certified robustness to adversarial examples with di ff
play

Certified Robustness to Adversarial Examples with Di ff erential - PowerPoint PPT Presentation

Feb 21, 2024 •195 likes •680 views

Certified Robustness to Adversarial Examples with Di ff erential Privacy Mathias Lcuyer, Vaggelis Atlidakis, Roxana Geambasu, Daniel Hsu, Suman Jana Columbia University Code: https://github.com/columbia/pixeldp Contact:

  1. Certified Robustness to Adversarial Examples with Di ff erential Privacy Mathias Lécuyer, Vaggelis Atlidakis, Roxana Geambasu, Daniel Hsu, Suman Jana Columbia University Code: https://github.com/columbia/pixeldp 
 Contact: mathias@cs.columbia.edu

  2. Deep Learning • Deep Neural Networks (DNNs) deliver remarkable performance on many tasks. • DNNs are increasingly deployed, including in attack-prone contexts: Taylor Swift Said to Use Facial Recognition to Identify Stalkers By Sopan Deb, Natasha Singer - Dec. 13, 2018 � 2

  3. Example softmax 1.0 input layer layer layer x 1 2 3 0.5 ticket 1 0.1 … ticket 2 … 0.2 … ticket 3 0.1 no ticket 0.6 no ticket ticket 3 ticket 1 ticket 2 � 3

  4. Example But DNNs are vulnerable to adversarial example attacks. softmax 1.0 input layer layer layer x 1 2 3 0.5 0.1 … … 0.2 … argmax 0.1 0.6 no ticket no ticket ticket 3 ticket 1 ticket 2 � 4

  5. Example But DNNs are vulnerable to adversarial example attacks. + softmax 1.0 input layer layer layer x 1 2 3 0.5 0.1 0.1 … … 0.2 0.7 … argmax 0.1 0.1 0.1 0.6 no ticket ticket 2 no ticket ticket 3 ticket 1 ticket 2 � 5

  6. Accuracy under attack Inception-v3 DNN on ImageNet dataset. Giant panda 1 || α || = 1.06 || α || = 0.52 2 2 0.75 Accuracy (top 1) 0.5 Teddy bear Teapot 0.25 0 0 0.5 1 1.5 2 2.5 3 Size of attack α (2-norm) � 6

  7. Best-e ff ort approaches 1. Evaluate accuracy under attack: • Launch an attack on examples in a test set. • Compute accuracy on the attacked examples. 2. Improve accuracy under attack: • Many approaches: e.g. train on adversarial examples. (e.g Goodfellow+ '15; Papernot+ '16; Buckman+ '18; Guo+ '18) Problem: both steps are attack specific, leading to an arms race that attackers are winning. (e.g Carlini-Wagner '17; Athalye+ '18) 7

  8. Key questions • Guaranteed accuracy: what is my minimum accuracy under any attack? • Prediction robustness: given a prediction can any attack change it? 8

  9. Key questions • Guaranteed accuracy: what is my minimum accuracy under any attack? • Prediction robustness: given a prediction can any attack change it? • A few recent approaches with provable guarantees. (e.g. Wong-Kolter '18; Raghunathan+ '18; Wang+ '18) • Poor scalability in terms of: • Input dimension (e.g. number of pixels). • DNN size. • Size of training data. 9

  10. Key questions • Guaranteed accuracy: what is my minimum accuracy under any attack? • Prediction robustness: given a prediction can any attack change it? • My defense PixelDP gives answers for norm bounded attacks. • Key idea: novel use of differential privacy theory at prediction time. • The most scalable approach: first provable guarantees for large models on ImageNet! 10

  11. PixelDP outline Motivation Design Evaluation 11

  12. Key idea • Problem: small input perturbations create large score changes. = 2 + softmax 1.0 input layer layer layer x 1 2 3 0.5 0.1 0.1 … … 0.7 0.6 … argmax 0.1 0.1 0.1 0.2 ticket 2 no ticket ticket 3 ticket 1 ticket 2 � 12

