provably robust boosted decision stumps and trees against
play

Provably Robust Boosted Decision Stumps and Trees against - PowerPoint PPT Presentation

Aug 29, 2022 •147 likes •848 views

Provably Robust Boosted Decision Stumps and Trees against Adversarial Attacks Maksym Andriushchenko (EPFL ) Matthias Hein (University of T ubingen) Work done at the University of T ubingen SMLD 2019, NeurIPS 2019 Stumps Trees

  1. Provably Robust Boosted Decision Stumps and Trees against Adversarial Attacks Maksym Andriushchenko (EPFL ∗ ) Matthias Hein (University of T¨ ubingen) ∗ Work done at the University of T¨ ubingen SMLD 2019, NeurIPS 2019 Stumps Trees Plain boosted stumps Robust boosted stumps Plain boosted trees Robust boosted trees 1.00 1.00 1.00 1.00 0.75 0.75 0.75 0.75 0.50 0.50 0.50 0.50 0.25 0.25 0.25 0.25 0.00 0.00 0.00 0.00 0.00 0.25 0.50 0.75 1.00 0.00 0.25 0.50 0.75 1.00 0.00 0.25 0.50 0.75 1.00 0.00 0.25 0.50 0.75 1.00 Maksym Andriushchenko (EPFL) 1

  2. Adversarial vulnerability Source: Goodfellow et al, “Explaining and Harnessing Adversarial Examples”, 2014 Maksym Andriushchenko (EPFL) 2

  3. Adversarial vulnerability Source: Goodfellow et al, “Explaining and Harnessing Adversarial Examples”, 2014 Problem : small changes in the input ⇒ large changes in the output Maksym Andriushchenko (EPFL) 2

  4. Adversarial vulnerability Source: Goodfellow et al, “Explaining and Harnessing Adversarial Examples”, 2014 Problem : small changes in the input ⇒ large changes in the output Topic of active research for neural networks and image recognition, but what about other domains and other classifiers ? Maksym Andriushchenko (EPFL) 2

  5. Motivation: other domains (going beyond images) Some input feature values can be incorrect : measurement noise, a human mistake, an adversarially crafted change, etc. Maksym Andriushchenko (EPFL) 3

  6. Motivation: other domains (going beyond images) Some input feature values can be incorrect : measurement noise, a human mistake, an adversarially crafted change, etc. For high-stakes decision making, it’s necessary to ensure a reasonable worst-case error rate under possible noise perturbations Maksym Andriushchenko (EPFL) 3

  7. Motivation: other domains (going beyond images) Some input feature values can be incorrect : measurement noise, a human mistake, an adversarially crafted change, etc. For high-stakes decision making, it’s necessary to ensure a reasonable worst-case error rate under possible noise perturbations The expected perturbation range can be specified by domain experts Maksym Andriushchenko (EPFL) 3

  8. Motivation: other classifiers Our paper : we concentrate on boosted decision stumps and trees Maksym Andriushchenko (EPFL) 4

  9. Motivation: other classifiers Our paper : we concentrate on boosted decision stumps and trees They are widely adopted in practice – implementations like XGBoost or LightGBM are used almost in every Kaggle competition Maksym Andriushchenko (EPFL) 4

  10. Motivation: other classifiers Our paper : we concentrate on boosted decision stumps and trees They are widely adopted in practice – implementations like XGBoost or LightGBM are used almost in every Kaggle competition Moreover, boosted trees are interpretable which is also an important practical aspect. Who wants to deploy a black-box? Maksym Andriushchenko (EPFL) 4

  11. Motivation: other classifiers Our paper : we concentrate on boosted decision stumps and trees They are widely adopted in practice – implementations like XGBoost or LightGBM are used almost in every Kaggle competition Moreover, boosted trees are interpretable which is also an important practical aspect. Who wants to deploy a black-box? = ⇒ it is important to develop boosted trees which are robust , but first we need to understand the reason of their vulnerability Maksym Andriushchenko (EPFL) 4

  12. Motivation: other classifiers Our paper : we concentrate on boosted decision stumps and trees They are widely adopted in practice – implementations like XGBoost or LightGBM are used almost in every Kaggle competition Moreover, boosted trees are interpretable which is also an important practical aspect. Who wants to deploy a black-box? = ⇒ it is important to develop boosted trees which are robust , but first we need to understand the reason of their vulnerability So why do adversarial examples exist? Maksym Andriushchenko (EPFL) 4

