adversarial attacks beyond the image space
play

Adversarial Attacks Beyond the Image Space Xiaohui Zeng , Chenxi - PowerPoint PPT Presentation

Aug 20, 2022 •255 likes •577 views

Adversarial Attacks Beyond the Image Space Xiaohui Zeng , Chenxi Liu, Yu-Siang Wang, Weichao Qiu, Lingxi Xie, Yu-Wing Tai, Chi Keung Tang, Alan Yuille 06/19/2019 Visual Recognition Pipeline Visual Recognition Pipeline 3D scene Visual

  1. Adversarial Attacks Beyond the Image Space Xiaohui Zeng , Chenxi Liu, Yu-Siang Wang, Weichao Qiu, Lingxi Xie, Yu-Wing Tai, Chi Keung Tang, Alan Yuille 06/19/2019

  2. Visual Recognition Pipeline

  3. Visual Recognition Pipeline 3D scene

  4. Visual Recognition Pipeline projection 3D scene 2D image

  5. Visual Recognition Pipeline car projection recognition 3D scene 2D image label

  6. Adversarial Attacks on 2D Image car projection recognition + bus recognition

  7. Adversarial Attacks ● Can the network fail if we slightly modify 2D pixel values? ○ Yes!

  8. Adversarial Attacks ● Can the network fail if we slightly modify 2D pixel values? ○ Yes! ● Should we be concerned about them in the real world? Well, sort of. ○

  9. Adversarial Attacks ● Can the network fail if we slightly modify 2D pixel values? ○ Yes! ● Should we be concerned about them in the real world? Well, sort of. ○ ○ Potentially dangerous. ○ But require position-wise albedo change, which is unrealistic to implement.

  10. Adversarial Attacks on 3D Scene car projection recognition + ??? rotation, projection recognition translation

  11. Adversarial Attacks on 3D Scene car projection recognition + ??? lighting projection recognition

  12. Adversarial Attacks ● Can the network fail if we ● Can the network fail if we slightly modify 2D pixel values? slightly modify 3D physical ○ Yes! parameters? ● Should we be concerned about ○ Well, let’s find out :) them in the real world? Well, sort of. ○ ○ Potentially dangerous. ○ But require position-wise albedo change, which is unrealistic to implement.

  13. Adversarial Attacks ● Can the network fail if we ● Can the network fail if we slightly modify 2D pixel values? slightly modify 3D physical ○ Yes! parameters? ● Should we be concerned about ○ Well, let’s find out :) them in the real world? ● Should we be concerned about Well, sort of. them in the real world? ○ ○ Potentially dangerous. ○ If they exist, then we should ○ But require position-wise be much more concerned albedo change, which is than before, as they are unrealistic to implement. much more easily realized.

  14. Visual Recognition Pipeline car projection recognition 3D scene 2D image label Physical Image Output Space Space Space

  15. Visual Recognition Pipeline car rendering recognition 3D scene 2D image label Physical Image Output Space Space Space

  16. Visual Recognition Pipeline car rendering CNN 3D scene 2D image label Physical Image Output Space Space Space

  17. Visual Recognition Pipeline car rendering CNN 3D scene 2D image label Physical Image Output Space Space Space

  18. Settings & Tasks Differentiable ● White box attack Renderer Use gradient descent ●

  19. Settings & Tasks Differentiable ● White box attack Renderer Use gradient descent ● Non-Differentiable Black box attack ● Renderer ● Use finite difference for the non-differentiable component Chen, Pin-Yu, et al. "Zoo: Zeroth order optimization based black-box attacks to deep neural networks without training substitute models." Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security. ACM, 2017.

  20. Settings & Tasks Differentiable Renderer Non-Differentiable Renderer

  21. Settings & Tasks Object Classification (ShapeNet) Differentiable Renderer Non-Differentiable Renderer Chang, Angel X., et al. "Shapenet: An information-rich 3d model repository." arXiv preprint arXiv:1512.03012 (2015).

  22. Settings & Tasks Object Classification Visual Question (ShapeNet) Answering (CLEVR) Differentiable Renderer Non-Differentiable Renderer Johnson, Justin, et al. "Clevr: A diagnostic dataset for compositional language and elementary visual reasoning." In CVPR. 2017.

