adversarial attacks on probabilistic autoregressive
play

Adversarial Attacks on Probabilistic Autoregressive Forecasting - PowerPoint PPT Presentation

Oct 20, 2023 •303 likes •765 views

ICML 2020 Raphal Dang-Nhu Gagandeep Singh Pavol Bielik Martin Vechev Department of Computer Science, ETH Zrich dangnhur@ethz.ch 1 Adversarial Attacks on Probabilistic Autoregressive Forecasting Models 2 (i) Probabilistic forecasting

  1. ICML 2020 Raphaël Dang-Nhu Gagandeep Singh Pavol Bielik Martin Vechev Department of Computer Science, ETH Zürich dangnhur@ethz.ch 1 Adversarial Attacks on Probabilistic Autoregressive Forecasting Models

  2. 2 (i) Probabilistic forecasting model 1 Blundell et al., Weight Uncertainty in Neural Networks, ICML 2015 Monte-Carlo sampling • Complex resulting output distribution, approximated via • Multiple sources of noise: (i) each timestep, (ii) each weight 1 (ii) Bayesian neural network Neural architectures with stochastic behavior 1600 1400 1200 1000 800 600 400 −10 −5 0 5 10 15 20

  3. 2 (i) Probabilistic forecasting model 1 Blundell et al., Weight Uncertainty in Neural Networks, ICML 2015 Monte-Carlo sampling • Complex resulting output distribution, approximated via • Multiple sources of noise: (i) each timestep, (ii) each weight 1 (ii) Bayesian neural network Neural architectures with stochastic behavior 1600 1400 1200 1000 800 600 400 −10 −5 0 5 10 15 20

  4. 2 (i) Probabilistic forecasting model 1 Blundell et al., Weight Uncertainty in Neural Networks, ICML 2015 Monte-Carlo sampling • Complex resulting output distribution, approximated via • Multiple sources of noise: (i) each timestep, (ii) each weight 1 (ii) Bayesian neural network Neural architectures with stochastic behavior 1600 1400 1200 1000 800 600 400 −10 −5 0 5 10 15 20

  5. 2 (i) Probabilistic forecasting model 1 Blundell et al., Weight Uncertainty in Neural Networks, ICML 2015 Monte-Carlo sampling • Complex resulting output distribution, approximated via • Multiple sources of noise: (i) each timestep, (ii) each weight 1 (ii) Bayesian neural network Neural architectures with stochastic behavior 1600 1400 1200 1000 800 600 400 −10 −5 0 5 10 15 20

  6. 3 • Stochastic sequence model • Generates several prediction traces Handwriting generation WaveNet for raw audio Traditionally used as a generative model Focus of this work: probabilistic forecasting models 1600 1400 1200 1000 800 600 400 −10 −5 0 5 10 15 20

  7. 3 • Stochastic sequence model • Generates several prediction traces Handwriting generation WaveNet for raw audio Traditionally used as a generative model Focus of this work: probabilistic forecasting models 1600 1400 1200 1000 800 600 400 −10 −5 0 5 10 15 20

  8. Integrated in Amazon Sagemaker (DeepAR architecture) • Allows to predict volatility of the time-series. • Useful with low signal-to-noise ratio. Key idea: use generated traces as Monte-Carlo samples to estimate the evolution of the time-series Stock prices Electricity consumption Business sales 2 Salinas et al., DeepAR: Probabilistic forecasting with autoregressive recurrent networks, International Journal of Forecasting, 2020 4 Probabilistic forecasting models for decision-making 2

  9. • Allows to predict volatility of the time-series. • Useful with low signal-to-noise ratio. Key idea: use generated traces as Monte-Carlo samples to estimate the evolution of the time-series Stock prices Electricity consumption Business sales 2 Salinas et al., DeepAR: Probabilistic forecasting with autoregressive recurrent networks, International Journal of Forecasting, 2020 4 Probabilistic forecasting models for decision-making 2 Integrated in Amazon Sagemaker (DeepAR architecture)