  13. Key idea • Problem: small input perturbations create large score changes. • Idea: design a DNN with bounded maximum score changes 
 (leveraging Differential Privacy theory). = 2 + softmax 1.0 input layer layer layer x 1 2 3 0.5 0.1 0.1 … … 0.6 0.7 … argmax 0.1 0.1 0.1 0.2 ticket 2 no ticket ticket 3 ticket 1 ticket 2 � 13

  14. Di ff erential Privacy • Differential Privacy (DP): technique to randomize a computation over a database, such that changing one data point can only lead to bounded changes in the distribution over possible outputs. • For ( ε , δ )-DP randomized computation A f : ≤ P ( A f ( d ) ∈ S ) ≤ e ✏ P ( A f ( d 0 ) ∈ S ) + δ • We prove the Expected Output Stability Bound. For any DP mechanism with bounded outputs in [0, 1] we have: ( A f ( d ) ( A f ( d 0 ) � 14

  15. Key idea • Problem: small input perturbations create large score changes. • Idea: design a DNN with bounded maximum score changes 
 (leveraging Differential Privacy theory). Make prediction DP softmax 1.0 input layer layer layer x 1 2 3 0.5 0.1 … … 0.2 … argmax 0.1 0.6 no ticket no ticket ticket 3 ticket 1 ticket 2 � 15

  16. Key idea • Problem: small input perturbations create large score changes. • Idea: design a DNN with bounded maximum score changes 
 (leveraging Differential Privacy theory). stability bounds Make prediction DP softmax 1.0 input layer layer layer x 1 2 3 0.5 0.1 0.1 … … 0.2 0.2 … argmax 0.1 0.1 0.6 0.6 stalker 2 no ticket ticket 3 ticket 1 ticket 2 � 16

  17. Key idea • Problem: small input perturbations create large score changes. • Idea: design a DNN with bounded maximum score changes 
 (leveraging Differential Privacy theory). stability bounds Make prediction DP softmax 1.0 input layer layer layer x 1 2 3 0.5 0.1 0.1 … … 0.2 0.2 … argmax 0.1 0.1 0.6 0.6 stalker 2 no ticket ticket 3 ticket 1 ticket 2 � 17

  18. PixelDP architecture 1. Add a new noise layer to make DNN DP . 2. Estimate the DP DNN's mean scores. 3. Add estimation error in the stability bounds. � 18

  19. PixelDP architecture softmax input layer layer layer x 1 2 3 0.2 … … 0.1 … + 0.1 0.6 noise layer 1. Add a new noise layer to make DNN DP . 2. Estimate the DP DNN's mean scores. 3. Add estimation error in the stability bounds. � 19

  20. … 3. Add estimation error in the stability bounds. 2. Estimate the DP DNN's mean scores. 1. Add a new noise layer to make DNN DP ( input x ( ε , δ )-DP … layer 1 noise layer + … layer 2 PixelDP architecture layer 3 softmax 0.6 0.1 0.1 0.2 � 20 .

  21. output of an ( ε , δ )-DP mechanism is still ( ε , δ )-DP Resilience to post-processing : any computation on the … 3. Add estimation error in the stability bounds. 2. Estimate the DP DNN's mean scores. 1. Add a new noise layer to make DNN DP input x … layer 1 noise layer + … layer ( 2 PixelDP architecture layer 3 softmax 0.6 0.1 0.1 0.2 � 21 . .

  22. PixelDP architecture softmax ^ input layer layer layer x 1 2 3 0.1 0.2 Compute empirical mean with ? … … 0.2 0.1 … + standard Monte Carlo estimate. 0.1 0.1 0.6 0.6 noise layer 1. Add a new noise layer to make DNN DP . 2. Estimate the DP DNN's mean scores. 3. Add estimation error in the stability bounds. � 22

  23. PixelDP architecture η -confidence intervals stability bounds softmax ^ input layer layer layer ^ x 1 2 3 0.1 0.2 1.0 … … 0.2 0.1 … + 0.1 0.1 0.6 0.6 0.5 noise layer stalker 3 harmless stalker 1 stalker 2 1. Add a new noise layer to make DNN DP . 2. Estimate the DP DNN's mean scores. 3. Add estimation error in the stability bounds. � 23

