fooling neural networks
play

Fooling Neural Networks Linguang Zhang Feb-4-2015 Preparation - PowerPoint PPT Presentation

Jan 19, 2023 •375 likes •888 views

Fooling Neural Networks Linguang Zhang Feb-4-2015 Preparation Task: image classification. Datasets: MNIST, ImageNet. training and testing data. Preparation Logistic regression: Good for 0/1 classification. e.g. spam

  1. Fooling Neural Networks Linguang Zhang Feb-4-2015

  2. Preparation • Task: image classification. • Datasets: MNIST, ImageNet. • training and testing data.

  3. Preparation • Logistic regression: • Good for 0/1 classification. e.g. spam filtering

  4. Preparation • Multi-class classification? N categories? • Softmax regression • Weight Decay (regularization)

  5. Preparation • Autoencoder • What is autoencoder? Input = decoder(encoder(input)) • Why is it useful? Dimension reduction. • Training • Feed-forward and obtain output x ̂ at the output layer • Compute dist(x ̂ , x). • Update weights through backpropagation.

  6. Basic Neural Network

  7. Intriguing Properties of Neural Networks Szegedy, Christian, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. "Intriguing properties of neural networks." arXiv preprint arXiv:1312.6199 (2013).

  8. Activation • Activation of a hidden unit is a meaningful feature. using the natural basis of the i-th hidden unit: randomly choose a vector:

  9. using the natural basis: randomly choose a vector:

  10. Adversarial Examples • What is adversarial example? We can let the network to misclassify an image by adding a imperceptible (for human) perturbation. • Why do adversarial examples exist? Deep Neural Networks learn input-output mappings that are discontinuous to a significant extent. • Interesting observation: the adversarial examples generated for network A can also make network B fail.

  11. Generate Adversarial Examples Input image: Classifier: Target label: x+r is the closest image to x classified as l by f . When :

  13. Intriguing properties • Properties: • Visually hard to distinguish the generated adversarial examples. • Cross model generalization. (different hyper-parameters) • Cross training-set generalization. (different training set) • Observation: • adversarial examples are universal. • back-feeding adversarial examples to training might improve generalization of the model.

  14. Experiment Cross-model generalization of adversarial examples.

  15. Experiment Cross training-set generalization - baseline (no distortion) Cross training-set generalization error rate magnify distortion

  16. The Opposite Direction Imperceptible adversarial examples that cause misclassification. Unrecognizable images that make DNN believe Nguyen, Anh, Jason Yosinski, and Jeff Clune. "Deep Neural Networks are Easily Fooled: High Confidence Predictions for Unrecognizable Images." arXiv preprint arXiv:1412.1897 (2014).

  17. Fooling Examples Problem statement: producing images that are completely unrecognizable to humans, but that state-of-the-art Deep Neural Networks believe to be recognizable objects with high confidence (99%).

  18. DNN Models • ImageNet: AlexNet. (Caffe version) • 42.6% error rate. Original error rate is 40.7%. • MNIST: LeNet (Caffe version) • 0.94% error rate. Original error rate is 0.8%.

  19. Generating Images with Evolution (one class) • Evolutionary Algorithms (EAs) are inspired by Darwinian evolution. • Contains a population of organisms (images). • Organisms will be randomly perturbed and selected based on fitness function . • Fitness function: in our case, is the highest prediction value a DNN believes that the image belongs to a class.

  20. Generating Images with Evolution (multi-class) • Algorithm: Multi-dimensional archive of phenotypic elites MAP-Elites. • Procedures: • Randomly choose an organism, mutate it randomly. • Show the mutated organism to the DNN. If the prediction score is higher than the current highest score of ANY class, make the organism as the champion of that class.

  21. Encoding an Image • Direct encoding: • For MNIST: 28 x 28 pixels. • For ImageNet: 256 x 256 pixels, each pixel has 3 channels (H, S, V). • Values are independently mutated. • 10% chance of being chosen. The chance drops by half every 1000 generations. • mutate via the polynomial mutation operator.

