Towards Attack-Agnostic Defense for 2D and 3D Recognition Hao Su - - PowerPoint PPT Presentation
Towards Attack-Agnostic Defense for 2D and 3D Recognition Hao Su Workshop on Adversarial Machine Learning in Real-World Computer Vision Systems Long Beach, CA, USA 1 Outline Background and Motivation Project-based Defense Mechanism
1
Workshop on Adversarial Machine Learning in Real-World Computer Vision Systems Long Beach, CA, USA
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
2
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
3
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
4
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
Clean FGSM BIM DeepFool C&W
5
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
6 ack: Towards Deep Learning Models Resistant to Adversarial Attacks, Mądry et al.
δ∈S L(θ, x + δ, y)]
<latexit sha1_base64="YUbJu1viQUpHdj1X5q1XjSmTy8=">ACYHicbVBNbxMxEPVu+UhDS1O4lYtFhJSKNotSHCsgEocOBRB2krxKvJ6J41V27usZyGL5T/JjUMv/BKcDyFoeZKl5zdvxp6XV0paTJKfUbx15+69+53t7oOd3Yd7vf1HZ7ZsagFjUaqyvsi5BSUNjFGigouqBq5zBef51dtl/fwr1FaW5jO2FWSaXxo5k4JjkKa9b0zn5cJpaSW38GzLw0vKNMc53nuTvzUDRbD9pBZqdeq4Mq985OWGOKMBjQsQIUcibNH8Mn7124LDyjHwYM54B8SBfP18YhbQ+za+fjJIV6G2SbkifbHA67f1gRSkaDQaF4tZO0qTCzPEapVDgu6yxUHFxS9hEqjhGmzmVgF5+iwoBZ2VdTgG6Ur9u8NxbW2r8+BcrmBv1pbi/2qTBmevMydN1SAYsX5o1iKJV2mTQtZg0DVBsJFLcNfqZjzmgsM0XVDCOnNlW+Ts6NR+mJ09PFl/jNJo4OeUKekgFJyStyTN6TUzImglxHW9FOtBv9ijvxXry/tsbRpucx+QfxwW/PUrfh</latexit> Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
gradient-based optimization
7
L
<latexit sha1_base64="ZnfaHojXYBGPV7LW5qdtkR/Yrwc=">AB6HicbVA9SwNBEJ2LXzF+RS1tFoNgFe6ioIVFwMbCIgHzAckR9jZzyZq9vWN3Twghv8DGQhFbf5Kd/8ZNcoUmPh4vDfDzLwgEVwb1/12cmvrG5tb+e3Czu7e/kHx8Kip41QxbLBYxKodUI2CS2wYbgS2E4U0CgS2gtHtzG89odI8lg9mnKAf0YHkIWfUWKl+3yuW3LI7B1klXkZKkKHWK351+zFLI5SGCap1x3MT40+oMpwJnBa6qcaEshEdYMdSPU/mR+6JScWaVPwljZkobM1d8TExpPY4C2xlRM9TL3kz8z+ukJrz2J1wmqUHJFovCVBATk9nXpM8VMiPGlCmuL2VsCFVlBmbTcG4C2/vEqalbJ3Ua7UL0vVmyOPJzAKZyDB1dQhTuoQMYIDzDK7w5j86L8+58LFpzTjZzDH/gfP4AowmMzg=</latexit> Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
gradient-based optimization
8
L
<latexit sha1_base64="ZnfaHojXYBGPV7LW5qdtkR/Yrwc=">AB6HicbVA9SwNBEJ2LXzF+RS1tFoNgFe6ioIVFwMbCIgHzAckR9jZzyZq9vWN3Twghv8DGQhFbf5Kd/8ZNcoUmPh4vDfDzLwgEVwb1/12cmvrG5tb+e3Czu7e/kHx8Kip41QxbLBYxKodUI2CS2wYbgS2E4U0CgS2gtHtzG89odI8lg9mnKAf0YHkIWfUWKl+3yuW3LI7B1klXkZKkKHWK351+zFLI5SGCap1x3MT40+oMpwJnBa6qcaEshEdYMdSPU/mR+6JScWaVPwljZkobM1d8TExpPY4C2xlRM9TL3kz8z+ukJrz2J1wmqUHJFovCVBATk9nXpM8VMiPGlCmuL2VsCFVlBmbTcG4C2/vEqalbJ3Ua7UL0vVmyOPJzAKZyDB1dQhTuoQMYIDzDK7w5j86L8+58LFpzTjZzDH/gfP4AowmMzg=</latexit> Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
gradient-based optimization
9
L
