by learning the distributions of adversarial examples
play

by learning the Distributions of Adversarial Examples Boqing Gong - PowerPoint PPT Presentation

Dec 31, 2022 •317 likes •750 views

by learning the Distributions of Adversarial Examples Boqing Gong Joint work with Yandong Li, Lijun Li, Liqiang Wang, & Tong Zhang Published in ICML 2019 Intriguing properties of deep neural networks (DNNs) Szegedy, C., Zaremba, W.,

  1. by learning the Distributions of Adversarial Examples Boqing Gong Joint work with Yandong Li, Lijun Li, Liqiang Wang, & Tong Zhang Published in ICML 2019

  2. Intriguing properties of deep neural networks (DNNs) Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., & Fergus, R. (2014). Intriguing properties of neural networks. ICLR . Goodfellow, I. J., Shlens, J., & Szegedy, C. (2015). Explaining and harnessing adversarial examples. ICLR .

  3. Intriguing properties of deep neural networks (DNNs) Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., & Fergus, R. (2014). Intriguing properties of neural networks. ICLR . Goodfellow, I. J., Shlens, J., & Szegedy, C. (2015). Explaining and harnessing adversarial examples. ICLR .

  4. Projected gradient descent (PGD) attack Madry, A., Makelov, A., Schmidt, L., Tsipras, D., & Vladu, A. (2017). Towards deep learning models resistant to adversarial attacks. arXiv:1706.06083 . Kurakin, A., Goodfellow, I., & Bengio, S. (2016). Adversarial machine learning at scale. arXiv preprint arXiv:1611.01236 .

  5. Intriguing results (1) ~100% attack success rates on CIFAR10 & ImageNet vs

  6. Intriguing results (2)

  7. Intriguing results (2) Adversarial examples generalize between different DNNs vs E.g., AlexNet InceptionV3

  8. Intriguing results (3) A universal adversarial perturbation Moosavi-Dezfooli, S. M., Fawzi, A., Fawzi, O., & Frossard, P. (2017). Universal adversarial perturbations. CVPR.

  9. In a nutshell, white-box adversarial attacks can Fool different DNNs for almost all test examples Most data points lie near the classification boundaries. Fool different DNNs by the same adversarial examples The classification boundaries of various DNNs are close. Fool different DNNs by a single universal perturbation We can turn most examples to adversarial by moving them along the same direction by the same amount.

  10. However, white-box adversarial attacks can Not apply to most real-world scenarios Not work when the network architecture is unknown Not work when the weights are unknown Not work when querying networks is (e.g., cost) prohibitive

  11. Substitute attack (Papernot Black-box attacks et al., 2017) Decision-based (Brendel et al., 2017) Panda Boundary-tracing (Cheng et al., 2019) Zero-th order (Chen et al., 2017) Panda: 0.88493 Natural evolution Indri: 0.00878 strategies (Ilyas et al., 2018) Red Panda: 0.00317

  12. The? adversarial perturbation (for an input) Bad local optimum, non-smooth optimization, curse of dimensionality, defense-specific gradient estimation, etc. Athalye, A., Carlini, N., & Wagner, D. (2018). Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. ICML .

  13. Our work Learns the distribution of adversarial examples (for any input)

  14. Our work Learns the distribution of adversarial examples (for an input) Reduces the “attack dimension” Fewer queries into the network. Smoothes the optimization Higher attack success rates. Characterizes the risk of the input example New defense methods.

  15. Our work Learns the distribution of adversarial examples (for an input) > > >

  16. Our work Learns the distribution of adversarial examples (for an input) A sample from the distribution fails DNN by a high chance.

  17. Which family of distributions?

  18. Natural evolution strategies (NES) Wierstra, D., Schaul, T., Glasmachers, T., Sun, Y., Peters, J., & Schmidhuber, J. (2014). Natural evolution strategies. JMLR. .

  19. Natural evolution strategies (NES) Wierstra, D., Schaul, T., Glasmachers, T., Sun, Y., Peters, J., & Schmidhuber, J. (2014). Natural evolution strategies. JMLR. .