  22. Directly Encoded Images

  23. Encoding an Image • Indirect encoding: • very likely to produce regular images with meaningful patterns. • both humans and DNNs can recognize. • Compositional pattern-producing network (CPPN).

  24. CPPN-encoded Images

  25. MNIST - Irregular Images LeNet: 99.99% median confidence, 200 generations.

  26. MNIST - Regular Images LeNet: 99.99% median confidence, 200 generations.

  27. ImageNet - Irregular Images AlexNet: 21.59% median confidence, 20000 generations. 45 classes: > 99% confidence.

  28. ImageNet - Irregular Images

  29. ImageNet - Regular Images Dogs and cats AlexNet: 88.11% median confidence, 5000 generations. High confidence images are found in most classes.

  30. Difficulties in Dogs and Cats • Size of dataset of cats and dogs is large. • Less overfit -> difficult to fool. • Too many classes for cats and dogs. • e.g. difficult to achieve high score in Dog A while guaranteeing low score in Dog B. • [Recall] For the final softmax layer, it is difficult to give high confidence in the above case.

  31. ImageNet - Regular Images

  32. Fooling Closely Related Classes

  33. Fooling Closely Related Classes • Two possibilities: • [Recall] Imperceptible changes can change a DNN’s class label. Evolution could produce very similar images to fool multiple classes. • Many of the images are related to each other naturally. • Different runs produce different images: many ways to fool the DNN.

  34. Repetition of Patterns

  35. Repetition of Patterns • Explanations • Extra copies make the DNN more confident. • DNNs tend to learn low&mid-level features rather than the global structure. • Many natural images do contain multiple copies.

  36. Training with Fooling Images Retraining does not help.

  37. adversarial examples

  38. Why Do Adversarial Examples Exist? • Past explanations • extreme nonlinearity of DNN. • insufficient model averaging. • insufficient regularization. • New explanation • Linear behavior in high-dimensional spaces is sufficient to cause adversarial examples. Goodfellow, Ian J., Jonathon Shlens, and Christian Szegedy. "Explaining and Harnessing Adversarial Examples." arXiv preprint arXiv:1412.6572 (2014).

  39. Linear Explanations of Adversarial Examples Perturbation: Adversarial examples: typically =1/255 Pixel value precision: Perturbation is meaningless if: Activation of adversarial examples: maximizes the increase of activation.

  40. Linear Explanations of Adversarial Examples Activation of adversarial examples: Assume the magnitude of the weight vector is m and the dimension is n : Increase of activation is: A simple linear model can have adversarial examples as long as its input has sufficient dimensionality.

  41. Faster Way to Generate Adversarial Examples Cost function: Perturbation:

  42. Faster Way to Generate Adversarial Examples epsilon error rate confidence shallow softmax 0.25 99.9% 79.3% (MNIST) maxout network 0.25 89.4% 97.6% convolutional maxout 0.1 87.15% 96.6% network (CIFAR-10)

  43. Adversarial Training of Linear Models Simple case: Linear Regression. Train gradient descend on: Adversarial training version is:

  44. Adversarial Training of Deep Networks Regularized cost function: On MNIST: error rate drops from 0.94% to 0.84% For adversarial examples: error rate drops from 89.4% to 17.9% Original Adversarially adversarial examples model trained model 40.9% 19.4%

  45. Explaining Why Adversarial Examples Generalize • [Recall] An adversarial example generated for one model is often misclassified by other models. • When different models misclassify an adversarial examples, they often agree with each other. • As long as is positive, adversarial examples work. • Hypothesis: neural networks trained all resemble the linear classifier learned on the same training set. • Such stability of underlying classification weights causes the stability of adversarial examples.

  46. Fooling Examples • Can simply generate fooling examples by generating a point far from the data with larger norms (more confidence) • Gaussian fooling examples: • softmax top layer: error rate: 98.35%, average confidence: 92.8%. • independent sigmoid top layer: error rate: 68%, average confidence: 87.9%.