  10. We aim at providing an ofg-the-shelf methodology for these attacks • Adaptation of gradient-based adversarial attacks to these new attack objectives for stochastic models • Main technical aspect: developing estimators for propagating the objective gradient through the Monte-Carlo approximation 5 Contributions • New class of attack objectives based on output statistics

  11. We aim at providing an ofg-the-shelf methodology for these attacks • Adaptation of gradient-based adversarial attacks to these new attack objectives for stochastic models • Main technical aspect: developing estimators for propagating the objective gradient through the Monte-Carlo approximation 5 Contributions • New class of attack objectives based on output statistics

  12. We aim at providing an ofg-the-shelf methodology for these attacks • Adaptation of gradient-based adversarial attacks to these new attack objectives for stochastic models • Main technical aspect: developing estimators for propagating the objective gradient through the Monte-Carlo approximation 5 Contributions • New class of attack objectives based on output statistics

  13. We aim at providing an ofg-the-shelf methodology for these attacks • Adaptation of gradient-based adversarial attacks to these new attack objectives for stochastic models • Main technical aspect: developing estimators for propagating the objective gradient through the Monte-Carlo approximation 5 Contributions • New class of attack objectives based on output statistics

  14. • Adaptation of gradient-based adversarial attacks to these new attack objectives for stochastic models • Main technical aspect: developing estimators for propagating the objective gradient through the Monte-Carlo approximation 5 Contributions • New class of attack objectives based on output statistics We aim at providing an ofg-the-shelf methodology for these attacks

  15. Class of attack objectives

  16. Untargeted attacks on information divergence D with the original predicted distribution D q x q x Untargeted/Targeted attacks on the mean of the distribution distance q x y target 6 Stochastic model with input x , and output y ∼ q x ( · ) . Previously considered attack objectives:

  17. Untargeted attacks on information divergence D with the original predicted distribution Untargeted/Targeted attacks on the mean of the distribution distance q x y target 6 Stochastic model with input x , and output y ∼ q x ( · ) . Previously considered attack objectives: max D ( q x + δ ∥ q x ) δ

  18. Untargeted attacks on information divergence D with the original predicted distribution Untargeted/Targeted attacks on the mean of the distribution 6 Stochastic model with input x , and output y ∼ q x ( · ) . Previously considered attack objectives: max D ( q x + δ ∥ q x ) δ ( ) min E q x + δ [ y ] , target δ distance

  19. Extensions: • Bayesian setting q x y z . This corresponds to minimizing distance q x y target • Generalization to simultaneous attack of several statistics. • Statistics depending on x . 7 Framework We perform a targeted attack on a statistic χ ( y ) of the output.

  20. Extensions: • Bayesian setting q x y z . This corresponds to minimizing distance • Generalization to simultaneous attack of several statistics. • Statistics depending on x . 7 Framework We perform a targeted attack on a statistic χ ( y ) of the output. ( ) E q x + δ [ χ ( y )] , target

  21. This corresponds to minimizing distance • Generalization to simultaneous attack of several statistics. • Statistics depending on x . 7 Framework We perform a targeted attack on a statistic χ ( y ) of the output. ( ) E q x + δ [ χ ( y )] , target Extensions: • Bayesian setting q x ( y | z ) .

  22. average i y i 1 i y i i y i Limit sell order Our framework allows to specifically target one of these options threshold y h Barrier option threshold 8 Consider a stock with Asian call option 0 y h European call option Observation z y Name Motivation 1: option pricing in finance • past prices x = ( p 1 , . . . , p t − 1 ) • predicted future prices y = ( p t , . . . , p T ) .

  23. 8 Consider a stock with Our framework allows to specifically target one of these options y h Name Barrier option Observation z European call option Limit sell order Asian call option Motivation 1: option pricing in finance • past prices x = ( p 1 , . . . , p t − 1 ) • predicted future prices y = ( p t , . . . , p T ) . χ ( y ) max( 0 , y h ) average i ( y i ) [ ] max i y i ≥ threshold 1 max i y i ≥ threshold