<latexit sha1_base64="ZnfaHojXYBGPV7LW5qdtkR/Yrwc=">AB6HicbVA9SwNBEJ2LXzF+RS1tFoNgFe6ioIVFwMbCIgHzAckR9jZzyZq9vWN3Twghv8DGQhFbf5Kd/8ZNcoUmPh4vDfDzLwgEVwb1/12cmvrG5tb+e3Czu7e/kHx8Kip41QxbLBYxKodUI2CS2wYbgS2E4U0CgS2gtHtzG89odI8lg9mnKAf0YHkIWfUWKl+3yuW3LI7B1klXkZKkKHWK351+zFLI5SGCap1x3MT40+oMpwJnBa6qcaEshEdYMdSPU/mR+6JScWaVPwljZkobM1d8TExpPY4C2xlRM9TL3kz8z+ukJrz2J1wmqUHJFovCVBATk9nXpM8VMiPGlCmuL2VsCFVlBmbTcG4C2/vEqalbJ3Ua7UL0vVmyOPJzAKZyDB1dQhTuoQMYIDzDK7w5j86L8+58LFpzTjZzDH/gfP4AowmMzg=</latexit> Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
the model evolves;
10
θ
<latexit sha1_base64="NxezZAi/2OcGxjA9seuckw+VtMA=">AB7XicbVA9SwNBEJ2LXzF+RS1tFoNgFe6ioIVFwMYygvmA5Ah7m71kzd7esTsnhCP/wcZCEVv/j53/xk1yhSY+GHi8N8PMvCRwqDrfjuFtfWNza3idmlnd2/oHx41DJxqhlvsljGuhNQw6VQvIkCJe8kmtMokLwdjG9nfvuJayNi9YCThPsRHSoRCkbRSq0ejSfrniVt05yCrxclKBHI1+as3iFkacYVMUmO6npugn1GNgk+LfVSwxPKxnTIu5YqGnHjZ/Nrp+TMKgMSxtqWQjJXf09kNDJmEgW2M6I4MsveTPzP6YXvuZUEmKXLHFojCVBGMye50MhOYM5cQSyrSwtxI2opoytAGVbAje8surpFWrehfV2v1lpX6Tx1GEziFc/DgCupwBw1oAoNHeIZXeHNi58V5dz4WrQUnzmGP3A+fwCjd48m</latexit>S
<latexit sha1_base64="o1ngUyig/1Er59mybNEbgK7/QbI=">AB8nicbVDLSgMxFL1TX7W+qi7dBIvgqsxUQRcuCm5cVrQPmA4lk2ba0EwyJBmhDP0MNy4UcevXuPNvzLSz0NYDgcM595JzT5hwpo3rfjultfWNza3ydmVnd2/oHp41NEyVYS2ieRS9UKsKWeCtg0znPYSRXEctoNJ7e532iSjMpHs0oUGMR4JFjGBjJb8fYzMmGcPs0G15tbdOdAq8QpSgwKtQfWrP5QkjakwhGOtfc9NTJBhZRjhdFbp5omEzwiPqWChxTHWTzyDN0ZpUhiqSyTxg0V39vZDjWehqHdjKPqJe9XPzP81MTXQcZE0lqCLj6KUIyNRfj8aMkWJ4VNLMFHMZkVkjBUmxrZUsSV4yevk6j7l3UG/eXteZNUcZTuAUzsGDK2jCHbSgDQkPMrvDnGeXHenY/FaMkpdo7hD5zPH4sokWc=</latexit> Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
the model evolves.
11
θ
<latexit sha1_base64="NxezZAi/2OcGxjA9seuckw+VtMA=">AB7XicbVA9SwNBEJ2LXzF+RS1tFoNgFe6ioIVFwMYygvmA5Ah7m71kzd7esTsnhCP/wcZCEVv/j53/xk1yhSY+GHi8N8PMvCRwqDrfjuFtfWNza3idmlnd2/oHx41DJxqhlvsljGuhNQw6VQvIkCJe8kmtMokLwdjG9nfvuJayNi9YCThPsRHSoRCkbRSq0ejSfrniVt05yCrxclKBHI1+as3iFkacYVMUmO6npugn1GNgk+LfVSwxPKxnTIu5YqGnHjZ/Nrp+TMKgMSxtqWQjJXf09kNDJmEgW2M6I4MsveTPzP6YXvuZUEmKXLHFojCVBGMye50MhOYM5cQSyrSwtxI2opoytAGVbAje8surpFWrehfV2v1lpX6Tx1GEziFc/DgCupwBw1oAoNHeIZXeHNi58V5dz4WrQUnzmGP3A+fwCjd48m</latexit>S
<latexit sha1_base64="o1ngUyig/1Er59mybNEbgK7/QbI=">AB8nicbVDLSgMxFL1TX7W+qi7dBIvgqsxUQRcuCm5cVrQPmA4lk2ba0EwyJBmhDP0MNy4UcevXuPNvzLSz0NYDgcM595JzT5hwpo3rfjultfWNza3ydmVnd2/oHp41NEyVYS2ieRS9UKsKWeCtg0znPYSRXEctoNJ7e532iSjMpHs0oUGMR4JFjGBjJb8fYzMmGcPs0G15tbdOdAq8QpSgwKtQfWrP5QkjakwhGOtfc9NTJBhZRjhdFbp5omEzwiPqWChxTHWTzyDN0ZpUhiqSyTxg0V39vZDjWehqHdjKPqJe9XPzP81MTXQcZE0lqCLj6KUIyNRfj8aMkWJ4VNLMFHMZkVkjBUmxrZUsSV4yevk6j7l3UG/eXteZNUcZTuAUzsGDK2jCHbSgDQkPMrvDnGeXHenY/FaMkpdo7hD5zPH4sokWc=</latexit> Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
parameters) used in training
\begin{tabular}{|l|l|l|}
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
parameters) used in training
\begin{tabular}{|l|l|l|}
Logit Pairing Methods Can Fool Gradient-Based Attacks, by Mosbach et al.
