tutorial on adversarial machine learning with cleverhans
play

Tutorial on Adversarial Machine Learning with CleverHans Nicholas - PowerPoint PPT Presentation

Feb 14, 2024 •33 likes •493 views

@NicolasPapernot Tutorial on Adversarial Machine Learning with CleverHans Nicholas Carlini University of California, Berkeley Nicolas Papernot Pennsylvania State University Did you git clone https://github.com/carlini/odsc_adversarial_nn ?

  1. @NicolasPapernot Tutorial on Adversarial Machine Learning with CleverHans Nicholas Carlini University of California, Berkeley Nicolas Papernot Pennsylvania State University Did you git clone https://github.com/carlini/odsc_adversarial_nn ? November 2017 - ODSC

  2. Getting setup If you have not already: git clone https://github.com/carlini/odsc_adversarial_nn cd odsc_adversarial_nn python test_install.py 2

  3. Why neural networks? 3

  4. Classification with neural networks Machine Learning [0.01, 0.84 , 0.02, 0.01, 0.01, 0.01, 0.05, 0.01, 0.03, 0.01] Classifier [p(0|x,θ), p(1|x,θ), p(2|x,θ), …, p(7|x,θ), p(8|x,θ), p(9|x,θ)] x f(x,θ) Classifier : map inputs to one class among a predefined set 4

  5. 5

  6. 6

  7. 7

  8. D I N E J O A S F K P B T G L Q C H M R 8

  9. 9

  10. 10

  11. [0 1 0 0 0 0 0 0 0 0] [0 1 0 0 0 0 0 0 0 0] [1 0 0 0 0 0 0 0 0 0] [0 0 0 0 0 0 0 1 0 0] Machine Learning [0 0 0 0 0 0 0 0 0 1] [0 0 0 1 0 0 0 0 0 0] Classifier [0 0 0 0 0 0 0 0 1 0] [0 0 0 0 0 0 1 0 0 0] [0 1 0 0 0 0 0 0 0 0] [0 0 0 0 1 0 0 0 0 0] Learning : find internal classifier parameters θ that minimize a cost/loss function (~model error) 11

  12. NNs give better results than any other approach But there’s a catch ... 12

  13. Adversarial examples 13 [GSS15] Goodfellow et al. Explaining and Harnessing Adversarial Examples

  14. 14

  15. Crafting adversarial examples: fast gradient sign method During training, the classifier uses a loss function to minimize model prediction errors After training, attacker uses loss function to maximize model prediction error 1. Compute its gradient with respect to the input of the model 2. Take the sign of the gradient and multiply it by a threshold 15 [GSS15] Goodfellow et al. Explaining and Harnessing Adversarial Examples

  16. Transferability 16

  17. Not specific to neural networks Logistic regression SVM 17 Nearest Neighbors Decision Trees

  18. Machine Learning with TensorFlow import tensorflow as tf sess = tf.Session() five = tf.constant(5) six = tf.constant(6) sess.run(five+six) # 11 18

  19. Machine Learning with TensorFlow import tensorflow as tf sess = tf.Session() five = tf.constant(5) number = tf.placeholder(tf.float32, []) added = five+number sess.run(added, {number: 6}) # 11 sess.run(added, {number: 8}) # 13 19

  20. Machine Learning with TensorFlow import tensorflow as tf number = tf.placeholder(tf.float32, []) squared = number * number derivative = tf.gradients(squared, [number])[0] sess.run(derivative, {number: 5}) # 10 20

  21. Classifying ImageNet with the Inception Model [Hands On] 21

  22. Attacking ImageNet 22

  23. 23

  24. Growing community 1.3K+ stars 300+ forks 40+ contributors 24

  25. Attacking the Inception Model for ImageNet [Hands On] python attack.py Replace panda.png with adversarial_panda.png python classify.py Things to try: 1. Replace the given image of a panda with your own image 2. Change the target label which the adversarial example should be classified as 25

