stronger and faster wasserstein adversarial attacks
play

Stronger and Faster Wasserstein Adversarial Attacks Kaiwen Wu - PowerPoint PPT Presentation

Dec 25, 2022 •642 likes •1.04k views

Stronger and Faster Wasserstein Adversarial Attacks Kaiwen Wu kaiwen.wu@uwaterloo.ca Joint work with Allen Wang and Yaoliang Yu K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 1 / 18 Adversarial Examples Adversarial

  1. Stronger and Faster Wasserstein Adversarial Attacks Kaiwen Wu kaiwen.wu@uwaterloo.ca Joint work with Allen Wang and Yaoliang Yu K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 1 / 18

  2. Adversarial Examples Adversarial examples: (Goodfellow et al. 2015) Generating adversarial examples: maximize ℓ ( f ( x adv ) , y ) x adv subject to x adv ≈ x K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 2 / 18

  3. How “Similar” Is Similar? How to quantify x adv ≈ x ? � x − x adv � p ≤ ǫ (Szegedy et al. 2014) point-wise function (Laidlaw et al. 2019) geometric transformation (Engstrom et al. 2019) Wasserstein distance (Wong et al. 2019) ... Our contributions stronger and faster Wasserstein adversarial attacks higher robust accuracy using adversarial training K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 3 / 18

  4. What is Wasserstein Distance? Π ≥ 0 � Π , C � s . t . Π 1 = x , Π ⊤ 1 = z W ( x , z ) = min x ∈ R n and z ∈ R n : input images Π ∈ R n × n : transportation matrix C ∈ R n × n : transportation cost cost Π ij × C ij z x K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 4 / 18

  5. Applications across Different Domains (Arjovsky et al. 2017; Rabin et al. 2014; Solomon et al. 2015) K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 5 / 18

  6. Why Wasserstein Distance? Captures geometry in image space, e.g . translation, rotation ǫ = 0 . 05 ǫ = 0 . 10 ǫ = 0 . 20 ǫ = 0 . 40 ℓ ∞ ǫ = 0 . 50 ǫ = 1 . 00 ǫ = 2 . 00 ǫ = 4 . 00 ℓ 2 ǫ = 0 . 05 ǫ = 0 . 10 ǫ = 0 . 20 ǫ = 0 . 40 Wasserstein predict: 4 predict: 9

  7. Why Wasserstein Distance? Captures geometry in image space, e.g . translation, rotation ǫ = 0 . 05 ǫ = 0 . 10 ǫ = 0 . 20 ǫ = 0 . 40 ℓ ∞ ǫ = 0 . 50 ǫ = 1 . 00 ǫ = 2 . 00 ǫ = 4 . 00 ℓ 2 ǫ = 0 . 05 ǫ = 0 . 10 ǫ = 0 . 20 ǫ = 0 . 40 Wasserstein predict: 4 predict: 9 K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 6 / 18

  8. Computing Wasserstein Adversarial Examples Search for adversarial examples: ℓ ( x adv ) maximize x adv subject to W ( x , x adv ) ≤ ǫ K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 7 / 18

  9. Computing Wasserstein Adversarial Examples Search for adversarial examples: ℓ ( x adv ) maximize x adv subject to W ( x , x adv ) ≤ ǫ Alternatively, search for transportation matrix: ℓ (Π ⊤ 1 ) maximize Π ≥ 0 subject to Π 1 = x , � Π , C � ≤ ǫ Then, recover adversarial examples: x adv = Π ⊤ 1 K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 7 / 18

  10. Optimization in Transportation Matrix K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 8 / 18

  11. Optimization in Transportation Matrix ∇ Π ℓ (Π) ǫ (a) projected gradient 1 2 � Π − G � 2 minimize F Π ≥ 0 subject to Π 1 = x , � Π , C � ≤ ǫ K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 8 / 18

  12. Optimization in Transportation Matrix ∇ Π ℓ (Π) ǫ (a) projected gradient (b) Frank-Wolfe (Jaggi 2011) 1 2 � Π − G � 2 � Π , H � minimize minimize F Π ≥ 0 Π ≥ 0 subject to Π 1 = x , � Π , C � ≤ ǫ subject to Π 1 = x , � Π , C � ≤ ǫ K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 8 / 18