  24. PixelDP architecture η -confidence intervals stability bounds softmax ^ input layer layer layer ^ x 1 2 3 0.1 0.2 1.0 … … 0.2 0.1 … + 0.1 0.1 0.6 0.6 0.5 noise layer stalker 3 harmless stalker 1 stalker 2 1. Add a new noise layer to make DNN DP . 2. Estimate the DP DNN's mean scores. 3. Add estimation error in the stability bounds. � 24

  25. Further challenges • Train DP DNN with noise. • Control pre-noise sensitivity during training. • Support various attack norms ( ). 0 , L 1 , L 2 , L 1 • Scale to large DNNs and datasets. � 25

  26. Scaling to Inception on ImageNet • Large dataset: image resolution is 300x300x3. • Large model: • 48 layers deep. • 23 millions parameters. • Released pre-trained by Google on ImageNet. Inception-v3 � 26

  27. Scaling to Inception on ImageNet PixelDP auto-encoder input input x x … … … … + noise layer 5 � 27

  28. PixelDP auto-encoder … … + Scaling to Inception on ImageNet ( … … Inception-v3 � 28 Post-processing

  29. PixelDP Outline Motivation Design Evaluation 29

  30. Evaluation: 1. Guaranteed accuracy on large DNNs/datasets 2. Are robust predictions harder to attack in practice? 3. Comparison with other defenses against state-of-the- art attacks. � 30

  31. Methodology Five datasets: Three models: Number of Number of 
 Number of Dataset Image size Dataset Classes Layers Parameters ImageNet 299x299x3 1000 Inception-v3 48 23M CIFAR-100 32x32x3 100 Wide ResNet 28 36M CIFAR-10 32x32x3 10 CNN 3 3M SVHN 32x32x3 10 MNIST 28x28x1 10 Metrics: Attack methodology: • Guaranteed accuracy. • State of the art attack [Carlini and Wagner S&P'17]. • Accuracy under attack. • Strengthened against our defense by averaging gradients over multiple noise draws. � 31

  32. Guaranteed accuracy on ImageNet with Inception-v3 Accuracy Guaranteed accuracy (%) Model (%) 0.05 0.1 0.2 Baseline 78 - - - PixelDP: L=0.25 68 63 0 0 More DP noise PixelDP: L=0.75 58 53 49 40 Meaningful guaranteed accuracy for ImageNet! � 32

  33. Accuracy on robust predictions Baseline Precision: threshold 0.05 Recall: threshold 0.05 1 0.9 Accuracy (top 1) 0.8 0.7 Dataset: CIFAR-10 0.6 0.5 0.4 0.3 0.2 0.1 0 0 0.2 0.4 0.6 0.8 1 1.2 1.4 Attack size (2-norm) What if we only act on robust predictions? 
 (e.g. if not robust, check ticket) � 33

Recommend

Certified Adversarial Robustness via Randomized Smoothing Jeremy Cohen Elan Rosenfeld

Certified Adversarial Robustness via Randomized Smoothing Jeremy Cohen Elan Rosenfeld

Certified Adversarial Robustness via Randomized Smoothing Jeremy Cohen Elan Rosenfeld Zico Kolter Carnegie Mellon University Introduction We study a certified adversarial defense in " norm which scales to ImageNet

1.5k views • 12 slides
Limits on Robustness to Adversarial Examples Elvis Dohmatob Criteo AI Lab October 2, 2019 Elvis

Limits on Robustness to Adversarial Examples Elvis Dohmatob Criteo AI Lab October 2, 2019 Elvis

Preliminaries on adversarial robustness Classifier-dependent lower bounds Universal lower bounds Limits on Robustness to Adversarial Examples Elvis Dohmatob Criteo AI Lab October 2, 2019 Elvis Dohmatob Limits on Robustness to Adversarial

763 views • 74 slides
Scalable Differential Privacy with Certified Robustness in Adversarial Learning NhatHai Phan 1 ,

Scalable Differential Privacy with Certified Robustness in Adversarial Learning NhatHai Phan 1 ,

The 37th International Conference on Machine Learning (ICML20), Jul 12 th - 18 th , 2020. Scalable Differential Privacy with Certified Robustness in Adversarial Learning NhatHai Phan 1 , My T. Thai 2 , Han Hu 1 , Ruoming Jin 3 , Tong Sun 4 ,

