SLIDE 1 On the (In-)Security
Nicholas Carlini
Google Brain
SLIDE 7
Written: Sept 24, 2014
Today: Oct 16, 2018
... 4 years ago
SLIDE 10
So how are we doing?
SLIDE 11
95% it is a French Bulldog
SLIDE 12
83% it is a Old English Sheepdog
SLIDE 13
78% it is a Greater Swiss Mountain Dog
SLIDE 14
67% it is a Great Dane
SLIDE 15
99.99% it is Guacamole
SLIDE 16
96% it is a Golden Retriever
SLIDE 17
99.99% it is Guacamole
SLIDE 18 This phenomenon is known as an adversarial example
- B. Biggio, I. Corona, D. Maiorca, B. Nelson, N. Srndic, P. Laskov, G. Giacinto, and F. Roli. Evasion attacks against machine learning at test time. ECML PKDD 2013.
- C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus. Intriguing properties of neural networks. ICLR 2014.
- I. Goodfellow, J. Shlens, and C. Szegedy. Explaining and harnessing adversarial examples. ICLR 2015 (arXiv 2014).
SLIDE 23
Why should we care about adversarial examples?
- Make ML robust
- Make ML better
SLIDE 26
How do we generate adversarial examples?
SLIDE 27 DEFN: The loss of a neural network on an input x for a label y is a measure of how wrong the network is on x.
SLIDE 28
loss([dog image], dog) is small; loss([dog image], guacamole) is large
SLIDE 29
MAXIMIZE neural network loss
SUCH THAT the perturbation is less than a given threshold
SLIDE 30
What do we need to know? Everything.
SLIDE 34
WHY does this work?
SLIDE 36 Dog Truck Airplane
SLIDE 37
SLIDE 39
Okay, lesson learned. Don't classify dogs with neural networks.
SLIDE 41
99.99% it is a School Bus
SLIDE 42
Okay, lesson learned. Don't classify [dogs → images] with neural networks.
SLIDE 44
And now for something completely different
SLIDE 45
Mozilla's DeepSpeech transcribes this as "most of them were staring quietly at the big table"
SLIDE 48
What about this?
SLIDE 49 "It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity"
SLIDE 54
Okay, lesson learned. Don't classify images with neural networks.
SLIDE 57
Okay, lesson learned. Don't let adversaries perform gradient descent.
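To make these lessons concrete, here is an added example (my code, not the talk's and not from any of the cited papers). A toy logistic-regression "network" over 64 synthetic features stands in for pixels, and one clean "dog" is attacked three ways: as on slides 27-29, by maximising the loss subject to a perturbation threshold with exact gradients (white-box: we know everything); as in the lesson on slide 58, with no gradients at all, only the model's output probabilities, from which the gradient is estimated by finite differences; and as in the lesson on slide 68, by crafting the example on a model the attacker trained themselves and checking it against the victim model the attacker never touched. The training data, the class names, the budget EPS = 0.1, the step schedule and every identifier below are assumptions chosen for the demo.

```python
"""Added example, not code from the talk. Runs the attack on slides 27-29,
    maximise loss(x + delta, y)  such that  max_i |delta_i| <= threshold,
with white-box gradients, then with query-only access (gradient estimated
from output probabilities), then transferred from the attacker's own model.
The "network" is a toy logistic regression over 64 synthetic features
(0 = "dog", 1 = "guacamole"); data, budget and step sizes are assumptions."""
import math
import random

D = 64           # input features (stand-in for pixels)
EPS = 0.1        # L-infinity budget: the "given threshold"
STEPS = 10       # PGD iterations
ALPHA = EPS / 4  # step size per iteration


def make_data(n_per_class=64, seed=0):
    """Constructed data: class 0 centred at 0.45, class 1 at 0.55 on every
    feature, Gaussian noise sigma 0.06, so no single feature separates them."""
    rng = random.Random(seed)
    xs, ys = [], []
    for y, centre in ((0, 0.45), (1, 0.55)):
        for _ in range(n_per_class):
            xs.append([min(1.0, max(0.0, rng.gauss(centre, 0.06))) for _ in range(D)])
            ys.append(y)
    return xs, ys


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class ToyModel:
    """p(guacamole | x) = sigmoid(w . (x - 0.5) + b), trained by full-batch
    gradient descent on the logistic loss (inputs centred at 0.5)."""

    def __init__(self, xs, ys, epochs=80, lr=2.0):
        self.w, self.b = [0.0] * D, 0.0
        n = len(xs)
        for _ in range(epochs):
            gw, gb = [0.0] * D, 0.0
            for x, y in zip(xs, ys):
                err = self.prob(x) - y            # d loss / d logit
                gb += err
                for i in range(D):
                    gw[i] += err * (x[i] - 0.5)
            self.w = [wi - lr * g / n for wi, g in zip(self.w, gw)]
            self.b -= lr * gb / n

    def prob(self, x):
        return sigmoid(sum(wi * (xi - 0.5) for wi, xi in zip(self.w, x)) + self.b)

    def predict(self, x):
        return 1 if self.prob(x) > 0.5 else 0

    def loss(self, x, y):
        """Cross-entropy: how wrong the model is on x for label y."""
        p = self.prob(x)
        return -math.log(p if y == 1 else 1.0 - p)

    def grad_x(self, x, y):
        """Exact input gradient of the loss: white-box, we know everything."""
        err = self.prob(x) - y
        return [err * wi for wi in self.w]


class QueryOracle:
    """Black-box access: only output probabilities, no weights or gradients.
    The gradient is estimated by central finite differences, 2*D queries each."""

    def __init__(self, model, h=1e-3):
        self.model, self.h, self.queries = model, h, 0

    def loss(self, x, y):
        self.queries += 1
        p = self.model.prob(x)                    # the only thing we can see
        return -math.log(p if y == 1 else 1.0 - p)

    def estimate_grad(self, x, y):
        g = []
        for i in range(D):
            xp, xm = list(x), list(x)
            xp[i] += self.h
            xm[i] -= self.h
            g.append((self.loss(xp, y) - self.loss(xm, y)) / (2 * self.h))
        return g


def pgd(x, y, grad_fn):
    """Projected gradient ascent on the loss: move every feature by ALPHA in
    the direction that increases the loss, then project back into the budget
    |delta_i| <= EPS and the valid input range [0, 1]."""
    delta = [0.0] * D
    for _ in range(STEPS):
        g = grad_fn([xi + di for xi, di in zip(x, delta)], y)
        for i in range(D):
            sign = (g[i] > 0) - (g[i] < 0)
            d = max(-EPS, min(EPS, delta[i] + ALPHA * sign))
            delta[i] = max(0.0, min(1.0, x[i] + d)) - x[i]
    return [xi + di for xi, di in zip(x, delta)]


def demo():
    xs, ys = make_data(seed=0)
    victim = ToyModel(xs, ys)
    x, y = xs[0], ys[0]                               # a clean "dog"
    linf = lambda a: max(abs(ai - xi) for ai, xi in zip(a, x))
    white = pgd(x, y, victim.grad_x)                  # slide 29: exact gradients
    oracle = QueryOracle(victim)
    black = pgd(x, y, oracle.estimate_grad)           # slide 58: queries only
    surrogate = ToyModel(*make_data(seed=1))          # slide 68: attacker's own model
    transferred = pgd(x, y, surrogate.grad_x)         # never touched the victim
    return {
        "clean_pred": victim.predict(x),
        "whitebox_pred": victim.predict(white), "whitebox_linf": linf(white),
        "blackbox_pred": victim.predict(black), "blackbox_queries": oracle.queries,
        "transfer_pred": victim.predict(transferred), "transfer_linf": linf(transferred),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

All three `*_pred` entries flip from 0 (dog) to 1 (guacamole) while every `*_linf` stays within EPS, and the black-box path pays 2*D queries per gradient estimate, which is the real price of withholding gradients: queries, not security. The per-feature change of 0.1 is comparable to the noise already in each feature, yet summed over 64 features it crosses the decision boundary, the same linear accumulation that makes imperceptible pixel changes work on real networks. The model is deliberately a linear toy so the code stays short; any differentiable classifier fits the white-box path and any prediction API fits the oracle, with the PGD loop unchanged.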
SLIDE 67
Okay, lesson learned. Don't let adversaries have ANY access to my model.
SLIDE 70
Okay, lesson learned. Give up.
SLIDE 75
Yes, machine learning gives amazing results
SLIDE 76 Guacamole (99%)
However, there are also significant vulnerabilities.
SLIDE 77
https://nicholas.carlini.com nicholas@carlini.com
Questions?