networks works wit ith pro rova vable le guara rantees
play

networks works wit ith pro rova vable le guara rantees tees - PowerPoint PPT Presentation

Feb 20, 2024 •520 likes •1.01k views

ERTS 2020, Toulouse 29 th January, 2020 Safe Sa fety y ve veri rifi fica cati tion on fo for d r deep ep neural ral networks works wit ith pro rova vable le guara

  1. ERTS 2020, Toulouse 29 th January, 2020 Safe Sa fety y ve veri rifi fica cati tion on fo for d r deep ep neural ral networks works wit ith pro rova vable le guara rantees tees Prof. Marta Kwiatkowska Department of Computer Science University of Oxford

  2. The unstoppable rise of deep learning • Neural networks timeline 1940s First proposed 1998 Convolutional nets 2006 Deep nets trained 2011 Rectifier units 2015 Vision breakthrough 2016 Win at Go 2019 Turing Award • Enabled by − Big data − Flexible, easy to build models − Availability of GPUs − Efficient inference

  3. Deep learning with everything

  4. Deep learning in healthcare

  5. Much excitement about self-driving www.bsfilms.me - Black Sheep Films

  6. Self- driving in Oxford….

  7. Would you trust a self-driving car? Waymo early riders, Tesla, Uber, … In the UK FiveAI, Oxbotica , …

  8. Unwelcome news recently… How can this happen if we have 99.9% accuracy?

  9. An AI safety problem… • Complex scenarios - goals - perception - autonomy - situation awareness - context (social, regulatory) - trust - ethics • Safety-critical, so guarantees needed Credit: Anita Dufala/Public source • Should failure occur, accountability needs to be established

  10. Modelling challenges • Cyber-physical systems − hybrid combination of continuous and discrete dynamics, with stochasticity − autonomous control 0.1 0.4 0.5 • Data rich, data-enabled models − achieved through learning − parameter estimation − continuous adaptation • Heterogeneous components, including learning based − model-based design − automated verification via model checking − correct-by-construction model synthesis from specifications

  11. Probabilistic verification and synthesis • Stochasticity ever present − randomisation, uncertainty, risk • Need quantitative, probabilistic guarantees for: − safety, security, reliability, performance, resource usage, trust, authentication, … • Examples − (reliability ) “the probability of the car crashing in the next hour is less than 0.001” − (energy ) “energy usage is below 2000 mA per minute” • My focus is on automated, tool-supported methodologies − probabilistic model checker PRISM, www.prismmodelchecker.org − HVC 2016 Award (joint with Dave Parker and Gethin Norman) • Applied to a wide range of systems…

  12. OK, but what is probabilistic verification good for? 16

  13. Case study: Cardiac pacemaker • How it works − reads electrical signals through sensors in the right atrium and right ventricle − monitors the timing of heart beats and local electrical activity − generates artificial pacing signal as necessary • Safety-critical real-time system! • The guarantee • (basic safety) maintain 60-100 beats per minute − Killed by code: FDA recalls 23 defective pacemaker devices because of adverse health consequences or death, six likely caused by software defects (2010) 17

  14. Modelling framework Model the pacemaker and the heart, compose and verify Quantitative verification of implantable cardiac pacemakers over hybrid heart models. Chen et al , Information and Computation 2014

  15. Modelling framework

  16. Modelling framework

  17. Pacemaker verification • Basic guarantees − (basic safety) maintain 60-100 beats per minute − (energy usage) detailed analysis, plotted against timing parameters of the pacemaker • Advanced guarantees − rate-adaptive pacemaker, for patients with chronotropic deficiency − (advanced safety) adapt the rate to exercise and stress levels − in silico testing Closed-Loop Quantitative Verification of Rate-Adaptive Pacemakers. Paoletti et al , ACM Transactions on Cyber-Physical Systems 2018