860 views • 23 slides
Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr & Dan Boneh NeurIPS 2019 Adversarial examples 88% Tabby Cat 99% Guacamole Szegedy et al., 2014 Goodfellow et al., 2015 Athalye, 2017 Adversarial

564 views • 23 slides
Lessons Learned from Evaluating the Robustness of Defenses to Adversarial Examples Nicholas

Lessons Learned from Evaluating the Robustness of Defenses to Adversarial Examples Nicholas

Lessons Learned from Evaluating the Robustness of Defenses to Adversarial Examples Nicholas Carlini Google Research Lessons Learned from Evaluating the Robustness of Defenses to Adversarial Examples Lessons Learned from Evaluating the

1.28k views • 127 slides
How CLEVER is is your neural network? Robustness evaluation against adversarial examples Pin-Yu

How CLEVER is is your neural network? Robustness evaluation against adversarial examples Pin-Yu

How CLEVER is is your neural network? Robustness evaluation against adversarial examples Pin-Yu Chen IBM Research AI OReilly AI Conference @ London 2018 IBM Research AI Label it! IBM Research AI Label it! AI model says: ostrich IBM

852 views • 36 slides
Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias

Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias

Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias Hein, Bernt Schiele 2-Minute Overview Problem: Robustness to various adversarial examples. Adversarial training on L adversarial examples:

635 views • 34 slides
Exploring the Landscape of Spa5al Robustness Logan Engstrom (with Brandon Tran*, Dimitris

Exploring the Landscape of Spa5al Robustness Logan Engstrom (with Brandon Tran*, Dimitris

Exploring the Landscape of Spa5al Robustness Logan Engstrom (with Brandon Tran*, Dimitris Tsipras*, Ludwig Schmidt, Aleksander Mdry) madry-lab.ml ML Glitch: Adversarial Examples ML Glitch: Adversarial Examples pig small,

604 views • 44 slides
Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu xiwu@cs.wisc.edu Joint work with Uyeong Jang, Jiefeng Chen, Lingjiao Chen, and Somesh Jha July 19, 2018 Xi Wu Model Confidence and Adversarial

740 views • 9 slides
Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML

Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML

Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML models that an attacker has intentionally designed to cause the model to make a mistake 1 Why this is interesting: Safety. Interpretability.

881 views • 22 slides
Adversarial Domain Adaptation and Adversarial Robustness Judy Hoffman + = Big Deep success

Adversarial Domain Adaptation and Adversarial Robustness Judy Hoffman + = Big Deep success

Adversarial Domain Adaptation and Adversarial Robustness Judy Hoffman + = Big Deep success data learning Benchmark Performance 100 95 Accuracy 90 85 Millions of Images 80 Deep models 75 Challenge to recognize 1000

1.2k views • 60 slides
Improving Adversarial Robustness via Promoting Ensemble Diversity Tianyu

Improving Adversarial Robustness via Promoting Ensemble Diversity Tianyu

Improving Adversarial Robustness via Promoting Ensemble Diversity Tianyu Pang, Kun Xu, Chao Du, Ning Chen and Jun Zhu Department of Computer Science and Technology Tsinghua University TSAIL ICML | 2019 Adversarial

864 views • 14 slides
Adversarial Approaches to Bayesian Learning and Bayesian Approaches to Adversarial Robustness

Adversarial Approaches to Bayesian Learning and Bayesian Approaches to Adversarial Robustness

Adversarial Approaches to Bayesian Learning and Bayesian Approaches to Adversarial Robustness Ian Goodfellow, OpenAI Research Scientist NIPS 2016 Workshop on Bayesian Deep Learning Barcelona, 2016-12-10 Speculation on Three Topics Can we

769 views • 21 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google Brain CS 231n, Stanford University, 2017-05-30 Overview What are adversarial examples? Why do they happen? How can they be used to

866 views • 43 slides
A Closer Look at Adversarial Examples for Separated Data Kamalika Chaudhuri University of

A Closer Look at Adversarial Examples for Separated Data Kamalika Chaudhuri University of

