robustness and geometry of deep neural networks
play

Robustness and geometry of deep neural networks Alhussein Fawzi - PowerPoint PPT Presentation

Feb 26, 2024 •104 likes •809 views

Robustness and geometry of deep neural networks Alhussein Fawzi DeepMind May 23rd 2019 The Mathematics of Deep Learning and Data Science University of Cambridge 1 Recent advances in machine learning Error rate (%) He et., al., Delving

  1. Robustness and geometry of deep neural networks Alhussein Fawzi DeepMind May 23rd 2019 The Mathematics of Deep Learning and Data Science University of Cambridge 1

  2. Recent advances in machine learning Error rate (%) He et., al., “Delving Deep into Rectifiers: Surpassing Human-Level Performance on ImageNet Classification” , 2015 2 Karpathy et., al, “Automated Image Captioning with ConvNets and Recurrent Nets” LeCun et. al.,, “Deep Learning” , 2015 DeepMind https://deepmind.com/research/alphago/

  3. Robustness of classifiers to perturbations In real world environments, images undergo perturbations. 3

  4. Robustness of classifiers to perturbations In real world environments, images undergo perturbations. Lampshade 3

  5. Robustness of classifiers to perturbations In real world environments, images undergo perturbations. Perturbation Lampshade 3

  6. Robustness of classifiers to perturbations In real world environments, images undergo perturbations. Perturbation Lampshade 3

  7. Robustness of classifiers to perturbations In real world environments, images undergo perturbations. Perturbation f Lampshade 3

  8. Robustness of classifiers to perturbations In real world environments, images undergo perturbations. Perturbation f Lampshade? Lampshade 3

  9. Robustness of classifiers to perturbations In real world environments, images undergo perturbations. Perturbation f Lampshade? Lampshade Broad range of perturbations Adversarial perturbations [Szegedy et. al. ICLR 2014], [Biggio et. al., PKDD 2013], ... Random noise [Fawzi et. al., NIPS 2016], [Franceschi et. al., AISTATS 2018] Structured nuisances (geometric transformations [Bruna et. al., TPAMI 2013], [Jaderberg et. al., NIPS 2015] , occlusions [Sharif et. al., CCS 2016] , etc...). 3

  10. Robustness of classifiers to perturbations (Cont’d) Safety of machine learning systems ? 4

  11. Robustness of classifiers to perturbations (Cont’d) Safety of machine learning systems ? Better understanding of the geometry of state-of-the-art classifiers. Class 2 Class 1 4

  12. Talk outline 1 Fooling classifiers is easy: vulnerability to different perturbations. 2 Improving the robustness (i.e., “defending”) is difficult. 3 Geometric analysis of a successful defense: adversarial training. 5

  13. Adversarial perturbations State-of-the-art deep neural networks have been shown to be surprisingly unstable to adversarial perturbations. 6

  14. Adversarial perturbations State-of-the-art deep neural networks have been shown to be surprisingly unstable to adversarial perturbations. School bus 6

  15. Adversarial perturbations State-of-the-art deep neural networks have been shown to be surprisingly unstable to adversarial perturbations. School bus Ostrich 6

  16. Adversarial perturbations State-of-the-art deep neural networks have been shown to be surprisingly unstable to adversarial perturbations. School bus Perturbation Ostrich Figure from [Szegedy et. al., ICLR 2014]. 6

  17. Adversarial perturbations State-of-the-art deep neural networks have been shown to be surprisingly unstable to adversarial perturbations. School bus Perturbation Ostrich Figure from [Szegedy et. al., ICLR 2014]. Adversarial examples are found by seeking the minimal perturbation (in the ℓ 2 sense) that switches the label of the classifier. 6

  18. Adversarial perturbations Robustness to adversarial noise r ∗ ( ) x x r ∗ ( x ) = min � r � 2 subject to f ( x + r ) � = f ( x ) . r 7

  19. Other types of adversarial perturbations Universal perturbations [Moosavi-Dezfooli et. al., 2017] C h ihuah u a Joyst i ck L a b r a d o r Flagpole T e B all o on r r i e r Geometric transformations [Fawzi et. al., 2015, Moosavi-Dezfooli et. al., 2018, Xiao et al., 2018] 8