  26. Adversarial Training 7 Training 2 26

  27. Adversarial Training 7 Attack Attack 2 27

  28. Adversarial Training 7 Training 2 7 2 28

  29. Adversarial training Intuition: injecting adversarial example during training with correct labels Goal: improve model generalization outside of training manifold Training time (epochs) 29 Figure by Ian Goodfellow

  30. Adversarial training Intuition: injecting adversarial example during training with correct labels Goal: improve model generalization outside of training manifold Training time (epochs) 30 Figure by Ian Goodfellow

  31. Adversarial training Intuition: injecting adversarial example during training with correct labels Goal: improve model generalization outside of training manifold Training time (epochs) 31 Figure by Ian Goodfellow

  32. Adversarial training Intuition: injecting adversarial example during training with correct labels Goal: improve model generalization outside of training manifold Training time (epochs) 32 Figure by Ian Goodfellow

  33. Efficient Adversarial Training through Loss Modification Small when prediction is correct on legitimate input 33

  34. Efficient Adversarial Training through Loss Modification Small when prediction is Small when prediction is correct on legitimate input correct on adversarial input 34

  35. Adversarial Training Demo 35

  36. Attacking remotely hosted black-box models Remote ML sys “0” “1” “4” (1) The adversary queries remote ML system for labels on inputs of its choice. 36

  37. Attacking remotely hosted black-box models Local Remote substitute ML sys “0” “1” “4” (2) The adversary uses this labeled data to train a local substitute for the remote system. 37

  38. Attacking remotely hosted black-box models Local Remote substitute ML sys “0” “2” “9” (3) The adversary selects new synthetic inputs for queries to the remote ML system based on the local substitute’s output surface sensitivity to input variations. 38

  39. Attacking remotely hosted black-box models “yield sign” Local Remote substitute ML sys (4) The adversary then uses the local substitute to craft adversarial examples, which are misclassified by the remote ML system because of transferability. 39

  40. Attacking with transferability “yield sign” Undefended Defended model model (4) The adversary then uses the local substitute to craft adversarial examples, which are misclassified by the remote ML system because of transferability. 40

  41. Attacking Adversarial Training with Transferability Demo 41

  42. How to test your model for adversarial examples? White-box attacks One shot ● FastGradientMethod Iterative/Optimization-based ● BasicIterativeMethod, CarliniWagnerL2 Transferability attacks ● Transfer from undefended ● Transfer from defended 42

  43. Defenses Adversarial training: - Original variant - Ensemble adversarial training - Madry et al. Reduce dimensionality of input space: - Binarization of the inputs - Thermometer-encoding 43

  44. Adversarial examples represent worst-case distribution drifts 44 [DDS04] Dalvi et al. Adversarial Classification (KDD)

  45. Adversarial examples are a tangible instance of hypothetical AI safety problems 45 Image source: http://www.nerdist.com/wp-content/uploads/2013/07/Space-Odyssey-4.jpg

  46. How to reach out to us? Nicholas Carlini nicholas@carlini.com Nicolas Papernot nicolas@papernot.fr 46

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Adversarial Robustness: Theory and Practice Zico Kolter Aleksander Mdry madry-lab.ml

Adversarial Robustness: Theory and Practice Zico Kolter Aleksander Mdry madry-lab.ml

Adversarial Robustness: Theory and Practice Zico Kolter Aleksander Mdry madry-lab.ml Tutorial website: @zicokolter @aleks_madry adversarial-ml-tutorial.org Machine Learning: The Success Story Image classification Reinforcement Learning

528 views • 49 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
Wild Patterns: Ten Years After the Rise of Adversarial Machine Learning Battista Biggio * Slides

Wild Patterns: Ten Years After the Rise of Adversarial Machine Learning Battista Biggio * Slides

Pattern Recognition University of and Applications Lab Cagliari, Italy Wild Patterns: Ten Years After the Rise of Adversarial Machine Learning Battista Biggio * Slides from this talk are inspired from the tutorial I prepared with Fabio Roli on

850 views • 65 slides
Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop

Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop

Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop September 14, 2017 Why Prove Things? Attackers often have more motivation/resources than defenders Heuristic defenses: arms race between attack and