  18. Synthetic ECG: healthy heart

  19. Bradycardia (slow heart rate)

  20. Bradycardia heart, paced

  21. Parameter synthesis for pacemakers • Can we adapt the pacing rate to patient’s ECG to − minimise energy usage? − maximise cardiac output? − explore trade offs? • The guarantee − (optimal timing delay synthesis): find values for timing delays that optimise a given objective, adapted to patient’s ECG • Significant improvement over default values Synthesising robust and optimal parameters for cardiac pacemakers using symbolic and evolutionary computation techniques. Kwiatkowska et al, HSB’16

  22. Trade offs in optimal delay synthesis

  23. Case study: ECG biometrics • Biometrics increasing in popularity − are they secure? • Nymi band − ECG used as a biometric identifier − biometric template created first − compared with real ECG signal • Proposed uses − for access into buildings and restricted spaces − for payment − etc Broken Hearted: How to Attack ECG Biometrics, Ebertz et al., In Proc NDSS 2017

  24. Attack on ECG biometrics • We use synthetic ECGs to impersonate a user − build model from data, 41 volunteers − inject synthetic signals to break authentication − 80% success rate • Results − serious weakness − countermeasures needed • Modelling essential, good for attacks …

  25. Case study: Transferability of attack • Beware your fitness tracker! • How easy it is to predict attacks when collecting data from different sources − ECG − eye movements − mouse movements − touchscreen dynamics − gait − etc • Human study − easy for eye movements − ECG more chaotic When your fitness tracker betrays you, Ebertz et al., In Proc S&P 2018

  26. Back to the challenge of autonomous driving… • Things that can go wrong in perception software - sensor failure - object detection failure • Machine learning software - not clear how it works - does not offer guarantees - Yet safety-critical applications Lidar image, Credit: Oxford Robotics Institute

  27. Deep neural networks can be fooled! • They are unstable wrt adversarial perturbations − often imperceptible changes to the image [Szegedy et al 2014, Biggio et al 2013 …] − sometimes artificial white noise − practical attacks, potential security risk − transferable between different architectures − not just image classification: also images segmentation, pose recognition, sentiment analysis…

  28. Training vs testing

  29. Should we worry about safety of self-driving? − Nexar Traffic Light Challenge: Red light classified as green with 68%/95%/78% confidence after one pixel change. • Deep neural networks are unstable wrt adversarial perturbations − Nexar Traffic Light Challenge: red light classified as green with 68%/95%/78% confidence after one pixel change 39 Feature-Guided Black-Box Safety Testing of Deep Neural Networks. Wicker et al , In Proc. TACAS, 2018.

  30. German traffic sign benchmark … stop 30m 80m 30m go go speed speed speed right straight limit limit limit Confidence 0.999964 0.99 Safety Verification of Deep Neural Networks. Huang et al , In Proc. CAV, 2017.

  31. Aren’t these artificial? Real traffic signs in Alaska! Need to consider physical attacks, not only digital…

  32. Safety of classification decisions • Safety assurance process is complex • Here focus on safety at a point as part of such a process − same as pointwise robustness… η x • Assume given y − trained network f : D → {c 1 ,… c k } − diameter for support region η − norm, e.g. L 2 , L ∞ • Define safety as invariance of classification decision over η − i.e. ∄ y ∈ η such that f(x) ≠ f( y) • Also wrt family of safe manipulations − e.g. scratches, weather conditions, camera angle, etc

  33. Training vs testing vs verification

  34. Searching for adversarial examples… • Input space for most neural networks is high dimensional and non-linear • Where do we start? • How can we apply structure to the problem? Image of a tree has • 4,000 x 2,000 x 3 dimensions = 24,000,000 dimensions We would like to find a • very ‘small’ change to these dimensions

  35. Feature-based representation • Employ the SIFT algorithm to extract features • Reduce dimensionality by focusing on salient features • Use a Gaussian mixture model in order to assign each pixel a probability based on its perceived saliency TACAS 2018, https://arxiv.org/abs/1710.07859

  36. Game-based search • Goal is finding adv. example, reward inverse of distance • Player 1 selects the feature that we will manipulate • Each feature represents a possible move for player 1 • Player 2 then selects the pixels in the feature to manipulate • Use Monte Carlo tree search to explore the game tree, while querying the network to align features • Method black/grey box, can approximate the maximum safe radius for a given input

  37. Guarantees for deep learning! • Prove that no adversarial examples exist in a neighbourhood around an input • Compute lower and upper bounds on maximal safety radius A Game-Based Approximate Verification of Deep Neural Networks with Provable Guarantees. Wu et al , CoRR abs/1807.03571, 2018.