  20. Finding adversarial perturbations is easy... http://robust.vision 9

  21. ... but designing defense mechanisms is hard! Despite the huge number of proposed defenses, state-of-the-art classifiers are still vulnerable to small perturbations. 10

  22. ... but designing defense mechanisms is hard! Despite the huge number of proposed defenses, state-of-the-art classifiers are still vulnerable to small perturbations. 10

  23. ... but designing defense mechanisms is hard! Despite the huge number of proposed defenses, state-of-the-art classifiers are still vulnerable to small perturbations. 10

  24. ... but designing defense mechanisms is hard! Despite the huge number of proposed defenses, state-of-the-art classifiers are still vulnerable to small perturbations. 10

  25. Adversarial training 11

  26. Adversarial training Adversarial accuracy (CIFAR-10): 11

  27. Adversarial training Adversarial accuracy (CIFAR-10): [Madry et. al., 2017] 11

  28. Adversarial training Adversarial accuracy (CIFAR-10): [Madry et. al., 2017] Adversarial training leads to state-of-the art robustness to adversarial perturbations. 11

  29. Adversarial training Adversarial accuracy (CIFAR-10): [Madry et. al., 2017] Adversarial training leads to state-of-the art robustness to adversarial perturbations. But what does it actually do? 11

  30. Decision boundaries Adv. direction Random direction 12

  31. Decision boundaries Adv. direction Normal training Random direction 12

  32. Decision boundaries Adv. direction Normal training Adversarial training Random direction 12

  33. Decision boundaries Adv. direction Normal training Adversarial training Random direction After adversarial training, the decision boundaries are flatter and more regular. 12

  34. Effect of adversarial training on loss landscape Logit Label 13

  35. Effect of adversarial training on loss landscape Logit Label Before adv. fine-tuning 13

  36. Effect of adversarial training on loss landscape Logit Label Before adv. fine-tuning After adv. fine-tuning 13

  37. Effect of adversarial training on loss landscape (Cont’d) 14

  38. Quantitative analysis: curvature decrease with adversarial training We compute the Hessian matrix at a test point x with respect to inputs . � ∂ 2 ℓ � H = ∂ x i ∂ x j The eigenvalues of H are the curvature of ℓ in the vicinity of x . 15

  39. Quantitative analysis: curvature decrease with adversarial training We compute the Hessian matrix at a test point x with respect to inputs . � ∂ 2 ℓ � H = ∂ x i ∂ x j The eigenvalues of H are the curvature of ℓ in the vicinity of x . Eigenvalue profile Original Adversarial 1.5 1.0 Value 0.5 0.0 -0.5 0 500 1000 1500 2000 2500 3000 Eigenvalue number 15

  40. Quantitative analysis: curvature decrease with adversarial training We compute the Hessian matrix at a test point x with respect to inputs . � ∂ 2 ℓ � H = ∂ x i ∂ x j The eigenvalues of H are the curvature of ℓ in the vicinity of x . Eigenvalue profile Original Adversarial 1.5 1.0 Value 0.5 0.0 -0.5 0 500 1000 1500 2000 2500 3000 Eigenvalue number 15

  41. Relation between curvature and robustness Locally quadratic approximation of the loss function 16

  42. Relation between curvature and robustness Locally quadratic approximation of the loss function We derive upper and lower bounds on the minimal perturbation required to fool a classifier. 16

  43. Relation between curvature and robustness Locally quadratic approximation of the loss function We derive upper and lower bounds on the minimal perturbation required to fool a classifier. Threshold 16

  44. Relation between curvature and robustness Locally quadratic approximation of the loss function We derive upper and lower bounds on the minimal perturbation required to fool a classifier. Threshold 16

  45. Relation between curvature and robustness Locally quadratic approximation of the loss function We derive upper and lower bounds on the minimal perturbation required to fool a classifier. Threshold 16

  46. Relation between curvature and robustness Locally quadratic approximation of the loss function We derive upper and lower bounds on the minimal perturbation required to fool a classifier. Threshold 16

