re reverse eng engine neeri ring ng de deep re relu ne
play

Re Reverse-Eng Engine neeri ring ng De Deep Re ReLU Ne - PowerPoint PPT Presentation

Feb 03, 2024 •98 likes •315 views

Re Reverse-Eng Engine neeri ring ng De Deep Re ReLU Ne Networ orks David Rolnick and Konrad Krding University of Pennsylvania International Conference on Machine Learning (ICML) 2020 Reverse-engineering a neural network Problem:

  1. Re Reverse-Eng Engine neeri ring ng De Deep Re ReLU Ne Networ orks David Rolnick and Konrad Körding University of Pennsylvania International Conference on Machine Learning (ICML) 2020

  2. Reverse-engineering a neural network Problem: Recover network architecture and weights from black-box access. Implications for: • Proprietary networks • Confidential training data • Adversarial attacks 1

  3. Is perfect reverse-engineering possible? What if two networks define exactly the same function? ReLU networks unaffected by: • Permutation: re-labeling neurons/weights in any layer • Scaling: at any neuron, multiplying incoming weights & bias by , multiplying outgoing weights by Our goal: Reverse engineering deep ReLU networks up to permutation & scaling. 2

  4. Related work • Recovering networks with one hidden layer (e.g. Goel & Klivans 2017, Milli et al. 2019, Jagielski et al. 2019, Ge et al. 2019) • Neuroscience, simple circuits in brain (Heggelund 1981) • No algorithm to recover even the first layer of a deep network 3

  5. Linear regions in a ReLU network • Activation function: • Deep ReLU networks are piecewise linear functions: • Linear regions = pieces of on which is constant (Hanin & Rolnick 2019) 4

  6. Boundaries of linear regions 5

  7. Boundaries of linear regions Piecewise linear boundary component for each neuron (Hanin & Rolnick 2019) 6

  8. Main theorem (informal) For a fully connected ReLU network of any depth, suppose that each boundary component is connected and that and intersect for each pair of adjacent neurons and . a) Given the set of linear region boundaries, it is possible to recover the complete structure and weights of the network, up to permutation and scaling, except for a measure-zero set of networks. b) It is possible to approximate the set of linear region boundaries and thus the architecture/weights by querying the network. 7

  9. Main theorem (informal) For a fully connected ReLU network of any depth, suppose that each boundary component is connected and that and intersect for each pair of adjacent neurons and . a) Given the set of linear region boundaries, it is possible to recover the complete structure and weights of the network, up to permutation and scaling, except for a measure-zero set of networks. b) It is possible to approximate the set of linear region boundaries and thus the architecture/weights by querying the network. 8

  10. Part (a), proof intuition Neuron in Layer 1 9

  11. Part (a), proof intuition Neuron in Layer 2 10

  12. Main theorem (informal) For a fully connected ReLU network of any depth, suppose that each boundary component is connected and that and intersect for each pair of adjacent neurons and . a) Given the set of linear region boundaries, it is possible to recover the complete structure and weights of the network, up to permutation and scaling, except for a measure-zero set of networks. b) It is possible to approximate the set of linear region boundaries and thus the architecture/weights by querying the network. 11

  13. Part (b): reconstructing Layer 1 Goal : Approximate boundaries by querying network adaptively Approach: Identify points on the boundary by binary search using 1) Find boundary points along a line 2) Each belongs to some , identify the local hyperplane by regression 3) Test whether is a hyperplane 12

  14. Part (b): reconstructing Layers ≥ 2 1) Start with unused boundary points identified in previous algorithm 2) Explore how bends as it intersects already identified 13

  15. Why don’t we just… …train on the output of the black-box network to recover it? It doesn’t work. …repeat our algorithm for Layer 1 to learn Layer 2? Requires arbitrary inputs to Layer 2, but cannot invert Layer 1. 14

  16. Assumptions of the algorithm Boundary components are connected Þ generally holds unless input dimension small Adjacent neurons have intersecting boundary components Þ failure can result from unavoidable ambiguities in network (beyond permutation and scaling) Note: Algorithm “degrades gracefully” • When assumptions don’t hold exactly, still recovers most of the network 15