  13. Optimization in Transportation Matrix ∇ Π ℓ (Π) ǫ (a) projected gradient (b) Frank-Wolfe (Jaggi 2011) 1 2 � Π − G � 2 � Π , H � minimize minimize F Π ≥ 0 Π ≥ 0 subject to Π 1 = x , � Π , C � ≤ ǫ subject to Π 1 = x , � Π , C � ≤ ǫ For n dimensional images, Π has n 2 variables... K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 8 / 18

  14. Solve Projection in PGD 2 � Π − G � 2 1 minimize F Π ≥ 0 subject to Π 1 = x , � Π , C � ≤ ǫ K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 9 / 18

  15. Solve Projection in PGD 2 � Π − G � 2 1 minimize F Π ≥ 0 subject to Π 1 = x , � Π , C � ≤ ǫ The Lagrange dual can be simplified as a univariate problem g ( λ ) maximize λ ≥ 0 K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 9 / 18

  16. Solve Projection in PGD 2 � Π − G � 2 1 minimize F Π ≥ 0 subject to Π 1 = x , � Π , C � ≤ ǫ The Lagrange dual can be simplified as a univariate problem g ( λ ) maximize λ ≥ 0 No closed-form expression... K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 9 / 18

  17. Solve Projection in PGD 2 � Π − G � 2 1 minimize F Π ≥ 0 subject to Π 1 = x , � Π , C � ≤ ǫ The Lagrange dual can be simplified as a univariate problem g ( λ ) maximize λ ≥ 0 No closed-form expression... But g ′ ( λ ) can be evaluated in O ( n 2 log n ) time Proposition 0 ≤ λ ⋆ ≤ 2 � vec ( G ) � ∞ + � x � ∞ min i � = j { C ij } K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 9 / 18

  18. Bisection on the Dual maximize g ( λ ) λ ≥ 0 Converge to high precision ≤ 20 iterations in practice. g ( λ ) λ

  19. Bisection on the Dual maximize g ( λ ) λ ≥ 0 Converge to high precision ≤ 20 iterations in practice. g ( λ ) λ ⋆ λ

  20. Bisection on the Dual maximize g ( λ ) λ ≥ 0 Converge to high precision ≤ 20 iterations in practice. g ( λ ) 2 � vec ( G ) � ∞ + � x � ∞ λ ⋆ min i � = j { C ij } λ

  21. Bisection on the Dual maximize g ( λ ) λ ≥ 0 Converge to high precision ≤ 20 iterations in practice. g ( λ ) 2 � vec ( G ) � ∞ + � x � ∞ λ ⋆ min i � = j { C ij } λ 0 K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 10 / 18

  22. Solve Linear Minimization in Frank-Wolfe � Π , H � minimize Π ≥ 0 subject to Π 1 = x , � Π , C � ≤ ǫ K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 11 / 18

  23. Solve Linear Minimization in Frank-Wolfe � Π , H � minimize Π ≥ 0 subject to Π 1 = x , � Π , C � ≤ ǫ The Lagrange dual can be simplified as a univariate problem maximize g ( λ ) λ ≥ 0 K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 11 / 18

  24. Solve Linear Minimization in Frank-Wolfe � Π , H � minimize Π ≥ 0 subject to Π 1 = x , � Π , C � ≤ ǫ The Lagrange dual can be simplified as a univariate problem maximize g ( λ ) λ ≥ 0 Bound on the optimum: 0 ≤ λ ⋆ ≤ 2 � vec ( H ) � ∞ min i � = j { C ij } K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 11 / 18

  25. Solve Linear Minimization in Frank-Wolfe � Π , H � minimize Π ≥ 0 subject to Π 1 = x , � Π , C � ≤ ǫ The Lagrange dual can be simplified as a univariate problem maximize g ( λ ) λ ≥ 0 Bound on the optimum: 0 ≤ λ ⋆ ≤ 2 � vec ( H ) � ∞ min i � = j { C ij } Does not work... ◮ difficult to recover primal solution ◮ severe numerical instability K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 11 / 18

  26. Entropic Regularization n n � � � Π , H � + γ Π ij log Π ij minimize Π ≥ 0 i =1 j =1 subject to Π 1 = x , � Π , C � ≤ ǫ K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 12 / 18