  47. Relation between curvature and robustness Locally quadratic approximation of the loss function We derive upper and lower bounds on the minimal perturbation required to fool a classifier. Threshold Robustness Upper bound Lower bound Curvature 16

  48. How important is the curvature decrease? Is the curvature decrease the main effect of adversarial training leading to improved robustness? 17

  49. How important is the curvature decrease? Is the curvature decrease the main effect of adversarial training leading to improved robustness? → we regularize explicitly for the curvature. 17

  50. How important is the curvature decrease? Is the curvature decrease the main effect of adversarial training leading to improved robustness? → we regularize explicitly for the curvature. Idea: Regularize the norm of the Hessian of the loss wrt inputs. 17

  51. How important is the curvature decrease? Is the curvature decrease the main effect of adversarial training leading to improved robustness? → we regularize explicitly for the curvature. Idea: Regularize the norm of the Hessian of the loss wrt inputs. Use Hutichinson’s estimator � � Hz � 2 � H � F = E 2 z ∼N (0 , I ) 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Toward Adversarial Robustness by Diversity in an Ensemble of Specialized Deep Neural Networks

Toward Adversarial Robustness by Diversity in an Ensemble of Specialized Deep Neural Networks

Toward Adversarial Robustness by Diversity in an Ensemble of Specialized Deep Neural Networks presented at Canadian AI 2020 Mahdieh Abbasi 1 , Arezoo Rajabi 2 , Christian Gagn 1,3 , and Rakesh B. Bobba 2 1. IID, Universit Laval, Qubec,

728 views • 20 slides
ON THE ADVERSARIAL ROBUSTNESS OF UNCERTAINTY AWARE DEEP NEURAL NETWORKS APRIL 29 TH , 2019

ON THE ADVERSARIAL ROBUSTNESS OF UNCERTAINTY AWARE DEEP NEURAL NETWORKS APRIL 29 TH , 2019

ON THE ADVERSARIAL ROBUSTNESS OF UNCERTAINTY AWARE DEEP NEURAL NETWORKS APRIL 29 TH , 2019 PREPARED BY: ALI HARAKEH QUESTION Can a neural network mitigate the effects of adversarial attacks by estimating the uncertainty in its predictions ?

1.14k views • 26 slides
Deep Learning with Neural Networks The Structure and Optimization of Deep Neural Networks Allan

Deep Learning with Neural Networks The Structure and Optimization of Deep Neural Networks Allan

Deep Learning with Neural Networks The Structure and Optimization of Deep Neural Networks Allan Zelener Machine Learning Reading Group January 7 th 2016 The Graduate Center, CUNY Objectives Explain some of the trends of deep learning and

680 views • 44 slides
Introduction to Deep Neural Networks 0. Logistics Spring 2020 1 Neural Networks are taking

Introduction to Deep Neural Networks 0. Logistics Spring 2020 1 Neural Networks are taking

Introduction to Deep Neural Networks 0. Logistics Spring 2020 1 Neural Networks are taking over! Neural networks have become one of the major thrust areas recently in various pattern recognition, prediction, and analysis problems In

987 views • 40 slides
Visualizing and Interpreting Deep Neural Networks Bolei Zhou Department of Information

Visualizing and Interpreting Deep Neural Networks Bolei Zhou Department of Information

Visualizing and Interpreting Deep Neural Networks Bolei Zhou Department of Information Engineering The Chinese University of Hong Kong Deep Neural Networks are Everywhere Playing Go Making Medical Decision Understanding Scenes Deep Neural

1.1k views • 46 slides
On the Expressive Power of Deep Neural Networks Maithra Raghu, Ben Poole, Jon Kleinberg, Surya

On the Expressive Power of Deep Neural Networks Maithra Raghu, Ben Poole, Jon Kleinberg, Surya

On the Expressive Power of Deep Neural Networks Maithra Raghu, Ben Poole, Jon Kleinberg, Surya Ganguli, Jascha Sohl Dickstein Tom Brady Deep Neural Networks Recent successes in using Deep neural networks for image classification,

1.32k views • 17 slides
Outline Evolution of neurocomputing Artificial neural networks Feed forward