  20. Natural evolution strategies (NES) Wierstra, D., Schaul, T., Glasmachers, T., Sun, Y., Peters, J., & Schmidhuber, J. (2014). Natural evolution strategies. JMLR. .

  21. Natural evolution strategies (NES) Wierstra, D., Schaul, T., Glasmachers, T., Sun, Y., Peters, J., & Schmidhuber, J. (2014). Natural evolution strategies. JMLR. .

  22. Natural evolution strategies (NES) Wierstra, D., Schaul, T., Glasmachers, T., Sun, Y., Peters, J., & Schmidhuber, J. (2014). Natural evolution strategies. JMLR. .

  23. Natural evolution strategies (NES) Wierstra, D., Schaul, T., Glasmachers, T., Sun, Y., Peters, J., & Schmidhuber, J. (2014). Natural evolution strategies. JMLR. .

  24. Natural evolution strategies (NES) Wierstra, D., Schaul, T., Glasmachers, T., Sun, Y., Peters, J., & Schmidhuber, J. (2014). Natural evolution strategies. JMLR. .

  25. Black-box

  26. Experiment setup Attack 13 defended DNNs & 2 vanilla DNNs Consider both and Examine all test examples of CIFAR10 & 1000 of ImageNet Excluding those misclassified by the targeted DNN Evaluate by attack success rates

  27. Attack success rates, ImageNet

  28. Attack success rates, CIFAR10

  29. Attack success rate vs. optimization steps

  30. Transferabilities of the adversarial examples

  31. A universally effective defense technique? Adversarial training / defensive learning DNN weights The PGD attack

  32. In a nutshell, Is a powerful black-box attack, >= white-box attacks Is universal , failed various defenses by the same algorithm Characterizes the distributions of adversarial examples Reduces the “attack dimension” Speeds up the defensive learning (ongoing work)

  33. Physical Joint work with Yang Zhang, adversarial attack Hassan Foroosh, & David Phil Boqing Gong Published in ICLR 2019

  34. Recall the following result A universal adversarial perturbation Moosavi-Dezfooli, S. M., Fawzi, A., Fawzi, O., & Frossard, P. (2017). Universal adversarial perturbations. CVPR.

  35. Physical attack: universal perturbation → 2D mask Eykholt, Kevin, Ivan Evtimov, Earlence Fernandes, Bo Li, Amir Rahmati, Chaowei Xiao, Atul Prakash, Tadayoshi Kohno, and Dawn Song. "Robust physical-world attacks on deep learning models." CVPR 2018 .

  36. Physical attack: 2D mask → 3D camouflage Gradient descent w.r.t. camouflage c in order to minimize detection scores for the vehicle under all feasible locations Non-differentiable

  37. Physical attack: 2D mask → 3D camouflage Repeat until done 1. Camouflage a vehicle 2. Drive it around and take many pictures of it 3. Detect it by Faster-RCNN & save the detection scores → Dataset: {(camouflage, vehicle, background, detection score)}

  38. Physical attack: 2D mask → 3D camouflage Fit a DNN to predict any camouflage’s corresponding detection scores

  39. Physical attack: 2D mask → 3D camouflage Gradient descent w.r.t. Camouflage c in order to minimize detection scores for the vehicle under all feasible locations Non-differentiable But approximated by a DNN

  41. Why do we care?

  42. Observation, re-observation, & future work Defended DNNs are still vulnerable to transfer attacks (only to some moderate degree though) Adversarial examples from black-box attacks are less transferable than those from white-box attacks All future work on defenses will adopt adversarial training Adversarial training will become faster (we are working on it) We should certify DNNs’ expected robustness by

  43. New works to watch Stateful DNNs: Goodfellow (2019). A Research Agenda: Dynamic Models to Defend Against Correlated Attacks. arXiv: 1903.06293. Explaining adversarial examples: Ilyas et al. (2019) Adversarial Examples Are Not Bugs, They Are Features. arXiv:1905.02175. Faster adversarial training: Zhang et al. (2019). You Only Propagate Once: Painless Adversarial Training Using Maximal Principle. arXiv:1905.00877. && Shafahi et al. (2019). Adversarial Training for Free! arXiv: 1904.12843. Certifying DNNs’ expected robustness: Webb et al. (2019). A Statistical Approach to Assessing Neural Network Robustness. ICLR. && Cohen et al. (2019). Certified adversarial robustness via randomized smoothing. arXiv preprint arXiv:1902.02918.