  38. Evaluating safety-critical scenarios: Nexar • Using our Game-based Monte Carlo Tree Search method we were able to reduce the accuracy of the network form 95% to 0% • On average, each input took less than a second to manipulate (.304 seconds) • On average each image was vulnerable to 3 pixel changes

  39. 3D deep learning 56

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

EXACTLY SOL VABLE MEAN-FIELD MONOMER-DIMER MODELS Pierluigi Contucci, Department of Mathematics

EXACTLY SOL VABLE MEAN-FIELD MONOMER-DIMER MODELS Pierluigi Contucci, Department of Mathematics

Galileo Galilei Institute Florence, June 2014 EXACTLY SOL VABLE MEAN-FIELD MONOMER-DIMER MODELS Pierluigi Contucci, Department of Mathematics Alma Mater Studiorum - University of Bologna 1 Monomer-Dimer models describe systems with hard-

411 views • 25 slides
Cha Challenge: A llenge: Achie hieva vable or ble or Inconceiva Inconceivable? ble?

Cha Challenge: A llenge: Achie hieva vable or ble or Inconceiva Inconceivable? ble?

Independence Ballroom Advancing the HR Leader Solving the Wor Solving the W ork-Lif Life Balance e Balance Cha Challenge: A llenge: Achie hieva vable or ble or Inconceiva Inconceivable? ble? Sponsored By: 1:45pm 2:45pm Today is

1.2k views • 78 slides
Asses Assessmen sments ts to Identify to Identify Remo emova vable ble Cast Cast Walk

Asses Assessmen sments ts to Identify to Identify Remo emova vable ble Cast Cast Walk

Using Using Balance Balance and R and Reac each V h Velocity elocity Asses Assessmen sments ts to Identify to Identify Remo emova vable ble Cast Cast Walk alker Str er Strut ut Height Height Influence on P Influence on Patient

453 views • 17 slides
Routing in Cost-shared Networks: Equilibria and Dynamics Debmalya Panigrahi (joint works with

Routing in Cost-shared Networks: Equilibria and Dynamics Debmalya Panigrahi (joint works with

Routing in Cost-shared Networks: Equilibria and Dynamics Debmalya Panigrahi (joint works with Rupert Freeman and Sam Haney; Shuchi Chawla, Seffi Naor, Mohit Singh, and Seeun Umboh) set of agents want to route traffic from their respective

534 views • 41 slides
Organizing Deep Networks Edouard Oyallon advisor: Stphane Mallat following the works of

Organizing Deep Networks Edouard Oyallon advisor: Stphane Mallat following the works of

DATA 1 Organizing Deep Networks Edouard Oyallon advisor: Stphane Mallat following the works of Laurent Sifre, Joan Bruna, collaborators : Eugene Belilovsky, Sergey Zagoruyko, Bogdan Cirstea, Jrn Jacobsen, 2 DATA Classification

853 views • 42 slides
Organising Deep Networks Edouard Oyallon advisor: Stphane Mallat following the works of

Organising Deep Networks Edouard Oyallon advisor: Stphane Mallat following the works of

DATA 1 Organising Deep Networks Edouard Oyallon advisor: Stphane Mallat following the works of Laurent Sifre, Joan Bruna, collaborators : Eugene Belilovsky, Sergey Zagoruyko, Jrn Jacobsen, DATA 2 2 High Dimensional

362 views • 14 slides
Works will be presented Deep Convolutional Generative Adversarial Networks(DCGAN) Image

Works will be presented Deep Convolutional Generative Adversarial Networks(DCGAN) Image

Michael James Smiths rhyperealistic paintings Part 3 Image Editing with GANs Levent Karacan Computer Vision Lab, Hacettepe University Works will be presented Deep Convolutional Generative Adversarial Networks(DCGAN) Image Editing

1.17k views • 68 slides
Outline Why model neural networks? Modeling Neural Networks A brief look at the neuron.

