exploring the landscape of spa5al robustness
play

Exploring the Landscape of Spa5al Robustness Logan Engstrom (with - PowerPoint PPT Presentation

Sep 13, 2023 •145 likes •604 views

Exploring the Landscape of Spa5al Robustness Logan Engstrom (with Brandon Tran*, Dimitris Tsipras*, Ludwig Schmidt, Aleksander Mdry) madry-lab.ml ML Glitch: Adversarial Examples ML Glitch: Adversarial Examples pig small,

  1. Exploring the Landscape of Spa5al Robustness Logan Engstrom (with Brandon Tran*, Dimitris Tsipras*, Ludwig Schmidt, Aleksander Mądry) madry-lab.ml

  2. ML “Glitch”: Adversarial Examples

  3. ML “Glitch”: Adversarial Examples “pig” small, nonrandom noise “airliner”

  4. ML “Glitch”: Adversarial Examples “pig” small, non-random noise “airliner”

  5. ML “Glitch”: Adversarial Examples “pig” small, non-random noise “airliner”

  6. ML “Glitch”: Adversarial Examples “pig” small , non-random noise “airliner” What does small mean here?

  7. ML “Glitch”: Adversarial Examples “pig” small , non-random noise “airliner” What does small mean here? Traditionally: perturbations that have small l_p norm

  8. ML “Glitch”: Adversarial Examples “pig” small , non-random noise “airliner” What does small mean here? Traditionally: perturbations that have small l_p norm Do small l_p norms capture every sense of “small”?

  9. Spa5al Perturba5ons

  10. Spa5al Perturba5ons

  11. Spa5al Perturba5ons rotation up to 30°

  12. Spa5al Perturba5ons rotation up to 30° x, y translations up to ~10%

  13. Spa5al Perturba5ons rotation up to 30° x, y translations up to ~10% These are not small l_p perturbations!

  14. Spa5al Perturba5ons rotation up to 30° x, y translations up to ~10% These are not small l_p perturbations! How robust are models to spatial perturbations?

  15. Spa5al Robustness

  16. Spa5al Robustness Spoiler: models are not robust

  17. Spa5al Robustness Spoiler: models are not robust

  18. Spa5al Robustness Spoiler: models are not robust Can we train more spatially robust classifiers?

  19. Spa5al Defenses

  20. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18]

  21. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18] Key question : how to find worst-case translations, rotations?

  22. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18] Key question : how to find worst-case translations, rotations? Attempt #1: first-order methods

  23. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18] Key question : how to find worst-case translations, rotations? Attempt #1: first-order methods

  24. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18] Key question : how to find worst-case translations, rotations? Attempt #1: first-order methods

  25. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18] Key question : how to find worst-case translations, rotations? Attempt #1: first-order methods

  26. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18] Key question : how to find worst-case translations, rotations? Attempt #1: first-order methods Attempt #2: exhaustive search

  27. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18] Key question : how to find worst-case translations, rotations? Attempt #1: first-order methods Attempt #2: exhaustive search Exhaustive search is feasible, and a strong adversary! (discretize translations and rotations, try every combination)

  28. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18] Key question : how to find worst-case translations, rotations? Attempt #1: first-order methods Attempt #2: exhaustive search Exhaustive search is feasible, and a strong adversary! (discretize translations and rotations, try every combination)

  29. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18] Key question : how to find worst-case translations, rotations? Attempt #1: first-order methods Attempt #2: exhaustive search Exhaustive search is feasible, and a strong adversary! (discretize translations and rotations, try every combination) Train only on “worst” transformed input (highest loss)

  30. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18] Key question : how to find worst-case translations, rotations? Attempt #1: first-order methods Attempt #2: exhaustive search Exhaustive search is feasible, and a strong adversary! (discretize translations and rotations, try every combination) (we approximate via 10 random samples to quicken training)

  31. Spa5al Defenses With robust optimization:

  32. Spa5al Defenses With robust optimization: CIFAR classifier accuracy: 3% adversarial to 71% adversarial

  33. Spa5al Defenses With robust optimization: CIFAR classifier accuracy: 3% adversarial to 71% adversarial (compare to 93% standard accuracy)

  34. Spa5al Defenses With robust optimization: CIFAR classifier accuracy: 3% adversarial to 71% adversarial (compare to 93% standard accuracy) ImageNet classifier accuracy: 31% adversarial to 53% adversarial