  17. More complex networks Convolutional layers • Algorithm still works • Doesn’t account for weight-sharing, so less efficient Skip connections • Algorithm works with modification • Need to consider intersections between more pairs of boundary components 16

  18. Experimental results – Layer 1 algorithm 17

  19. Experimental results – Layer ≥ 2 algorithm 18

  20. Summary • Prove: Can recover architecture, weights, & biases of deep ReLU networks from linear region boundaries (under natural assumptions). • Implement: Algorithm for recovering full network from black-box access by approximating these boundaries. • Demonstrate: Success of our algorithm at reverse-engineering networks in practice. 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Geoengi gine neeri ring f ng for C r Climate te Cha hang nge: Na Natu ture Ha Has A

Geoengi gine neeri ring f ng for C r Climate te Cha hang nge: Na Natu ture Ha Has A

Geoengi gine neeri ring f ng for C r Climate te Cha hang nge: Na Natu ture Ha Has A Already Demon onstrated the d the Pr Proc ocess and Som nd Some Ef Effects Dr. Russ Schnell NOAA Global Monitoring Division 325 Broadway

152 views • 14 slides
Adaptivity of deep ReLU network and its generalization error analysis Taiji Suzuki The

Adaptivity of deep ReLU network and its generalization error analysis Taiji Suzuki The

Adaptivity of deep ReLU network and its generalization error analysis Taiji Suzuki The University of Tokyo Department of Mathematical Informatics AIP-RIKEN 22nd/Feb/2019 The 2nd Korea-Japan Machine Learning Workshop 1 / 50 Deep

1.57k views • 64 slides
Collapse of Deep and Narrow ReLU Neural Nets Lu Lu , Yeonjong Shin, Yanhui Su, George Karniadakis

Collapse of Deep and Narrow ReLU Neural Nets Lu Lu , Yeonjong Shin, Yanhui Su, George Karniadakis

Collapse of Deep and Narrow ReLU Neural Nets Lu Lu , Yeonjong Shin, Yanhui Su, George Karniadakis Division of Applied Mathematics, Brown University Scientific Machine Learning, ICERM January 28, 2019 Lu (Brown) ReLU NN Collapse Scientific ML

589 views • 32 slides
Constructive universal high-dimensional distribution generation through deep ReLU networks Dmytro

Constructive universal high-dimensional distribution generation through deep ReLU networks Dmytro

Constructive universal high-dimensional distribution generation through deep ReLU networks Dmytro Perekrestenko July 2020 joint work with Stephan M uller and Helmut B olcskei Motivation Deep neural networks are widely used as generative

380 views • 17 slides
POLYTECHNI C of BARI FACULTY of ENGI NEERI NG COURSE of DEGREE in ELECTRONI C ENGI NEERI NG

POLYTECHNI C of BARI FACULTY of ENGI NEERI NG COURSE of DEGREE in ELECTRONI C ENGI NEERI NG

POLYTECHNI C of BARI FACULTY of ENGI NEERI NG COURSE of DEGREE in ELECTRONI C ENGI NEERI NG GRADUATION THESIS Bistatic SAR for Earth observation: application of the Dynamic I nversion technique to the orbital and attitude control

760 views • 36 slides
Nonparametric regression using deep neural networks with ReLU activation function Johannes

Nonparametric regression using deep neural networks with ReLU activation function Johannes

Nonparametric regression using deep neural networks with ReLU activation function Johannes Schmidt-Hieber February 2018 Caltech 1 / 20 Many impressive results in applications . . . Lack of theoretical understanding . . . 2 / 20

215 views • 20 slides
Main Result samples 1 , , ReLU Main Theorem 1

Main Result samples 1 , , ReLU Main Theorem 1

A Convergence Theory for Deep Learning via Over-Parameterization Zeyuan Allen-Zhu Yuanzhi Li Zhao Song MSR AI Stanford UT Austin Princeton U of Washington Harvard Main Result samples 1 , , ReLU

309 views • 19 slides
The Remote Metamorphic Engine Detecting, Evading, Attacking the AI and Reverse Engineering Amro