738 views • 52 slides
AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning Florian Tramr November

AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning Florian Tramr November

AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning Florian Tramr November 14 th 2019 Joint work with Pascal Dupr, Gili Rusak, Giancarlo Pellegrino and Dan Boneh The Future of Ad-Blocking easylist.txt markup

612 views • 23 slides
Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to

Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to

Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to Nicolas Papernot, Ian Goodfellow, and Jerry Zhu for some slides . Machine learning brings social disruption at scale Healthcare Energy Source: Peng and

821 views • 71 slides
Vulnerability of machine learning models to adversarial examples Petra Vidnerov Institute of

Vulnerability of machine learning models to adversarial examples Petra Vidnerov Institute of

Vulnerability of machine learning models to adversarial examples Petra Vidnerov Institute of Computer Science The Czech Academy of Sciences Hora Informaticae 2016 Outline Introduction Works on adversarial examples Our work Genetic

855 views • 46 slides
Learning is a never-ending process Tasks come and go, but learning is forever Learn more e ff

Learning is a never-ending process Tasks come and go, but learning is forever Learn more e ff

NeurIPS 2018 Tutorial on Automatic Machine Learning Learning to Learn Learning Learning Learning Learning Learning automl.org/events -> AutoML Tutorial -> Slides Frank Hutter Joaquin Vanschoren Eindhoven University of Technology

1.36k views • 40 slides
CS 294-34: Practical Machine Learning Tutorial Ariel Kleiner Content inspired by Fall 2006

CS 294-34: Practical Machine Learning Tutorial Ariel Kleiner Content inspired by Fall 2006

CS 294-34: Practical Machine Learning Tutorial Ariel Kleiner Content inspired by Fall 2006 tutorial lecture by Alexandre Bouchard-Cote and Alex Simma August 27, 2009 Machine Learning Draws Heavily On. . . Probability and Statistics

1.21k views • 34 slides
Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann

Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann

Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann Department of Informatics Technical University of Munich 28.10.2019 Adversarial Robustness of Machine Learning Models for Graphs S. Gnnemann Can you

669 views • 27 slides
Intro Tutorial on GANs Michela Paganini Fermilab Machine Learning Group Meeting March 21, 2018

Intro Tutorial on GANs Michela Paganini Fermilab Machine Learning Group Meeting March 21, 2018

Yale Intro Tutorial on GANs Michela Paganini Fermilab Machine Learning Group Meeting March 21, 2018 Yale Outline Overview: Generative modeling Generative Adversarial Networks (GANs) Hands-on : build vanilla GAN on FashionMNIST GAN

965 views • 22 slides
Physical Adversarial Examples Alex Kurakin Ian Goodfellow Output STOP Machine Learning

Physical Adversarial Examples Alex Kurakin Ian Goodfellow Output STOP Machine Learning

Physical Adversarial Examples Alex Kurakin Ian Goodfellow Output STOP Machine Learning Training Examples Hidden units / BICYCLE features CAR PEDESTRIA N Parameters Input ImageNet (Russakovsky et al 2015) Adversarial Examples: Images

369 views • 19 slides
When foes are friends adversarial examples as protective technologies Carmela Troncoso

When foes are friends adversarial examples as protective technologies Carmela Troncoso

When foes are friends adversarial examples as protective technologies Carmela Troncoso @carmelatroncoso Security and Privacy Engineering Lab The machine learning revolution 2 Machine Learning ) Definition (Wikipedia) Machine learning [...]

