recent trends in adversarial machine learning
play

Recent Trends in Adversarial Machine Learning Thanks to Ian - PowerPoint PPT Presentation

Dec 10, 2022 •185 likes •536 views

Recent Trends in Adversarial Machine Learning Thanks to Ian Goodfellow, Somesh Jha, Patrick McDaniel, and Nicolas Papernot for some slides December 4, 2018 Berkay Celik How it works training Learning Algorithm Training Data Model

  1. Recent Trends in Adversarial Machine Learning Thanks to Ian Goodfellow, Somesh Jha, Patrick McDaniel, and Nicolas Papernot for some slides December 4, 2018 Berkay Celik

  2. How it works … training … Learning Algorithm Training Data Model (Deep Learning, Decision Trees, others … ) Learning : find classifier function that minimize a cost/loss (~model error)

  3. How it works … run-time … Machine [0.01, 0.84 , 0.02, 0.01, Learning 0.01, 0.01, 0.05, 0.01, 0.03, Classifier 0.01] Inference time : which ”class” is most like the input sample

  4. An Example … M components N components p0=0.01 … p1=0.93 … … … p8=0.02 { pN=0.01 Input Layer Hidden Layers Output Layer (e.g., convolutional, rectified linear, …) Neuron Weighted Link (weight is a parameter part of ) θ O

  5. I.I.D. Machine Learning I: Independent I: Identically D: Distributed All train and test examples drawn independently from same distribution

  6. ML reached “human-level performance” on many IID tasks circa 2013 ...recognizing objects and faces…. (Szegedy et al, 2014) (Taigmen et al, 2013) ...solving CAPTCHAS and reading addresses... (Goodfellow et al, 2013) (Goodfellow et al, 2013)

  7. Caveats to “human-level” benchmarks The test data is not very Humans are not very good diverse. ML models are fooled at some parts of the by natural but unusual data. benchmark

  8. Security Requires Moving Beyond I.I.D. • Not identical: attackers can use unusual inputs (Eykholt et al, 2017) • Not independent: attacker can repeatedly send a single mistake (“test set attack”)

  9. Good models make surprising mistakes in non-IID setting “Adversarial examples” + = Schoolbus Ostrich Perturbation (rescaled for visualization) (Szegedy et al, 2013)

  10. Adversarial Examples

  11. Attacks on the machine learning pipeline Learned parameters Recovery of sensitive Learning algorithm training data Training data Training set Test output poisoning Test input Model theft Adversarial Examples

  12. Definition “Adversarial examples are inputs to machine learning models that an attacker has intentionally designed to cause the model to make a mistake” (Goodfellow et al 2017)

  13. Threat Model

  14. Fifty Shades of Gray Box Attacks • Does the attacker go first, and the defender reacts? • This is easy, just train on the attacks, or design some preprocessing to remove them • If the defender goes first • Does the attacker have full knowledge? This is “white box” • Limited knowledge: “black box” • Does the attacker know the task the model is solving (input space, output space, defender cost) ? • Does the attacker know the machine learning algorithm being used? • Details of the algorithm? (Neural net architecture, etc.) • Learned parameters of the model? • Can the attacker send “probes” to see how the defender processes different test inputs? • Does the attacker observe just the output class? Or also the probabilities?

  15. Roadmap • WHITE-BOX ATTACKS • BLACK-BOX ATTACKS • TRANSFERABILITY • DEFENSE TECHNIQUES

  16. White Box Attacks

  17. FGSM (Misclassification)

  18. Intuition

  19. JSMA (targeted)

  20. Carlini-Wagner (CW) (targeted)

  21. Success of an adversarial image Experiments excluding MNIST 1s, many of which look like 7s Pair Diff L 0 L 1 L 2 L ∞ L 0 63 35.0 4.86 1.0 .996 L 1 91 19.9 3.21 1.0 L 2 110 21.7 2.83 L ∞ 121 34.0 3.82 .76

  22. Black-box Attacks

  23. Black-box Attacks

  24. Transferability

  25. Roadmap • WHITE-BOX ATTACKS • BLACK-BOX ATTACKS • TRANSFERABILITY • DEFENSE TECHNIQUES

  26. Pipeline of Defense Failures Does not generalize over threat models Seems to generalize, but it’s an illusion Does not generalize over attack algos Does not affect adaptive attacker Reduces advx, but reduces clean accuracy too much No effect on advx

  27. Pipeline of Defense Failures Dropout at Train Time Does not generalize over threat models Seems to generalize, but it’s an illusion Does not generalize over attack algos Does not affect adaptive attacker Reduces advx, but reduces clean accuracy too much No effect on advx

  28. Pipeline of Defense Failures Weight Decay Does not generalize over threat models Seems to generalize, but it’s an illusion Does not generalize over attack algos Does not affect adaptive attacker Reduces advx, but reduces clean accuracy too much No effect on advx

  29. Pipeline of Defense Failures original foveal Cropping / fovea mechanisms Does not generalize over threat models Seems to generalize, but it’s an illusion Does not generalize over attack algos Does not affect adaptive attacker Reduces advx, but reduces clean accuracy too much No effect on advx