Defense success rate when varying attacker PGD iteration
L∞ = 16.0
<latexit sha1_base64="gMBJ5vBI0xrjFc073YuQXMQ/BLQ=">AB+HicbVBNS8NAEN3Ur1o/GvXoJVgETyGpol6EohcPHirYD2hD2Gw37dLNJuxOhBj6S7x4UMSrP8Wb/8Ztm4O2Ph4vDfDzLwg4UyB43wbpZXVtfWN8mZla3tnt2ru7bdVnEpCWyTmsewGWFHOBG0BA067iaQ4CjtBObqd95pFKxWDxAlAvwkPBQkYwaMk3q3d+3mcihGxy5Z7bjm/WHNuZwVombkFqEDTN7/6g5ikERVAOFaq5zoJeDmWwAink0o/VTBZIyHtKepwBFVXj47fGIda2VghbHUJcCaqb8nchwplUWB7owjNSiNxX/83ophJdezkSAhVkvihMuQWxNU3BGjBJCfBME0wk07daZIQlJqCzqugQ3MWXl0m7brundv3+rNa4LuIo0N0hE6Qiy5QA92iJmohglL0jF7Rm/FkvBjvxse8tWQUMwfoD4zPH6y7knA=</latexit>Note: adv. training with 10 iterations and
Iter 10 400 CIFAR-10 16.0 6.7 Tiny-ImageNet 25.5 16.3
<latexit sha1_base64="J6u4vQw4b2tNmCAHnLHvPTi5jIc=">ACjnicbVFtT9swEHay8bLylrGP+2KtAvGFKClQJiYEAwnRLwgQBaSmqhz3Si0cJ7IvSFXWn8Mf2rf9m7lphjrgLOt5dPfc+e4cZ1IYDI/jvh49z8wuKn2tLyuqa93n91qS5tDmqUz1fcwMSKGgjQIl3GcaWBJLuIsfTyfxuyfQRqTqBkcZdBP2oMRAcIbW1fOeoxgehCqQxblkelz8kuUZ16LhpGathaDpi23SMChN7AYRf9UFZy2zn5eb5eSqbjpBxa/v6s+Eao0XbLNgIXgDbc2P3puKdmYqg+i9d9bx64Ael0bckrEidVHbZ835H/ZTnCSjkhnTCYMuwXTKLgEO1xuIGP80fbQsVSxBEy3KNc5phvW06eDVNurkJbe2YyCJcaMktgqE4ZD8zo2cb4X6+Q4+N4thMpyBMWnDw1ySTGlk7+hfaGBoxZwrgWtlfKh0wzbv/A1OwSwtcjvyW3DT/c8RtXu/Xjk2odi+Qr+Ua2SEj2yTE5J5ekTbiz5ITOgfPD9dyme+geTaWuU+V8If+Ze/4XZ7y52w=</latexit> Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
parameters) used in training
\begin{tabular}{|l|l|l|}
Logit Pairing Methods Can Fool Gradient-Based Attacks, by Mosbach et al.
Defense success rate when varying attacker PGD iteration
L∞ = 16.0
<latexit sha1_base64="gMBJ5vBI0xrjFc073YuQXMQ/BLQ=">AB+HicbVBNS8NAEN3Ur1o/GvXoJVgETyGpol6EohcPHirYD2hD2Gw37dLNJuxOhBj6S7x4UMSrP8Wb/8Ztm4O2Ph4vDfDzLwg4UyB43wbpZXVtfWN8mZla3tnt2ru7bdVnEpCWyTmsewGWFHOBG0BA067iaQ4CjtBObqd95pFKxWDxAlAvwkPBQkYwaMk3q3d+3mcihGxy5Z7bjm/WHNuZwVombkFqEDTN7/6g5ikERVAOFaq5zoJeDmWwAink0o/VTBZIyHtKepwBFVXj47fGIda2VghbHUJcCaqb8nchwplUWB7owjNSiNxX/83ophJdezkSAhVkvihMuQWxNU3BGjBJCfBME0wk07daZIQlJqCzqugQ3MWXl0m7brundv3+rNa4LuIo0N0hE6Qiy5QA92iJmohglL0jF7Rm/FkvBjvxse8tWQUMwfoD4zPH6y7knA=</latexit>Note: adv. training with 10 iterations and
Iter 10 400 CIFAR-10 16.0 6.7 Tiny-ImageNet 25.5 16.3
<latexit sha1_base64="J6u4vQw4b2tNmCAHnLHvPTi5jIc=">ACjnicbVFtT9swEHay8bLylrGP+2KtAvGFKClQJiYEAwnRLwgQBaSmqhz3Si0cJ7IvSFXWn8Mf2rf9m7lphjrgLOt5dPfc+e4cZ1IYDI/jvh49z8wuKn2tLyuqa93n91qS5tDmqUz1fcwMSKGgjQIl3GcaWBJLuIsfTyfxuyfQRqTqBkcZdBP2oMRAcIbW1fOeoxgehCqQxblkelz8kuUZ16LhpGathaDpi23SMChN7AYRf9UFZy2zn5eb5eSqbjpBxa/v6s+Eao0XbLNgIXgDbc2P3puKdmYqg+i9d9bx64Ael0bckrEidVHbZ835H/ZTnCSjkhnTCYMuwXTKLgEO1xuIGP80fbQsVSxBEy3KNc5phvW06eDVNurkJbe2YyCJcaMktgqE4ZD8zo2cb4X6+Q4+N4thMpyBMWnDw1ySTGlk7+hfaGBoxZwrgWtlfKh0wzbv/A1OwSwtcjvyW3DT/c8RtXu/Xjk2odi+Qr+Ua2SEj2yTE5J5ekTbiz5ITOgfPD9dyme+geTaWuU+V8If+Ze/4XZ7y52w=</latexit> Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
15
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
16
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
adversarial attacks ( is “larger” and defense gets harder)
17
δ∈S L(θ, x + δ, y)]