  23. Settings & Tasks Object Classification Visual Question (ShapeNet) Answering (CLEVR) Differentiable Renderer #1 #2 Non-Differentiable Renderer #3 #4

  24. #1: Differentiable + Object Classification ● Differentiable renderer: Liu et al, 2017 surface normal ○ ○ illumination material ○ Liu, Guilin, et al. "Material editing using a physically based rendering network." In ICCV. 2017.

  25. #1: Differentiable + Object Classification ● Differentiable renderer: Liu et al, 2017 surface normal ○ ○ illumination material ○ ● Can image space adversarial noise be explained by physical space? ○ No for 97% of the case

  26. #1: Differentiable + Object Classification ● Differentiable renderer: Liu et al, 2017 surface normal ○ ○ illumination material ○ ● Can image space adversarial noise be explained by physical space? ○ No for 97% of the case ● Attacking image space vs physical space: Image Surface N. Illumination Material Combined Attack 100.00 89.27 29.61 18.88 94.42 success %

  27. #2: Differentiable + VQA ● Attacking image space vs physical space: Image Surface N. Illumination Material Combined Attack 96.33 83.67 48.67 8.33 90.67 success %

  28. #3: Non-Differentiable + Object Classification ● Non-Differentiable renderer: Blender color ○ ○ rotation translation ○ ○ lighting

  29. #3: Non-Differentiable + Object Classification ● Non-Differentiable renderer: Blender color ○ ○ rotation translation ○ ○ lighting How often does physical space attack succeed? ● ○ ~10% of the time ○ But highly interpretable: Rotate (-2.9, 9.4, 2.5) x 10 -3 rad along x, y, z Move (2.0, 0.0, 0.2) x 10 -3 along x, y, z Change RGB color by (9.1, 5.4, -4.8) x 10 -2 Adjust light source by -0.3 Change the light angle by (9.5, 5.4, 0.6) x 10 -2 cap helmet

  30. #4: Non-Differentiable + VQA ● How often does physical space attack succeed? ~20% of the time ○ ○ But highly interpretable: Q: How many other purple objects have the same shape as the purple matte object? Move light source by (0.0, 3.0, -1.0, -1.7) x 10 -2 Rotate object 2 by (-1.6, 4.1) x 10 -2 Move object 3 by (-3.1, 6.2) x 10 -2 Change RGB of object 9 by (-3.7, -1.1, -4.5) x 10 -2 …… A: 0 A: 1

  31. Conclusion ● We study adversarial attacks beyond the image space on the physical space Such attacks (via rotation, translation, color, lighting etc) can still succeed ● ● They pose more serious threat Rotate (-2.9, 9.4, 2.5) x 10 -3 rad along x, y, z Move (2.0, 0.0, 0.2) x 10 -3 along x, y, z Change RGB color by (9.1, 5.4, -4.8) x 10 -2 Adjust light source by -0.3 Change the light angle by (9.5, 5.4, 0.6) x 10 -2 cap helmet

  32. Thank you!

Recommend

CVPR 2020 Universal Adversarial Attacks Image agnostic and transferable across networks

CVPR 2020 Universal Adversarial Attacks Image agnostic and transferable across networks

1 1,4 2,3 2 3 4 1 CVPR 2020 Universal Adversarial Attacks Image agnostic and transferable across networks Adversarial No defense: Baseline DNN perturbation Input image Classification Feature extraction dense Perturbed image

592 views • 6 slides
Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem

Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem

images from Geris Game (Pixar, 1997) Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem Aykut Erdem Levent Karacan Computer Vision Lab, Hacettepe University Outline Part 1: Attacks on

1.11k views • 72 slides
Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning Stronger Jingfeng Zhang 1 * , Xilie Xu 2* , Bo Han 34 , Gang Niu 4 , Lichen Cui 5 , Masashi Sugiyama 46 , and Mohan Kankanhalli 1 1 Department of Computer

376 views • 14 slides
Stronger and Faster Wasserstein Adversarial Attacks Kaiwen Wu kaiwen.wu@uwaterloo.ca Joint work

Stronger and Faster Wasserstein Adversarial Attacks Kaiwen Wu kaiwen.wu@uwaterloo.ca Joint work

Stronger and Faster Wasserstein Adversarial Attacks Kaiwen Wu kaiwen.wu@uwaterloo.ca Joint work with Allen Wang and Yaoliang Yu K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 1 / 18 Adversarial Examples Adversarial