  24. 8 Consider a stock with Our framework allows to specifically target one of these options y h Name Barrier option Observation z European call option Limit sell order Asian call option Motivation 1: option pricing in finance • past prices x = ( p 1 , . . . , p t − 1 ) • predicted future prices y = ( p t , . . . , p T ) . χ ( y ) max( 0 , y h ) average i ( y i ) [ ] max i y i ≥ threshold 1 max i y i ≥ threshold

  25. uncertainty constraints for the adversarial example. q x y k . to detect adversarial examples. New attacks bypass these defenses by enforcing Our framework allows to express these constraints, with • The entropy q x q y x . • The distribution’s moments 9 Motivation 2: attacking model uncertainty Some defenses use prediction uncertainty

  26. q x y k . to detect adversarial examples. New attacks bypass these defenses by enforcing Our framework allows to express these constraints, with • The entropy q x q y x . • The distribution’s moments 9 Motivation 2: attacking model uncertainty Some defenses use prediction uncertainty uncertainty constraints for the adversarial example.

  27. to detect adversarial examples. New attacks bypass these defenses by enforcing Our framework allows to express these constraints, with 9 Motivation 2: attacking model uncertainty Some defenses use prediction uncertainty uncertainty constraints for the adversarial example. • The entropy E q x [ − log( q [ y | x ])] . • The distribution’s moments E q x [ y k ] .

  28. Details about the estimators

Recommend

Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem

Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem

images from Geris Game (Pixar, 1997) Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem Aykut Erdem Levent Karacan Computer Vision Lab, Hacettepe University Outline Part 1: Attacks on

1.11k views • 72 slides
Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning Stronger Jingfeng Zhang 1 * , Xilie Xu 2* , Bo Han 34 , Gang Niu 4 , Lichen Cui 5 , Masashi Sugiyama 46 , and Mohan Kankanhalli 1 1 Department of Computer

376 views • 14 slides
Stronger and Faster Wasserstein Adversarial Attacks Kaiwen Wu kaiwen.wu@uwaterloo.ca Joint work

Stronger and Faster Wasserstein Adversarial Attacks Kaiwen Wu kaiwen.wu@uwaterloo.ca Joint work

Stronger and Faster Wasserstein Adversarial Attacks Kaiwen Wu kaiwen.wu@uwaterloo.ca Joint work with Allen Wang and Yaoliang Yu K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 1 / 18 Adversarial Examples Adversarial

1.04k views • 38 slides
Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias

Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias

Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias Hein, Bernt Schiele 2-Minute Overview Problem: Robustness to various adversarial examples. Adversarial training on L adversarial examples:

635 views • 34 slides
On Adaptive Attacks to Adversarial Example Defenses Florian Tramr USENIX ScAINet August 10 th

On Adaptive Attacks to Adversarial Example Defenses Florian Tramr USENIX ScAINet August 10 th

On Adaptive Attacks to Adversarial Example Defenses Florian Tramr USENIX ScAINet August 10 th , 2020 Joint work with Nicholas Carlini, Wieland Brendel and Aleksander Madry What Are Adversarial Examples? 88% Tabby Cat 99% Guacamole Biggio

360 views • 21 slides
Attacks Meet Interpretability: Attribute-steered Detection of Adversarial Samples Guanhong Tao ,

Attacks Meet Interpretability: Attribute-steered Detection of Adversarial Samples Guanhong Tao ,

Attacks Meet Interpretability: Attribute-steered Detection of Adversarial Samples Guanhong Tao , Shiqing Ma, Yingqi Liu, Xiangyu Zhang Understanding Adversarial Samples Legitimate input Isla Fisher Model Pixel-wise Differences ( 50 times)

482 views • 34 slides
Adversarial BoltzmannMachines Belief Nets Networks Variational NADE

Adversarial BoltzmannMachines Belief Nets Networks Variational NADE

Unsupervised Learning Non-probabilistic Models Probabilistic Sparse Coding (Generative) Models Autoencoders Others (e.g. k-means) Tractable Models Non-Tractable Models Generative Fully observed Adversarial

815 views • 58 slides
CVPR 2020 Universal Adversarial Attacks Image agnostic and transferable across networks

CVPR 2020 Universal Adversarial Attacks Image agnostic and transferable across networks

