obfuscated gradients
play

Obfuscated Gradients Give a False Sense of Security: Circumventing - PowerPoint PPT Presentation

Sep 18, 2023 •451 likes •1.13k views

Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples Anish Athalye* 1 , Nicholas Carlini * 2 , and David Wagner 3 1 Massachusetts Institute of Technology 2 University of California, Berkeley (now

  1. Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples Anish Athalye* 1 , Nicholas Carlini * 2 , and David Wagner 3 1 Massachusetts Institute of Technology 2 University of California, Berkeley (now Google Brain) 3 University of California, Berkeley

  2. How and Why

  3. Act I Background: Adversarial Examples for Neural Networks

  9. Why should we care about adversarial examples? Make ML Make ML robust better

  11. 13 total defense papers at ICLR'18 9 are white-box, non-certified 6 of these are broken 
 (~0% accuracy) 1 of these is partially broken

  13. How did we evade them? Why we able to evade them?

  15. Act II HOW: Our Attacks

  16. How do we generate adversarial examples?

  17. neural network loss 
 MAXIMIZE on the given input the perturbation is less SUCH THAT than a given threshold

  18. Why can we generate adversarial examples (with gradient descent)?

  19. Truck Dog Airplane

  20. ( (

  22. We find that 7 of 9 ICLR defenses rely on the same artifact: obfuscated gradients

  26. "Fixing" Gradient Descent [0.1, 
 0.3, 0.0, 
 0.2, 0.4]

  28. Act III WHY: 
 Evaluation Methodology

  29. Serious effort 
 to evaluate 
 By space, most papers are ½ evaluation

  30. What went wrong then?

  31. acc, loss = model.evaluate( 
 x_test, y_test) Is no longer sufficient.

  32. There is no single test set for security

  33. The only thing that matters is robustness against an adversary 
 targeting the defense

  35. The purpose of a defense evaluation is NOT to show the defense is RIGHT

  36. The purpose of a defense evaluation is to FAIL to show the defense is WRONG

  39. Act IV Making & Measuring 
 Progress

  40. Strive for simplicity over complexity

  45. What metric should we optimize?

  46. Threat Model The set of assumptions 
 we place on the adversary

  47. In the context of adversarial examples: 1. Perturbation Bounds & Measure 2. Model Access & Knowledge

  48. The threat model MUST assume the attacker has read the paper and knows the defender is using those techniques to defend.

  49. Metrics for Success Accuracy under More permissive existing threat models threat models

  50. "making the attacker think more" 
 is not (usually) progress The threat model doesn't limit the attacker's approach

  52. Act V Conclusion

  53. A paper can only do so much in an evaluation.

  54. A paper can only do so much in an evaluation. We need more re-evaluation papers.

  55. So you want to build a defense? "Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break." -- Bruce Schneier

  56. So you want to build a defense? As a corollary: learn to break defenses before you try to build them If you can't break the state-of-the-art, you are unlikely to be able to build on it

  57. Challenging Suggestions Defense-GAN on MNIST We were able to break it only partially Samangouei et al . 2018 ("Defense-GAN...") "Strong" Adversarial Training on CIFAR We were not able to break it at all Madry et al. 2018 ("Towards Deep...")

  58. Visit our poster & originally scheduled talk 
 (Today, #110) & (Tomorrow, A7 @ 2:50) Email us Anish: aathalye@mit.edu Me: nicholas@carlini.com Track Progress Source Code robust-ml.org git.io/obfuscated-gradients

  61. Did we get it right? 1. We reproduced the original claims against the 
 (weak) attacks initially attempted 
 2. We showed the papers authors' our results 
 3. It's possible we didn't. But our code is public: 
 https://github.com/anishathalye/obfuscated-gradients

  62. Isn't this just gradient masking? The short answer: No , if it were, we wouldn't 
 have seen 7 of 9 ICLR defenses relying on it.