  35. Spa5al Defenses With robust optimization: CIFAR classifier accuracy: 3% adversarial to 71% adversarial (compare to 93% standard accuracy) ImageNet classifier accuracy: 31% adversarial to 53% adversarial (compare to 76% standard accuracy)

  36. Spa5al Defenses With robust optimization: (+10 sample majority vote) CIFAR classifier accuracy: 3% adversarial to 71% adversarial (compare to 93% standard accuracy) ImageNet classifier accuracy: 31% adversarial to 53% adversarial (compare to 76% standard accuracy)

  37. Spa5al Defenses With robust optimization: 82% (+10 sample majority vote) CIFAR classifier accuracy: 3% adversarial to 71% adversarial (compare to 93% standard accuracy) ImageNet classifier accuracy: 31% adversarial to 53% adversarial (compare to 76% standard accuracy)

  38. Spa5al Defenses With robust optimization: 82% (+10 sample majority vote) CIFAR classifier accuracy: 3% adversarial to 71% adversarial (compare to 93% standard accuracy) 56% ImageNet classifier accuracy: 31% adversarial to 53% adversarial (compare to 76% standard accuracy)

  39. Spa5al Defenses With robust optimization: 82% (+10 sample majority vote) CIFAR classifier accuracy: 3% adversarial to 71% adversarial (compare to 93% standard accuracy) 56% ImageNet classifier accuracy: 31% adversarial to 53% adversarial (compare to 76% standard accuracy) Still significant room for improvement!

  40. Conclusions

  41. Conclusions Robust models need more refined notions of similarity

  42. Conclusions Robust models need more refined notions of similarity We do not have true spatial robustness

  43. Conclusions Robust models need more refined notions of similarity We do not have true spatial robustness Intuitions from l_p robustness do not transfer

  44. Conclusions Robust models need more refined notions of similarity We do not have true spatial robustness Intuitions from l_p robustness do not transfer Come to our poster! Pacific Ballroom #142

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Beyond the Pixels: Exploring the Effect of Video File Corruptions on Model Robustness Trenton

Beyond the Pixels: Exploring the Effect of Video File Corruptions on Model Robustness Trenton

Beyond the Pixels: Exploring the Effect of Video File Corruptions on Model Robustness Trenton Chang Daniel Y. Fu Yixuan Li Christopher R Stanford University Workshop on Adversarial Robustness in the Real World, ECCV 2020

280 views • 13 slides
Todays Energy Landscape: Exploring economic environmental and Exploring economic,

Todays Energy Landscape: Exploring economic environmental and Exploring economic,

Todays Energy Landscape: Exploring economic environmental and Exploring economic, environmental and technological trends October 11, 2010 Presentation to the PJM Board Sue Tierney Managing Principal Managing Principal BOSTON CHICAGO

522 views • 35 slides
Function and Robustness of Gene Regulatory Network: Toward the Landscape Picture of Evolution

Function and Robustness of Gene Regulatory Network: Toward the Landscape Picture of Evolution

Function and Robustness of Gene Regulatory Network: Toward the Landscape Picture of Evolution Macoto Kikuchi (Collaborators: S. Nagata and T. Kaneko) 2019/3/7 Contents Motivation 1 Gene

984 views • 57 slides
Conjectures from Quantum Gravity - Exploring the Landscape inside the Swampland - Florian Wolf

Conjectures from Quantum Gravity - Exploring the Landscape inside the Swampland - Florian Wolf

Conjectures from Quantum Gravity - Exploring the Landscape inside the Swampland - Florian Wolf Young Scientists Workshop at Castle Ringberg on July 19, 2017 Swampland vs. Landscape High energy, more dimensions, Quantum Gravity e.g. String

481 views • 33 slides
Exploring the Potential Energy Landscape of Materials: from defected crystals to metallic glasses

Exploring the Potential Energy Landscape of Materials: from defected crystals to metallic glasses

Exploring the Potential Energy Landscape of Materials: from defected crystals to metallic glasses David RODNEY SIMAP, INP Grenoble, FRANCE What is the Potential Energy Landscape (PEL)? Configuration R = 1 , 2 , , a point

997 views • 25 slides
Robustness? Robustness ? Robustness?

Robustness? Robustness ? Robustness?

