distillation as a defense to adversarial perturbations
play

Distillation as a Defense to Adversarial Perturbations against Deep - PowerPoint PPT Presentation

Apr 20, 2023 •966 likes •1.38k views

Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks Nicolas Papernot , Patrick McDaniel, Xi Wu, Somesh Jha, and Ananthram Swami May 24th, 2016 @ 37th IEEE Symposium on Security and Privacy @NicolasPapernot 1 M

  1. Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks Nicolas Papernot , Patrick McDaniel, Xi Wu, Somesh Jha, and Ananthram Swami May 24th, 2016 @ 37th IEEE Symposium on Security and Privacy @NicolasPapernot 1

  2. M components N components p0=0.01 … p1=0.93 “Type a quote here.” … … … p8=0.02 { pN=0.01 –Johnny Appleseed Input Layer Hidden Layers Output Layer (e.g., convolutional, rectified linear, …) Neuron Weighted Link (weight is a parameter part of ) θ O 2

  3. M components N components p0=0.01 … p1=0.02 “Type a quote here.” … … … p8=0.89 { pN=0.01 –Johnny Appleseed Input Layer Hidden Layers Output Layer (e.g., convolutional, rectified linear, …) Neuron Weighted Link (weight is a parameter part of ) θ O 3

  4. 4

  5. Deep Learning for Classification 5

  6. M components N components … … … { Hidden Layers Input Layer Output Layer (e.g., convolutional, rectified linear, …) Neuron Weighted Link (weight is a parameter part of ) θ O 6

  7. M components N components … … … { Hidden Layers Input Layer Output Layer (e.g., convolutional, rectified linear, …) Neuron Weighted Link (weight is a parameter part of ) θ O 7

  8. M components N components … … … { Hidden Layers Input Layer Output Layer (e.g., convolutional, rectified linear, …) Neuron Weighted Link (weight is a parameter part of ) θ O 8

  9. M components N components … … … { Hidden Layers Input Layer Output Layer (e.g., convolutional, rectified linear, …) Neuron Weighted Link (weight is a parameter part of ) θ O 9

  10. M components N components … … … { Hidden Layers Input Layer Output Layer (e.g., convolutional, rectified linear, …) Neuron Weighted Link (weight is a parameter part of ) θ O 10

  11. M components N components … … … { Hidden Layers Input Layer Output Layer (e.g., convolutional, rectified linear, …) Neuron Weighted Link (weight is a parameter part of ) θ O 11

  12. M components N components … … … { Hidden Layers Input Layer Output Layer (e.g., convolutional, rectified linear, …) Neuron Weighted Link (weight is a parameter part of ) θ O 12

  13. M components N components p0=0.01 p1=0.93 … … … p8=0.02 pN=0.01 { Hidden Layers Input Layer Output Layer (e.g., convolutional, rectified linear, …) Neuron Weighted Link (weight is a parameter part of ) θ O 13

  14. Language Model Meaning Decision Trees Sentence Word Feature Extraction Phoneme NLP State Frame Lexicon Audio Acoustic Model Source: Tara N. Sainath, Google @ ICML DL Workshop 2015 14

  15. Adversarial Samples 15

  16. Output classification 0 1 2 3 4 5 6 7 8 9 CIFAR10 Dataset 9 8 7 6 5 4 3 2 1 0 truck automobile bird airplane bird Input class 16

  17. Adversarial strategy 17

  18. Defending against Adversarial Perturbations 18

  19. DNN Robustness 19

  20. Defense Design • Low impact on the architecture • Maintain accuracy • Robust in space relatively close to the legitimate distribution • Maintain speed of network 20

  21. Softmax Layer and Probabilities 21

  22. Defensive Distillation 22

  23. Defensive Distillation 23

  24. Defensive Distillation 24

  25. Defensive Distillation 25

  26. Defensive Distillation 26

  27. Defensive Distillation 27

  28. Defensive Distillation 28

  29. Defensive Distillation Set temperature T=1 for predictions 29

  30. Intuition behind Defensive Distillation Constraining Training Reducing Jacobian Amplitudes 0 if i not correct class never equal to 0 30