The Remote Metamorphic Engine Detecting, Evading, Attacking the AI and Reverse Engineering Amro

The Remote Metamorphic Engine Detecting, Evading, Attacking the AI and Reverse Engineering Amro Abdelgawad / REcon 2016 line46_1: mov ecx, [esp] nop nop mov dl, 0xe9 test edx, edx mov byte [ecx], dl The Remote Metamorphic Engine xor eax, 0

683 views • 50 slides
KEYSTONE: the last missing framework for Reverse Engineering www.keystone-engine.org NGUYEN Anh

KEYSTONE: the last missing framework for Reverse Engineering www.keystone-engine.org NGUYEN Anh

KEYSTONE: the last missing framework for Reverse Engineering www.keystone-engine.org NGUYEN Anh Quynh <aquynh -at- gmail.com> RECON - June 19th, 2016 1 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

731 views • 48 slides
Summary (of part 1) Basic deep networks via iterated logistic regression. Deep network

Summary (of part 1) Basic deep networks via iterated logistic regression. Deep network

Summary (of part 1) Basic deep networks via iterated logistic regression. Deep network terminology: parameters, activations, layers, nodes. Standard choices: biases, ReLU nonlinearity, cross-entropy loss. Basic optimization: magic

640 views • 52 slides
Parameterised Sigmoid and ReLU Hidden Activation Functions for DNN Acoustic Modelling Chao Zhang

Parameterised Sigmoid and ReLU Hidden Activation Functions for DNN Acoustic Modelling Chao Zhang

Parameterised Sigmoid and ReLU Hidden Activation Functions for DNN Acoustic Modelling Chao Zhang & Phil Woodland University of Cambridge 29 April 2015 Introduction The hidden activation function plays an important role in deep

744 views • 13 slides
Reverse Mathematics and Commutative Ring Theory Takeshi Yamazaki Mathematical Institute, Tohoku

Reverse Mathematics and Commutative Ring Theory Takeshi Yamazaki Mathematical Institute, Tohoku

Reverse Mathematics and Commutative Ring Theory Takeshi Yamazaki Mathematical Institute, Tohoku University Computability Theory and Foundations of Mathematics Tokyo Institute of Technology, February 18 - 20, 2013 Outline of this talk: 1. What

745 views • 15 slides
All That Glisters Is Not Convnets: Hybrid Architectures For Faster, Better Solvers Prof Tom

All That Glisters Is Not Convnets: Hybrid Architectures For Faster, Better Solvers Prof Tom

All That Glisters Is Not Convnets: Hybrid Architectures For Faster, Better Solvers Prof Tom Drummond Image classification network structure #classes Conv+RELU Conv+ Conv+RELU Reshape FC+RELU FC+Softmax Downsample Feature detection

493 views • 30 slides
TIME/ACCURACY TRADEOFFS FOR LEARNING A RELU WITH RESPECT TO GAUSSIAN MARGINALS Surbhi Goel

TIME/ACCURACY TRADEOFFS FOR LEARNING A RELU WITH RESPECT TO GAUSSIAN MARGINALS Surbhi Goel

TIME/ACCURACY TRADEOFFS FOR LEARNING A RELU WITH RESPECT TO GAUSSIAN MARGINALS Surbhi Goel Sushrut Karmalkar Adam Klivans The University of Texas at Austin 1 WHAT IS RELU REGRESSION? Given : Samples drawn from distribution

372 views • 21 slides
Small ReLU networks are powerful memorizers: a tight analysis of memorization capacity Chulhee

Small ReLU networks are powerful memorizers: a tight analysis of memorization capacity Chulhee

Small ReLU networks are powerful memorizers: a tight analysis of memorization capacity Chulhee Yun, Suvrit Sra, Ali Jadbabaie Laboratory for Information and Decision Systems, MIT Given a ReLU fully-connected network, how many hidden nodes

670 views • 19 slides
Proc ocess ss Engine gineering ring S.r.l. Made in in Proces ess Made in in Italy www

Proc ocess ss Engine gineering ring S.r.l. Made in in Proces ess Made in in Italy www