Robustness? Robustness ? Robustness? Thomas Mandl

245 views • 5 slides
Where Are We? Lecture 9 Robustness through Training 1 Robustness Explicit Handling of Noise

Where Are We? Lecture 9 Robustness through Training 1 Robustness Explicit Handling of Noise

Where Are We? Lecture 9 Robustness through Training 1 Robustness Explicit Handling of Noise and Channel Variations 2 Michael Picheny, Bhuvana Ramabhadran, Stanley F. Chen Robustness via Adaptation 3 IBM T.J. Watson Research Center

256 views • 22 slides
Exploring the National Landscape of Behavioral Screening in US Schools Findings from the NEEDs 2

Exploring the National Landscape of Behavioral Screening in US Schools Findings from the NEEDs 2

Exploring the National Landscape of Behavioral Screening in US Schools Findings from the NEEDs 2 project Funded by the Institute of Education Sciences (R305A140543) Symposium presented at the 2019 NASP Convention Feb. 26, 2019

724 views • 53 slides
Exploring Majorana landscape J.J. Gmez-Cadenas Instituto de Fsica Corpuscular (CSIC &

Exploring Majorana landscape J.J. Gmez-Cadenas Instituto de Fsica Corpuscular (CSIC &

Exploring Majorana landscape J.J. Gmez-Cadenas Instituto de Fsica Corpuscular (CSIC & UVEG) Florence, July, 2012 mircoles 11 de julio de 12 Double beta decay 10 Atomic Mass Difference (MeV) 136 I 8 136 Pr - 6 + /EC

1.07k views • 37 slides
Exploring and optimizing the Dutch Research Data Landscape DTL Partner Advisory Committee 28

Exploring and optimizing the Dutch Research Data Landscape DTL Partner Advisory Committee 28

Exploring and optimizing the Dutch Research Data Landscape DTL Partner Advisory Committee 28 May 2020 By Melle de Vries (Royal Netherlands Academy of Arts and Sciences, project manager for this NPOS-project) National Program for Open

568 views • 10 slides
UCSD Robustness Summer School David Donoho 20190812 David Donoho UCSD Robustness Summer School

UCSD Robustness Summer School David Donoho 20190812 David Donoho UCSD Robustness Summer School

What is Statistics? What is Statistical Research? Paradigm Shifts in Statistics How did Robustness in Statistics Emerge? What has Robustness in Statistics delivered? What has Robustness in Statistics to do with CS? UCSD Robustness

721 views • 26 slides
Robustness and Generalization Huan Xu The University of Texas at Austin Department of Electrical

Robustness and Generalization Huan Xu The University of Texas at Austin Department of Electrical

Robustness and Generalization Huan Xu The University of Texas at Austin Department of Electrical and Computer Engineering COLT, June 29, 2010 Joint work with Shie Mannor What is Robustness? What is Robustness? What is Robustness?

571 views • 53 slides
Being on the Beach Being on the Beach Exploring Sensomotoric Awareness Exploring Sensomotoric

Being on the Beach Being on the Beach Exploring Sensomotoric Awareness Exploring Sensomotoric

Being on the Beach Being on the Beach Exploring Sensomotoric Awareness Exploring Sensomotoric Awareness in a Landscape in a Landscape Aesth/Ethics in Environmental Change Aesth/Ethics in Environmental Change Hiddensee, 24-28 May 2010

407 views • 30 slides
Robustness and SMC Adam Pechner Overview What is Robustness and why do we care? Different

Robustness and SMC Adam Pechner Overview What is Robustness and why do we care? Different

Robustness and SMC Adam Pechner Overview What is Robustness and why do we care? Different types of Robust Control Techniques Sliding Mode Control (SMC) Definition and Benefits Drawbacks and Requirements Applications of SMC

538 views • 40 slides
Exploring Drupal 8 FrontEnd Landscape through Polymer ~Saket & Piyuesh Drupalcon New Orleans

Exploring Drupal 8 FrontEnd Landscape through Polymer ~Saket & Piyuesh Drupalcon New Orleans

Exploring Drupal 8 FrontEnd Landscape through Polymer ~Saket & Piyuesh Drupalcon New Orleans History of Web Drupalcon New Orleans Front End World - We have a plethora of tools, frameworks, languages, abstractions etc. Drupalcon New