  47. Summary • Intriguing properties � • No difference between individual high level units and random linear combinations of high level units. • Adversarial Examples • Indistinguishable. • Generalize. • Fooling images � • Generate fooling images via evolution. • Direct encoding and indirect encoding (irregular and regular images). • Retraining does not boost immunity.

  48. Generative Adversarial Nets • Two types of models: • Generative model: generative model learns the joint probability distribution of the data - p(x, y). • Discriminative model: discriminative model learns the conditional probability distribution of the data - p(y | x). • Much easier to get discriminative model with the generative model.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS7015 (Deep Learning) : Lecture 13 Visualizing Convolutional Neural Networks, Guided

CS7015 (Deep Learning) : Lecture 13 Visualizing Convolutional Neural Networks, Guided

CS7015 (Deep Learning) : Lecture 13 Visualizing Convolutional Neural Networks, Guided Backpropagation, Deep Dream, Deep Art, Fooling Convolutional Neural Networks Mitesh M. Khapra Department of Computer Science and Engineering Indian Institute

1.07k views • 72 slides
Outline Evolution of neurocomputing Artificial neural networks Feed forward

Outline Evolution of neurocomputing Artificial neural networks Feed forward

Introduction to Neural Networks and Deep Learning Ling Guan References: S. Haykin, Neural Networks , 2 nd Edition, New Jersey: Prentice Hall, 1. 2004. C. M. Bishop, Neural Networks for Pattern Re cognition, New York: 2. Oxford University

451 views • 17 slides
Neural Networks 0. Logistics Spring 2019 1 Neural Networks are taking over! Neural networks

Neural Networks 0. Logistics Spring 2019 1 Neural Networks are taking over! Neural networks

Neural Networks 0. Logistics Spring 2019 1 Neural Networks are taking over! Neural networks have become one of the major thrust areas recently in various pattern recognition, prediction, and analysis problems In many problems they have

852 views • 33 slides
Neural Networks 1. Introduction Fall 2017 Neural Networks are taking over! Neural networks

Neural Networks 1. Introduction Fall 2017 Neural Networks are taking over! Neural networks

Neural Networks 1. Introduction Fall 2017 Neural Networks are taking over! Neural networks have become one of the major thrust areas recently in various pattern recognition, prediction, and analysis problems In many problems they have

1.17k views • 91 slides
CONVOLUTIONAL AND RECURRENT NEURAL NETWORKS Neural networks Fully connected networks

CONVOLUTIONAL AND RECURRENT NEURAL NETWORKS Neural networks Fully connected networks

CONVOLUTIONAL AND RECURRENT NEURAL NETWORKS Neural networks Fully connected networks Neuron Non-linearity Softmax layer DNN training Loss function and regularization SGD and backprop Learning rate Overfitting

1.8k views • 86 slides
Neural Networks 1. Introduction Spring 2019 1 Neural Networks are taking over! Neural

Neural Networks 1. Introduction Spring 2019 1 Neural Networks are taking over! Neural

Neural Networks 1. Introduction Spring 2019 1 Neural Networks are taking over! Neural networks have become one of the major thrust areas recently in various pattern recognition, prediction, and analysis problems In many problems they

1.57k views • 124 slides
Neural Networks 1. Introduction Spring 2020 1 Neural Networks are taking over! Neural

Neural Networks 1. Introduction Spring 2020 1 Neural Networks are taking over! Neural

Neural Networks 1. Introduction Spring 2020 1 Neural Networks are taking over! Neural networks have become one of the major thrust areas recently in various pattern recognition, prediction, and analysis problems In many problems they

1.63k views • 119 slides
Relaxation and Hopfield Networks Neural Networks Neural Networks - Hopfield 1 Bibliography

Relaxation and Hopfield Networks Neural Networks Neural Networks - Hopfield 1 Bibliography