Recommend

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on Deep Neural Networks Yandong Li* 1 Lijun Li* 1 Liqiang Wang 1 Tong Zhang 2 Boqing Gong 3 *Equal Contribution 1 University of Central Florida 2 Hong

440 views • 11 slides
Physical Adversarial Examples Alex Kurakin Ian Goodfellow Output STOP Machine Learning

Physical Adversarial Examples Alex Kurakin Ian Goodfellow Output STOP Machine Learning

Physical Adversarial Examples Alex Kurakin Ian Goodfellow Output STOP Machine Learning Training Examples Hidden units / BICYCLE features CAR PEDESTRIA N Parameters Input ImageNet (Russakovsky et al 2015) Adversarial Examples: Images

369 views • 19 slides
Vulnerability of machine learning models to adversarial examples Petra Vidnerov Institute of

Vulnerability of machine learning models to adversarial examples Petra Vidnerov Institute of

Vulnerability of machine learning models to adversarial examples Petra Vidnerov Institute of Computer Science The Czech Academy of Sciences Hora Informaticae 2016 Outline Introduction Works on adversarial examples Our work Genetic

855 views • 46 slides
Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML

Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML

Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML models that an attacker has intentionally designed to cause the model to make a mistake 1 Why this is interesting: Safety. Interpretability.

881 views • 22 slides
Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs

Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs

Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs William Wang 10:30 11:00 Break - 11:00 12:15 Adversarial Examples Sameer Singh 12:15 12:30 Conclusions and Question Answering William

1.75k views • 105 slides
CSC321 Lecture 22: Adversarial Learning Roger Grosse Roger Grosse CSC321 Lecture 22: Adversarial

CSC321 Lecture 22: Adversarial Learning Roger Grosse Roger Grosse CSC321 Lecture 22: Adversarial

CSC321 Lecture 22: Adversarial Learning Roger Grosse Roger Grosse CSC321 Lecture 22: Adversarial Learning 1 / 26 Overview Two topics for today: Adversarial examples: examples carefully crafted to cause an undesirable behavior (e.g.

412 views • 26 slides
Adversarial Examples and Adversarial Training Innova&ve Technology Leader program January 22

Adversarial Examples and Adversarial Training Innova&ve Technology Leader program January 22

Adversarial Examples and Adversarial Training Innova&ve Technology Leader program January 22 nd 2018 Florian Tramr Stanford Deep Learning is Super Smart! 2 Is it really? + . 007 = Im sure this Im certain this is a panda is

452 views • 12 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google Brain CS 231n, Stanford University, 2017-05-30 Overview What are adversarial examples? Why do they happen? How can they be used to

866 views • 43 slides
The case for dynamic defenses against adversarial examples Ian Goodfellow SafeML ICLR Workshop

The case for dynamic defenses against adversarial examples Ian Goodfellow SafeML ICLR Workshop

The case for dynamic defenses against adversarial examples Ian Goodfellow SafeML ICLR Workshop 2019-05-06 New Orleans Based on https://arxiv.org/pdf/1903.06293.pdf Definition Adversarial examples are inputs to machine learning models that

411 views • 22 slides
A Closer Look at Adversarial Examples for Separated Data Kamalika Chaudhuri University of

A Closer Look at Adversarial Examples for Separated Data Kamalika Chaudhuri University of

A Closer Look at Adversarial Examples for Separated Data Kamalika Chaudhuri University of California, San Diego Adversarial Examples Gibbon Panda Small perturbation to legitimate inputs causing misclassification Adversarial Examples Can

1.41k views • 42 slides
Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin Kwok Adversarial examples Adversarial examples Imperceptible perturbations to an input can change a neural network's prediction adversarial

1.06k views • 23 slides
Thermometer Encoding: One Hot Way to Resist Adversarial Examples Stanford, 2017-11-16 Aurko Roy*

Thermometer Encoding: One Hot Way to Resist Adversarial Examples Stanford, 2017-11-16 Aurko Roy*