<latexit sha1_base64="YUbJu1viQUpHdj1X5q1XjSmTy8=">ACYHicbVBNbxMxEPVu+UhDS1O4lYtFhJSKNotSHCsgEocOBRB2krxKvJ6J41V27usZyGL5T/JjUMv/BKcDyFoeZKl5zdvxp6XV0paTJKfUbx15+69+53t7oOd3Yd7vf1HZ7ZsagFjUaqyvsi5BSUNjFGigouqBq5zBef51dtl/fwr1FaW5jO2FWSaXxo5k4JjkKa9b0zn5cJpaSW38GzLw0vKNMc53nuTvzUDRbD9pBZqdeq4Mq985OWGOKMBjQsQIUcibNH8Mn7124LDyjHwYM54B8SBfP18YhbQ+za+fjJIV6G2SbkifbHA67f1gRSkaDQaF4tZO0qTCzPEapVDgu6yxUHFxS9hEqjhGmzmVgF5+iwoBZ2VdTgG6Ur9u8NxbW2r8+BcrmBv1pbi/2qTBmevMydN1SAYsX5o1iKJV2mTQtZg0DVBsJFLcNfqZjzmgsM0XVDCOnNlW+Ts6NR+mJ09PFl/jNJo4OeUKekgFJyStyTN6TUzImglxHW9FOtBv9ijvxXry/tsbRpucx+QfxwW/PUrfh</latexit>S
<latexit sha1_base64="s0ORvqxeEX0PpYtJdKPahu5m4g=">AB8nicbVDLSgMxFL1TX7W+qi7dBIvgqsxUQZdFNy4r2gdMh5JM21oJhmSjFCGfoYbF4q49Wvc+Tdm2lo64HA4Zx7ybknTDjTxnW/ndLa+sbmVnm7srO7t39QPTzqaJkqQtEcql6IdaUM0HbhlOe4miOA457YaT29zvPlGlmRSPZprQIMYjwSJGsLGS34+xGRPMs4fZoFpz6+4caJV4BalBgdag+tUfSpLGVBjCsda+5yYmyLAyjHA6q/RTRNMJnhEfUsFjqkOsnkGTqzyhBFUtknDJqrvzcyHGs9jUM7mUfUy14u/uf5qYmug4yJDVUkMVHUcqRkSi/Hw2ZosTwqSWYKGazIjLGChNjW6rYErzlk1dJp1H3LuqN+8ta86aowncArn4MEVNOEOWtAGAhKe4RXeHO8O/Ox2K05BQ7x/AHzucPjPaRbQ=</latexit> Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
18
Accuracy on CIFAR-10
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
19
Accuracy on CIFAR-10
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
20
\begin{tabular}{c|cccc}
✏ = 1
<latexit sha1_base64="teYXVFJ3fq7ZJSWwvuhScrfpYA=">AB8XicbZDLSgMxFIYz9VbrepSkGARXJWZutCFYsGNyxbsBduhZNLTNjSTDElGKEOXvoEbF4q49QXc+grufAZ9CNPLQlt/CHz8/znknBNEnGnjup9OamFxaXklvZpZW9/Y3Mpu71S1jBWFCpVcqnpANHAmoGKY4VCPFJAw4FAL+pejvHYLSjMprs0gAj8kXcE6jBJjrZsmRJpxKc69Vjbn5t2x8Dx4U8hdvH/d7b+Vv0ut7EezLWkcgjCUE60bnhsZPyHKMphmGnGiJC+6QLDYuChKD9ZDzxEB9ap407UtknDB67vzsSEmo9CANbGRLT07PZyPwva8Smc+onTESxAUEnH3Vijo3Eo/Vxmymghg8sEKqYnRXTHlGEGnukjD2CN7vyPFQLe84Xyi7ueIZmiN9tABOkIeOkFdIVKqIoEugePaInRzsPzrPzMilNOdOeXfRHzusPVIWVHw=</latexit> Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
21
\begin{tabular}{c|cccc}
✏ = 1
<latexit sha1_base64="teYXVFJ3fq7ZJSWwvuhScrfpYA=">AB8XicbZDLSgMxFIYz9VbrepSkGARXJWZutCFYsGNyxbsBduhZNLTNjSTDElGKEOXvoEbF4q49QXc+grufAZ9CNPLQlt/CHz8/znknBNEnGnjup9OamFxaXklvZpZW9/Y3Mpu71S1jBWFCpVcqnpANHAmoGKY4VCPFJAw4FAL+pejvHYLSjMprs0gAj8kXcE6jBJjrZsmRJpxKc69Vjbn5t2x8Dx4U8hdvH/d7b+Vv0ut7EezLWkcgjCUE60bnhsZPyHKMphmGnGiJC+6QLDYuChKD9ZDzxEB9ap407UtknDB67vzsSEmo9CANbGRLT07PZyPwva8Smc+onTESxAUEnH3Vijo3Eo/Vxmymghg8sEKqYnRXTHlGEGnukjD2CN7vyPFQLe84Xyi7ueIZmiN9tABOkIeOkFdIVKqIoEugePaInRzsPzrPzMilNOdOeXfRHzusPVIWVHw=</latexit>Accuracy on CIFAR-10
PGD (✏ = 1) 32×32 83.7 64×64 80.5
<latexit sha1_base64="NAHypyY/gt3zgHvZjdTdFL9Bjcs=">ADVXicjVLPa9swFJadruyH0234y5i9UZ7EXacxil0o7BCxy7LYGkLUQiyoiQismwkuRC8/Dn7h3oZO+y+P6GXQuWkG2uSQx+I9+l7+vRJjxdngmvj+78ct7LxaPx1pPq02fPX2zXdl6e6TRXlHVoKlJ1ERPNBJesY7gR7CJTjCSxYOfx5GNZP79kSvNUfjPTjPUSMpJ8yCkxlurvOBOIYzbisjAkzgVRs4J+pzZmVXg/8Lj0WGbhO9g+PYF7HmaZ5iKV7wNvf5WsryMb3j7GD7MJ6x42PGHaC+v2olaIpuiCIU2NSLUgqs3NRt/Nc1GqfHRgU3NJip34QE6XKNZ735KslKCSuvAt0KbAnT4ADlmcvCvs9V+bdH/jzgKgjuwO7xl8f6J/fP9r92hUepDRPmDRUEK27gZ+ZXkGU4VSwWRXnmWETsiIdS2UxP62V8ynYgbfWmYAh6mySxo4Z/9XFCTReprE9mRCzFgv10pyXa2bm2GrV3CZ5YZJujAa5gKaFJYjBgdcMWrE1AJCFbdvhXRMFKHGDmLZhGD5y6vgrI4C2/CvthtHYBFb4DV4A/ZACJwD6BNugA6lw5167ju5P96ayUdlcHWdO80rcC8q27dCn+CT</latexit> Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