1 1,4 2,3 2 3 4 1 CVPR 2020 Universal Adversarial Attacks Image agnostic and transferable across networks Adversarial No defense: Baseline DNN perturbation Input image Classification Feature extraction dense Perturbed image

592 views • 6 slides
On Certifying Non-uniform Bounds against Adversarial Attacks Chen Liu , Ryota Tomioka ,

On Certifying Non-uniform Bounds against Adversarial Attacks Chen Liu , Ryota Tomioka ,

On Certifying Non-uniform Bounds against Adversarial Attacks Chen Liu , Ryota Tomioka , Volkan Cevher Ecole Polytechnique F ed erale de Lausanne Microsoft Research Cambridge June 11th, 2019 Liu et al. (EPFL)

557 views • 17 slides
15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico

15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico

15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico Kolter (this lecture) and Ariel Procaccia Carnegie Mellon University Spring 2018 Portions base upon joint work with Eric Wong 1 Outline Adverarial

710 views • 39 slides
Overview What is Adversarial Attack? Why should we care? How does it work? Real

Overview What is Adversarial Attack? Why should we care? How does it work? Real

Adversarial Attacks on Phishing Detection Ryan Chang Overview What is Adversarial Attack? Why should we care? How does it work? Real World Demo on Phishing Detection Model How to defend? Adversarial Examples on

610 views • 26 slides
Counteracting Adversarial Attacks in Autonomous Driving Qi Sun 1 , Arjun Ashok Rao 1 , Xufeng Yao

Counteracting Adversarial Attacks in Autonomous Driving Qi Sun 1 , Arjun Ashok Rao 1 , Xufeng Yao

Counteracting Adversarial Attacks in Autonomous Driving Qi Sun 1 , Arjun Ashok Rao 1 , Xufeng Yao 1 , Bei Yu 1 , Shiyan Hu 2 1 The Chinese University of Hong Kong 2 University of Southampton 1 / 21 Vision-Based Object Detection Classification

640 views • 29 slides
Learning a Probabilistic Latent Space of Object Shapes via 3D Generative-Adversarial Modeling

Learning a Probabilistic Latent Space of Object Shapes via 3D Generative-Adversarial Modeling

Learning a Probabilistic Latent Space of Object Shapes via 3D Generative-Adversarial Modeling Jiajun Wu* Chengkai Zhang* Tianfan Xue Bill Freeman Josh Tenenbaum NIPS 2016 (* indicates equal contribution) Outline Synthesizing 3D shapes

967 views • 65 slides
CSC321 Lecture 20: Reversible and Autoregressive Models Roger Grosse Roger Grosse CSC321

CSC321 Lecture 20: Reversible and Autoregressive Models Roger Grosse Roger Grosse CSC321

CSC321 Lecture 20: Reversible and Autoregressive Models Roger Grosse Roger Grosse CSC321 Lecture 20: Reversible and Autoregressive Models 1 / 23 Overview Four modern approaches to generative modeling: Generative adversarial networks (last

561 views • 23 slides
Adversary for Social Good: Protecting Familial Privacy through Joint Adversarial Attacks Chetan

Adversary for Social Good: Protecting Familial Privacy through Joint Adversarial Attacks Chetan

Adversary for Social Good: Protecting Familial Privacy through Joint Adversarial Attacks Chetan Kumar, Riazat Ryan, Ming Shao Department of Computer and Information Science, University of Massachusetts, Dartmouth Data Leakage: Limited time

294 views • 27 slides
SimBA: Simple Black-box Adversarial Attacks Chuan Guo , Jacob R. Gardner, Yurong You, Andrew

SimBA: Simple Black-box Adversarial Attacks Chuan Guo , Jacob R. Gardner, Yurong You, Andrew

SimBA: Simple Black-box Adversarial Attacks Chuan Guo , Jacob R. Gardner, Yurong You, Andrew Gordon Wilson, Kilian Q. Weinberger June 12, 2019 <latexit

383 views • 11 slides
Chapter 4: Video 1 - Supplemental slides The Autoregressive Model Autoregressive (AR) processes

Chapter 4: Video 1 - Supplemental slides The Autoregressive Model Autoregressive (AR) processes

