mag net
play

Mag Net A Two-Pronged Defense against Adversarial Examples Dongyu - PowerPoint PPT Presentation

Sep 01, 2023 •287 likes •599 views

Mag Net A Two-Pronged Defense against Adversarial Examples Dongyu Meng Hao Chen ShanghaiTech University, China University of California, Davis, USA Neural networks in real-life applications user authentication autonomous

  1. Mag Net A Two-Pronged Defense against Adversarial Examples Dongyu Meng Hao Chen ShanghaiTech University, China University of California, Davis, USA

  2. Neural networks in real-life applications user authentication autonomous vehicle 2

  3. Neural networks as classifier Panda 0.62 Tiger 0.03 Gibbon 0.11 Output Input Classifier (distribution) 3

  4. Adversarial examples x panda Examples carefully crafted to - look like normal examples + x p(x is panda) = 0.58 - cause misclassification gibbon p(x is gibbon) = 0.99 4 [ICLR 15] Goodfellow, Shlens, and Szegedy. EXPLAINING AND HARNESSING ADVERSARIAL EXAMPLES

  5. Attacks Fast gradient sign method(FGSM) [Goodfellow, 2015] Carlini’s attack [Carlini, 2017] confidence Iterative gradient sign [Kurakin, 2016] Deepfool [Moosavi-Dezfooli, 2015] …… 5

  6. Defenses target specific attack modify classifier Adversarial training Yes Yes [Goodfellow, 2015] Defensive distillation Yes [Papernot, 2016] Detecting specific attacks Yes [Metzen, 2017] …… 6

  7. Desirable properties Does not modify target classifier. - Can be deployed more easily as an add-on. Does not rely on attack-specific properties. - Generalizes to unknown attacks. 7

  8. Manifold hypothesis Manifold Possible inputs take up dense sample space. But inputs we care about lie on a low dimensional manifold . 8

  9. Our hypothesis for adversarial examples Manifold Some adversarial examples are far away from the manifold. 9 Classifiers are not trained to work on these inputs.

  10. Our hypothesis for adversarial examples Manifold Other adversarial example are close to the manifold boundary where the classifier generalizes poorly . 10

  11. Sanitize your inputs. 11

  12. Our solution Manifold Detector : Decides if the example is far from the manifold. 12

  13. Our solution Manifold Reformer : Draws the example towards the manifold. 13

  14. Workflow MagNet returns y MagNet rejects the input 14

  15. Autoencoder - Neural nets. Reconstruction error: - Learn to copy input to output. - Trained with constraints. 15

  16. Autoencoder Autoencoders - learn to map inputs towards manifold. - approximate input-manifold distance with reconstruction error. Train autoencoders on normal examples only as building blocks. 16

  17. Detector ? -- based on reconstruction error ? Input is normal. x x’ MagNet accepts the input. yes ||X-X’|| 2 < threshold? autoencoder x’ no Input is adversarial. MagNet rejects the input. 17

  18. Detector ? -- based on probability divergence ? P P Panda 0.62 Panda 0.62 Input is normal. Tiger 0.03 Tiger 0.03 x x’ MagNet accepts the input. Gibbon 0.11 Gibbon 0.11 yes ? ? classifier D KL (P||Q) < threshold? D KL (P||Q) autoencoder Q Q Panda ... Panda ... x’ Tiger ... no Tiger ... Input is adversarial. Gibbon ... Gibbon ... MagNet rejects the input. classifier 18

  19. Reformer ? ? Q Panda ... x x’ Tiger ... x’ Gibbon ... classifier autoencoder MagNet returns Q as final classification result. 19

  20. Threat model knows the parameters of ... target classifier defense blackbox defense whitebox defense 20

  21. Blackbox defense on MNIST dataset accuracy on adversarial examples 21

  22. Blackbox defense on CIFAR-10 dataset accuracy on adversarial examples 22

  23. Detector vs. reformer complete MagNet: detector+reformer confidence detector reformer no defense small distortion large distortion less noticeable more transferable (distortion) Detector and reformer complement each other . 23

  24. Whitebox defense is not practical To defeat whitebox attacker, defender has to either - make it impossible for attacker to find adversarial examples, - or create a perfect classification network. 24

  25. Graybox model knows the parameters of... defense classifier A B C D blackbox defense - Attacker knows possible defenses. - Exact defense is only known at run time. graybox defense Defense strategy whitebox - Train diverse defenses. defense - Randomly pick one for each session. 25

  26. Train diverse defenses With MagNet, this means training diverse autoencoders. Our Method: Train n autoencoders at the same time. average reconstructed image reconstruction error Minimize autoencoder diversity 26

  27. Graybox classification accuracy generate attack on Train diverse defense defend with Idea Penalize the resemblance of autoencoders. 27

  28. Limitations The effectiveness of MagNet depends on assumptions that - detector and reformer functions exist. - we can approximate them with autoencoders. We show empirically that these assumptions are likely correct. 28

