NTNU, Trondheim

Distillation. Optimal operation using simple control structures Sigurd Skogestad, NTNU, Trondheim EFCE Working Group on Separations, Gteborg, Sweden, June 2019 Distillation is part of the future 1. Its a myth that distillation is bad in

652 views • 53 slides
Certified Adversarial Robustness via Randomized Smoothing Jeremy Cohen Elan Rosenfeld

Certified Adversarial Robustness via Randomized Smoothing Jeremy Cohen Elan Rosenfeld

Certified Adversarial Robustness via Randomized Smoothing Jeremy Cohen Elan Rosenfeld Zico Kolter Carnegie Mellon University Introduction We study a certified adversarial defense in " norm which scales to ImageNet

1.5k views • 12 slides
CVPR 2020 Universal Adversarial Attacks Image agnostic and transferable across networks

CVPR 2020 Universal Adversarial Attacks Image agnostic and transferable across networks

1 1,4 2,3 2 3 4 1 CVPR 2020 Universal Adversarial Attacks Image agnostic and transferable across networks Adversarial No defense: Baseline DNN perturbation Input image Classification Feature extraction dense Perturbed image

592 views • 6 slides
Linking Emissions Trading Systems: Paving the way toward a low-carbon future Damien MEADOWS

Linking Emissions Trading Systems: Paving the way toward a low-carbon future Damien MEADOWS

Linking Emissions Trading Systems: Paving the way toward a low-carbon future Damien MEADOWS Directorate General for Climate Action European Commission 15 November 2017 Context of carbon pricing post-Paris Paris Agreement created momentum

304 views • 6 slides
Deep Prolog: End-to-end Differentiable Proving in Knowledge Bases Tim Rockt aschel University

Deep Prolog: End-to-end Differentiable Proving in Knowledge Bases Tim Rockt aschel University

Deep Prolog: End-to-end Differentiable Proving in Knowledge Bases Tim Rockt aschel University College London Computer Science 2nd Conference on Artificial Intelligence and Theorem Proving 26th of March 2017 Overview Machine Learning

714 views • 40 slides
10703 Deep Reinforcement Learning Policy Gradient Methods Tom Mitchell October 1, 2018 Reading:

10703 Deep Reinforcement Learning Policy Gradient Methods Tom Mitchell October 1, 2018 Reading:

10703 Deep Reinforcement Learning Policy Gradient Methods Tom Mitchell October 1, 2018 Reading: Barto & Sutton, Chapter 13 Used Materials Much of the material and slides for this lecture were taken from Chapter 13 of Barto & Sutton

586 views • 35 slides
Thomas Garnier SkyRecon Systems Recon 2008 05/23/2008 Overview Introduction LPC

Thomas Garnier SkyRecon Systems Recon 2008 05/23/2008 Overview Introduction LPC

Windows privilege escalation Thomas Garnier SkyRecon Systems Recon 2008 05/23/2008 Overview Introduction LPC interface details MS08-002: LSASS privilege escalation Demo: LSASS exploitation Protection against LPC privilege

681 views • 46 slides
Relational Deep Learning: A Deep Latent Variable Model for Link Prediction Hao Wang, Xingjian

Relational Deep Learning: A Deep Latent Variable Model for Link Prediction Hao Wang, Xingjian

Relational Deep Learning: A Deep Latent Variable Model for Link Prediction Hao Wang, Xingjian Shi, Dit-Yan Yeung Motivation Bayesian Deep Learning Relational Deep Learning Parameter Learning Experiments Conclusion

577 views • 40 slides
Deep-Learning: Unsupervised Generative models Deep Belief Networks Deep Stacked AutoEncoders

Deep-Learning: Unsupervised Generative models Deep Belief Networks Deep Stacked AutoEncoders

Deep-Learning: Unsupervised Generative models Deep Belief Networks Deep Stacked AutoEncoders Generative Adversarial Networks Pr. Fabien MOUTARDE Center for Robotics MINES ParisTech PSL Universit Paris Fabien.Moutarde@mines-paristech.fr

777 views • 23 slides
Introduction to Deep Models Part I: Classifiers and Generative Networks Nick Winovich Department

Introduction to Deep Models Part I: Classifiers and Generative Networks Nick Winovich Department

TensorFlow Workshop 2018 Introduction to Deep Models Part I: Classifiers and Generative Networks Nick Winovich Department of Mathematics Purdue University July 2018 SIAM@Purdue 2018 - Nick Winovich Introduction to Deep Models : Part I

554 views • 28 slides
Splines and imaging: From compressed sensing to deep neural nets Michael Unser Biomedical

Splines and imaging: From compressed sensing to deep neural nets Michael Unser Biomedical

Splines and imaging: From compressed sensing to deep neural nets Michael Unser Biomedical Imaging Group EPFL, Lausanne, Switzerland Plenary talk: Int. Conf. Signal Processing and Communications (SPCOM20), IISc Bangalore, July 20-23, 2020

661 views • 22 slides

More recommend