  63. X defense has multiple parts, but you only broke each part separately. True. Usually, an ensemble several weaker defenses is not an effective defense strategy, unless there is an 
 argument they cover each other's weaknesses. He et al. "Adversarial Example Defenses: Ensembles of Weak Defenses are not Strong". WOOT'18.

  64. Did you try X with adversarial training? Not usually. In some cases the combination is worse than adversarial training alone

  65. Specific advice for performing evaluations - Carlini et al. 2017 & S&P ("Towards Evaluating ...") - Athalye et al. 2018 @ ICML ("Obfuscated ...") - Madry et al. 2018 @ ICLR ("Towards Deep...") - Uesato et al. 2018 @ ICML ("Adversarial Risk...") Details in our originally-scheduled talk, Tomorrow @ 2:50 in A7

  66. There is a true notion of robustness, for a computationally unbounded adversary. We are forced to approximate this. Adversarial Risk and the Dangers of Evaluating Against Weak Attacks. 
 Jonathan Uesato, Brendan O'Donoghue, Aaron van den Oord, Pushmeet Kohli. 
 ICML 2018.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial

Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial

Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples Anish Athalye* 1 , Nicholas Carlini * 2 , and David Wagner 3 1 Massachusetts Institute of Technology 2 University of California, Berkeley (now

540 views • 50 slides
Blended Conditional Gradients: The unconditioning of conditional gradients Joint work with Gabor

Blended Conditional Gradients: The unconditioning of conditional gradients Joint work with Gabor

Blended Conditional Gradients: The unconditioning of conditional gradients Joint work with Gabor Braun, Sebastian Pokutta, Steve Wright Dan Tu 1/9 CONDITIONAL GRADIENTS: PROJECTION-FREE Given a polytope ! , solve the optimization problem: min

109 views • 9 slides
Outline Last time Image gradients Seam carving gradients as energy Edges

Outline Last time Image gradients Seam carving gradients as energy Edges

CS 376 Spring 2018 - Lecture 4 1/30/2018 Outline Last time Image gradients Seam carving gradients as energy Edges and binary images Today Tues Jan 30, 2018 Gradients edges and contours Kristen Grauman

647 views • 20 slides
Natural Policy Gradients (cont.) Katerina Fragkiadaki Revision Policy Gradients 1.

Natural Policy Gradients (cont.) Katerina Fragkiadaki Revision Policy Gradients 1.

Carnegie Mellon School of Computer Science Deep Reinforcement Learning and Control Natural Policy Gradients (cont.) Katerina Fragkiadaki Revision Policy Gradients 1. Collect trajectories for policy 2. Estimate advantages A 3.

941 views • 76 slides
The oxygen abundance gradients of galaxies in the Eagle simulations Patricia B. Tissera

The oxygen abundance gradients of galaxies in the Eagle simulations Patricia B. Tissera

The oxygen abundance gradients of galaxies in the Eagle simulations Patricia B. Tissera Universidad Andres Bello Millennium Institute of Astrophysics Metallicity gradients in disc galaxies What drives metallicity gradients in Ho+2015 discs

281 views • 11 slides
Obfuscated Circuits with Capabilities and Performance Beyond the SAT Attacks Conference on

Obfuscated Circuits with Capabilities and Performance Beyond the SAT Attacks Conference on

SMT Attack : Next Generation Attack on Obfuscated Circuits with Capabilities and Performance Beyond the SAT Attacks Conference on Cryptographic Hardware and Embedded Systems 2019 ( CHES 2019 ) Kimia Zamiri Azar , Hadi Mardani Kamali, Houman

701 views • 69 slides
Non-Obfuscated Yet Unprovable Programs John Case Michael Ralston Computer and Information

Non-Obfuscated Yet Unprovable Programs John Case Michael Ralston Computer and Information

Non-Obfuscated Yet Unprovable Programs John Case Michael Ralston Computer and Information Sciences Department University of Delaware Newark, DE 19716 USA Email: { case , mralston } @udel.edu Revision of Talk at Asian Logic Conference 2011