  31. Validation 31

  32. Experimental Setup 32

  33. Adversarial Samples Success Rate (MNIST) Adversarial Samples Baseline Rate (MNIST) Adversarial Samples Success Rate (CIFAR10) Adversarial Samples Baseline Rate (CIFAR10) 100 90 Adversarial Sample Success Rate 80 70 60 50 40 30 20 10 0 1 10 100 Distillation Temperature 33

  34. Impact on accuracy 34

  35. Impact on Jacobian Amplitude 35

  36. Estimation of Robustness 36

  37. Conclusions 37

  38. Take aways • Distillation significantly reduces attack success • Yields model smoothness • Easy implementation, low overhead • Acceptable impact on accuracy 38

  39. Questions? https://www.papernot.fr nicolas@papernot.fr @NicolasPapernot

Recommend

On Evaluation of Adversarial Perturbations for Sequence-to-Sequence Models Paul Michel, Xian Li,

On Evaluation of Adversarial Perturbations for Sequence-to-Sequence Models Paul Michel, Xian Li,

On Evaluation of Adversarial Perturbations for Sequence-to-Sequence Models Paul Michel, Xian Li, Graham Neubig, Juan Pino Adversarial Attacks/Perturbations Apply a small (indistinguishable) perturbation to the input that elicit large

908 views • 75 slides
Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr & Dan Boneh NeurIPS 2019 Adversarial examples 88% Tabby Cat 99% Guacamole Szegedy et al., 2014 Goodfellow et al., 2015 Athalye, 2017 Adversarial

564 views • 23 slides
Fundamental Tradeoffs between Invariance and Sensitivity to Adversarial Perturbations Florian

Fundamental Tradeoffs between Invariance and Sensitivity to Adversarial Perturbations Florian

Fundamental Tradeoffs between Invariance and Sensitivity to Adversarial Perturbations Florian Tramr Jens Behrmann Nicholas Carlini Nicolas Papernot Jrn-Henrik Jacobsen What are Adversarial Examples? any input to a ML model that is

1.13k views • 16 slides
Learning Universal Adversarial Perturbations with Generative Models Jamie Hayes & George

Learning Universal Adversarial Perturbations with Generative Models Jamie Hayes & George

Learning Universal Adversarial Perturbations with Generative Models Jamie Hayes & George Danezis UCL Adversarial examples transfer between different models. An adversarial example crafted against one model will generally fool other models.

515 views • 18 slides
Defense Against Adversarial Images using Web-Scale Nearest-Neighbor Search Abhimanyu Dubey,

Defense Against Adversarial Images using Web-Scale Nearest-Neighbor Search Abhimanyu Dubey,

Defense Against Adversarial Images using Web-Scale Nearest-Neighbor Search Abhimanyu Dubey, Laurens van der Maaten, I. Zeki Yalniz, Yixuan Li and Dhruv Mahajan Adversarial Images adversarial swan pelican perturbation

457 views • 8 slides
Adversarial Perturbations of Opinion Dynamics in Networks Jason Gaitonde (Cornell University)

Adversarial Perturbations of Opinion Dynamics in Networks Jason Gaitonde (Cornell University)

Adversarial Perturbations of Opinion Dynamics in Networks Jason Gaitonde (Cornell University) EC 2020 Joint work with Jon Kleinberg (Cornell) and va Tardos (Cornell) Problem Setup Peoples opinions evolve via their interactions with

519 views • 4 slides
Towards Attack-Agnostic Defense for 2D and 3D Recognition Hao Su Workshop on Adversarial Machine

Towards Attack-Agnostic Defense for 2D and 3D Recognition Hao Su Workshop on Adversarial Machine