  29. Conclusion We propose MagNet framework: ● Detector detects examples far from the manifold ● Reformer moves examples closer to the manifold We demonstrated effective defense against adversarial examples in blackbox scenario with MagNet. Instead of whitebox model, we advocate graybox model, where security rests on model diversity. 29

  30. Thanks & Questions? Find more about MagNet: ● https://arxiv.org/abs/1705.09064 Paper ● https://github.com/Trevillie/MagNet Demo code ● mengdy.me Author homepage 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Defense Against Adversarial Images using Web-Scale Nearest-Neighbor Search Abhimanyu Dubey,

Defense Against Adversarial Images using Web-Scale Nearest-Neighbor Search Abhimanyu Dubey,

Defense Against Adversarial Images using Web-Scale Nearest-Neighbor Search Abhimanyu Dubey, Laurens van der Maaten, I. Zeki Yalniz, Yixuan Li and Dhruv Mahajan Adversarial Images adversarial swan pelican perturbation

457 views • 8 slides
Hash-flooding DoS reloaded: Hash flooding begins? attacks and defenses July 1998 article

Hash-flooding DoS reloaded: Hash flooding begins? attacks and defenses July 1998 article

Hash-flooding DoS reloaded: Hash flooding begins? attacks and defenses July 1998 article Jean-Philippe Aumasson, Designing and attacking Kudelski Security (NAGRA) port scan detection tools by Solar Designer (Alexander D. J. Bernstein,

1.83k views • 164 slides
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at

Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at

Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation shellcode (aka payload)

652 views • 36 slides
Clickjacking Credit: paper (Clickjacking: Attacks and Defenses Huang et al.) and most slide

Clickjacking Credit: paper (Clickjacking: Attacks and Defenses Huang et al.) and most slide

Clickjacking Credit: paper (Clickjacking: Attacks and Defenses Huang et al.) and most slide content (Vern Paxson) Misleading users Browser assumes that clicks and keystrokes = clear indication of what the user wants to do Constitutes

567 views • 24 slides
Adversarial Robustness via Runtime Masking and Cleansing Yi-Hsuan Wu Chia-Hung Yuan Shan-Hung

Adversarial Robustness via Runtime Masking and Cleansing Yi-Hsuan Wu Chia-Hung Yuan Shan-Hung

Adversarial Robustness via Runtime Masking and Cleansing Yi-Hsuan Wu Chia-Hung Yuan Shan-Hung Wu Department of Computer Science, National Tsing Hua University, Taiwan International Conference on Machine Learning, 2020 Y.H. Wu, C.H. Yuan,

1.3k views • 52 slides
Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los Chief Security Evangelist HP Software Shane MacDougall Principal Tactical Intelligence Modern threat modeling is a defensive response to

783 views • 52 slides
Cybercrime Kill Chain vs. Effec4veness of Defense Layers

Cybercrime Kill Chain vs. Effec4veness of Defense Layers

Cybercrime Kill Chain vs. Effec4veness of Defense Layers Dr. Stefan Frei &amp; Francisco Arts @stefan_frei @franklyfranc

787 views • 60 slides
Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial

Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial

Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples Anish Athalye* 1 , Nicholas Carlini * 2 , and David Wagner 3 1 Massachusetts Institute of Technology 2 University of California, Berkeley (now

1.13k views • 67 slides
Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial

Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial

Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples Anish Athalye* 1 , Nicholas Carlini * 2 , and David Wagner 3 1 Massachusetts Institute of Technology 2 University of California, Berkeley (now

540 views • 50 slides
The case for dynamic defenses against adversarial examples Ian Goodfellow SafeML ICLR Workshop

The case for dynamic defenses against adversarial examples Ian Goodfellow SafeML ICLR Workshop

The case for dynamic defenses against adversarial examples Ian Goodfellow SafeML ICLR Workshop 2019-05-06 New Orleans Based on https://arxiv.org/pdf/1903.06293.pdf Definition Adversarial examples are inputs to machine learning models that

411 views • 22 slides
The material below presents the briefing slide text accompanied by recommended oral comments for

The material below presents the briefing slide text accompanied by recommended oral comments for

The material below presents the briefing slide text accompanied by recommended oral comments for people interested in military reform to give to audiences. While the presentation was created in the 1980s, it is remarkably relevant to the defense

521 views • 22 slides
Website fingerprinting on Tor: attacks and defenses Claudia Diaz KU Leuven Joint work with: Marc

Website fingerprinting on Tor: attacks and defenses Claudia Diaz KU Leuven Joint work with: Marc

Website fingerprinting on Tor: attacks and defenses Claudia Diaz KU Leuven Joint work with: Marc Juarez , Sadia Afroz, Gunes Acar, Rachel Greenstadt, Mohsen Imani, Mike Perry, Matthew Wright Post-Snowden Cryptography Workshop Brussels, December