Proc ocess ss Engine gineering ring S.r.l. Made in in Proces ess Made in in Italy www www.pe pe-proce rocess.com com << Company Presentation >> 1. Activity 2. Made in Process 3. Process Equipment 4. Machinery

472 views • 25 slides
Matrix Mechanism and Data Dependent algorithms CompSci 590.03

Matrix Mechanism and Data Dependent algorithms CompSci 590.03

Matrix Mechanism and Data Dependent algorithms CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 9 : 590.03 Fall 16 1 Recap: Constrained Inference

834 views • 34 slides
1 Singular Value Decomposition The singular vector decomposition allows us to write any matrix A

1 Singular Value Decomposition The singular vector decomposition allows us to write any matrix A

Statistical Modeling and Analysis of Neural Data (NEU 560) Princeton University, Spring 2018 Jonathan Pillow Lecture 2 notes: SVD 1 Singular Value Decomposition The singular vector decomposition allows us to write any matrix A as A = USV ,

157 views • 4 slides
High-speed key encapsulation from NTRU Andreas Hlsing 1 , Joost Rijneveld 2 , John Schanck 3,4 ,

High-speed key encapsulation from NTRU Andreas Hlsing 1 , Joost Rijneveld 2 , John Schanck 3,4 ,

High-speed key encapsulation from NTRU Andreas Hlsing 1 , Joost Rijneveld 2 , John Schanck 3,4 , Peter Schwabe 2 1 Eindhoven University of Technology, The Netherlands 2 Radboud University, Nijmegen, The Netherlands 3 Institute for Quantum

1.25k views • 96 slides
Matrix Calculations: Inverse and Basis Transformation A. Kissinger (and H. Geuvers) Institute

Matrix Calculations: Inverse and Basis Transformation A. Kissinger (and H. Geuvers) Institute

Existence and uniqueness of inverse Determinants Radboud University Nijmegen Basis transformations Matrix Calculations: Inverse and Basis Transformation A. Kissinger (and H. Geuvers) Institute for Computing and Information Sciences

944 views • 39 slides
Invertible Residual Networks Jens Behrmann * Will Grathwohl* Ricky T. Q. Chen David Duvenaud

Invertible Residual Networks Jens Behrmann * Will Grathwohl* Ricky T. Q. Chen David Duvenaud

Invertible Residual Networks Jens Behrmann * Will Grathwohl* Ricky T. Q. Chen David Duvenaud Jrn-Henrik Jacobsen* (*equal contribution) What are Invertible Neural Networks? Non-invertible Invertible Invertible Neural Networks (INNs) are

330 views • 30 slides
Basic Idea Guess And Determine Determine partial internal state by guessing Use this to reduce

Basic Idea Guess And Determine Determine partial internal state by guessing Use this to reduce

Gain : Practical Key-Recovery Attacks on Round-Reduced PAEQ Dhiman Saha Sourya Kakarla Srinath Mandava Dipanwita Roy Chowdhury Crypto Research Lab, Department of Computer Science and Engineering, IIT Kharagpur, India {

634 views • 45 slides
A comparison of pairing-friendly curves at the 192-bit security level Aurore Guillevic Inria

A comparison of pairing-friendly curves at the 192-bit security level Aurore Guillevic Inria

A comparison of pairing-friendly curves at the 192-bit security level Aurore Guillevic Inria Nancy, Caramba team 17/04/2019 WRACH workshop, Roscoff Joint work with Shashank Singh, IISER Bhopal, India 1/43 Plan Introduction: Discrete

924 views • 64 slides
Lecture 7 Spring 2020 Shafi Goldwasser Today: Search for one-way functions 1. Discrete Log

Lecture 7 Spring 2020 Shafi Goldwasser Today: Search for one-way functions 1. Discrete Log

Lecture 7 Spring 2020 Shafi Goldwasser Today: Search for one-way functions 1. Discrete Log Problems in Cyclic Groups 2. Elliptic Logs over Elliptic Curves Recall: One Way Function easy x f(x) hard on average Definition: f: {0,1}*

468 views • 46 slides

More recommend