1.04k views • 38 slides
Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias

Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias

Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias Hein, Bernt Schiele 2-Minute Overview Problem: Robustness to various adversarial examples. Adversarial training on L adversarial examples:

635 views • 34 slides
On Adaptive Attacks to Adversarial Example Defenses Florian Tramr USENIX ScAINet August 10 th

On Adaptive Attacks to Adversarial Example Defenses Florian Tramr USENIX ScAINet August 10 th

On Adaptive Attacks to Adversarial Example Defenses Florian Tramr USENIX ScAINet August 10 th , 2020 Joint work with Nicholas Carlini, Wieland Brendel and Aleksander Madry What Are Adversarial Examples? 88% Tabby Cat 99% Guacamole Biggio

360 views • 21 slides
Attacks Meet Interpretability: Attribute-steered Detection of Adversarial Samples Guanhong Tao ,

Attacks Meet Interpretability: Attribute-steered Detection of Adversarial Samples Guanhong Tao ,

Attacks Meet Interpretability: Attribute-steered Detection of Adversarial Samples Guanhong Tao , Shiqing Ma, Yingqi Liu, Xiangyu Zhang Understanding Adversarial Samples Legitimate input Isla Fisher Model Pixel-wise Differences ( 50 times)

482 views • 34 slides
Unpaired Image-to-Image Translation using Cycle-Consistent Adversarial Networks Jun-Yan Zhu, et,

Unpaired Image-to-Image Translation using Cycle-Consistent Adversarial Networks Jun-Yan Zhu, et,

Unpaired Image-to-Image Translation using Cycle-Consistent Adversarial Networks Jun-Yan Zhu, et, al. ICCV 2017 2018.11.01 20185209 Sangyoon Lee Table of contents **ref: https://www.youtube.com/watch?v=Fkqf3dS9Cqw&t=1700s Before

823 views • 25 slides
Conditional Generative Adversarial Networks (and a brief look at image-to-image translation)

Conditional Generative Adversarial Networks (and a brief look at image-to-image translation)

Conditional Generative Adversarial Networks (and a brief look at image-to-image translation) Final Presentation Peter Bromley Generative Models What is generative modeling? Data: Samples from high dimensional probability distribution p real

621 views • 25 slides
Applications of GANs Photo-Realistic Single Image Super-Resolution Using a Generative

Applications of GANs Photo-Realistic Single Image Super-Resolution Using a Generative

Applications of GANs Photo-Realistic Single Image Super-Resolution Using a Generative Adversarial Network Deep Generative Image Models using a Laplacian Pyramid of Adversarial Networks Generative Adversarial Text to Image Synthesis

614 views • 27 slides
Applications of GANs Photo-Realistic Single Image Super-Resolution Using a Generative

Applications of GANs Photo-Realistic Single Image Super-Resolution Using a Generative

Applications of GANs Photo-Realistic Single Image Super-Resolution Using a Generative Adversarial Network Deep Generative Image Models using a Laplacian Pyramid of Adversarial Networks Generative Adversarial Text to Image Synthesis

666 views • 39 slides
Adversarial Attacks on Probabilistic Autoregressive Forecasting Models 2 (i) Probabilistic

Adversarial Attacks on Probabilistic Autoregressive Forecasting Models 2 (i) Probabilistic

ICML 2020 Raphal Dang-Nhu Gagandeep Singh Pavol Bielik Martin Vechev Department of Computer Science, ETH Zrich dangnhur@ethz.ch 1 Adversarial Attacks on Probabilistic Autoregressive Forecasting Models 2 (i) Probabilistic forecasting

765 views • 45 slides
On Certifying Non-uniform Bounds against Adversarial Attacks Chen Liu , Ryota Tomioka ,

On Certifying Non-uniform Bounds against Adversarial Attacks Chen Liu , Ryota Tomioka ,

On Certifying Non-uniform Bounds against Adversarial Attacks Chen Liu , Ryota Tomioka , Volkan Cevher Ecole Polytechnique F ed erale de Lausanne Microsoft Research Cambridge June 11th, 2019 Liu et al. (EPFL)

557 views • 17 slides
Image Space Occlusion Culling Image Space Occlusion Culling 1 Hudson et al, SoCG 97 Occluder A

Image Space Occlusion Culling Image Space Occlusion Culling 1 Hudson et al, SoCG 97 Occluder A