682 views • 41 slides
Toward Automated Forensic Analysis of Obfuscated Malware Ryan J. Farley George Mason University

Toward Automated Forensic Analysis of Obfuscated Malware Ryan J. Farley George Mason University

Toward Automated Forensic Analysis of Obfuscated Malware Ryan J. Farley George Mason University Department of Computer Science Committee: Xinyuan Wang, Hakan Aydin, Songqing Chen, Brian Mark Where Innovation Is Tradition April 24, 2015

611 views • 59 slides
Context-Sensitive Analysis of Obfuscated x86 Executables Arun Lakhotia(1), Davidson Boccardo(2),

Context-Sensitive Analysis of Obfuscated x86 Executables Arun Lakhotia(1), Davidson Boccardo(2),

Context-Sensitive Analysis of Obfuscated x86 Executables Arun Lakhotia(1), Davidson Boccardo(2), Anshuman Singh(1), and Aleardo Manacero Jr.(2) (1)University of Louisiana at Lafayette, USA (2)Paulista State University (UNESP), Brazil PEPM 2010

309 views • 29 slides
Guided Evolutionary Strategies Augmenting random search with surrogate gradients Niru

Guided Evolutionary Strategies Augmenting random search with surrogate gradients Niru

Guided Evolutionary Strategies Augmenting random search with surrogate gradients Niru Maheswaranathan // Google Research, Brain Team Joint work with: Luke Metz, George Tucker, Dami Choi, Jascha Sohl-dickstein Optimizing with surrogate gradients

379 views • 24 slides
Unintended Conseqences Obfuscated Attacks on TLDs Eberhard W Lisse & Alejandra Reynoso

Unintended Conseqences Obfuscated Attacks on TLDs Eberhard W Lisse & Alejandra Reynoso

Unintended Conseqences Obfuscated Attacks on TLDs Eberhard W Lisse & Alejandra Reynoso Namibian Network Information Center & Universidad del Valle de Guatemala 2017-06-26 Lisse & Reynoso (Johannesburg) Unintended Conseqences

202 views • 19 slides
Recovering Clear, Natural Identifiers from Obfuscated (JavaScript) Names @b_vasilescu Today

Recovering Clear, Natural Identifiers from Obfuscated (JavaScript) Names @b_vasilescu Today

Bogdan Vasilescu Casey Casalnuovo Prem Devanbu (CMU, ISR) (UCDavis) (UCDavis) @b_vasilescu @devanbu Recovering Clear, Natural Identifiers from Obfuscated (JavaScript) Names @b_vasilescu Today var geom2d = function() { var t =

1.11k views • 61 slides
Compostional Gradients in Petroleum Reservoirs Curtis H. Whitson (U. Trondheim) Paul Belery (Fina

Compostional Gradients in Petroleum Reservoirs Curtis H. Whitson (U. Trondheim) Paul Belery (Fina

SPE 28000 Compostional Gradients in Petroleum Reservoirs Curtis H. Whitson (U. Trondheim) Paul Belery (Fina Exploration Norway) Compositional Gradients When & Why Are They Important? Determining Original Hydrocarbons (IOIP/IGIP)

357 views • 32 slides
Modeling Velocity Gradients in an OBC, First-Break Positioning Algorithm Noel Zinn Western

Modeling Velocity Gradients in an OBC, First-Break Positioning Algorithm Noel Zinn Western

Modeling Velocity Gradients in an OBC, First-Break Positioning Algorithm Noel Zinn Western Geophysical EAGE Geneva 1997 In this talk I provide an overview of the modeling of vertical and lateral velocity gradients that can be sources of

403 views • 25 slides
The Effects of Thermal Gradients in Automotive Battery Packs Balancing Strategy Dr Alastair

The Effects of Thermal Gradients in Automotive Battery Packs Balancing Strategy Dr Alastair

The Effects of Thermal Gradients in Automotive Battery Packs Balancing Strategy Dr Alastair Hales Mechanical Engineering Imperial College London Thermal Performance of Lithium-Ion Batteries Temperature effects Thermal gradients in