772 views • 44 slides
EXPLORING THE MEDICAID REFORM LANDSCAPE Kathleen Nolan FEDERAL DIRECTION AND VISION 2017-18

EXPLORING THE MEDICAID REFORM LANDSCAPE Kathleen Nolan FEDERAL DIRECTION AND VISION 2017-18

W W W . H E A L T H M A N A G E M E N T . C O M EXPLORING THE MEDICAID REFORM LANDSCAPE Kathleen Nolan FEDERAL DIRECTION AND VISION 2017-18 2017 + Transition has been long and rocky + Congressional debate ruled in

347 views • 9 slides
Quaternary ammonium sophorolipids as renewable based antimicrobial products E.I.P. Delbeke 1 ,

Quaternary ammonium sophorolipids as renewable based antimicrobial products E.I.P. Delbeke 1 ,

Quaternary ammonium sophorolipids as renewable based antimicrobial products E.I.P. Delbeke 1 , B.I. Roman 1 , S.L.K.W. Roelants 2,3 , I.N.A. Van Bogaert 2 , G.B. Marin 4 , K.M. Van Geem 4 and C.V. Stevens 1, * 1 SynBioC, Department of Sustainable

1.43k views • 17 slides
Mitosis & Meiosis Practice Questions www.njctl.org Slide 3 / 68 1 Identify two differences

Mitosis & Meiosis Practice Questions www.njctl.org Slide 3 / 68 1 Identify two differences

Slide 1 / 68 New Jersey Center for Teaching and Learning Progressive Science Initiative This material is made freely available at www.njctl.org and is intended for the non-commercial use of students and teachers. These materials may not be

491 views • 23 slides
The Legitimacy of professional conduct Analysis of practitioner-specific Peer Review

The Legitimacy of professional conduct Analysis of practitioner-specific Peer Review

What is peer review? Collection and organization of information pertaining to the competence and The Legitimacy of professional conduct Analysis of practitioner-specific Peer Review information by individuals (peers) from the

347 views • 7 slides
Be Beha havi vior Adv Advantage: Building legally defensible & & clinically sound b

Be Beha havi vior Adv Advantage: Building legally defensible & & clinically sound b

Be Beha havi vior Adv Advantage: Building legally defensible & & clinically sound b beh ehavi vior r support s t systems Presented by Aaron Stabel, BCBA Behavior Advantage We know w what w works! 1. Positive behavior

632 views • 22 slides
BLOG: Probabilistic Models with Unknown Objects Milch et. al. 2005 574 Presentation - Brian

BLOG: Probabilistic Models with Unknown Objects Milch et. al. 2005 574 Presentation - Brian

BLOG: Probabilistic Models with Unknown Objects Milch et. al. 2005 574 Presentation - Brian Ferris Overview Introduction Motivating Examples BLOG: Bayesian Logic Syntax and Semantics Inference Introduction Existing

569 views • 21 slides
DANIEL M. ROY UNIVERSITY OF CAMBRIDGE Joint work with Nate Ackerman (Harvard) Jeremy Avigad (CMU)

DANIEL M. ROY UNIVERSITY OF CAMBRIDGE Joint work with Nate Ackerman (Harvard) Jeremy Avigad (CMU)

Exchangeable graphs, conditional independence, and computably-measurable samplers DANIEL M. ROY UNIVERSITY OF CAMBRIDGE Joint work with Nate Ackerman (Harvard) Jeremy Avigad (CMU) Cameron Freer (MIT) Jason Rute (U of HawaiiManoa)

477 views • 19 slides
12. Principles of Parameter Estimation The purpose of this lecture is to illustrate the usefulness

12. Principles of Parameter Estimation The purpose of this lecture is to illustrate the usefulness

12. Principles of Parameter Estimation The purpose of this lecture is to illustrate the usefulness of the various concepts introduced and studied in earlier lectures to practical problems of interest. In this context, consider the problem of

354 views • 19 slides
Introduction to Survey Statistics Day 2 Sampling and Weighting Federico Vegetti Central

Introduction to Survey Statistics Day 2 Sampling and Weighting Federico Vegetti Central

Introduction to Survey Statistics Day 2 Sampling and Weighting Federico Vegetti Central European University University of Heidelberg 1 / 32 Sources of error in surveys Figure 1: From Groves et al. (2009) 2 / 32 Representation error

679 views • 32 slides

More recommend