Outline Evolution of neurocomputing Artificial neural networks Feed forward

Introduction to Neural Networks and Deep Learning Ling Guan References: S. Haykin, Neural Networks , 2 nd Edition, New Jersey: Prentice Hall, 1. 2004. C. M. Bishop, Neural Networks for Pattern Re cognition, New York: 2. Oxford University

451 views • 17 slides
Towards Evaluating the Robustness of Neural Networks Nicholas Carlini and David Wagner

Towards Evaluating the Robustness of Neural Networks Nicholas Carlini and David Wagner

Towards Evaluating the Robustness of Neural Networks Nicholas Carlini and David Wagner University of California, Berkeley Background A neural network is a function with trainable parameters that learns a given mapping Given an image,

590 views • 58 slides
Introduction to Artificial Intelligence Neural Networks - Deep Learning for NLP Janyl Jumadinova

Introduction to Artificial Intelligence Neural Networks - Deep Learning for NLP Janyl Jumadinova

Introduction to Artificial Intelligence Neural Networks - Deep Learning for NLP Janyl Jumadinova November 21, 2016 Neural Networks 2/20 Neural Networks 3/20 Neural Networks Neural computing requires a number of neurons , to be connected

813 views • 21 slides
Optimizing Deep Neural Networks Leena Chennuru Vankadara 26-10-2015 Table of Contents Neural

Optimizing Deep Neural Networks Leena Chennuru Vankadara 26-10-2015 Table of Contents Neural

Optimizing Deep Neural Networks Leena Chennuru Vankadara 26-10-2015 Table of Contents Neural Networks and loss surfaces Problems of Deep Architectures Optimization in Neural Networks Under fitting Proliferation of Saddle

1.67k views • 41 slides
Deep Neural Networks and Molecular Dynamics Roberto Car Princeton University MAX Conference

Deep Neural Networks and Molecular Dynamics Roberto Car Princeton University MAX Conference

Deep Neural Networks and Molecular Dynamics Roberto Car Princeton University MAX Conference ICTP, Trieste, Jan 29-31 2018 Deep Neural Networks When properly trained, deep NN are capable of learning the complex functional dependence of

442 views • 17 slides
CS7015 (Deep Learning) : Lecture 13 Visualizing Convolutional Neural Networks, Guided

CS7015 (Deep Learning) : Lecture 13 Visualizing Convolutional Neural Networks, Guided

CS7015 (Deep Learning) : Lecture 13 Visualizing Convolutional Neural Networks, Guided Backpropagation, Deep Dream, Deep Art, Fooling Convolutional Neural Networks Mitesh M. Khapra Department of Computer Science and Engineering Indian Institute

1.07k views • 72 slides
Deep Neural Networks and Deep Reinforcement Learning Deep Learning, Goodfellow, Bengio and

Deep Neural Networks and Deep Reinforcement Learning Deep Learning, Goodfellow, Bengio and

Deep Neural Networks and Deep Reinforcement Learning Deep Neural Networks and Deep Reinforcement Learning Deep Learning, Goodfellow, Bengio and Courville [chapt. 6,7,8]; AIMA [sect. 21.1-21.3]; Sutton and Barto, Reinforcement Learning: an

527 views • 35 slides
Propagating Error Backward Hyperparameters for Neural Networks } Multi-layer (deep) neural

Propagating Error Backward Hyperparameters for Neural Networks } Multi-layer (deep) neural

Learning in Neural Networks w 1,3 w 3,5 1 3 5 w w 1,4 3,6 w w 2,3 4,5 2 4 6 w w 2,4 4,6 Class #18: Back-Propagation; } A neural network can learn a classification function by Tuning Hyper-Parameters adjusting its weights to

259 views • 4 slides
Deep Neural Networks Reveal a Gradient in the Complexity of Neural Representations across the

Deep Neural Networks Reveal a Gradient in the Complexity of Neural Representations across the

Deep Neural Networks Reveal a Gradient in the Complexity of Neural Representations across the Ventral Stream Umut Gcl and Marcel A. J. van Gerven Article overview by Ilya Kuzovkin Computational Neuroscience Seminar University of Tartu

852 views • 63 slides
Recurrent Neural Networks Deep neural networks have enabled major advances in machine learning