550 views • 17 slides
Histograms of Oriented Gradients for Human Detection N. Dalal and B. Triggs CVPR 2005 HOG Steps

Histograms of Oriented Gradients for Human Detection N. Dalal and B. Triggs CVPR 2005 HOG Steps

Histograms of Oriented Gradients for Human Detection N. Dalal and B. Triggs CVPR 2005 HOG Steps HOG feature extraction Compute centered horizontal and vertical gradients with no smoothing Compute gradient orientation and magnitudes

181 views • 7 slides
Cybercrime Kill Chain vs. Effec4veness of Defense Layers

Cybercrime Kill Chain vs. Effec4veness of Defense Layers

Cybercrime Kill Chain vs. Effec4veness of Defense Layers Dr. Stefan Frei & Francisco Arts @stefan_frei @franklyfranc

787 views • 60 slides
Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los Chief Security Evangelist HP Software Shane MacDougall Principal Tactical Intelligence Modern threat modeling is a defensive response to

783 views • 52 slides
Adversarial Robustness via Runtime Masking and Cleansing Yi-Hsuan Wu Chia-Hung Yuan Shan-Hung

Adversarial Robustness via Runtime Masking and Cleansing Yi-Hsuan Wu Chia-Hung Yuan Shan-Hung

Adversarial Robustness via Runtime Masking and Cleansing Yi-Hsuan Wu Chia-Hung Yuan Shan-Hung Wu Department of Computer Science, National Tsing Hua University, Taiwan International Conference on Machine Learning, 2020 Y.H. Wu, C.H. Yuan,

1.3k views • 52 slides
Mag Net A Two-Pronged Defense against Adversarial Examples Dongyu Meng Hao Chen ShanghaiTech

Mag Net A Two-Pronged Defense against Adversarial Examples Dongyu Meng Hao Chen ShanghaiTech

Mag Net A Two-Pronged Defense against Adversarial Examples Dongyu Meng Hao Chen ShanghaiTech University, China University of California, Davis, USA Neural networks in real-life applications user authentication autonomous

599 views • 30 slides
The case for dynamic defenses against adversarial examples Ian Goodfellow SafeML ICLR Workshop

The case for dynamic defenses against adversarial examples Ian Goodfellow SafeML ICLR Workshop

The case for dynamic defenses against adversarial examples Ian Goodfellow SafeML ICLR Workshop 2019-05-06 New Orleans Based on https://arxiv.org/pdf/1903.06293.pdf Definition Adversarial examples are inputs to machine learning models that

411 views • 22 slides
The material below presents the briefing slide text accompanied by recommended oral comments for

The material below presents the briefing slide text accompanied by recommended oral comments for

The material below presents the briefing slide text accompanied by recommended oral comments for people interested in military reform to give to audiences. While the presentation was created in the 1980s, it is remarkably relevant to the defense

521 views • 22 slides
Website fingerprinting on Tor: attacks and defenses Claudia Diaz KU Leuven Joint work with: Marc

Website fingerprinting on Tor: attacks and defenses Claudia Diaz KU Leuven Joint work with: Marc

Website fingerprinting on Tor: attacks and defenses Claudia Diaz KU Leuven Joint work with: Marc Juarez , Sadia Afroz, Gunes Acar, Rachel Greenstadt, Mohsen Imani, Mike Perry, Matthew Wright Post-Snowden Cryptography Workshop Brussels, December

754 views • 52 slides
Outline 2 Motivation Current cyber defense landscape & open questions Pro-active

Outline 2 Motivation Current cyber defense landscape & open questions Pro-active

A DVERSARIAL AND U NCERTAIN R EASONING FOR A DAPTIVE C YBER D EFENSE : B UILDING THE S CIENTIFIC F OUNDATION Sushil Jajodia George Mason University IEEE International 5G Summit, Reston, Virginia August 19, 2017 Outline 2 Motivation

863 views • 41 slides

More recommend