  13. Plain boosted stumps Robust boosted stumps 1.00 1.00 0.75 0.75 0.50 0.50 0.25 0.25 0.00 0.00 0.00 0.25 0.50 0.75 1.00 0.00 0.25 0.50 0.75 1.00 Understanding adversarial vulnerability What goes wrong and how to fix it? Maksym Andriushchenko (EPFL) 5

  14. Understanding adversarial vulnerability What goes wrong and how to fix it? We would like to have a large geometric margin for every point Plain boosted stumps Robust boosted stumps 1.00 1.00 0.75 0.75 0.50 0.50 0.25 0.25 0.00 0.00 0.00 0.25 0.50 0.75 1.00 0.00 0.25 0.50 0.75 1.00 Maksym Andriushchenko (EPFL) 5

  15. Understanding adversarial vulnerability What goes wrong and how to fix it? We would like to have a large geometric margin for every point Plain boosted stumps Robust boosted stumps 1.00 1.00 0.75 0.75 0.50 0.50 0.25 0.25 0.00 0.00 0.00 0.25 0.50 0.75 1.00 0.00 0.25 0.50 0.75 1.00 Empirical risk minimization does not distinguish the two types of solutions ⇒ we need to use a robust objective Maksym Andriushchenko (EPFL) 5

  16. Understanding adversarial vulnerability What goes wrong and how to fix it? We would like to have a large geometric margin for every point Plain boosted stumps Robust boosted stumps 1.00 1.00 0.75 0.75 0.50 0.50 0.25 0.25 0.00 0.00 0.00 0.25 0.50 0.75 1.00 0.00 0.25 0.50 0.75 1.00 Empirical risk minimization does not distinguish the two types of solutions ⇒ we need to use a robust objective Let’s formalize the problem! Maksym Andriushchenko (EPFL) 5

  17. ✶ ✶ Adversarial robustness What is an adversarial example ? Consider x ∈ R d , y ∈ {− 1 , 1 } , classifier f : R d → R , some L p -norm threshold ǫ : δ ∈ R d yf ( x + δ ) min � δ � p ≤ ǫ, x + δ ∈ C Maksym Andriushchenko (EPFL) 6

  18. ✶ ✶ Adversarial robustness What is an adversarial example ? Consider x ∈ R d , y ∈ {− 1 , 1 } , classifier f : R d → R , some L p -norm threshold ǫ : δ ∈ R d yf ( x + δ ) min � δ � p ≤ ǫ, x + δ ∈ C Assume x is correctly classified ( yf ( x ) > 0), then x + δ ∗ is an adversarial example if x + δ ∗ is incorrectly classified ( yf ( x + δ ∗ ) < 0) Maksym Andriushchenko (EPFL) 6

  19. Adversarial robustness What is an adversarial example ? Consider x ∈ R d , y ∈ {− 1 , 1 } , classifier f : R d → R , some L p -norm threshold ǫ : δ ∈ R d yf ( x + δ ) min � δ � p ≤ ǫ, x + δ ∈ C Assume x is correctly classified ( yf ( x ) > 0), then x + δ ∗ is an adversarial example if x + δ ∗ is incorrectly classified ( yf ( x + δ ∗ ) < 0) How to measure robustness? Robust test error (RTE): n n 1 1 � � ✶ yf ( x ) < 0 → ✶ yf ( x + δ ∗ ) < 0 n n i =1 i =1 � �� � � �� � standard zero-one loss robust zero-one loss Maksym Andriushchenko (EPFL) 6

  20. Adversarial robustness What is an adversarial example ? Consider x ∈ R d , y ∈ {− 1 , 1 } , classifier f : R d → R , some L p -norm threshold ǫ : δ ∈ R d yf ( x + δ ) min � δ � p ≤ ǫ, x + δ ∈ C Assume x is correctly classified ( yf ( x ) > 0), then x + δ ∗ is an adversarial example if x + δ ∗ is incorrectly classified ( yf ( x + δ ∗ ) < 0) How to measure robustness? Robust test error (RTE): n n 1 1 � � ✶ yf ( x ) < 0 → ✶ yf ( x + δ ∗ ) < 0 n n i =1 i =1 � �� � � �� � standard zero-one loss robust zero-one loss Finding δ ∗ : non-convex opt. problem for NNs and BTs. Exact mixed integer formulations exist for ReLU-NNs and BTs ( slow ). Maksym Andriushchenko (EPFL) 6