Relaxation and Hopfield Networks Neural Networks Neural Networks - Hopfield 1 Bibliography Hopfield, J. J., "Neural networks and physical systems with emergent collective computational abilities," Proceedings of the National Academy

367 views • 19 slides
Neural Networks and their Application to Go Neural Networks Learning Blackjack Theory Training

Neural Networks and their Application to Go Neural Networks Learning Blackjack Theory Training

Neural Networks and their Application to Go A. Bausch Neural Networks and their Application to Go Neural Networks Learning Blackjack Theory Training neural networks Problems AlphaGo Anne-Marie Bausch The Game of Go Policy Network

280 views • 24 slides
(Very) Brief Introduction to Neural Networks IITP-03 Algorithms for NLP 1 / 31 Learning

(Very) Brief Introduction to Neural Networks IITP-03 Algorithms for NLP 1 / 31 Learning

(Very) Brief Introduction to Neural Networks IITP-03 Algorithms for NLP 1 / 31 Learning objectives What are neural networks? What are deep neural networks? How do we train neural networks? What variants of neural network

331 views • 31 slides
How Neural Networks (NN) Biological Neuron: A . . . Can (Hopefully) Learn Artificial Neural . .

How Neural Networks (NN) Biological Neuron: A . . . Can (Hopefully) Learn Artificial Neural . .

Need for Machine . . . Neural Networks . . . How to Speed Up . . . Neural Networks: A . . . How Neural Networks (NN) Biological Neuron: A . . . Can (Hopefully) Learn Artificial Neural . . . Resulting Algorithm Faster by Taking Into How to

464 views • 17 slides
Outline Why model neural networks? Modeling Neural Networks A brief look at the neuron.

Outline Why model neural networks? Modeling Neural Networks A brief look at the neuron.

Outline Why model neural networks? Modeling Neural Networks A brief look at the neuron. A look at some current works. Adding an evolutionary strategy. Paul Nuytten CPSC 607 Why Model Neural Networks? The Neuron The nervous

697 views • 4 slides
Introduction to Deep Neural Networks 0. Logistics Spring 2020 1 Neural Networks are taking

Introduction to Deep Neural Networks 0. Logistics Spring 2020 1 Neural Networks are taking

Introduction to Deep Neural Networks 0. Logistics Spring 2020 1 Neural Networks are taking over! Neural networks have become one of the major thrust areas recently in various pattern recognition, prediction, and analysis problems In

987 views • 40 slides
Propagating Error Backward Hyperparameters for Neural Networks } Multi-layer (deep) neural

Propagating Error Backward Hyperparameters for Neural Networks } Multi-layer (deep) neural

Learning in Neural Networks w 1,3 w 3,5 1 3 5 w w 1,4 3,6 w w 2,3 4,5 2 4 6 w w 2,4 4,6 Class #18: Back-Propagation; } A neural network can learn a classification function by Tuning Hyper-Parameters adjusting its weights to

259 views • 4 slides
Neural Networks Hugo Larochelle ( @hugo_larochelle ) Google Brain 2 NEURAL NETWORKS What

Neural Networks Hugo Larochelle ( @hugo_larochelle ) Google Brain 2 NEURAL NETWORKS What

Neural Networks Hugo Larochelle ( @hugo_larochelle ) Google Brain 2 NEURAL NETWORKS What well cover ... f ( x ) computer vision architectures - convolutional networks - data augmentation 1 - residual networks ... ...