22
\begin{tabular}{c|cccc}
✏ = 1
<latexit sha1_base64="teYXVFJ3fq7ZJSWwvuhScrfpYA=">AB8XicbZDLSgMxFIYz9VbrepSkGARXJWZutCFYsGNyxbsBduhZNLTNjSTDElGKEOXvoEbF4q49QXc+grufAZ9CNPLQlt/CHz8/znknBNEnGnjup9OamFxaXklvZpZW9/Y3Mpu71S1jBWFCpVcqnpANHAmoGKY4VCPFJAw4FAL+pejvHYLSjMprs0gAj8kXcE6jBJjrZsmRJpxKc69Vjbn5t2x8Dx4U8hdvH/d7b+Vv0ut7EezLWkcgjCUE60bnhsZPyHKMphmGnGiJC+6QLDYuChKD9ZDzxEB9ap407UtknDB67vzsSEmo9CANbGRLT07PZyPwva8Smc+onTESxAUEnH3Vijo3Eo/Vxmymghg8sEKqYnRXTHlGEGnukjD2CN7vyPFQLe84Xyi7ueIZmiN9tABOkIeOkFdIVKqIoEugePaInRzsPzrPzMilNOdOeXfRHzusPVIWVHw=</latexit>Accuracy on CIFAR-10
PGD (✏ = 1) PGD (✏ = 2) PGD (✏ = 4) 32×32 83.7 77.3 47.8 64×64 80.5 66.4 35.9 Gap 3.2 10.9 11.9
<latexit sha1_base64="NAHypyY/gt3zgHvZjdTdFL9Bjcs=">ADVXicjVLPa9swFJadruyH0234y5i9UZ7EXacxil0o7BCxy7LYGkLUQiyoiQismwkuRC8/Dn7h3oZO+y+P6GXQuWkG2uSQx+I9+l7+vRJjxdngmvj+78ct7LxaPx1pPq02fPX2zXdl6e6TRXlHVoKlJ1ERPNBJesY7gR7CJTjCSxYOfx5GNZP79kSvNUfjPTjPUSMpJ8yCkxlurvOBOIYzbisjAkzgVRs4J+pzZmVXg/8Lj0WGbhO9g+PYF7HmaZ5iKV7wNvf5WsryMb3j7GD7MJ6x42PGHaC+v2olaIpuiCIU2NSLUgqs3NRt/Nc1GqfHRgU3NJip34QE6XKNZ735KslKCSuvAt0KbAnT4ADlmcvCvs9V+bdH/jzgKgjuwO7xl8f6J/fP9r92hUepDRPmDRUEK27gZ+ZXkGU4VSwWRXnmWETsiIdS2UxP62V8ynYgbfWmYAh6mySxo4Z/9XFCTReprE9mRCzFgv10pyXa2bm2GrV3CZ5YZJujAa5gKaFJYjBgdcMWrE1AJCFbdvhXRMFKHGDmLZhGD5y6vgrI4C2/CvthtHYBFb4DV4A/ZACJwD6BNugA6lw5167ju5P96ayUdlcHWdO80rcC8q27dCn+CT</latexit> δ∈S L(θ, Tψ(x + δ), y)] ≤ E(x,y)∼D[max δ∈S L(θ, x + δ, y)]
<latexit sha1_base64="tVB1wknsykIBXKtCVmbEMu6L1+A=">AC2HictVHLbtQwFHXCqwyPDrBkYzFCmhGjUVKQYFnxkFiwKLTVoyjyHudKw6ThTfoIksSyxAqNt+Gju+gl/AkxlQadlyJUvH59zj+3BWKWkwin4E4ZWr167f2LrZu3X7zt3t/r37B6ZsagFTUaqyPsq4ASU1TFGigqOqBl5kCg6zk1cr/fAT1EaWeh/bCpKCH2s5l4Kjp9L+T1ZwXGSZfeNSO1yO2xEzsqAdK7iyr52jM9bo3L8BaFkOCjmT+k/CB+esvywdo+GDBeAfEwt6zqzNeSO7qeWVUa6oVs+WfvPyM3pu0oUwB/S+9/C6LpP2B9Ek6oJeBvEGDMgm9tL+d5aXoilAo1DcmFkcVZhYXqMUClyPNQYqLk74Mcw81LwAk9huPkcfeyan87L2RyPt2PMOywtj2iLzmasZzEVtRf5LmzU4f5FYqasGQYt1oXmjKJZ09cs0lzUIVK0HXNTS90rFgtdcoN9dzy8hvjyZXCwM4mfTnbePxvsvtysY4s8JI/IkMTkOdklb8kemRIRTAMbfAm+h/Dz+G38HSdGgYbzwPyV4RnvwCR0ueP</latexit> δ∈S L(θ, Tψ(x + δ), y)] ≤ E(x,y)∼D[max δ∈S L(θ, x + δ, y)]
<latexit sha1_base64="tVB1wknsykIBXKtCVmbEMu6L1+A=">AC2HictVHLbtQwFHXCqwyPDrBkYzFCmhGjUVKQYFnxkFiwKLTVoyjyHudKw6ThTfoIksSyxAqNt+Gju+gl/AkxlQadlyJUvH59zj+3BWKWkwin4E4ZWr167f2LrZu3X7zt3t/r37B6ZsagFTUaqyPsq4ASU1TFGigqOqBl5kCg6zk1cr/fAT1EaWeh/bCpKCH2s5l4Kjp9L+T1ZwXGSZfeNSO1yO2xEzsqAdK7iyr52jM9bo3L8BaFkOCjmT+k/CB+esvywdo+GDBeAfEwt6zqzNeSO7qeWVUa6oVs+WfvPyM3pu0oUwB/S+9/C6LpP2B9Ek6oJeBvEGDMgm9tL+d5aXoilAo1DcmFkcVZhYXqMUClyPNQYqLk74Mcw81LwAk9huPkcfeyan87L2RyPt2PMOywtj2iLzmasZzEVtRf5LmzU4f5FYqasGQYt1oXmjKJZ09cs0lzUIVK0HXNTS90rFgtdcoN9dzy8hvjyZXCwM4mfTnbePxvsvtysY4s8JI/IkMTkOdklb8kemRIRTAMbfAm+h/Dz+G38HSdGgYbzwPyV4RnvwCR0ueP</latexit> Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
25
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
26
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
27
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
(a) Abnormal. Typical reason: recognition obscured by details. (b) Ambiguous. Obfuscated labels.
bird -> people ship -> bird dog -> fish