  21. Training adversarially robust models Robust optimization problem wrt the set ∆( ǫ ): n � δ ∈ ∆( ǫ ) L ( f ( x i + δ ; θ ) , y i ) min max θ i =1 Maksym Andriushchenko (EPFL) 7

  22. Training adversarially robust models Robust optimization problem wrt the set ∆( ǫ ): n � δ ∈ ∆( ǫ ) L ( f ( x i + δ ; θ ) , y i ) min max θ i =1 L is a usual margin-based loss function (cross-entropy, exp. loss, etc) Maksym Andriushchenko (EPFL) 7

  23. Training adversarially robust models Robust optimization problem wrt the set ∆( ǫ ): n � δ ∈ ∆( ǫ ) L ( f ( x i + δ ; θ ) , y i ) min max θ i =1 L is a usual margin-based loss function (cross-entropy, exp. loss, etc) ǫ = 0 = ⇒ just well-known Empirical Risk Minimization Maksym Andriushchenko (EPFL) 7

  24. Training adversarially robust models Robust optimization problem wrt the set ∆( ǫ ): n � δ ∈ ∆( ǫ ) L ( f ( x i + δ ; θ ) , y i ) min max θ i =1 L is a usual margin-based loss function (cross-entropy, exp. loss, etc) ǫ = 0 = ⇒ just well-known Empirical Risk Minimization Goal : small loss ( ⇒ large margin) not only at x i , but for every x i + δ ∈ ∆( ǫ ) Maksym Andriushchenko (EPFL) 7

  25. Training adversarially robust models Robust optimization problem wrt the set ∆( ǫ ): n � δ ∈ ∆( ǫ ) L ( f ( x i + δ ; θ ) , y i ) min max θ i =1 L is a usual margin-based loss function (cross-entropy, exp. loss, etc) ǫ = 0 = ⇒ just well-known Empirical Risk Minimization Goal : small loss ( ⇒ large margin) not only at x i , but for every x i + δ ∈ ∆( ǫ ) Adversarial training : approximately solve the robust loss = ⇒ minimization of a lower bound on the objective Maksym Andriushchenko (EPFL) 7

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Gradient boosted trees w ith XGBoost C R E D IT R ISK MOD E L IN G IN P YTH ON Michael

Gradient boosted trees w ith XGBoost C R E D IT R ISK MOD E L IN G IN P YTH ON Michael

Gradient boosted trees w ith XGBoost C R E D IT R ISK MOD E L IN G IN P YTH ON Michael Crabtree Data Scientist , Ford Motor Compan y Decision trees Creates predictions similar to logistic regression Not str u ct u red like a regression

523 views • 35 slides
Tree Computation for Ranking and Classification CS240A, T. Yang, 2016 Outlines Decision Trees

Tree Computation for Ranking and Classification CS240A, T. Yang, 2016 Outlines Decision Trees

Tree Computation for Ranking and Classification CS240A, T. Yang, 2016 Outlines Decision Trees Learning Assembles: Random forest, boosted trees Decision Trees Decision trees can express any function of the input attributes.

452 views • 31 slides
Decision Trees Some exercises 1. Exemplifying how to compute information gains and how to work

Decision Trees Some exercises 1. Exemplifying how to compute information gains and how to work

0. Decision Trees Some exercises 1. Exemplifying how to compute information gains and how to work with decision stumps CMU, 2013 fall, W. Cohen E. Xing, sample questions, pr. 4 2. Timmy wants to know how to do well for ML exam. He collects

1.4k views • 121 slides
Decision Trees: Some exercises 1. Exemplifying how to compute information gains and how to work

Decision Trees: Some exercises 1. Exemplifying how to compute information gains and how to work

0. Decision Trees: Some exercises 1. Exemplifying how to compute information gains and how to work with decision stumps CMU, 2013 fall, W. Cohen E. Xing, Sample questions, pr. 4 2. Timmy wants to know how to do well for ML exam. He collects

1.84k views • 169 slides
Learning Multiple Tasks with Boosted Decision Trees Jean Baptiste Faddoul, Boris Chidlovskii,

Learning Multiple Tasks with Boosted Decision Trees Jean Baptiste Faddoul, Boris Chidlovskii,

Introduction Learning MT-DTs MT-Adaboost Experiments Conclusion Learning Multiple Tasks with Boosted Decision Trees Jean Baptiste Faddoul, Boris Chidlovskii, Fabien Torre, R emi Gilleron CAp12, May 2012 Introduction Learning MT-DTs