965 views • 58 slides
Recent Trends in Adversarial Machine Learning Thanks to Ian Goodfellow, Somesh Jha, Patrick

Recent Trends in Adversarial Machine Learning Thanks to Ian Goodfellow, Somesh Jha, Patrick

Recent Trends in Adversarial Machine Learning Thanks to Ian Goodfellow, Somesh Jha, Patrick McDaniel, and Nicolas Papernot for some slides December 4, 2018 Berkay Celik How it works training Learning Algorithm Training Data Model

536 views • 35 slides
Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain

Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain

Progressive GAN CoGAN LR-GAN MedGAN CGAN IcGAN A ff GAN DiscoGAN LS-GAN BIM LAPGAN MPM-GAN AdaGAN FGSM iGAN LSGAN InfoGAN IAN ATN Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain McGAN

860 views • 45 slides
Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain

Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain

Progressive GAN CoGAN LR-GAN MedGAN CGAN IcGAN A ff GAN DiscoGAN LS-GAN BIM LAPGAN MPM-GAN AdaGAN FGSM iGAN LSGAN InfoGAN IAN ATN Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain McGAN

562 views • 39 slides
Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing attacks important? Clarifications Zero-One Gap / Neighborhood Size etc. Problems Questions Extensions Contribution Discussion

645 views • 26 slides
Remote Timing Attacks are Still Practical Billy Brumley Nicola Tuveri Aalto University School of

Remote Timing Attacks are Still Practical Billy Brumley Nicola Tuveri Aalto University School of

Remote Timing Attacks are Still Practical Billy Brumley Nicola Tuveri Aalto University School of Science, Finland {bbrumley,ntuveri}@tcs.hut.fi Synopsis New remote timing attack vulnerability in OpenSSLs implementation of Montgomerys

487 views • 25 slides
AOS Linux Tutorial Remote Access and Transferring Files Michael Havas Dept. of Atmospheric and

AOS Linux Tutorial Remote Access and Transferring Files Michael Havas Dept. of Atmospheric and

AOS Linux Tutorial Remote Access and Transferring Files Michael Havas Dept. of Atmospheric and Oceanic Sciences McGill University September 28, 2010 Outline 1 Remote Access SSH From Linux or OS X SSH from Windows Transferring Files SSH

394 views • 20 slides
Linux on Sun Logical Domains David S. Miller Red Hat Inc. linux.conf.au, MEL8OURNE, 2008 David

Linux on Sun Logical Domains David S. Miller Red Hat Inc. linux.conf.au, MEL8OURNE, 2008 David

Background Userland Simulator Implementation Challenges/Futures Summary Linux on Sun Logical Domains David S. Miller Red Hat Inc. linux.conf.au, MEL8OURNE, 2008 David S. Miller Red Hat Inc. Linux on Sun LDOMs Background Userland

515 views • 36 slides
Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia

Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia

1 Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia No class on Oct 28 If you are interested in, check out EKOPARTY CTF 2016 Due: Lab08 is out and its due on Nov 3 (two weeks!)

530 views • 21 slides
Uncovering Zero-Days and advanced fuzzing How to successfully get the tools to unlock UNIX and

Uncovering Zero-Days and advanced fuzzing How to successfully get the tools to unlock UNIX and

Uncovering Zero-Days and advanced fuzzing How to successfully get the tools to unlock UNIX and Windows Servers About the presentation Whoami Introduction 0days and the rush for public vulnerabilities And Advanced fuzzing techniques

432 views • 31 slides
Security Analysis of Emerging Smart Home Applications Earlence Fernandes, Jaeyeon Jung, Atul

Security Analysis of Emerging Smart Home Applications Earlence Fernandes, Jaeyeon Jung, Atul

Security Analysis of Emerging Smart Home Applications Earlence Fernandes, Jaeyeon Jung, Atul Prakash IEEE Security and Privacy 24 May 2016 Smart Door Locks CO Sensors Connected Ovens Smart Plugs IP Cameras Emerging Smart Home Frameworks

502 views • 35 slides
A WMI S HELL A new way to get shells on remote Windows machines using only the WMI service LEXSI

A WMI S HELL A new way to get shells on remote Windows machines using only the WMI service LEXSI

A WMI S HELL A new way to get shells on remote Windows machines using only the WMI service LEXSI > CLIENT Andrei Dumitrescu Security Consultant, LEXSI S UMMARY Introduction Authenticated remote code execution (RCE) methods on

817 views • 32 slides

More recommend