  30. Pipeline of Defense Failures Adversarial Training with a Weak Attack Does not generalize over threat models Seems to generalize, but it’s an illusion Does not generalize over attack algos Does not affect adaptive attacker Reduces advx, but reduces clean accuracy too much No effect on advx

  31. Pipeline of Defense Failures Defensive Distillation Does not generalize over threat models Seems to generalize, but it’s an illusion Does not generalize over attack algos Does not affect adaptive attacker Reduces advx, but reduces clean accuracy too much No effect on advx

  32. Pipeline of Defense Failures Adversarial Training with a Strong Attack Current Certified / Provable Defenses Does not generalize over threat models Seems to generalize, but it’s an illusion Does not generalize over attack algos Does not affect adaptive attacker Reduces advx, but reduces clean accuracy too much No effect on advx

  33. What’s next defense?

  34. Future Directions • Common goal (AML and ML) • Just make the model better • They still share this goal • It is now clear security research must have some independent goals. For two models with the same error volume, for reasons of security we prefer: • The model with lower confidence on mistakes • The model whose mistakes are harder to find

  35. h.ps://beerkay.github.io @ZBerkayCelik THANKS! December 4, 2018 Berkay Celik

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Recent Advances in Adversarial Machine Learning Nicholas Carlini Google Research Recent

Recent Advances in Adversarial Machine Learning Nicholas Carlini Google Research Recent

Recent Advances in Adversarial Machine Learning Nicholas Carlini Google Research Recent Advances in Adversarial (Examples in) Machine Learning Nicholas Carlini Google Research The Year is 2014 Someone tells you they have a new algorithm to

1.52k views • 139 slides
Machine Learning and Artificial Intelligence in Recent Trends, Technologies, and Challenges

Machine Learning and Artificial Intelligence in Recent Trends, Technologies, and Challenges

Machine Learning and Artificial Intelligence in Recent Trends, Technologies, and Challenges sebastianraschka.com Sebastian Raschka, Ph.D. @rasbt Assist. Prof. Dep. of Statistics 1 information Article Machine Learning in Python: Main

1.04k views • 65 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop

Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop

Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop September 14, 2017 Why Prove Things? Attackers often have more motivation/resources than defenders Heuristic defenses: arms race between attack and

738 views • 52 slides
Shallow Security: on the Creation of Adversarial Variants to Evade Machine Learning-Based

Shallow Security: on the Creation of Adversarial Variants to Evade Machine Learning-Based

REVERSING AND OFFENSIVE-ORIENTED TRENDS SYMPOSIUM 2019 (ROOTS) 28TH TO 29TH NOVEMBER 2019, VIENNA, AUSTRIA Shallow Security: on the Creation of Adversarial Variants to Evade Machine Learning-Based Malware Detectors Fabrcio Ceschin Marcus

1.12k views • 59 slides
AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning Florian Tramr November

AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning Florian Tramr November

AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning Florian Tramr November 14 th 2019 Joint work with Pascal Dupr, Gili Rusak, Giancarlo Pellegrino and Dan Boneh The Future of Ad-Blocking easylist.txt markup

612 views • 23 slides
Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to

Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to

Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to Nicolas Papernot, Ian Goodfellow, and Jerry Zhu for some slides . Machine learning brings social disruption at scale Healthcare Energy Source: Peng and

821 views • 71 slides
Vulnerability of machine learning models to adversarial examples Petra Vidnerov Institute of

Vulnerability of machine learning models to adversarial examples Petra Vidnerov Institute of

Vulnerability of machine learning models to adversarial examples Petra Vidnerov Institute of Computer Science The Czech Academy of Sciences Hora Informaticae 2016 Outline Introduction Works on adversarial examples Our work Genetic

855 views • 46 slides
Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann

Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann

Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann Department of Informatics Technical University of Munich 28.10.2019 Adversarial Robustness of Machine Learning Models for Graphs S. Gnnemann Can you

669 views • 27 slides
Physical Adversarial Examples Alex Kurakin Ian Goodfellow Output STOP Machine Learning

Physical Adversarial Examples Alex Kurakin Ian Goodfellow Output STOP Machine Learning

Physical Adversarial Examples Alex Kurakin Ian Goodfellow Output STOP Machine Learning Training Examples Hidden units / BICYCLE features CAR PEDESTRIA N Parameters Input ImageNet (Russakovsky et al 2015) Adversarial Examples: Images

369 views • 19 slides
When foes are friends adversarial examples as protective technologies Carmela Troncoso

When foes are friends adversarial examples as protective technologies Carmela Troncoso

When foes are friends adversarial examples as protective technologies Carmela Troncoso @carmelatroncoso Security and Privacy Engineering Lab The machine learning revolution 2 Machine Learning ) Definition (Wikipedia) Machine learning [...]