  27. Entropic Regularization n n � � � Π , H � + γ Π ij log Π ij minimize Π ≥ 0 i =1 j =1 subject to Π 1 = x , � Π , C � ≤ ǫ Closed-form expression to recover primal solution K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 12 / 18

  28. Entropic Regularization n n � � � Π , H � + γ Π ij log Π ij minimize Π ≥ 0 i =1 j =1 subject to Π 1 = x , � Π , C � ≤ ǫ Closed-form expression to recover primal solution Entropic regularization introduces approximation error K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 12 / 18

  29. Entropic Regularization n n � � � Π , H � + γ Π ij log Π ij minimize Π ≥ 0 i =1 j =1 subject to Π 1 = x , � Π , C � ≤ ǫ Closed-form expression to recover primal solution Entropic regularization introduces approximation error But the approximation error is guaranteed to be small K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 12 / 18

  30. Exploit Sparsity Local transportation constraint (Wong et al. 2019) ⇒ structured sparsity in Π Per iteration cost is reduced to O ( n ) by exploiting sparsity K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 13 / 18

  31. Comparison adversarial accuracy on CIFAR-10 (standard training) 80 60 40 20 0 ǫ = 0 . 001 0.002 0.003 0.004 0.005 Wong et al. (2019) Dual Proj.(ours) Dual LMO(ours) K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 14 / 18

  32. Comparison adversarial accuracy on CIFAR-10 (standard training) 80 60 40 20 0 ǫ = 0 . 001 0.002 0.003 0.004 0.005 Wong et al. (2019) Dual Proj.(ours) Dual LMO(ours) time per iteration in ms iterations 80 60 20 40 10 20 0 0 K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 14 / 18

  33. Entropic Regularization Reflects Shapes

  34. Entropic Regularization Reflects Shapes

  35. Entropic Regularization Reflects Shapes K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 15 / 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning Stronger Jingfeng Zhang 1 * , Xilie Xu 2* , Bo Han 34 , Gang Niu 4 , Lichen Cui 5 , Masashi Sugiyama 46 , and Mohan Kankanhalli 1 1 Department of Computer

376 views • 14 slides
Generative Adversarial Networks, Wasserstein Distance, and Adversarial Loss Zhiyu Min Alibaba

Generative Adversarial Networks, Wasserstein Distance, and Adversarial Loss Zhiyu Min Alibaba

Generative Adversarial Networks, Wasserstein Distance, and Adversarial Loss Zhiyu Min Alibaba AliMe X-Lab Outline GAN Definition and formulation Saddle point optimization Vanishing gradient Alternative objective for Generator

516 views • 25 slides
Bregman and Wasserstein, with Applications to Generative Adversarial Networks (GANs) and beyond

Bregman and Wasserstein, with Applications to Generative Adversarial Networks (GANs) and beyond

Bregman Divergence Function Generative Adversarial Networks (GANs) Wasserstein Divergence and GANs Relaxed Wasserstein Empirical Results Conclusions Bregman and Wasserstein, with Applications to Generative Adversarial Networks (GANs) and

1.62k views • 148 slides
Decentralize and Randomize: Faster Algorithm for Wasserstein Barycenters Pavel Dvurechensky,

Decentralize and Randomize: Faster Algorithm for Wasserstein Barycenters Pavel Dvurechensky,

Decentralize and Randomize: Faster Algorithm for Wasserstein Barycenters Pavel Dvurechensky, Darina Dvinskikh, Alexander Gasnikov, Csar A. Uribe, Angelia Nedi c Conference on Neural Information Processing Systems 2018 Wasserstein

391 views • 9 slides
Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem

Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem

images from Geris Game (Pixar, 1997) Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem Aykut Erdem Levent Karacan Computer Vision Lab, Hacettepe University Outline Part 1: Attacks on

1.11k views • 72 slides
Wasserstein Adversarial Examples via Projected Sinkhorn Iterations ICML 19 Eric Wong 1 Frank R.

Wasserstein Adversarial Examples via Projected Sinkhorn Iterations ICML 19 Eric Wong 1 Frank R.

