Security of Deep Learning Nicolas Papernot ~ ngp5056@cse.psu.edu - - PowerPoint PPT Presentation

▶

Nov 30, 2023 386 likes •753 views

All parts of this talk should not be further distributed without first contacting the author Security of Deep Learning Nicolas Papernot ~ ngp5056@cse.psu.edu PSU CSE - Dr. Patrick McDaniels lab 1 All parts of this talk should not be further

SLIDE 1 All parts of this talk should not be further distributed without first contacting the author

Security of Deep Learning

Nicolas Papernot ~ ngp5056@cse.psu.edu PSU CSE - Dr. Patrick McDaniel’s lab 1

SLIDE 2

Neuron

utput

input input input input

2 All parts of this talk should not be further distributed without first contacting the author

SLIDE 3 All parts of this talk should not be further distributed without first contacting the author

Neural Networks

3 All parts of this talk should not be further distributed without first contacting the author

SLIDE 4 All parts of this talk should not be further distributed without first contacting the author

Danger!

(Artificial) Neural Networks are far from modeling the brain’s behavior

SLIDE 5 All parts of this talk should not be further distributed without first contacting the author

Deep Neural Networks

5 All parts of this talk should not be further distributed without first contacting the author

SLIDE 6 All parts of this talk should not be further distributed without first contacting the author 6

Deep Neural Networks

All parts of this talk should not be further distributed without first contacting the author

SLIDE 7 All parts of this talk should not be further distributed without first contacting the author 7

Deep Neural Networks

All parts of this talk should not be further distributed without first contacting the author

SLIDE 8 All parts of this talk should not be further distributed without first contacting the author 8

Deep Neural Networks

All parts of this talk should not be further distributed without first contacting the author

SLIDE 9 All parts of this talk should not be further distributed without first contacting the author 9

Deep Neural Networks

All parts of this talk should not be further distributed without first contacting the author

SLIDE 10 All parts of this talk should not be further distributed without first contacting the author 10

SLIDE 11 11 All parts of this talk should not be further distributed without first contacting the author

SLIDE 12 All parts of this talk should not be further distributed without first contacting the author 12

SLIDE 13 13 All parts of this talk should not be further distributed without first contacting the author

SLIDE 14

Speech Recognition as Probabilistic Transduction

Audio Frame State

Phoneme

Word

Sentence Meaning Feature Extraction Acoustic Model Decision Trees Lexicon Language Model NLP Source: Tara N. Sainath @ ICML DL Workshop 2015 14 All parts of this talk should not be further distributed without first contacting the author

SLIDE 15 15

SLIDE 16 16 0 1 2 3 4 5 6 7 8 9 Output classification 9 8 7 6 5 4 3 2 1 0 Input class

Adversarial Samples

All parts of this talk should not be further distributed without first contacting the author

SLIDE 17 17 All parts of this talk should not be further distributed without first contacting the author

SLIDE 18 18 All parts of this talk should not be further distributed without first contacting the author

SLIDE 19

Neuron

utput

input input input input

19 All parts of this talk should not be further distributed without first contacting the author

SLIDE 20

Neuron

y = ϕ @

j=0

wjxj 1 A

20 All parts of this talk should not be further distributed without first contacting the author

SLIDE 21 All parts of this talk should not be further distributed without first contacting the author 21 x1 h1 x2

w32 w11

w12

w21 w22 All parts of this talk should not be further distributed without first contacting the author

SLIDE 22 All parts of this talk should not be further distributed without first contacting the author 22 x1 h1 x2

w32 w11

w12

w21 w22 All parts of this talk should not be further distributed without first contacting the author

SLIDE 23 23

All parts of this talk should not be further distributed without first contacting the author

SLIDE 24 24

rF(X)

All parts of this talk should not be further distributed without first contacting the author

SLIDE 25 25 x1 h1 x2

w32 w11

w12

w21 w22 All parts of this talk should not be further distributed without first contacting the author

SLIDE 26 26

X = (1, 0.37) X∗ = (1, 0.43)

All parts of this talk should not be further distributed without first contacting the author

SLIDE 27 27

F(X) = 0.11 F(X∗) = 0.95

All parts of this talk should not be further distributed without first contacting the author

SLIDE 28 All parts of this talk should not be further distributed without first contacting the author

What about Deep Neural Networks?

28 All parts of this talk should not be further distributed without first contacting the author

SLIDE 29 29 All parts of this talk should not be further distributed without first contacting the author

SLIDE 30 30

30,000

All parts of this talk should not be further distributed without first contacting the author

SLIDE 31 31

270,000

All parts of this talk should not be further distributed without first contacting the author

SLIDE 32 32

97.10%

All parts of this talk should not be further distributed without first contacting the author

SLIDE 33 33

4.02%

All parts of this talk should not be further distributed without first contacting the author

SLIDE 34 34 All parts of this talk should not be further distributed without first contacting the author

SLIDE 35 35

Current Research

All parts of this talk should not be further distributed without first contacting the author