A Closer Look at Adversarial Examples for Separated Data Kamalika Chaudhuri University of California, San Diego Adversarial Examples Gibbon Panda Small perturbation to legitimate inputs causing misclassification Adversarial Examples Can

1.41k views • 42 slides
Adversarial Robustness for Code Pavol Bielik , Martin Vechev pavol.bielik@inf.ethz.ch,

Adversarial Robustness for Code Pavol Bielik , Martin Vechev pavol.bielik@inf.ethz.ch,

ICML 2020 Adversarial Robustness for Code Pavol Bielik , Martin Vechev pavol.bielik@inf.ethz.ch, martin.vechev@inf.ethz.ch Department of Computer Science 1 Adversarial Robustness panda gibbon Vision + = Explaining and Harnessing

429 views • 32 slides
Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin Kwok Adversarial examples Adversarial examples Imperceptible perturbations to an input can change a neural network's prediction adversarial

1.06k views • 23 slides
On the Connection Between Adversarial Robustness and Saliency Map Interpretability Christian

On the Connection Between Adversarial Robustness and Saliency Map Interpretability Christian

On the Connection Between Adversarial Robustness and Saliency Map Interpretability Christian Etmann , 1 , 3 , Sebastian Lunz , 2 , Peter Maass 1 , Carola-Bibiane Sch onlieb 2 13th June, 2019 1: ZeTeM, University of Bremen, 2: Cambridge

673 views • 19 slides
Thermometer Encoding: One Hot Way to Resist Adversarial Examples Stanford, 2017-11-16 Aurko Roy*

Thermometer Encoding: One Hot Way to Resist Adversarial Examples Stanford, 2017-11-16 Aurko Roy*

Thermometer Encoding: One Hot Way to Resist Adversarial Examples Stanford, 2017-11-16 Aurko Roy* Colin Ra ff el Jacob Ian Buckman* Goodfellow *joint first author Adversarial Examples Adversarial Definitely Probably panda perturbation

607 views • 15 slides
Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann

Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann

Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann Department of Informatics Technical University of Munich 28.10.2019 Adversarial Robustness of Machine Learning Models for Graphs S. Gnnemann Can you

669 views • 27 slides
Adversarial Examples in NLP Sameer Singh sameer@uci.edu @sameer_ sameersingh.org What are

Adversarial Examples in NLP Sameer Singh sameer@uci.edu @sameer_ sameersingh.org What are

Slides: http://tiny.cc/adversarial Adversarial Examples in NLP Sameer Singh sameer@uci.edu @sameer_ sameersingh.org What are Adversarial Examples? panda gibbon 57.7% confidence 99.3% confidence [Goodfellow et al, ICLR 2015 ]

1.56k views • 43 slides
? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

Todays Story: How I got my first Death Threat ? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr October 8 th 2019 Joint work with Pascal Dupr, Gili Rusak, Giancarlo Pellegrino and Dan Boneh The

415 views • 29 slides
Understanding and Mitigating the Tradeoff Between Robustness and Accuracy Aditi Raghunathan*

Understanding and Mitigating the Tradeoff Between Robustness and Accuracy Aditi Raghunathan*

Understanding and Mitigating the Tradeoff Between Robustness and Accuracy Aditi Raghunathan* Sang Michael Xie* Fanny Yang John C. Duchi Percy Liang Stanford University Adversarial examples Standard training leads to models that are not

619 views • 50 slides
ON THE ADVERSARIAL ROBUSTNESS OF UNCERTAINTY AWARE DEEP NEURAL NETWORKS APRIL 29 TH , 2019

ON THE ADVERSARIAL ROBUSTNESS OF UNCERTAINTY AWARE DEEP NEURAL NETWORKS APRIL 29 TH , 2019

ON THE ADVERSARIAL ROBUSTNESS OF UNCERTAINTY AWARE DEEP NEURAL NETWORKS APRIL 29 TH , 2019 PREPARED BY: ALI HARAKEH QUESTION Can a neural network mitigate the effects of adversarial attacks by estimating the uncertainty in its predictions ?

1.14k views • 26 slides

More recommend