SLIDE 1
Exploring the Landscape
- f Spa5al Robustness
Logan Engstrom
(with Brandon Tran*, Dimitris Tsipras*, Ludwig Schmidt, Aleksander Mądry) madry-lab.ml
Exploring the Landscape of Spa5al Robustness Logan Engstrom (with - - PowerPoint PPT Presentation
Exploring the Landscape of Spa5al Robustness Logan Engstrom (with - - PowerPoint PPT Presentation
Exploring the Landscape of Spa5al Robustness Logan Engstrom (with Brandon Tran*, Dimitris Tsipras*, Ludwig Schmidt, Aleksander Mdry) madry-lab.ml ML Glitch: Adversarial Examples ML Glitch: Adversarial Examples pig small,
SLIDE 2
SLIDE 3
“pig” “airliner” small, nonrandom noise
ML “Glitch”: Adversarial Examples
SLIDE 4
“pig” “airliner” small, non-random noise
ML “Glitch”: Adversarial Examples
SLIDE 5
“pig” “airliner” small, non-random noise
ML “Glitch”: Adversarial Examples
SLIDE 6
“pig” “airliner” small, non-random noise
What does small mean here?
ML “Glitch”: Adversarial Examples
SLIDE 7
“pig” “airliner” small, non-random noise
What does small mean here?
Traditionally: perturbations that have small l_p norm
ML “Glitch”: Adversarial Examples
SLIDE 8
“pig” “airliner” small, non-random noise
What does small mean here?
Traditionally: perturbations that have small l_p norm Do small l_p norms capture every sense of “small”?
ML “Glitch”: Adversarial Examples
SLIDE 9
Spa5al Perturba5ons
SLIDE 10
Spa5al Perturba5ons
SLIDE 11
Spa5al Perturba5ons
rotation up to 30°
SLIDE 12
Spa5al Perturba5ons
rotation up to 30° x, y translations up to ~10%
SLIDE 13
Spa5al Perturba5ons
rotation up to 30° x, y translations up to ~10%
These are not small l_p perturbations!
SLIDE 14
Spa5al Perturba5ons
rotation up to 30° x, y translations up to ~10%
How robust are models to spatial perturbations? These are not small l_p perturbations!
SLIDE 15
Spa5al Robustness
SLIDE 16
Spa5al Robustness
Spoiler: models are not robust
SLIDE 17
Spa5al Robustness
Spoiler: models are not robust
SLIDE 18
Spa5al Robustness
Spoiler: models are not robust Can we train more spatially robust classifiers?
SLIDE 19
Spa5al Defenses
SLIDE 20
Spa5al Defenses
Lesson from l_p robustness: use robust optimization
[Goodfellow et al ‘15 ][Madry et al ’18]
(= train on worst-case perturbed inputs)
SLIDE 21
Spa5al Defenses
Lesson from l_p robustness: use robust optimization
[Goodfellow et al ‘15 ][Madry et al ’18]
(= train on worst-case perturbed inputs)
Key question: how to find worst-case translations, rotations?
SLIDE 22
Attempt #1: first-order methods
Spa5al Defenses
Lesson from l_p robustness: use robust optimization
[Goodfellow et al ‘15 ][Madry et al ’18]
(= train on worst-case perturbed inputs)
Key question: how to find worst-case translations, rotations?
SLIDE 23
Attempt #1: first-order methods
Spa5al Defenses
Lesson from l_p robustness: use robust optimization
[Goodfellow et al ‘15 ][Madry et al ’18]
(= train on worst-case perturbed inputs)
Key question: how to find worst-case translations, rotations?
SLIDE 24
Attempt #1: first-order methods
Spa5al Defenses
Lesson from l_p robustness: use robust optimization
[Goodfellow et al ‘15 ][Madry et al ’18]
(= train on worst-case perturbed inputs)
Key question: how to find worst-case translations, rotations?
SLIDE 25
Spa5al Defenses
Key question: how to find worst-case translations, rotations?
Attempt #1: first-order methods
Lesson from l_p robustness: use robust optimization
[Goodfellow et al ‘15 ][Madry et al ’18]
(= train on worst-case perturbed inputs)
SLIDE 26
Spa5al Defenses
Key question: how to find worst-case translations, rotations?
Attempt #1: first-order methods Attempt #2: exhaustive search
Lesson from l_p robustness: use robust optimization
[Goodfellow et al ‘15 ][Madry et al ’18]
(= train on worst-case perturbed inputs)
SLIDE 27
Spa5al Defenses
Key question: how to find worst-case translations, rotations?