Outline Why model neural networks? Modeling Neural Networks A brief look at the neuron.

Outline Why model neural networks? Modeling Neural Networks A brief look at the neuron. A look at some current works. Adding an evolutionary strategy. Paul Nuytten CPSC 607 Why Model Neural Networks? The Neuron The nervous

697 views • 4 slides
Web Caching Web Caching and wireless networks Next generation Wireless Networks Helsinki

Web Caching Web Caching and wireless networks Next generation Wireless Networks Helsinki

Web Caching Web Caching and wireless networks Next generation Wireless Networks Helsinki university of technology Csar Fernndez Gago Jean-Baptiste Escoyez 1 Index Web caching concepts Web caching issues How does it works?

417 views • 18 slides
THE POLITICS OF BLOCKCHAIN From Primus Inter Pares to Peer-to-Peer HOW BLOCKCHAIN WORKS In

THE POLITICS OF BLOCKCHAIN From Primus Inter Pares to Peer-to-Peer HOW BLOCKCHAIN WORKS In

THE POLITICS OF BLOCKCHAIN From Primus Inter Pares to Peer-to-Peer HOW BLOCKCHAIN WORKS In peer-to-peer networks, all the operations Peer-to-peer networks Proof-of-work equally rely on each node in the system. Digital signature Registry

328 views • 18 slides
Modeling Neural Networks Paul Nuytten CPSC 607 Outline Why model neural networks? A

Modeling Neural Networks Paul Nuytten CPSC 607 Outline Why model neural networks? A

Modeling Neural Networks Paul Nuytten CPSC 607 Outline Why model neural networks? A brief look at the neuron. A look at some current works. Adding an evolutionary strategy. Why Model Neural Networks? The nervous system is a

1.22k views • 23 slides
Street Works in RBK Allan Pike Lead Officer Network Operations Team The Networks Operations

Street Works in RBK Allan Pike Lead Officer Network Operations Team The Networks Operations

Street Works in RBK Allan Pike Lead Officer Network Operations Team The Networks Operations Team Lead Officer 3 Network Coordinators 3 Street Works Compliance Officers Roles of the Team Network Coordinators Assess permit applications

269 views • 11 slides
ArcelorMittal Newcastle Works June 2012 Contents About Newcastle Works Newcastle Works

ArcelorMittal Newcastle Works June 2012 Contents About Newcastle Works Newcastle Works

ArcelorMittal Newcastle Works June 2012 Contents About Newcastle Works Newcastle Works Management Drives People Highlights of Newcastle Works 1 About Newcastle Works 2 ArcelorMittal South Africa Vanderbijlpark plant

745 views • 49 slides
Public Works Department Public Works Department Public Works Department 2012-2017 Capital Works

Public Works Department Public Works Department Public Works Department 2012-2017 Capital Works

Public Works Department Public Works Department Public Works Department 2012-2017 Capital Works and Budget Presentation Manitoba Heavy Construction Association March 7, 2012 Public Works Department Annual Roads and Bridges Budget Year

354 views • 21 slides
Computer Networks CSE 461 3 Projects (10+15+15%) Group of 3 Can be same or different

Computer Networks CSE 461 3 Projects (10+15+15%) Group of 3 Can be same or different

Computer Networks CSE 461 3 Projects (10+15+15%) Group of 3 Can be same or different Individual assignments (20%) Mid term (20%) Final (20%) The Main Point 1. To learn how the Internet works What really happens when you

604 views • 47 slides
Ontario Works Program Ontario Works To be eligible for Ontario Works, an applicant must be:

Ontario Works Program Ontario Works To be eligible for Ontario Works, an applicant must be:

Ontario Works Program Ontario Works To be eligible for Ontario Works, an applicant must be: a resident of Ontario; in immediate financial need; and willing to participate in employment assistance activities. The amount of money

226 views • 19 slides
9/14/2019 Disclosures His Purkinje Conduction System Pacing Should be First Line Therapy for AV

9/14/2019 Disclosures His Purkinje Conduction System Pacing Should be First Line Therapy for AV

9/14/2019 Disclosures His Purkinje Conduction System Pacing Should be First Line Therapy for AV Block with Preserved LV function Advisory board - Boston Scientific - Eaglepoint LLC Speaker, Consultant, Research, - Medtronic Fellowship

488 views • 11 slides
Bridging the Gap between Structural and Statistical Pattern Recognition Horst Bunke Melchor

Bridging the Gap between Structural and Statistical Pattern Recognition Horst Bunke Melchor

Bridging the Gap between Structural and Statistical Pattern Recognition Horst Bunke Melchor Visiting Professor Department of Computer Science and Engineering University of Notre Dame and Institute of Computer Science and Applied Mathematics

662 views • 41 slides
Akila Viswanathan, MD MPH BWH/Dana-Farber Cancer Institute Harvard Medical School January 30,

Akila Viswanathan, MD MPH BWH/Dana-Farber Cancer Institute Harvard Medical School January 30,

Gyn e cologic Cancer InterGroup Cervix Cancer Research Network Interstitial Brachytherapy Akila Viswanathan, MD MPH BWH/Dana-Farber Cancer Institute Harvard Medical School January 30, 2016 Cervix Cancer Education Symposium, January 2016,

627 views • 47 slides
Analysis of Function Magnetic Resonance Images in R John Myles White April 6, 2010 John Myles

Analysis of Function Magnetic Resonance Images in R John Myles White April 6, 2010 John Myles

The fMRI Approach Experimental Design Linear Systems Theory Building a Linear Regression Model Alternative Approaches Analysis of Function Magnetic Resonance Images in R John Myles White April 6, 2010 John Myles White Analysis of Function

586 views • 34 slides
Functional Programming Practice Curtis Millar CSE, UNSW (and Data61) Term 2 2020 1 Overview

Functional Programming Practice Curtis Millar CSE, UNSW (and Data61) Term 2 2020 1 Overview

Overview Haskell Practice Homework Software System Design and Implementation Functional Programming Practice Curtis Millar CSE, UNSW (and Data61) Term 2 2020 1 Overview Haskell Practice Homework Recap: What is this course? Software must

713 views • 28 slides
From understanding self- organization in biology to managing artificial complex systems Fabrice

From understanding self- organization in biology to managing artificial complex systems Fabrice

From understanding self- organization in biology to managing artificial complex systems Fabrice Saffre & Jos Halloy Part 1: from living to artificial complex system Saffre & Halloy, 2005 Plan of the presentation Complex

1.33k views • 88 slides
Lets Make World Better Rajesh Gupta Director and CTO GreenIPCore, PlusQO Corp. Pvt. Ltd

Lets Make World Better Rajesh Gupta Director and CTO GreenIPCore, PlusQO Corp. Pvt. Ltd

Lets Make World Better Rajesh Gupta Director and CTO GreenIPCore, PlusQO Corp. Pvt. Ltd www.greenipcore.com About PlusQO PlusQO Corp. Pvt. Ltd is founded to develop State-of-Art Best Quality Products in the Different Established and New

503 views • 38 slides
Disclosures Physician Assisted Suicide & Euthanasia: Realities Beyond the No financial

Disclosures Physician Assisted Suicide & Euthanasia: Realities Beyond the No financial

Disclosures Physician Assisted Suicide & Euthanasia: Realities Beyond the No financial conflicts of interest Rhetoric Dr. Hooks comments are solely his own C. Christopher Hook, MD, FACP and do not necessarily reflect the views

386 views • 11 slides

More recommend