Chapter 4: Video 1 - Supplemental slides The Autoregressive Model Autoregressive (AR) processes Let 1 , 2 , . . . be White Noise(0, 2 ) innovations, with variance 2 Then, Y 1 , Y 2 , . . . is an AR process if for some constants

398 views • 4 slides
Adversarial Attacks on Node Embeddings via Graph Poisoning Aleksandar Bojchevski, Stephan

Adversarial Attacks on Node Embeddings via Graph Poisoning Aleksandar Bojchevski, Stephan

Adversarial Attacks on Node Embeddings via Graph Poisoning Aleksandar Bojchevski, Stephan Gnnemann Technical University of Munich ICML 2019 Node embeddings are used to Classify scientific papers Recommend items Classify proteins

336 views • 21 slides
Adversarial Attacks and Defenses in Deep Learning Hang Su suhangss@tsinghua.edu.cn Institute for

Adversarial Attacks and Defenses in Deep Learning Hang Su suhangss@tsinghua.edu.cn Institute for

Adversarial Attacks and Defenses in Deep Learning Hang Su suhangss@tsinghua.edu.cn Institute for Artificial Intelligence Dept. of Computer Science & Technology Tsinghua University 1 Background Artificial intelligence (AI) is a

917 views • 63 slides
On Evaluation of Adversarial Perturbations for Sequence-to-Sequence Models Paul Michel, Xian Li,

On Evaluation of Adversarial Perturbations for Sequence-to-Sequence Models Paul Michel, Xian Li,

On Evaluation of Adversarial Perturbations for Sequence-to-Sequence Models Paul Michel, Xian Li, Graham Neubig, Juan Pino Adversarial Attacks/Perturbations Apply a small (indistinguishable) perturbation to the input that elicit large

908 views • 75 slides
Vulnerabilities of Voice Assistants at the Edge: From Defeating Hidden Voice Attacks to

Vulnerabilities of Voice Assistants at the Edge: From Defeating Hidden Voice Attacks to

DAISY D ata A nalysis and I nformation S ecurit Y Lab Vulnerabilities of Voice Assistants at the Edge: From Defeating Hidden Voice Attacks to Audio-based Adversarial Attacks Yingying (Jennifer) Chen Professor, Electrical and Computer

1.05k views • 46 slides
Adversarial Attacks Beyond the Image Space Xiaohui Zeng , Chenxi Liu, Yu-Siang Wang, Weichao Qiu,

Adversarial Attacks Beyond the Image Space Xiaohui Zeng , Chenxi Liu, Yu-Siang Wang, Weichao Qiu,

Adversarial Attacks Beyond the Image Space Xiaohui Zeng , Chenxi Liu, Yu-Siang Wang, Weichao Qiu, Lingxi Xie, Yu-Wing Tai, Chi Keung Tang, Alan Yuille 06/19/2019 Visual Recognition Pipeline Visual Recognition Pipeline 3D scene Visual

577 views • 32 slides
Provably Robust Boosted Decision Stumps and Trees against Adversarial Attacks Maksym

Provably Robust Boosted Decision Stumps and Trees against Adversarial Attacks Maksym

Provably Robust Boosted Decision Stumps and Trees against Adversarial Attacks Maksym Andriushchenko (EPFL ) Matthias Hein (University of T ubingen) Work done at the University of T ubingen SMLD 2019, NeurIPS 2019 Stumps Trees

848 views • 70 slides
ON THE ADVERSARIAL ROBUSTNESS OF UNCERTAINTY AWARE DEEP NEURAL NETWORKS APRIL 29 TH , 2019

ON THE ADVERSARIAL ROBUSTNESS OF UNCERTAINTY AWARE DEEP NEURAL NETWORKS APRIL 29 TH , 2019

ON THE ADVERSARIAL ROBUSTNESS OF UNCERTAINTY AWARE DEEP NEURAL NETWORKS APRIL 29 TH , 2019 PREPARED BY: ALI HARAKEH QUESTION Can a neural network mitigate the effects of adversarial attacks by estimating the uncertainty in its predictions ?

1.14k views • 26 slides

More recommend