On Certifying Non-uniform Bounds against Adversarial Attacks Chen Liu † , Ryota Tomioka ‡ , Volkan Cevher † † ´ Ecole Polytechnique F´ ed´ erale de Lausanne ‡ Microsoft Research Cambridge June 11th, 2019 Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 1 / 9
Background Problem (Certification Problem) Given the label set C , a classification model f : R n → C and an input data point x ∈ R n , we would like to find the largest neighborhood S around x such that f ( x ) = f ( x ′ ) ∀ x ′ ∈ S . Set S is called adversarial budget and x ∈ S . Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 2 / 9
Motivation S ( p ) ǫ ( x ) = { x ′ = x + ǫ v |� v � p ≤ 1 } ǫ ∈ R Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 3 / 9
Motivation S ( p ) ǫ ( x ) = { x ′ = x + ǫ v |� v � p ≤ 1 } S ( p ) ǫ ( x ) = { x ′ = x + ǫ ⊙ v |� v � p ≤ 1 } ǫ ∈ R n ǫ ∈ R Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 3 / 9
Motivation S ( p ) ǫ ( x ) = { x ′ = x + ǫ v |� v � p ≤ 1 } S ( p ) ǫ ( x ) = { x ′ = x + ǫ ⊙ v |� v � p ≤ 1 } ǫ ∈ R n ǫ ∈ R Advantages of non-uniform bounds: Larger overall volumes. Quantitative metric of feature robustness. Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 3 / 9
Formulation A N -layer fully connected neural network, parameterized by { W ( i ) , b ( i ) } N − 1 i =1 z ( i +1) = W ( i ) ˆ z ( i ) + b ( i ) i = 1 , 2 , ..., N − 1 (1) z ( i ) = σ ( z ( i ) ) ˆ i = 2 , 3 , ..., N − 1 Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 4 / 9
Formulation A N -layer fully connected neural network, parameterized by { W ( i ) , b ( i ) } N − 1 i =1 z ( i +1) = W ( i ) ˆ z ( i ) + b ( i ) i = 1 , 2 , ..., N − 1 (1) z ( i ) = σ ( z ( i ) ) ˆ i = 2 , 3 , ..., N − 1 Given a model { W ( i ) , b ( i ) } and a data point x labeled as c ∈ C , we want to n 1 − 1 � min − log ǫ j ǫ j =0 z (1) ∈ S ǫ ( x ) ˆ (2) z ( i +1) = W ( i ) ˆ z ( i ) + b ( i ) i = 1 , 2 , ..., N − 1 z ( i ) = σ ( z ( i ) ) ˆ i = 2 , 3 , ..., N − 1 − z ( N ) z ( N ) ≥ δ j = 0 , 1 ,..., n N − 1; j � = c c j Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 4 / 9
Formulation A N -layer fully connected neural network, parameterized by { W ( i ) , b ( i ) } N − 1 i =1 z ( i +1) = W ( i ) ˆ z ( i ) + b ( i ) i = 1 , 2 , ..., N − 1 (1) z ( i ) = σ ( z ( i ) ) ˆ i = 2 , 3 , ..., N − 1 Given a model { W ( i ) , b ( i ) } and a data point x labeled as c ∈ C , we want to n 1 − 1 � min − log ǫ j ǫ j =0 z (1) ∈ S ǫ ( x ) ˆ (2) z ( i +1) = W ( i ) ˆ z ( i ) + b ( i ) i = 1 , 2 , ..., N − 1 z ( i ) = σ ( z ( i ) ) ˆ i = 2 , 3 , ..., N − 1 − z ( N ) z ( N ) ≥ δ j = 0 , 1 ,..., n N − 1; j � = c c j Generally intractable (at least NP-complete)! [Weng et al. 18] Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 4 / 9
Formulation A N -layer fully connected neural network, parameterized by { W ( i ) , b ( i ) } N − 1 i =1 z ( i +1) = W ( i ) ˆ z ( i ) + b ( i ) i = 1 , 2 , ..., N − 1 (1) z ( i ) = σ ( z ( i ) ) ˆ i = 2 , 3 , ..., N − 1 Given a model { W ( i ) , b ( i ) } and a data point x labeled as c ∈ C , we want to n 1 − 1 � min − log ǫ j ǫ j =0 z (1) ∈ S ǫ ( x ) ˆ (2) z ( i +1) = W ( i ) ˆ z ( i ) + b ( i ) i = 1 , 2 , ..., N − 1 z ( i ) = σ ( z ( i ) ) ˆ i = 2 , 3 , ..., N − 1 − u ( N ) l ( N ) ≥ δ j = 0 , 1 ,..., n N − 1; j � = c c j Generally intractable (at least NP-complete)! [Weng et al. 18] Relax the output logits! Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 4 / 9
Optimization l ( N ) and u ( N ) are differentiable w.r.t. ǫ . Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 5 / 9
Optimization l ( N ) and u ( N ) are differentiable w.r.t. ǫ . The relaxation problem is tractable n 1 − 1 � min − log ǫ j ǫ , y ≥ 0 (3) j =0 − u ( N ) s . t . l ( N ) j � = c − δ = y c Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 5 / 9
Optimization l ( N ) and u ( N ) are differentiable w.r.t. ǫ . The relaxation problem is tractable n 1 − 1 � min − log ǫ j ǫ , y ≥ 0 (3) j =0 − u ( N ) s . t . l ( N ) j � = c − δ = y c The problem can be solved by Augmented Lagrangian Method n 1 − 1 + � λ , v − y � + ρ � 2 � v − y � 2 max ǫ , y ≥ 0 − min log ǫ j (4) 2 λ j =0 v is defined as l ( N ) − u ( N ) j � = c − δ c Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 5 / 9
Experiments General Result Dataset Architecture Training Method Uniform Non-uniform Ratio - 0.0295 0.0349 1.183 100-100-100 PGD, τ = 0 . 1 0.0692 0.1678 2.425 - 0.0309 0.0350 1.133 MNIST 300-300-300 PGD, τ = 0 . 1 0.0507 0.1404 2.769 - 0.0319 0.0360 1.129 500-500-500 PGD, τ = 0 . 1 0.0436 0.1167 2.677 - 0.0397 0.0518 1.305 Fashion-MNIST 1024-1024-1024 PGD, τ = 0 . 1 0.0446 0.1134 2.543 - 0.0022 0.0072 3.273 SVHN 1024-1024-1024 PGD, τ = 0 . 1 0.0054 0.0281 5.204 Table: Average of uniform and non-uniform bounds in the test sets. Larger volumes covered by non-uniform bounds, especially for robust models. Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 6 / 9
Experiments Robustness and Feature Selection 100 normal normal robust robust 800 80 600 60 pixels pixels 400 40 200 20 0 0 0.00 0.05 0.10 0.15 0.20 0.25 0.30 0.35 0.40 0.00 0.02 0.04 0.06 0.08 0.10 bound bound Figure: Examples of distributions of bounds for normal and robust models among all pixels. (Left: MNIST, Right: SVHN) Features of very large bounds → Features dropped Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 7 / 9
Experiments Robustness and Interpretability We can visualize bounding map ǫ ∈ R n like an input data point. The bounding maps demonstrate better interpretability of robust models. Figure: Left: between digit 1 and 7. Right: between digit 3 and 8. Lighter pixels mean smaller bounds. Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 8 / 9
More Details Welcome to Poster #63 Code on GitHub: Certify Nonuniform Bounds Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 9 / 9
More Details Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 9 / 9
Recommend
More recommend