Attempt #1: first-order methods Attempt #2: exhaustive search
Exhaustive search is feasible, and a strong adversary! (discretize translations and rotations, try every combination)
Lesson from l_p robustness: use robust optimization
[Goodfellow et al ‘15 ][Madry et al ’18]
(= train on worst-case perturbed inputs)
SLIDE 28
Spa5al Defenses
Key question: how to find worst-case translations, rotations?
Attempt #1: first-order methods Attempt #2: exhaustive search
Exhaustive search is feasible, and a strong adversary! (discretize translations and rotations, try every combination)
Lesson from l_p robustness: use robust optimization
[Goodfellow et al ‘15 ][Madry et al ’18]
(= train on worst-case perturbed inputs)
SLIDE 29
Spa5al Defenses
Key question: how to find worst-case translations, rotations?
Attempt #1: first-order methods Attempt #2: exhaustive search
Train only on “worst” transformed input (highest loss)
Exhaustive search is feasible, and a strong adversary! (discretize translations and rotations, try every combination)
Lesson from l_p robustness: use robust optimization
[Goodfellow et al ‘15 ][Madry et al ’18]
(= train on worst-case perturbed inputs)
SLIDE 30
Spa5al Defenses
Key question: how to find worst-case translations, rotations?
Attempt #1: first-order methods Attempt #2: exhaustive search
Exhaustive search is feasible, and a strong adversary! (discretize translations and rotations, try every combination) (we approximate via 10 random samples to quicken training)
Lesson from l_p robustness: use robust optimization
[Goodfellow et al ‘15 ][Madry et al ’18]
(= train on worst-case perturbed inputs)
SLIDE 31
Spa5al Defenses
With robust optimization:
SLIDE 32
Spa5al Defenses
CIFAR classifier accuracy: 3% adversarial to 71% adversarial With robust optimization:
SLIDE 33
Spa5al Defenses
CIFAR classifier accuracy: 3% adversarial to 71% adversarial (compare to 93% standard accuracy) With robust optimization:
SLIDE 34
Spa5al Defenses
ImageNet classifier accuracy: 31% adversarial to 53% adversarial CIFAR classifier accuracy: 3% adversarial to 71% adversarial (compare to 93% standard accuracy) With robust optimization:
SLIDE 35
Spa5al Defenses
ImageNet classifier accuracy: 31% adversarial to 53% adversarial (compare to 76% standard accuracy) CIFAR classifier accuracy: 3% adversarial to 71% adversarial (compare to 93% standard accuracy) With robust optimization:
SLIDE 36
Spa5al Defenses
With robust optimization: ImageNet classifier accuracy: 31% adversarial to 53% adversarial (compare to 76% standard accuracy) CIFAR classifier accuracy: 3% adversarial to 71% adversarial (compare to 93% standard accuracy) (+10 sample majority vote)
SLIDE 37
Spa5al Defenses
With robust optimization: ImageNet classifier accuracy: 31% adversarial to 53% adversarial (compare to 76% standard accuracy) CIFAR classifier accuracy: 3% adversarial to 71% adversarial (compare to 93% standard accuracy) (+10 sample majority vote) 82%
SLIDE 38
Spa5al Defenses
With robust optimization: ImageNet classifier accuracy: 31% adversarial to 53% adversarial (compare to 76% standard accuracy) CIFAR classifier accuracy: 3% adversarial to 71% adversarial (compare to 93% standard accuracy) (+10 sample majority vote) 82% 56%
SLIDE 39
Spa5al Defenses
With robust optimization: Still significant room for improvement! ImageNet classifier accuracy: 31% adversarial to 53% adversarial (compare to 76% standard accuracy) CIFAR classifier accuracy: 3% adversarial to 71% adversarial (compare to 93% standard accuracy) (+10 sample majority vote) 82% 56%
SLIDE 40
Conclusions
SLIDE 41
Conclusions
Robust models need more refined notions of similarity
SLIDE 42
Conclusions
We do not have true spatial robustness Robust models need more refined notions of similarity
SLIDE 43
Conclusions
Intuitions from l_p robustness do not transfer We do not have true spatial robustness Robust models need more refined notions of similarity
SLIDE 44
Conclusions
Come to our poster! Pacific Ballroom #142 Intuitions from l_p robustness do not transfer We do not have true spatial robustness Robust models need more refined notions of similarity