bird or bicycle? 4 or 6? 0 or 6? unobvious
28
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
29
Adversarial Defense by Stratified Convolutional Sparse Coding, Sun et al.
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
30
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
31
Adversarial Defense by Stratified Convolutional Sparse Coding, Sun et al.
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
32
Adversarial Defense by Stratified Convolutional Sparse Coding, Sun et al.
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
s.t.
33
. Bach, and J. Ponce. Sparse modeling for image and vision processing. Foundations and Trends in Computer Graphics and Vision, 8(2-3):85–283, 2014.
Adversarial Defense by Stratified Convolutional Sparse Coding, Sun et al.
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
(pre-learned) dictionary filters: feature map
𝒈𝟐 𝒈𝟑 𝒈𝟒 𝒈𝒍
34
Adversarial Defense by Stratified Convolutional Sparse Coding, Sun et al.
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
35
Adversarial Defense by Stratified Convolutional Sparse Coding, Sun et al.
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
36
ImageNet-10, and 10 clusters for ImageNet.
Adversarial Defense by Stratified Convolutional Sparse Coding, Sun et al.
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
37
Adversarial Defense by Stratified Convolutional Sparse Coding, Sun et al.
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
38
Adversarial Defense by Stratified Convolutional Sparse Coding, Sun et al.
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
39
Optimization based transformation
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
ImageNet (Resolution: 224*224):
40
Adversarial Defense by Stratified Convolutional Sparse Coding, Sun et al.
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
ImageNet (Resolution: 224*224):
41
Adversarial Defense by Stratified Convolutional Sparse Coding, Sun et al.
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
42
D3 Ours Clean
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
43
Intrinsic tradeoff between image reconstruction quality and defensive robustness.
Adversarial Defense by Stratified Convolutional Sparse Coding, Sun et al.
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
44
Defense Clean FGSM BIM
DeepFool
CW No Defense 0.930 0.582 0.180 0.176 0.094 MagNet[1] 0.904 0.615 0.431 0.654 0.485
PixelDefend[2]
0.853 0.681 0.773 0.741 0.758 STL 0.829 0.710 0.745 0.785 0.777 STL(Cluster) 0.836 0.711 0.753 0.796 0.791
On CIFAR-10 by VGG-16
T(·)
<latexit sha1_base64="oLQGDewVlieHTb9JOtiR23Tmf8=">AB73icbVC7SgNBFL3rM8ZX1FKLxSDEJuzGQguLgI1lhLwgu4TZ2dlkyOzMOjMrhCXfELCxUMTW3/AT7PwQeyePQhMPXDicy/3hMkjCrtOF/Wyura+sZmbiu/vbO7t184OGwqkUpMGlgwIdsBUoRThqakbaiSQoDhpBYObid96IFJRwet6mBA/Rj1OI4qRNlK7XvJwKPR5t1B0ys4U9jJx56RYPRl7pe+Pca1b+PRCgdOYcI0ZUqrjOon2MyQ1xYyM8l6qSILwAPVIx1COYqL8bHrvyD4zSmhHQpri2p6qvycyFCs1jAPTGSPdV4veRPzP6Q6uvIzypNUE45ni6KU2VrYk+ftkEqCNRsagrCk5lYb95FEWJuI8iYEd/HlZdKslN2LcuXOpHENM+TgGE6hBC5cQhVuoQYNwMDgEZ7hxbq3nqxX623WumLNZ47gD6z3Hz+zkyQ=</latexit>Adversarial Defense by Stratified Convolutional Sparse Coding, Sun et al.