362 views • 19 slides
Robust Decision Trees Against Adversarial Examples Honge Chen 1 , Huan Zhang 2 , Duane Boning 1 and

Robust Decision Trees Against Adversarial Examples Honge Chen 1 , Huan Zhang 2 , Duane Boning 1 and

Robust Decision Trees Against Adversarial Examples Honge Chen 1 , Huan Zhang 2 , Duane Boning 1 and Cho-Jui Hsieh 2 1 MIT 2 UCLA 36 th International Conference on Machine Learning (ICML) June 11, 2019, Long Beach, CA, USA Code (XGBoost

859 views • 31 slides
A Formal Proof of PAC Learnability for Decision Stumps Joseph Tassarotti Boston College

A Formal Proof of PAC Learnability for Decision Stumps Joseph Tassarotti Boston College

A Formal Proof of PAC Learnability for Decision Stumps Joseph Tassarotti Boston College Jean-Baptiste Tristan Oracle Labs Koundinya Vajjha University of Pittsburgh Rigour in Machine Learning John had proved on paper that an ML algorithm

799 views • 59 slides
Decision Trees Lecture 22 To left or to right 1 Decision Trees 2 Decision Trees A different

Decision Trees Lecture 22 To left or to right 1 Decision Trees 2 Decision Trees A different

Decision Trees Lecture 22 To left or to right 1 Decision Trees 2 Decision Trees A different complexity measure 2 Decision Trees A different complexity measure Number of bits of input read 2 Decision Trees A different complexity measure

1.62k views • 107 slides
Decision Trees Lecture 23 To left or to right 1 Decision Trees 2 Decision Trees A different

Decision Trees Lecture 23 To left or to right 1 Decision Trees 2 Decision Trees A different

Decision Trees Lecture 23 To left or to right 1 Decision Trees 2 Decision Trees A different complexity measure 2 Decision Trees A different complexity measure Number of bits of input read 2 Decision Trees A different complexity measure

1.3k views • 107 slides
Lecture 23: Decision Trees Decision trees Prof. Julia Hockenmaier

Lecture 23: Decision Trees Decision trees Prof. Julia Hockenmaier

CS440/ECE448: Intro to Artificial Intelligence Lecture 23: Decision Trees Decision trees Prof. Julia Hockenmaier juliahmr@illinois.edu http://cs.illinois.edu/fa11/cs440 Decision trees Decision tree

338 views • 7 slides
Decision Tree R Greiner Cmput 466 / 551 Learning Decision Trees Def'n: Decision Trees

Decision Tree R Greiner Cmput 466 / 551 Learning Decision Trees Def'n: Decision Trees

HTF: 9.2 B: 14.4 R N , C h a p t e r 1 8 1 8 . 3 Decision Tree R Greiner Cmput 466 / 551 Learning Decision Trees Def'n: Decision Trees Algorithm for Learning Decision Trees Entropy, Inductive Bias (Occam's

1.43k views • 87 slides
1 Baysian networks for decision analysis The TV show problem as a BN Problems More than

1 Baysian networks for decision analysis The TV show problem as a BN Problems More than

Several names Decision graphs Decision trees Influence diagrams Decision graphs I A certain kind of strictly symmetric decision trees Decisions and utilities No forgetting assumption LIMIDs Limited Memory

596 views • 6 slides
1 Baysian networks for decision analysis The TV show problem as a BN Problems Choice 1

1 Baysian networks for decision analysis The TV show problem as a BN Problems Choice 1

Several names Decision graphs Decision trees Influence diagrams Decision graphs I A certain kind of strictly symmetric decision trees Decisions and utilities No forgetting assumption LIMIDs Limited Memory

185 views • 6 slides
Differentiable Abstract Interpretation for Provably Robust Neural Networks safeai.ethz.ch

Differentiable Abstract Interpretation for Provably Robust Neural Networks safeai.ethz.ch

Differentiable Abstract Interpretation for Provably Robust Neural Networks safeai.ethz.ch Matthew Mirman Timon Gehr Martin Vechev ICML 2018 1 / 27 Adversarial Attack Example of FGSM attack produced by Goodfellow et al. (2014) 2 / 27 L

677 views • 35 slides
Learning Decision Trees Representation is a decision tree. Bias is towards simple decision

Learning Decision Trees Representation is a decision tree. Bias is towards simple decision