Towards Attack-Agnostic Defense for 2D and 3D Recognition Hao Su Workshop on Adversarial Machine Learning in Real-World Computer Vision Systems Long Beach, CA, USA 1 Outline Background and Motivation Project-based Defense Mechanism

761 views • 72 slides
On the Defense Against Adversarial Examples Beyond the Visible Spectrum Anthony Ortiz 1 , Olac

On the Defense Against Adversarial Examples Beyond the Visible Spectrum Anthony Ortiz 1 , Olac

On the Defense Against Adversarial Examples Beyond the Visible Spectrum Anthony Ortiz 1 , Olac Fuentes 1 , Dalton Rosario 2 , Christopher Kiekintveld 1 1 Department of Computer Science, UTEP 2 US Army Research Laboratory Adversarial Examples on

460 views • 19 slides
Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin Kwok Adversarial examples Adversarial examples Imperceptible perturbations to an input can change a neural network's prediction adversarial

1.06k views • 23 slides
Mag Net A Two-Pronged Defense against Adversarial Examples Dongyu Meng Hao Chen ShanghaiTech

Mag Net A Two-Pronged Defense against Adversarial Examples Dongyu Meng Hao Chen ShanghaiTech

Mag Net A Two-Pronged Defense against Adversarial Examples Dongyu Meng Hao Chen ShanghaiTech University, China University of California, Davis, USA Neural networks in real-life applications user authentication autonomous

600 views • 30 slides
Defense Against the Dark Arts: An overview of adversarial example security research and future

Defense Against the Dark Arts: An overview of adversarial example security research and future

Defense Against the Dark Arts: An overview of adversarial example security research and future research directions Ian Goodfellow, Sta ff Research Scientist, Google Brain 1st IEEE Deep Learning and Security Workshop, May 24, 2018 This document

726 views • 36 slides
Kevin Roth*, Yannic Kilcher *, Thomas Hofmann ETH Zrich 2 6 # r e t s o p Log-Odds

Kevin Roth*, Yannic Kilcher *, Thomas Hofmann ETH Zrich 2 6 # r e t s o p Log-Odds

Kevin Roth*, Yannic Kilcher *, Thomas Hofmann ETH Zrich 2 6 # r e t s o p Log-Odds & Adversarial Examples Log-Odds & Adversarial Examples Adversarial examples cause atypically large feature space perturbations along the

238 views • 21 slides
Effective Topic Distillation Effective Topic Distillation with Key Resource Pre- -selection

Effective Topic Distillation Effective Topic Distillation with Key Resource Pre- -selection

Effective Topic Distillation Effective Topic Distillation with Key Resource Pre- -selection selection with Key Resource Pre Yiqun Liu, Min Zhang and Shaoping Ma State Key Lab of Intelligent Tech. & Sys. Tsinghua University, Beijing,

266 views • 22 slides
Distillation. Optimal operation using simple control structures Sigurd Skogestad, NTNU, Trondheim

Distillation. Optimal operation using simple control structures Sigurd Skogestad, NTNU, Trondheim

Distillation. Optimal operation using simple control structures Sigurd Skogestad, NTNU, Trondheim EFCE Working Group on Separations, Gteborg, Sweden, June 2019 Distillation is part of the future 1. Its a myth that distillation is bad in

652 views • 53 slides
Certified Adversarial Robustness via Randomized Smoothing Jeremy Cohen Elan Rosenfeld

Certified Adversarial Robustness via Randomized Smoothing Jeremy Cohen Elan Rosenfeld

Certified Adversarial Robustness via Randomized Smoothing Jeremy Cohen Elan Rosenfeld Zico Kolter Carnegie Mellon University Introduction We study a certified adversarial defense in " norm which scales to ImageNet

1.5k views • 12 slides
CVPR 2020 Universal Adversarial Attacks Image agnostic and transferable across networks

CVPR 2020 Universal Adversarial Attacks Image agnostic and transferable across networks