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
45
Defense Clean FGSM BIM
DeepFool
CW No Defense 0.930 0.582 0.180 0.176 0.094 MagNet[1] 0.904 0.615 0.431 0.654 0.485
PixelDefend[2]
0.853 0.681 0.773 0.741 0.758 STL 0.829 0.710 0.745 0.785 0.777 STL(Cluster) 0.836 0.711 0.753 0.796 0.791
Use a network to project
Problem
T(·)
<latexit sha1_base64="oLQGDewVlieHTb9JOtiR23Tmf8=">AB73icbVC7SgNBFL3rM8ZX1FKLxSDEJuzGQguLgI1lhLwgu4TZ2dlkyOzMOjMrhCXfELCxUMTW3/AT7PwQeyePQhMPXDicy/3hMkjCrtOF/Wyura+sZmbiu/vbO7t184OGwqkUpMGlgwIdsBUoRThqakbaiSQoDhpBYObid96IFJRwet6mBA/Rj1OI4qRNlK7XvJwKPR5t1B0ys4U9jJx56RYPRl7pe+Pca1b+PRCgdOYcI0ZUqrjOon2MyQ1xYyM8l6qSILwAPVIx1COYqL8bHrvyD4zSmhHQpri2p6qvycyFCs1jAPTGSPdV4veRPzP6Q6uvIzypNUE45ni6KU2VrYk+ftkEqCNRsagrCk5lYb95FEWJuI8iYEd/HlZdKslN2LcuXOpHENM+TgGE6hBC5cQhVuoQYNwMDgEZ7hxbq3nqxX623WumLNZ47gD6z3Hz+zkyQ=</latexit>On CIFAR-10 by VGG-16
Adversarial Defense by Stratified Convolutional Sparse Coding, Sun et al.
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
46
Defense Clean FGSM BIM
DeepFool
CW No Defense 0.930 0.582 0.180 0.176 0.094 MagNet[1] 0.921 0.739 0.771 0.877 0.859
PixelDefend[2]
0.904 0.832 0.852 0.883 0.885 STL 0.900 0.852 0.875 0.884 0.888 STL(Cluster) 0.901 0.857 0.880 0.889 0.890
On CIFAR-10 by VGG-16
Adversarial Defense by Stratified Convolutional Sparse Coding, Sun et al.
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
ImageNet, Top-1 acc, ResNet-50 (Resolution: 224*224):
47
Adversarial Defense by Stratified Convolutional Sparse Coding, Sun et al.
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
48
Adversarial Defense by Stratified Convolutional Sparse Coding, Sun et al.
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
49
Optimization based transformation
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
50
Extending Adversarial Attacks AND Defenses To Deep 3D Point Cloud Classifiers, Liu et al, ICIP2019
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
51
Extending Adversarial Attacks AND Defenses To Deep 3D Point Cloud Classifiers, Liu et al, ICIP2019
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
52
Extending Adversarial Attacks AND Defenses To Deep 3D Point Cloud Classifiers, Liu et al, ICIP2019
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
53
(1,2,3) (1,1,1) (2,3,2) (2,3,4) simple symmetric function (e.g., max)
PointNet (vanilla)
h g γ
Observe:
f (x1,x2,…,xn) = γ ! g(h(x1),…,h(xn)) is symmetric if is symmetric
PointNet: Deep Learning on Point Sets for 3D Classification and Segmentation, CVPR17, Qi et al
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
54
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
55
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
56
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
57
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
58
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
59
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
60
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
61
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
62
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
63
On 16 hand-picked object categories that humans can classify with 100% accuracy
Attack Method No Defense None 1.0 Fast Gradient L2 0.602 Iter Gradient L2 0.258 Iter Gradient L2 (clip norm) 0.548 Normalized Iter Gradient L2 0.355