Learning Decision Trees Representation is a decision tree. Bias is towards simple decision trees. Search through the space of decision trees, from simple decision trees to more complex ones. Decision trees A decision tree is

484 views • 10 slides
Decision Tree Decision Trees A decision tree is a decision support tool that uses a tree-like

Decision Tree Decision Trees A decision tree is a decision support tool that uses a tree-like

Decision Tree Decision Trees A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible MSE 2400 EaLiCaRA consequences, including chance event Dr. Tom Way outcomes, resource costs, and

568 views • 8 slides
Introduction to Machine Learning CART: Splitting Criteria compstat-lmu.github.io/lecture_i2ml

Introduction to Machine Learning CART: Splitting Criteria compstat-lmu.github.io/lecture_i2ml

Introduction to Machine Learning CART: Splitting Criteria compstat-lmu.github.io/lecture_i2ml TREES Classification Tree: Regression Tree: Iris Data 2.5 -1.20 -0.42 0.98 -0.20 -0.01 2.0 Species Petal.Width 1.5 setosa versicolor

401 views • 13 slides
The landscape of empirical risk for non-convex losses Song Mei ICME, Stanford December 3, 2016

The landscape of empirical risk for non-convex losses Song Mei ICME, Stanford December 3, 2016

The landscape of empirical risk for non-convex losses Song Mei ICME, Stanford December 3, 2016 Joint work with Yu Bai and Andrea Montanari Song Mei (ICME, Stanford) The landscape of empirical risk December 3, 2016 1 / 17 Binary linear

341 views • 33 slides
CS485/685 Lecture 15: Feb 28, 2012 Probably Approximately Correct Learning [BDSS] Chapter 1

CS485/685 Lecture 15: Feb 28, 2012 Probably Approximately Correct Learning [BDSS] Chapter 1

28/02/2012 CS485/685 Lecture 15: Feb 28, 2012 Probably Approximately Correct Learning [BDSS] Chapter 1 CS485/685 (c) 2012 P. Poupart 1 Quick Recap Tom Mitchell (1998): A computer program is said to learn from experience E with respect to some

288 views • 9 slides
Introduction to Machine Learning CMU-10701 10. Risk Minimization Barnabs Pczos 10. Risk

Introduction to Machine Learning CMU-10701 10. Risk Minimization Barnabs Pczos 10. Risk

Introduction to Machine Learning CMU-10701 10. Risk Minimization Barnabs Pczos 10. Risk Minimization 2 What have we seen so far? Several algorithms that seem to work fine on training datasets: Linear regression Nave Bayes

1.13k views • 51 slides
Risk bounds for cl classification and re regre ression rules that interpolate Daniel Hsu

Risk bounds for cl classification and re regre ression rules that interpolate Daniel Hsu

Risk bounds for cl classification and re regre ression rules that interpolate Daniel Hsu Computer Science Department &amp; Data Science Institute Columbia University Google Research, 2019 Feb 20 Spoilers Springer Series in Statistics

619 views • 29 slides
Recent Results on Algorithmic Fairness and Meta-Learning Massimiliano Pontil Computational

Recent Results on Algorithmic Fairness and Meta-Learning Massimiliano Pontil Computational

Recent Results on Algorithmic Fairness and Meta-Learning Massimiliano Pontil Computational Statistics and Machine Learning Istituto Italiano di Tecnologia and Department of Computer Science University College London 4th Annual Machine

439 views • 26 slides
The Failure of a Clearinghouse: Empirical Evidence Vincent Bignon Guillaume Vuillemey Banque de

The Failure of a Clearinghouse: Empirical Evidence Vincent Bignon Guillaume Vuillemey Banque de

The Failure of a Clearinghouse: Empirical Evidence Vincent Bignon Guillaume Vuillemey Banque de France HEC Paris &amp; CEPR Conseil scientifique de lAMF Paris April 2017 Vincent Bignon, Guillaume Vuillemey The Failure of a

809 views • 80 slides
Concentration of risk measures: A Wasserstein distance approach 1 Prashanth L. A. Joint work

Concentration of risk measures: A Wasserstein distance approach 1 Prashanth L. A. Joint work

Concentration of risk measures: A Wasserstein distance approach 1 Prashanth L. A. Joint work with Sanjay P. Bhat IIT Madras TCS Research To appear in the proceedings of NeurIPS-2019. Introduction Risk criteria Conditional

587 views • 58 slides

More recommend