1.29k views • 75 slides
Neural Networks Oskar Taubert (SCC) SCC 1 15.01.2020 Oskar Taubert - Neural Networks SCC

Neural Networks Oskar Taubert (SCC) SCC 1 15.01.2020 Oskar Taubert - Neural Networks SCC

Neural Networks Oskar Taubert (SCC) SCC 1 15.01.2020 Oskar Taubert - Neural Networks SCC www.kit.edu KIT The Research University in the Helmholtz Association Neural Network Concept (very) remotely brain inspired computational system

479 views • 25 slides
Fitness Evaluation and Selection Debasis Samanta Indian Institute of Technology Kharagpur

Fitness Evaluation and Selection Debasis Samanta Indian Institute of Technology Kharagpur

Fitness Evaluation and Selection Debasis Samanta Indian Institute of Technology Kharagpur dsamanta@iitkgp.ac.in 13.03.2018 Debasis Samanta (IIT Kharagpur) Soft Computing Applications 13.03.2018 1 / 40 Important GA Operations Encoding 1

527 views • 40 slides
Natural Computing Lecture 1: Introduction Michael Herrmann mherrman@inf.ed.ac.uk INFR09038

Natural Computing Lecture 1: Introduction Michael Herrmann mherrman@inf.ed.ac.uk INFR09038

Natural Computing Lecture 1: Introduction Michael Herrmann mherrman@inf.ed.ac.uk INFR09038 phone: 0131 6 517177 21/9/2010 Informatics Forum 1.42 Natural Computation Physics Abacus Chemistry Slide ruler Biology

3.08k views • 30 slides
Evolutionary Algorithms for Complex Designs of Experiments and Data Analysis Irene Poli Dep. of

Evolutionary Algorithms for Complex Designs of Experiments and Data Analysis Irene Poli Dep. of

Evolutionary Algorithms for Complex Designs of Experiments and Data Analysis Irene Poli Dep. of Statistics, University Ca Foscari of Venice European Centre for Living Technology (ECLT) www.ecltech.org Research group : Matteo Borrotti, Davide

510 views • 27 slides
Metaheuristic models for decision support in the software construction process Ph.D. Thesis

Metaheuristic models for decision support in the software construction process Ph.D. Thesis

Metaheuristic models for decision support in the software construction process Ph.D. Thesis Aurora Ramrez Quesada Dept. Computer Science and Numerical Analysis University of Crdoba Supervisors: Dr. Jos Ral Romero Salguero Dr.

1.36k views • 57 slides
Selforganization of Information and Value- Relation to Physics and Emergence Werner Ebeling

Selforganization of Information and Value- Relation to Physics and Emergence Werner Ebeling

Selforganization of Information and Value- Relation to Physics and Emergence Werner Ebeling Humboldt Universitt, Leibniz-Soziett Berlin "There is a sudden rapid passage to a totally new and more comprehensive type of order or

439 views • 23 slides
Models of structured populations in constant and fluctuating environments Sepideh Mirrahimi

Models of structured populations in constant and fluctuating environments Sepideh Mirrahimi

Models of structured populations in constant and fluctuating environments Sepideh Mirrahimi CNRS, IMT, Toulouse Toulouse, June 16-19, 2014 1 / 26 Darwinian evolution of a structured population density We study the Darwinian evolution of a

1.65k views • 45 slides
Chapter 2: Origins of modern biology and Darwin's Theory of Natural Selection 1 Summary of this

Chapter 2: Origins of modern biology and Darwin's Theory of Natural Selection 1 Summary of this

Chapter 2: Origins of modern biology and Darwin's Theory of Natural Selection 1 Summary of this week (and next Tuesday) 1. Update on the class 2. Very brief description of evolution 3. Pre-scientific thought 4. Recall the idea of scientific

542 views • 29 slides
Colossians Series Lesson #38 November 27, 2011 Dean Bible Ministries www.deanbible.org Dr.

Colossians Series Lesson #38 November 27, 2011 Dean Bible Ministries www.deanbible.org Dr.

Colossians Series Lesson #38 November 27, 2011 Dean Bible Ministries www.deanbible.org Dr. Robert L. Dean, Jr. C OLOSSIANS : Jesus Christ is All-Sufficient Is Sufficient Enough? Colossians 2:1011 Colossians 2:6, As you therefore have

507 views • 22 slides

More recommend