1 1,4 2,3 2 3 4 1 CVPR 2020 Universal Adversarial Attacks Image agnostic and transferable across networks Adversarial No defense: Baseline DNN perturbation Input image Classification Feature extraction dense Perturbed image

592 views • 6 slides
Complex distillation systems. Theory and models. Pio Aguirre INGAR Santa Fe-Argentina Outline

Complex distillation systems. Theory and models. Pio Aguirre INGAR Santa Fe-Argentina Outline

Complex distillation systems. Theory and models. Pio Aguirre INGAR Santa Fe-Argentina Outline 1.- Introduction. 2.- Theory in simple columns design. 3.- Reversible distillation columns and sequences. 4.- Optimal synthesis distillation

720 views • 59 slides
Other Hydrocarbons Presented by Sachin Joshi Licensing Manager GTC Technology US, LLC

Other Hydrocarbons Presented by Sachin Joshi Licensing Manager GTC Technology US, LLC

Topic Advances in Distillation for Petrochemicals and Other Hydrocarbons Presented by Sachin Joshi Licensing Manager GTC Technology US, LLC Improving Efficiency in Distillation Advanced Distillation GT-HIDS (Heat Integrated

658 views • 29 slides
Distillation Codes and DOS Resistant Multicast Moderation Prepared for CS 624 Fabian Monrose

Distillation Codes and DOS Resistant Multicast Moderation Prepared for CS 624 Fabian Monrose

Distillation Codes and DOS Resistant Multicast Moderation Prepared for CS 624 Fabian Monrose Johns Hopkins University Kevin Snow & Ryan Gardner Recall We showed how distillation codes broke received packets into partitions to reduce

299 views • 26 slides
Tight bounds for Communication assisted agreement distillation Jaikumar Radhakrishnan Tata

Tight bounds for Communication assisted agreement distillation Jaikumar Radhakrishnan Tata

Tight bounds for Communication assisted agreement distillation Jaikumar Radhakrishnan Tata Institute of Fundamental Research, Mumbai Joint work with Venkat Guruswami, Carnegie Mellon University Agreement distillation Alice Bob Input: X {

930 views • 55 slides
Measuring Perturbations Measuring Perturbations with Weak Lensing of SNe with Weak Lensing of

Measuring Perturbations Measuring Perturbations with Weak Lensing of SNe with Weak Lensing of

Univ. Frankfurt Jan 2014 Univ. Frankfurt Jan 2014 Measuring Perturbations Measuring Perturbations with Weak Lensing of SNe with Weak Lensing of SNe In collaboration with: Luca Amendola, Tiago de Castro & Valerio Marra Miguel

580 views • 47 slides
Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs

Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs

Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs William Wang 10:30 11:00 Break - 11:00 12:15 Adversarial Examples Sameer Singh 12:15 12:30 Conclusions and Question Answering William

1.75k views • 105 slides
Non-asymptotic entanglement distillation arXiv:1706.06221 Kun Fang Joint work with Xin Wang,

Non-asymptotic entanglement distillation arXiv:1706.06221 Kun Fang Joint work with Xin Wang,

Non-asymptotic entanglement distillation arXiv:1706.06221 Kun Fang Joint work with Xin Wang, Marco Tomamichel, Runyao Duan Centre for Quantum Software and Information U niversity of T echnology S ydney Entanglement distillation [Bennett,

538 views • 52 slides
P Perturbations Perturbations P t t b ti b ti in Lee in Lee in Lee Wick Bouncing Universe

P Perturbations Perturbations P t t b ti b ti in Lee in Lee in Lee Wick Bouncing Universe

P Perturbations Perturbations P t t b ti b ti in Lee in Lee in Lee Wick Bouncing Universe in Lee-Wick Bouncing Universe Wick Bouncing Universe Wick Bouncing Universe Inyong Cho (Seoul National University of Science & Technology)

619 views • 37 slides

More recommend