Pattern Recognition and Applications Lab
University of Cagliari, Italy
Department of Electrical and Electronic Engineering
Some thoughts on safety of machine learning
Fabio Roli
HUML 2016, Venice, December 16th, 2016
The black cloud
http://pralab.diee.unica.it
1915 - 2001
The novel tells of the arrival of an enormous cloud of gas that appears set to destroy life on Earth by blocking the Sun's radiation. The motion of the cloud doesn’t follow physical laws, so one scientist argues that it might be a life-form with a degree of intelligence. Supposing that the cloud might be intelligent, the scientists try to communicate with it. But human paradigms for information communication do not work!
“Could I put in this way? Said Kingsley. Between two absolutely identical individuals, no communication at all would be necessary because each individual would automatically know the experience of the other. … Between two widely different individuals a vastly more complicated communication system is required”
“But if cattle and horses and lions had hands
horses like horses and cattle like cattle also would depict the gods' shapes and make their bodies of such a sort as the form they themselves have” Xenophánes; 570 – 480 BC
Is anthropomorphism good for the human use of machine learning?
wouldn’t have never done?
The iCub is the humanoid robot developed at the Italian Institute of Technology as part of the EU project RobotCub and subsequently adopted by more than 20 laboratories worldwide. It has 53 motors that move the head, arms and hands, waist, and legs. It can see and hear, it has the sense of proprioception (body configuration) and movement (using accelerometers and gyroscopes).
[http://www.icub.org]
[G. Pasquale et al. MLIS 2015]
[http://old.iit.it/projects/data-sets]
Credits: Lorenzo Natale, Visual Learning of Objects and Tools on the iCub Robot, 2015
[Figure: panels labelled Plate, Cup, and Adversarial Noise]
The adversarial image x + r is visually hard to distinguish from x
Disclaimer: unpublished work, work in progress at PRA Lab https://pralab.diee.unica.it
[Szegedy et al., Intriguing properties of neural networks, 2014]
generate attacks to face recognition systems, attacks which are realized through printing a pair of eyeglass frames. When worn by the attacker whose image is supplied to a state-of-the-art face-recognition algorithm, the eyeglasses allow her to evade being recognized or to impersonate another individual.
[M. Sharif et al., ACM CCS 2016]
[Patrick McDaniel et al., IEEE Security & Privacy, 2016]
[Patrick McDaniel et al., IEEE Security & Privacy, 2016]
To humans, adversarial images are indistinguishable from original images. Left: an ordinary image of a stop sign. Right: an image manipulated with adversarial noise and classified as a yield sign.
[M. Gori and F. Scarselli, PAMI 1998; B. Biggio et al., MCS 2015]
Adversarial inputs in low-probability regions can easily evade the classifier
[Figure: 2-class classification]
Blue: legitimate class. Red: illegal class. Spam/Ham, for example.
[M. Gori and F. Scarselli, PAMI 1998; B. Biggio et al., MCS 2015]
[Figure: 1.5C classification (MCS)]
Better enclosing legitimate data in feature space may improve classifier security
[Figure: 2-class classification]
secure? ASIACCS '06 Proceedings of the 2006 ACM Symposium on Information, computer and communications security
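[Figure: linear classifier with feature weights w1, w2, w3, …, wn producing a score s that is compared with a threshold th (s ≥ th, s < th); output classes: Benign, Malware]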
DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket NDSS 2014 - The Network and Distributed System Security Symposium
[Figure: feature weights for features including SEND_SMS, READ_SMS, CAMERA and Android.hardware.wifi]
We learn evenly-distributed feature weights by solving this optimization problem:
[A. Demontis et al., S+SSPR 2016]
There is a trade-off between sparsity and security!
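Added example (not from the slides, and not code from DREBIN or the S+SSPR 2016 paper): a toy linear detector over binary features that counts how many feature changes a sparse and an evenly-distributed weight vector each tolerate before the decision flips. The weights, threshold, sample, the two placeholder feature names and the rule "malware if s ≥ th" are assumptions made for illustration.

```python
# Added illustration: constructed weights and sample, not DREBIN's model or data.
FEATURES = ["SEND_SMS", "READ_SMS", "CAMERA", "android.hardware.wifi",
            "feature_5", "feature_6"]  # index order; last two are placeholders

SPARSE_W = [3.0, 0.0, 0.0, 0.0, 0.0, 0.0]  # all evidence on one feature
EVEN_W = [0.5, 0.5, 0.5, 0.5, 0.5, 0.5]    # same total, spread evenly
TH = 1.0                                    # assumed decision threshold
SAMPLE = [1, 1, 1, 1, 1, 1]                 # constructed app, every feature present


def score(weights, x):
    """Linear score s = sum_i w_i * x_i over binary features."""
    return sum(w * xi for w, xi in zip(weights, x))


def is_malware(weights, x, th=TH):
    """Assumed decision rule: flag as malware when s >= th."""
    return score(weights, x) >= th


def min_changes_to_flip(weights, x, th=TH):
    """Fewest binary feature changes that bring a flagged sample below th.

    Each change lowers s by w_i (dropping a present feature with w_i > 0) or
    by -w_i (adding an absent feature with w_i < 0). For a linear score,
    taking the largest reductions first gives the minimum count.
    Returns 0 if the sample is not flagged, None if no set of changes works.
    """
    s = score(weights, x)
    if s < th:
        return 0
    gains = sorted((abs(w) for w, xi in zip(weights, x)
                    if (xi == 1 and w > 0) or (xi == 0 and w < 0)), reverse=True)
    for n, g in enumerate(gains, start=1):
        s -= g
        if s < th:
            return n
    return None


def compare():
    """Robustness of both weight vectors on the same sample and threshold."""
    return {"sparse": min_changes_to_flip(SPARSE_W, SAMPLE),
            "even": min_changes_to_flip(EVEN_W, SAMPLE)}


if __name__ == "__main__":
    print(compare())
```

Both vectors give the sample the same score, but the sparse one is cleared by a single feature change while the even one needs five, which is the sparsity versus security trade-off in miniature.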
On security and sparsity of linear classifiers for adversarial settings S+SSPR 2016
Supposed that sparsity can facilitate interpretability, there is a trade
People are disappointed, and worried, by such errors… Can we trust in algorithms as well as we trust in humans?
CoCo @ NIPS 2016 - Cognitive Computation: Integrating Neural and Symbolic Approaches
Engineering isn't about perfect solutions; it's about doing the best you can with limited resources (Randy Pausch, 1960-2008)