SLIDE 1
CS109B Data Science 2
Pavlos Protopapas and Mark Glickman
Lecture 21: Adversarial Networks
1
CS109B, PROTOPAPAS, GLICKMAN
How vulnerable are Neural Networks?
Uses of Neural Networks
Lecture 21: Adversarial Networks CS109B Data Science 2 Pavlos - - PowerPoint PPT Presentation
Lecture 21: Adversarial Networks CS109B Data Science 2 Pavlos - - PowerPoint PPT Presentation
Lecture 21: Adversarial Networks CS109B Data Science 2 Pavlos Protopapas and Mark Glickman 1 How vulnerable are Neural Networks? Uses of Neural Networks CS109B, P ROTOPAPAS , G LICKMAN How vulnerable are Neural Networks? CS109B, P ROTOPAPAS ,
SLIDE 2
SLIDE 3
CS109B, PROTOPAPAS, GLICKMAN
How vulnerable are Neural Networks?
SLIDE 4
CS109B, PROTOPAPAS, GLICKMAN
Explaining Adversarial Examples
[Goodfellow et. al ‘15] 1. Robust attacks with FGSM
- 2. Robust defense with Adversarial Training
SLIDE 5
CS109B, PROTOPAPAS, GLICKMAN
Explaining Adversarial Examples
SLIDE 6
CS109B, PROTOPAPAS, GLICKMAN
Some of these adversarial examples can even fool humans:
SLIDE 7
CS109B, PROTOPAPAS, GLICKMAN
Attacking with Fast Gradient Sign Method (FGSM)
W X L
x + λ · sign(rxL) ) x∗
SLIDE 8
CS109B, PROTOPAPAS, GLICKMAN
Attacking with Fast Gradient Sign Method (FGSM)
W X L
x + λ · sign(rxL) ) x∗
SLIDE 9
CS109B, PROTOPAPAS, GLICKMAN
x + λ · sign(rxL) ) x∗
SLIDE 10
CS109B, PROTOPAPAS, GLICKMAN
Defending with Adversarial Training
1. Generate adversarial examples
- 2. Adjust labels
SLIDE 11
CS109B, PROTOPAPAS, GLICKMAN
Defending with Adversarial Training
1. Generate adversarial examples
- 2. Adjust labels
“Panda”
SLIDE 12
CS109B, PROTOPAPAS, GLICKMAN
Defending with Adversarial Training
1. Generate adversarial examples
- 2. Adjust labels
- 3. Add them to the training set
- 4. Train new network
“Panda”
SLIDE 13
CS109B, PROTOPAPAS, GLICKMAN
Attack methods post GoodFellow 2015
- FGSM [Goodfellow et. al ‘15]
- JSMA [Papernot et. al ‘16]
- C&W [Carlini + Wagner ‘16]
- Step-LL [Kurakin et. al ‘17]
- I-FGSM [Tramer et. al ‘18]
SLIDE 14
CS109B, PROTOPAPAS, GLICKMAN
White box attacks
W
x + λ · rxL ) x∗
L
x + λ · sign(rxL) ) x∗
SLIDE 15
CS109B, PROTOPAPAS, GLICKMAN
“Black Box” Attacks
“Black Box” Attacks [Papernot et. al ‘17]
SLIDE 16
CS109B, PROTOPAPAS, GLICKMAN
“Black Box” Attacks
Examine inputs and outputs of the model
SLIDE 17
CS109B, PROTOPAPAS, GLICKMAN
“Black Box” Attacks
Panda
SLIDE 18
CS109B, PROTOPAPAS, GLICKMAN
“Black Box” Attacks
Panda Gibbon
SLIDE 19
CS109B, PROTOPAPAS, GLICKMAN
“Black Box” Attacks
Panda Gibbon Ostrich
SLIDE 20
CS109B, PROTOPAPAS, GLICKMAN
“Black Box” Attacks
Train a model that performs the same as the black box
SLIDE 21
CS109B, PROTOPAPAS, GLICKMAN
“Black Box” Attacks
Train a model that performs the same as the black box
Panda Gibbon Ostrich
SLIDE 22
CS109B, PROTOPAPAS, GLICKMAN
“Black Box” Attacks
Now attack the model you just trained with “white” box attack
L W
x + λ · rxL ) x∗
x + λ · sign(rxL) ) x∗
SLIDE 23
CS109B, PROTOPAPAS, GLICKMAN
“Black Box” Attacks
Use those adversarial examples to the “black” box
SLIDE 24
CS109B, PROTOPAPAS, GLICKMAN
CleverHans
A Python library to benchmark machine learning systems' vulnerability to adversarial examples. https://github.com/tensorflow/cleverhans http://www.cleverhans.io/
SLIDE 25
PAVLOS PROTOPAPAS
More Defenses
Mixup:
- Mix two training examples
- Augment training set
Smooth decision boundaries:
- Regularize the derivatives wrt
to x
˜ x = λxi + (1 − λ)xj ˜ y = λyi + (1 − λ)yj
SLIDE 26
CS109B, PROTOPAPAS, GLICKMAN
Physical attacks
- Object Detection
- Adversarial Stickers
SLIDE 27
CS109B, PROTOPAPAS, GLICKMAN