965 views • 58 slides
Multi-armed bandits S Bubeck, N Cesa-Bianchi Foundations and Trends in Machine Learning 2012 *

Multi-armed bandits S Bubeck, N Cesa-Bianchi Foundations and Trends in Machine Learning 2012 *

Multi-armed bandits S Bubeck, N Cesa-Bianchi Foundations and Trends in Machine Learning 2012 * Real title: regret analysis of stochastic and nonstochastic multi-armed bandit problems Overview Stochastic, adversarial, extensions &

281 views • 7 slides
Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain

Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain

Progressive GAN CoGAN LR-GAN MedGAN CGAN IcGAN A ff GAN DiscoGAN LS-GAN BIM LAPGAN MPM-GAN AdaGAN FGSM iGAN LSGAN InfoGAN IAN ATN Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain McGAN

860 views • 45 slides
Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain

Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain

Progressive GAN CoGAN LR-GAN MedGAN CGAN IcGAN A ff GAN DiscoGAN LS-GAN BIM LAPGAN MPM-GAN AdaGAN FGSM iGAN LSGAN InfoGAN IAN ATN Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain McGAN

797 views • 42 slides
Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain

Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain

Progressive GAN CoGAN LR-GAN MedGAN CGAN IcGAN A ff GAN DiscoGAN LS-GAN BIM LAPGAN MPM-GAN AdaGAN FGSM iGAN LSGAN InfoGAN IAN ATN Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain McGAN

562 views • 39 slides
Making and Measuring Progress in Adversarial Machine Learning Nicholas Carlini Google Research

Making and Measuring Progress in Adversarial Machine Learning Nicholas Carlini Google Research

Making and Measuring Progress in Adversarial Machine Learning Nicholas Carlini Google Research Act I Background Why should we care about adversarial examples? Make ML Make ML robust better Act II An Apparent Problem Let's go

1.12k views • 79 slides
Camera Calibration and Stereo Various slides from previous courses by: D.A. Forsyth (Berkeley /

Camera Calibration and Stereo Various slides from previous courses by: D.A. Forsyth (Berkeley /

CS4501: Introduction to Computer Vision Camera Calibration and Stereo Various slides from previous courses by: D.A. Forsyth (Berkeley / UIUC), I. Kokkinos (Ecole Centrale / UCL). S. Lazebnik (UNC / UIUC), S. Seitz (MSR / Facebook), J. Hays (Brown

573 views • 53 slides
Challenges in Networking to Support Augmented Reality and Virtual Reality Cedric Westphal

Challenges in Networking to Support Augmented Reality and Virtual Reality Cedric Westphal

Challenges in Networking to Support Augmented Reality and Virtual Reality Cedric Westphal Huawei IETF98- ICNRG Meeting Thursday 3/30/17 Trends in AR/VR Augmented Reality and Virtual Reality are going to create tremendous growth in

632 views • 15 slides
Electromagnetic Radiation - Spectrum Color Representation Short- AC Ultra- Gamma X rays

Electromagnetic Radiation - Spectrum Color Representation Short- AC Ultra- Gamma X rays

Electromagnetic Radiation - Spectrum Color Representation Short- AC Ultra- Gamma X rays violet Infrared Radar FM TV wave AM electricity 3 Dimensional Perceptual Color Space Munsell Color System -12 -8 -4 4 8 10 10 10

964 views • 12 slides
7 Presentation Thanks to John Stasko, Robert Spence, Ross Ihaka, Marti Hearst, Kent

7 Presentation Thanks to John Stasko, Robert Spence, Ross Ihaka, Marti Hearst, Kent

Elective in Software and Services (Complementi di software e servizi per la societ dell'informazione) Section Inf nfor ormat ation V on Visual sualizat ation on Numbers of credit : 3 Gius usep eppe pe S Sant antucci 7

1.01k views • 54 slides
MMSys 2018 12 June 18 1 Principal Consultant, TNO President, VR Industry Forum

MMSys 2018 12 June 18 1 Principal Consultant, TNO President, VR Industry Forum

MMSys 2018 12 June 18 1 Principal Consultant, TNO President, VR Industry Forum Chair, MPEG Roadmap AHG Co-Founder and Chief Business Officer, Tiledmedia MMSys 2018 12 June 18 MMSys 2018 12 June 18 MMSys

813 views • 62 slides
Computational Methods for Immersive Perception Qi Sun Stony Brook University Warehouse/Arts

Computational Methods for Immersive Perception Qi Sun Stony Brook University Warehouse/Arts

Computational Methods for Immersive Perception Qi Sun Stony Brook University Warehouse/Arts District, New Orleans, USA Traditional Visual Media Immersive Visual Media Perception for Better Immersive Experience Where we are? What we see?

644 views • 63 slides
Primary Colors RYB : Art Spectrum, RYB noble hues,

Primary Colors RYB : Art Spectrum, RYB noble hues,

Primary Colors RYB : Art Spectrum, RYB noble hues, primaries are White and Black , composite hues, formerly standard subtrac=ve colors. CMY.

253 views • 14 slides
Camera Obscura Image Formation (approximately) Vision infers world properties form images.

Camera Obscura Image Formation (approximately) Vision infers world properties form images.

Camera Obscura Image Formation (approximately) Vision infers world properties form images. So we need to understand how images depend on these properties. Two key elements "When images of illuminated objects ... penetrate

355 views • 9 slides

More recommend