Recurrent Neural Networks Deep neural networks have enabled major advances in machine learning

Recurrent Neural Networks Deep neural networks have enabled major advances in machine learning and AI y t-1 y t y t+1 Computer vision h t-1 h t h t+1 Language translation Speech recognition h t-1 h t h t+1 Question answering x t-1 x t x t+1

454 views • 43 slides
Joey Stanley University of Georgia joeystan@uga.edu @joey_stan joeystanley.com Special thanks

Joey Stanley University of Georgia joeystan@uga.edu @joey_stan joeystanley.com Special thanks

T HE PERCEPTION AND PRODUCTION OF TWO VOWEL MERGERS IN C OWLITZ C OUNTY , W ASHINGTON Joey Stanley University of Georgia joeystan@uga.edu @joey_stan joeystanley.com American Dialect Society Annual Meeting Austin, Texas January 5, 2017 C

501 views • 37 slides
Outline Introduction Dynamic Symbolic Execution Binsec/SE Demo CEA - - 2/11 Introduction The

Outline Introduction Dynamic Symbolic Execution Binsec/SE Demo CEA - - 2/11 Introduction The

BINSEC/SE: A Dynamic Symbolic Execution Toolkit for Binary-level Analysis Robin David S ebastien Bardin Thanh Dinh Ta Josselin Feist Laurent Mounier Marie-Laure Potet Jean-Yves Marion SANER 2016, Osaka, Japan, March 16th Outline

467 views • 22 slides
Five ways not to fool yourself Tim Harris 23-Jun-18 Five ways not to fool yourself A

Five ways not to fool yourself Tim Harris 23-Jun-18 Five ways not to fool yourself A

Five ways not to fool yourself Tim Harris 23-Jun-18 Five ways not to fool yourself A pragmatic implementation of non-blocking linked lists, Tim Harris, DISC 2001 Five ways not to fool yourself 1. Measure as you go Starting and stopping

585 views • 25 slides
CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples Honggang Yu 1 ,

CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples Honggang Yu 1 ,

CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples Honggang Yu 1 , Kaichen Yang 1 , Teng Zhang 2 , Yun-Yun Tsai 3 , Tsung-Yi Ho 3 , Yier Jin 1 1 University of Florida, 2 University of Central Florida, 3 National

468 views • 23 slides
Agile Adoption and Parenting Max Keeler September 28, 2009 The Goal 2 September 28, 2009

Agile Adoption and Parenting Max Keeler September 28, 2009 The Goal 2 September 28, 2009

1 Agile Adoption and Parenting Max Keeler September 28, 2009 The Goal 2 September 28, 2009 Hopes For This Presentation Share Agile adoption experience and lessons. Present a simple portfolio management and governance strategy.

553 views • 41 slides
Adversarial Connective-exploiting Networks for Implicit Discourse Relation Classification Lianhui

Adversarial Connective-exploiting Networks for Implicit Discourse Relation Classification Lianhui

Adversarial Connective-exploiting Networks for Implicit Discourse Relation Classification Lianhui Qin, Zhisong Zhang, Hai Zhao, Zhiting Hu , Eric P. Xing Shubham Jain Discourse Relations Connect linguistic units (like sentences) semantically

576 views • 19 slides
Making Default Address Selection More Robust FoolProof

Making Default Address Selection More Robust FoolProof

Making Default Address Selection More Robust FoolProof draft-linkova-6man-default-addr-selection-update-00 Jen Linkova IETF99, Prague, July 2017 When Does a Host Stop Using an Address? Preferred lifetime expired An RA received

540 views • 14 slides
Fool Proof Luke 24:13-35 April 1, 2018 1957 Swiss Spaghetti Harvest 1976 Zero-G Day

Fool Proof Luke 24:13-35 April 1, 2018 1957 Swiss Spaghetti Harvest 1976 Zero-G Day

Fool Proof Luke 24:13-35 April 1, 2018 1957 Swiss Spaghetti Harvest 1976 Zero-G Day 1998 Left-Handed Whopper 1993 Lightning Strike First Easter April Fools Day Fool Proof And he said to them, O foolish ones, and slow of

484 views • 24 slides

More recommend