<latexit sha1_base64="GaTdEvVOmhtq0Asr4Vr9iOxTQuY=">AEIHicjZPditNAFMezqR9r/erqpTeDu8p6U5K03bYgsouyKmhdZbtdaEqZTE7aYSeTMDNZrDFv4Ct47XgQ3jhSJ6py/gazhpi9imgcC/znN85M5l4MaNSWdaPNbN05uy58+sXyhcvXb5ytbJx7UhGiSDQJRGLxLGHJTDKoauoYnAcC8Chx6DndzP13unICSN+KGaxDAI8YjTgBKstDXcMHeQ68GI8lRhL2FYZCl5TXRkZbQY7jvsezuKYXJCXoKahz56DbqROgBMAl6Jc9P2+NBcUMHQpMOeUjb+AMDrN5bNEMaozXPf/mnUirF21dIQV8FL5QWpVW23G5k2tGjWURG1j6VCDwX2KXCFtp4Mna1p9o7lzKqc5iKuUZ/hWu1WkfZYgSjQrKrTaM2gTnsB1q1shUzraJsE0ZjxCMR3smJjfqcqDe1QGzbWRHY0WY0Vfg/2vCWqMx5dWtpQmt2qoJix/ABe7/uSTlYWXTqlrTQEVhz8Xmbu/Xh3v7b94fDCvfXT8iSaiHIgxL2betWA1SLBQlDLKym0iI9VXCI+hryXEIcpBOL3iGbmnHR0Ek9KM3NX/rkhxKOUk9HRmiNVYLq/l5q1fqKC1iClPE4UcDJrFCQMqQjlfwvyqQCi2EQLTATVsyIyxgITfcgyPwR7ectFceRU7VrVea5P464xi3XjhnHT2DZso2nsGo+MA6NrEPOt+dH8bH4pvSt9Kn0tfZulmvzmuvGQpR+/gY9LCPy</latexit> Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
64
Attack Method No Defense Adversarial Training None 1.0 0.995 Fast Gradient L2 0.602 0.927 Iter Gradient L2 0.258 0.629 Iter Gradient L2 (clip norm) 0.548 0.674 Normalized Iter Gradient L2 0.355 0.409
<latexit sha1_base64="GaTdEvVOmhtq0Asr4Vr9iOxTQuY=">AEIHicjZPditNAFMezqR9r/erqpTeDu8p6U5K03bYgsouyKmhdZbtdaEqZTE7aYSeTMDNZrDFv4Ct47XgQ3jhSJ6py/gazhpi9imgcC/znN85M5l4MaNSWdaPNbN05uy58+sXyhcvXb5ytbJx7UhGiSDQJRGLxLGHJTDKoauoYnAcC8Chx6DndzP13unICSN+KGaxDAI8YjTgBKstDXcMHeQ68GI8lRhL2FYZCl5TXRkZbQY7jvsezuKYXJCXoKahz56DbqROgBMAl6Jc9P2+NBcUMHQpMOeUjb+AMDrN5bNEMaozXPf/mnUirF21dIQV8FL5QWpVW23G5k2tGjWURG1j6VCDwX2KXCFtp4Mna1p9o7lzKqc5iKuUZ/hWu1WkfZYgSjQrKrTaM2gTnsB1q1shUzraJsE0ZjxCMR3smJjfqcqDe1QGzbWRHY0WY0Vfg/2vCWqMx5dWtpQmt2qoJix/ABe7/uSTlYWXTqlrTQEVhz8Xmbu/Xh3v7b94fDCvfXT8iSaiHIgxL2betWA1SLBQlDLKym0iI9VXCI+hryXEIcpBOL3iGbmnHR0Ek9KM3NX/rkhxKOUk9HRmiNVYLq/l5q1fqKC1iClPE4UcDJrFCQMqQjlfwvyqQCi2EQLTATVsyIyxgITfcgyPwR7ectFceRU7VrVea5P464xi3XjhnHT2DZso2nsGo+MA6NrEPOt+dH8bH4pvSt9Kn0tfZulmvzmuvGQpR+/gY9LCPy</latexit> Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
neighbors (k=10 in experiments)
65
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
66
Attack Method No Defense Adversarial Training Removing Outliers None 1.0 0.995 0.974 Fast Gradient L2 0.602 0.927 0.954 Iter Gradient L2 0.258 0.629 0.838 Iter Gradient L2 (clip norm) 0.548 0.674 0.891 Normalized Iter Gradient L2 0.355 0.409 0.803
<latexit sha1_base64="GaTdEvVOmhtq0Asr4Vr9iOxTQuY=">AEIHicjZPditNAFMezqR9r/erqpTeDu8p6U5K03bYgsouyKmhdZbtdaEqZTE7aYSeTMDNZrDFv4Ct47XgQ3jhSJ6py/gazhpi9imgcC/znN85M5l4MaNSWdaPNbN05uy58+sXyhcvXb5ytbJx7UhGiSDQJRGLxLGHJTDKoauoYnAcC8Chx6DndzP13unICSN+KGaxDAI8YjTgBKstDXcMHeQ68GI8lRhL2FYZCl5TXRkZbQY7jvsezuKYXJCXoKahz56DbqROgBMAl6Jc9P2+NBcUMHQpMOeUjb+AMDrN5bNEMaozXPf/mnUirF21dIQV8FL5QWpVW23G5k2tGjWURG1j6VCDwX2KXCFtp4Mna1p9o7lzKqc5iKuUZ/hWu1WkfZYgSjQrKrTaM2gTnsB1q1shUzraJsE0ZjxCMR3smJjfqcqDe1QGzbWRHY0WY0Vfg/2vCWqMx5dWtpQmt2qoJix/ABe7/uSTlYWXTqlrTQEVhz8Xmbu/Xh3v7b94fDCvfXT8iSaiHIgxL2betWA1SLBQlDLKym0iI9VXCI+hryXEIcpBOL3iGbmnHR0Ek9KM3NX/rkhxKOUk9HRmiNVYLq/l5q1fqKC1iClPE4UcDJrFCQMqQjlfwvyqQCi2EQLTATVsyIyxgITfcgyPwR7ectFceRU7VrVea5P464xi3XjhnHT2DZso2nsGo+MA6NrEPOt+dH8bH4pvSt9Kn0tfZulmvzmuvGQpR+/gY9LCPy</latexit> Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
67
skeletons
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
68
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
69
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
70
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
71
achieve SOTA performance on attack agnostic defense
not to use networks for this projection step
Attack-Agnostic Defense for 2D and 3D Recognition Hao Su UC San Diego
72
Bo Sun to be a Ph.D. at UT Austin Daniel Liu Torrey Pines High School Tiange Luo Peking University Ronald Yu UCSD Fangchen Liu UCSD Nian-hsuan Tsai National Tsinghua University
Bo Li, Assistant Professor at UIUC