Wasserstein Adversarial Examples via Projected Sinkhorn Iterations ICML 19 Eric Wong 1 Frank R. Schmidt 2 J. Zico Kolter 1 1 Carnegie Mellon University 2 Bosch Center for Artificial Intelligence Presented by Kaiwen Wu August 2019 Kaiwen Wu

154 views • 12 slides
Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias

Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias

Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias Hein, Bernt Schiele 2-Minute Overview Problem: Robustness to various adversarial examples. Adversarial training on L adversarial examples:

635 views • 34 slides
On Adaptive Attacks to Adversarial Example Defenses Florian Tramr USENIX ScAINet August 10 th

On Adaptive Attacks to Adversarial Example Defenses Florian Tramr USENIX ScAINet August 10 th

On Adaptive Attacks to Adversarial Example Defenses Florian Tramr USENIX ScAINet August 10 th , 2020 Joint work with Nicholas Carlini, Wieland Brendel and Aleksander Madry What Are Adversarial Examples? 88% Tabby Cat 99% Guacamole Biggio

360 views • 21 slides
Attacks Meet Interpretability: Attribute-steered Detection of Adversarial Samples Guanhong Tao ,

Attacks Meet Interpretability: Attribute-steered Detection of Adversarial Samples Guanhong Tao ,

Attacks Meet Interpretability: Attribute-steered Detection of Adversarial Samples Guanhong Tao , Shiqing Ma, Yingqi Liu, Xiangyu Zhang Understanding Adversarial Samples Legitimate input Isla Fisher Model Pixel-wise Differences ( 50 times)

482 views • 34 slides
In Search of A better, faster, stronger Web Marissa Mayer VP Search & User Experience

In Search of A better, faster, stronger Web Marissa Mayer VP Search & User Experience

In Search of A better, faster, stronger Web Marissa Mayer VP Search & User Experience Google The importance of first impressions We didnt have any webmasters And, I dont do HTML. Still simple, still fast 4 Key Elements

645 views • 28 slides
CVPR 2020 Universal Adversarial Attacks Image agnostic and transferable across networks

CVPR 2020 Universal Adversarial Attacks Image agnostic and transferable across networks

1 1,4 2,3 2 3 4 1 CVPR 2020 Universal Adversarial Attacks Image agnostic and transferable across networks Adversarial No defense: Baseline DNN perturbation Input image Classification Feature extraction dense Perturbed image

592 views • 6 slides
Adversarial Attacks on Probabilistic Autoregressive Forecasting Models 2 (i) Probabilistic

Adversarial Attacks on Probabilistic Autoregressive Forecasting Models 2 (i) Probabilistic

ICML 2020 Raphal Dang-Nhu Gagandeep Singh Pavol Bielik Martin Vechev Department of Computer Science, ETH Zrich dangnhur@ethz.ch 1 Adversarial Attacks on Probabilistic Autoregressive Forecasting Models 2 (i) Probabilistic forecasting

765 views • 45 slides
Stronger and Faster Side-Channel Protections for CSIDH azquez 1 Mathilde Chenu 2,3 Daniel

Stronger and Faster Side-Channel Protections for CSIDH azquez 1 Mathilde Chenu 2,3 Daniel

Stronger and Faster Side-Channel Protections for CSIDH azquez 1 Mathilde Chenu 2,3 Daniel Cervantes-V nguez 1 and Luca De Feo 4 and Jes us-Javier Chi-Dom quez 1 and Benjamin Smith 2,3 Francisco Rodr guez-Henr 1 Computer Science

1.25k views • 93 slides
On Certifying Non-uniform Bounds against Adversarial Attacks Chen Liu , Ryota Tomioka ,

On Certifying Non-uniform Bounds against Adversarial Attacks Chen Liu , Ryota Tomioka ,

On Certifying Non-uniform Bounds against Adversarial Attacks Chen Liu , Ryota Tomioka , Volkan Cevher Ecole Polytechnique F ed erale de Lausanne Microsoft Research Cambridge June 11th, 2019 Liu et al. (EPFL)

557 views • 17 slides
15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico

15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico

15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico Kolter (this lecture) and Ariel Procaccia Carnegie Mellon University Spring 2018 Portions base upon joint work with Eric Wong 1 Outline Adverarial

710 views • 39 slides
Roger Dingledine March 2013 update 1 2 3 4 5 6 7 8 9 10 Tor 0.2.4.7-alpha ..