Thermometer Encoding: One Hot Way to Resist Adversarial Examples Stanford, 2017-11-16 Aurko Roy* Colin Ra ff el Jacob Ian Buckman* Goodfellow *joint first author Adversarial Examples Adversarial Definitely Probably panda perturbation

607 views • 15 slides
Adversarial Examples in NLP Sameer Singh sameer@uci.edu @sameer_ sameersingh.org What are

Adversarial Examples in NLP Sameer Singh sameer@uci.edu @sameer_ sameersingh.org What are

Slides: http://tiny.cc/adversarial Adversarial Examples in NLP Sameer Singh sameer@uci.edu @sameer_ sameersingh.org What are Adversarial Examples? panda gibbon 57.7% confidence 99.3% confidence [Goodfellow et al, ICLR 2015 ]

1.56k views • 43 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

Todays Story: How I got my first Death Threat ? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr October 8 th 2019 Joint work with Pascal Dupr, Gili Rusak, Giancarlo Pellegrino and Dan Boneh The

415 views • 29 slides
Explaining and Harnessing Adversarial Examples Ian J. Goodfellow, Jonathon Shlens, &

Explaining and Harnessing Adversarial Examples Ian J. Goodfellow, Jonathon Shlens, &

Explaining and Harnessing Adversarial Examples Ian J. Goodfellow, Jonathon Shlens, & Christian Szegedy Presented by - Kawin Ethayarajh and Abhishek Tiwari Introduction - adversarial examples : Inputs formed by applying small but

1.49k views • 103 slides
Neglected topics CS 446 Adversarial examples and deep networks 1 / 23 Adversarial

Neglected topics CS 446 Adversarial examples and deep networks 1 / 23 Adversarial

Neglected topics CS 446 Adversarial examples and deep networks 1 / 23 Adversarial examples? Standard ML setup: We have training data; try to do well on withheld testing data. Adversarial/robust ML setup: We have training

672 views • 27 slides
When foes are friends adversarial examples as protective technologies Carmela Troncoso

When foes are friends adversarial examples as protective technologies Carmela Troncoso

When foes are friends adversarial examples as protective technologies Carmela Troncoso @carmelatroncoso Security and Privacy Engineering Lab The machine learning revolution 2 Machine Learning ) Definition (Wikipedia) Machine learning [...]

965 views • 58 slides
Learning Universal Adversarial Perturbations with Generative Models Jamie Hayes & George

Learning Universal Adversarial Perturbations with Generative Models Jamie Hayes & George

Learning Universal Adversarial Perturbations with Generative Models Jamie Hayes & George Danezis UCL Adversarial examples transfer between different models. An adversarial example crafted against one model will generally fool other models.

515 views • 18 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security Seminar, Stanford University, 2017-01-17 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013

939 views • 44 slides
On the Defense Against Adversarial Examples Beyond the Visible Spectrum Anthony Ortiz 1 , Olac

On the Defense Against Adversarial Examples Beyond the Visible Spectrum Anthony Ortiz 1 , Olac

On the Defense Against Adversarial Examples Beyond the Visible Spectrum Anthony Ortiz 1 , Olac Fuentes 1 , Dalton Rosario 2 , Christopher Kiekintveld 1 1 Department of Computer Science, UTEP 2 US Army Research Laboratory Adversarial Examples on

460 views • 19 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Guest

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Guest

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Guest lecture for CS 294-131, UC Berkeley, 2016-10-05 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013

660 views • 44 slides
Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin Kwok Standard Adversarial Examples Given image x ; target class y Maximize with projected gradient descent: Standard Adversarial Examples Standard

560 views • 15 slides
Adversarial Examples presentation by Ian Goodfellow Deep Learning Summer School Montreal August

Adversarial Examples presentation by Ian Goodfellow Deep Learning Summer School Montreal August

Adversarial Examples presentation by Ian Goodfellow Deep Learning Summer School Montreal August 9, 2015 Google Proprietary In this presentation. - Intriguing Properties of Neural Networks. Szegedy et al., ICLR 2014. -

464 views • 42 slides

More recommend