Image Space Occlusion Culling Image Space Occlusion Culling 1 Hudson et al, SoCG 97 Occluder A Viewpoint umbra B C 2 What Methods are Called Image-Space? Those where the decision to cull or render is done after projection (in image

566 views • 24 slides
15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico

15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico

15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico Kolter (this lecture) and Ariel Procaccia Carnegie Mellon University Spring 2018 Portions base upon joint work with Eric Wong 1 Outline Adverarial

710 views • 39 slides
Overview What is Adversarial Attack? Why should we care? How does it work? Real

Overview What is Adversarial Attack? Why should we care? How does it work? Real

Adversarial Attacks on Phishing Detection Ryan Chang Overview What is Adversarial Attack? Why should we care? How does it work? Real World Demo on Phishing Detection Model How to defend? Adversarial Examples on

610 views • 26 slides
learning: defense, transferable and camouflaged attacks Xingjun Ma School of Computing and

learning: defense, transferable and camouflaged attacks Xingjun Ma School of Computing and

Recent advances in adversarial machine learning: defense, transferable and camouflaged attacks Xingjun Ma School of Computing and Information Systems The University of Melbourne April 2020 Deep learning models are used everywhere Image

1.12k views • 34 slides
The Space of Faces = + An image is a point in a high dimensional space An N x M image is

The Space of Faces = + An image is a point in a high dimensional space An N x M image is

The Space of Faces = + An image is a point in a high dimensional space An N x M image is a point in R NM 1 Linear Subspaces Dimensionality Reduction convert x into v 1 , v 2 coordinates What does the v 2 coordinate measure? - distance

106 views • 9 slides
Counteracting Adversarial Attacks in Autonomous Driving Qi Sun 1 , Arjun Ashok Rao 1 , Xufeng Yao

Counteracting Adversarial Attacks in Autonomous Driving Qi Sun 1 , Arjun Ashok Rao 1 , Xufeng Yao

Counteracting Adversarial Attacks in Autonomous Driving Qi Sun 1 , Arjun Ashok Rao 1 , Xufeng Yao 1 , Bei Yu 1 , Shiyan Hu 2 1 The Chinese University of Hong Kong 2 University of Southampton 1 / 21 Vision-Based Object Detection Classification

640 views • 29 slides
1 The Space of Faces = + An image is a point in a high dimensional space An N x M image

1 The Space of Faces = + An image is a point in a high dimensional space An N x M image

1 The Space of Faces = + An image is a point in a high dimensional space An N x M image is a point in R NM 2 Linear Subspaces convert x into v 1 , v 2 coordinates What does the v 2 coordinate measure? - distance to line - use it for

810 views • 18 slides
Enforcing constraints for interpolation and extrapolation in Generative Adversarial Networks

Enforcing constraints for interpolation and extrapolation in Generative Adversarial Networks

Enforcing constraints for interpolation and extrapolation in Generative Adversarial Networks Panos Stinis (joint work with T. Hagge, A.M. Tartakovsky and E. Yeung) Pacific Northwest National Laboratory space space space Supported by Deep

255 views • 14 slides
Generative Adversarial Networks Phillip Isola 9.520 10/17/18 Image classification Classifier

Generative Adversarial Networks Phillip Isola 9.520 10/17/18 Image classification Classifier

z N ( ~ 0 , 1) Generative Adversarial Networks Phillip Isola 9.520 10/17/18 Image classification Classifier Fish image X label Y Image generation Generator Fish label Y image X <latexit

1.3k views • 106 slides
Adversary for Social Good: Protecting Familial Privacy through Joint Adversarial Attacks Chetan

Adversary for Social Good: Protecting Familial Privacy through Joint Adversarial Attacks Chetan

Adversary for Social Good: Protecting Familial Privacy through Joint Adversarial Attacks Chetan Kumar, Riazat Ryan, Ming Shao Department of Computer and Information Science, University of Massachusetts, Dartmouth Data Leakage: Limited time

294 views • 27 slides
Works will be presented Deep Convolutional Generative Adversarial Networks(DCGAN) Image

Works will be presented Deep Convolutional Generative Adversarial Networks(DCGAN) Image

Michael James Smiths rhyperealistic paintings Part 3 Image Editing with GANs Levent Karacan Computer Vision Lab, Hacettepe University Works will be presented Deep Convolutional Generative Adversarial Networks(DCGAN) Image Editing

1.17k views • 68 slides

More recommend