Roger Dingledine March 2013 update 1 2 3 4 5 6 7 8 9 10 Tor 0.2.4.7-alpha ..

Roger Dingledine March 2013 update 1 2 3 4 5 6 7 8 9 10 Tor 0.2.4.7-alpha .. 0.2.4.9-alpha New stronger/faster ECC-based link encryption New stronger/faster ECC-based circuit handshake (ntor, curve25519) Support for exiting

237 views • 23 slides
Read and delete this slide Alongside the guidance and resources available at psnc.org.uk/flu,

Read and delete this slide Alongside the guidance and resources available at psnc.org.uk/flu,

Read and delete this slide Alongside the guidance and resources available at psnc.org.uk/flu, PSNC Briefing 040/16 provides detailed information on the flu vaccination Advanced Service and it provides information for speakers using this

682 views • 30 slides
Target groups Phase 1: Potential stakeholders to improve specifications and ensure maximum

Target groups Phase 1: Potential stakeholders to improve specifications and ensure maximum

Target groups Phase 1: Potential stakeholders to improve specifications and ensure maximum participation in the innovation competition. Examples of stakeholders: Users, designers, developers, implementers Phase 2: Potential users of the

443 views • 9 slides
The Carbon Cycle: Budgets, Trends, and Lessons from Southern Hemisphere Measurements A. Modelling

The Carbon Cycle: Budgets, Trends, and Lessons from Southern Hemisphere Measurements A. Modelling

The Carbon Cycle: Budgets, Trends, and Lessons from Southern Hemisphere Measurements A. Modelling and Interpretation B. Baring Head surface CO 2 data C. Lauder ground based remote sensing CO 2 measurements D. Lauder surface CO 2 data E. Rainbow

334 views • 30 slides
26 th World Gas Conference 1 5 June 2015, Paris, France CURRENT BIOGAS PRODUCTION AND

26 th World Gas Conference 1 5 June 2015, Paris, France CURRENT BIOGAS PRODUCTION AND

26 th World Gas Conference 1 5 June 2015, Paris, France CURRENT BIOGAS PRODUCTION AND UTILISATION IN THE MEMBER COUNTRIES OF IEA BIOENERGY TASK 37 Dr. Mattias Svensson Energiforsk Swedish Energy Research Centre IEA Bioenergy comprises 10

424 views • 17 slides
Assessing Impacts of Training Opportunities in the Safety Net For Dental Students and Residents

Assessing Impacts of Training Opportunities in the Safety Net For Dental Students and Residents

Assessing Impacts of Training Opportunities in the Safety Net For Dental Students and Residents Jean Moore, DrPH Presented by: Oral Health Workforce Research Center Center for Health Workforce Studies School of Public Health | University at

339 views • 13 slides
GAIA Infrastructure Capital Limited Results for the year ended 28 February 2017 May 2017

GAIA Infrastructure Capital Limited Results for the year ended 28 February 2017 May 2017

GAIA Infrastructure Capital Limited Results for the year ended 28 February 2017 May 2017 Contents 1. Introduction to GAIA 2. Viable asset transaction: Dorper Wind Farm 3. Financials review 4. Investment pipeline 5. Conclusion 6. Contact

875 views • 30 slides
Visions of our Profession Overview 1. Situation in your country 2. Your expectations as a

Visions of our Profession Overview 1. Situation in your country 2. Your expectations as a

Student Forum 2011 Utrecht Visions of our Profession Overview 1. Situation in your country 2. Your expectations as a student 3. Other professions in BMS areas 1. Situation in your country a) Do you have different steps in career progress

501 views • 16 slides
POST GRADUATE DIPLOMA IN AUDIO PROGRAMME PRODUCTION (PGDAPP) Term-End Examination December,

POST GRADUATE DIPLOMA IN AUDIO PROGRAMME PRODUCTION (PGDAPP) Term-End Examination December,

POST GRADUATE DIPLOMA IN AUDIO PROGRAMME PRODUCTION (PGDAPP) Term-End Examination December, 2OO8 MJM-OO2 : PRODUGTION AND PRESENTATION Time :3 Hours Maximum Marks : 7a0 (Weightage: 70%) Note: Attempt any fiue questions. All

1.36k views • 8 slides

More recommend