754 views • 52 slides
Outline 2 Motivation Current cyber defense landscape &amp; open questions Pro-active

Outline 2 Motivation Current cyber defense landscape &amp; open questions Pro-active

A DVERSARIAL AND U NCERTAIN R EASONING FOR A DAPTIVE C YBER D EFENSE : B UILDING THE S CIENTIFIC F OUNDATION Sushil Jajodia George Mason University IEEE International 5G Summit, Reston, Virginia August 19, 2017 Outline 2 Motivation

863 views • 41 slides
Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches Menghao Zhang 1 , Guanyu

Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches Menghao Zhang 1 , Guanyu

Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches Menghao Zhang 1 , Guanyu Li 1 , Shicheng Wang 1 , Chang Liu 1 , Ang Chen 2 , Hongxin Hu 3 , Guofei Gu 4 , Qi Li 1 , Mingwei Xu 1 , Jianping Wu 1 1 4 2 3 DDoS Attacks are

480 views • 23 slides
Fragmentation Considered Vulnerable Yossi Gilad &amp; Amir Herzberg Computer Science Department,

Fragmentation Considered Vulnerable Yossi Gilad &amp; Amir Herzberg Computer Science Department,

Fragmentation Considered Vulnerable Yossi Gilad &amp; Amir Herzberg Computer Science Department, Bar Ilan University Overview IP fragmentation recap `Easy case fragment miss -association attacks Fragmentation attacks in tunnels

238 views • 23 slides
On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao,

On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao,

On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao, Wei-Hsuan Chiang, Shu-Po Tung, Yu-Su Wang May 2019 | San Francisco, CA Transit-link DDoS attack: a powerful type of volumetric DDoS attack

438 views • 25 slides
Distributed Denial of Service Attacks &amp; Defenses Guest Lecture by: Vamsi Kambhampati Fall

Distributed Denial of Service Attacks &amp; Defenses Guest Lecture by: Vamsi Kambhampati Fall

Distributed Denial of Service Attacks &amp; Defenses Guest Lecture by: Vamsi Kambhampati Fall 2011 Distributed Denial of Service (DDoS) Exhaust resources of a target, or the resources it depends on Resources: CPU, Memory, Bandwidth

427 views • 23 slides
Differentiable Abstract Interpretation for Provably Robust Neural Networks safeai.ethz.ch

Differentiable Abstract Interpretation for Provably Robust Neural Networks safeai.ethz.ch

Differentiable Abstract Interpretation for Provably Robust Neural Networks safeai.ethz.ch Matthew Mirman Timon Gehr Martin Vechev ICML 2018 1 / 27 Adversarial Attack Example of FGSM attack produced by Goodfellow et al. (2014) 2 / 27 L

677 views • 35 slides
15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico

15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico

15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico Kolter (this lecture) and Ariel Procaccia Carnegie Mellon University Spring 2018 Portions base upon joint work with Eric Wong 1 Outline Adverarial

710 views • 39 slides
Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to

Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to

Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to Nicolas Papernot, Ian Goodfellow, and Jerry Zhu for some slides . Machine learning brings social disruption at scale Healthcare Energy Source: Peng and

821 views • 71 slides
The Federal Payroll Tax Case (Focus on Trust-Fund Recovery Penalty) S T E P H E N P . K A U F F

The Federal Payroll Tax Case (Focus on Trust-Fund Recovery Penalty) S T E P H E N P . K A U F F

The Federal Payroll Tax Case (Focus on Trust-Fund Recovery Penalty) S T E P H E N P . K A U F F M A N E S Q . S K E E N &amp; K A U F F M A N 9 11 N . CH A R L E S S T . B A L T I M O R E , M D 2 12 0 1 S K A U F F M A N @ S K A U F F

527 views • 34 slides
Defending against malicious peripherals with Cinch Presented by Avesta Hojjati CS598 Computer

Defending against malicious peripherals with Cinch Presented by Avesta Hojjati CS598 Computer

Defending against malicious peripherals with Cinch Presented by Avesta Hojjati CS598 Computer Security in the Physical World University of Illinois Based on slides by Sebastian Angel Citation S. Angel,R. Wahby, M. Howald, J. Leners, M.

650 views • 43 slides
Outline Return address protections CSci 5271 Introduction to Computer Security Announcements

Outline Return address protections CSci 5271 Introduction to Computer Security Announcements

Outline Return address protections CSci 5271 Introduction to Computer Security Announcements intermission Day 5: Low-level defenses and counterattacks ASLR and counterattacks Stephen McCamant University of Minnesota, Computer Science &amp;

269 views • 5 slides
CSE 544 Advanced Systems Security Trent Jaeger Systems and Internet Infrastructure Security

CSE 544 Advanced Systems Security Trent Jaeger Systems and Internet Infrastructure Security

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CSE 544 Advanced Systems Security Trent Jaeger Systems and

651 views • 28 slides

More recommend