Towards Attack-Agnostic Defense for 2D and 3D Recognition
Hao Su
Workshop on Adversarial Machine Learning in Real-World Computer Vision Systems
Long Beach, CA, USA
Outline
• Background and Motivation
• Project-based Defense Mechanism
  • For 2D Image Classification
  • For 3D Shape Classification
• Summary
Attack-Agnostic Defense for 2D and 3D Recognition, Hao Su, UC San Diego
• Deep learning has made groundbreaking achievements on…
• However, deep learning faces robustness and security challenges
Classic Adversarial Attacks
• FGSM: Fast Gradient Sign Method
• BIM: Basic Iterative Method
• DeepFool
• C&W
• …
[Figure: example images labelled Clean, FGSM, BIM, DeepFool, C&W]
Defense Mechanisms
• The meta algorithm is to optimize the following score:
  $$\min_{\theta} \; \mathbb{E}_{(x,y)\sim D}\left[\max_{\delta \in S} L(\theta, x+\delta, y)\right]$$
Ack: Towards Deep Learning Models Resistant to Adversarial Attacks, Mądry et al.
Adversarial Training
• Approximate the max of $L$ in the vicinity of training data $x$ by gradient-based optimization
• Can derive adversarial training methods such as FGSM, PGD, …
• Extensively and actively studied direction
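An added example, not from the slides: the min-max objective from the Defense Mechanisms slide, with the inner max over $S = \{\delta : \|\delta\|_\infty \le \varepsilon\}$ approximated by projected gradient ascent (PGD, as in Mądry et al.) and the outer min by gradient descent on $\theta$. The model is a toy logistic-regression classifier, and the data points, $\varepsilon$, step size and epoch count are constructed for illustration.

```python
import math

# Constructed toy data: 2-D points, label 1 near (2, 2), label 0 near (-2, -2).
DATA = [((2.0, 2.0), 1), ((1.5, 2.5), 1), ((2.5, 1.5), 1),
        ((-2.0, -2.0), 0), ((-1.5, -2.5), 0), ((-2.5, -1.5), 0)]

def softplus(z):
    return max(z, 0.0) + math.log1p(math.exp(-abs(z)))

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))

def loss_and_grads(theta, x, y):
    """Logistic loss L(theta, x, y) with gradients w.r.t. theta = (w, b) and w.r.t. x."""
    w, b = theta
    z = sum(wi * xi for wi, xi in zip(w, x)) + b
    loss = softplus(-z) if y == 1 else softplus(z)
    err = sigmoid(z) - y                     # dL/dz
    return loss, ([err * xi for xi in x], err), [err * wi for wi in w]

def pgd_perturbation(theta, x, y, eps, alpha, steps):
    """Inner max over S = {delta : ||delta||_inf <= eps}: signed-gradient ascent on x,
    projecting delta back onto the ball after each step (PGD)."""
    delta = [0.0] * len(x)
    for _ in range(steps):
        _, _, grad_x = loss_and_grads(theta, [xi + di for xi, di in zip(x, delta)], y)
        delta = [di + alpha * ((g > 0) - (g < 0)) for di, g in zip(delta, grad_x)]
        delta = [min(eps, max(-eps, di)) for di in delta]   # projection onto the L_inf ball
    return delta

def robust_loss(theta, data, eps, alpha, steps):
    """E_(x,y)[ max_{delta in S} L(theta, x + delta, y) ], the max approximated by PGD."""
    total = 0.0
    for x, y in data:
        delta = pgd_perturbation(theta, x, y, eps, alpha, steps)
        total += loss_and_grads(theta, [xi + di for xi, di in zip(x, delta)], y)[0]
    return total / len(data)

def adversarial_train(data, eps=0.5, alpha=0.25, steps=4, lr=0.5, epochs=100):
    """Outer min over theta: one gradient-descent step per epoch on the PGD-adversarial
    loss. Note the nested loop: every x needs a fresh inner optimisation each epoch."""
    w, b = [0.0, 0.0], 0.0
    for _ in range(epochs):
        gw, gb = [0.0, 0.0], 0.0
        for x, y in data:
            delta = pgd_perturbation((w, b), x, y, eps, alpha, steps)
            _, (grad_w, grad_b), _ = loss_and_grads((w, b), [xi + di for xi, di in zip(x, delta)], y)
            gw = [a + g for a, g in zip(gw, grad_w)]
            gb += grad_b
        w = [wi - lr * g / len(data) for wi, g in zip(w, gw)]
        b -= lr * gb / len(data)
    return w, b
```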
Limitation of Adversarial Training
• For each $x$, we have to run the optimization, which is costly;
• For each $x$, we have to create sufficient adversarial perturbations in $S$, as the model $\theta$ evolves;