exploring the landscape of spa5al robustness
play

Exploring the Landscape of Spa5al Robustness Logan Engstrom (with - PowerPoint PPT Presentation

Sep 13, 2023 •145 likes •604 views

Exploring the Landscape of Spa5al Robustness Logan Engstrom (with Brandon Tran*, Dimitris Tsipras*, Ludwig Schmidt, Aleksander Mdry) madry-lab.ml ML Glitch: Adversarial Examples ML Glitch: Adversarial Examples pig small,

  1. Exploring the Landscape of Spa5al Robustness Logan Engstrom (with Brandon Tran*, Dimitris Tsipras*, Ludwig Schmidt, Aleksander Mądry) madry-lab.ml

  2. ML “Glitch”: Adversarial Examples

  3. ML “Glitch”: Adversarial Examples “pig” small, nonrandom noise “airliner”

  4. ML “Glitch”: Adversarial Examples “pig” small, non-random noise “airliner”

  5. ML “Glitch”: Adversarial Examples “pig” small, non-random noise “airliner”

  6. ML “Glitch”: Adversarial Examples “pig” small , non-random noise “airliner” What does small mean here?

  7. ML “Glitch”: Adversarial Examples “pig” small , non-random noise “airliner” What does small mean here? Traditionally: perturbations that have small l_p norm

  8. ML “Glitch”: Adversarial Examples “pig” small , non-random noise “airliner” What does small mean here? Traditionally: perturbations that have small l_p norm Do small l_p norms capture every sense of “small”?

  9. Spa5al Perturba5ons

  10. Spa5al Perturba5ons

  11. Spa5al Perturba5ons rotation up to 30°

  12. Spa5al Perturba5ons rotation up to 30° x, y translations up to ~10%

  13. Spa5al Perturba5ons rotation up to 30° x, y translations up to ~10% These are not small l_p perturbations!

  14. Spa5al Perturba5ons rotation up to 30° x, y translations up to ~10% These are not small l_p perturbations! How robust are models to spatial perturbations?

  15. Spa5al Robustness

  16. Spa5al Robustness Spoiler: models are not robust

  17. Spa5al Robustness Spoiler: models are not robust

  18. Spa5al Robustness Spoiler: models are not robust Can we train more spatially robust classifiers?

  19. Spa5al Defenses

  20. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18]

  21. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18] Key question : how to find worst-case translations, rotations?

  22. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18] Key question : how to find worst-case translations, rotations? Attempt #1: first-order methods

  23. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18] Key question : how to find worst-case translations, rotations? Attempt #1: first-order methods

  24. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18] Key question : how to find worst-case translations, rotations? Attempt #1: first-order methods

  25. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18] Key question : how to find worst-case translations, rotations? Attempt #1: first-order methods

  26. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18] Key question : how to find worst-case translations, rotations? Attempt #1: first-order methods Attempt #2: exhaustive search

  27. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18] Key question : how to find worst-case translations, rotations? Attempt #1: first-order methods Attempt #2: exhaustive search Exhaustive search is feasible, and a strong adversary! (discretize translations and rotations, try every combination)

  28. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18] Key question : how to find worst-case translations, rotations? Attempt #1: first-order methods Attempt #2: exhaustive search Exhaustive search is feasible, and a strong adversary! (discretize translations and rotations, try every combination)

  29. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18] Key question : how to find worst-case translations, rotations? Attempt #1: first-order methods Attempt #2: exhaustive search Exhaustive search is feasible, and a strong adversary! (discretize translations and rotations, try every combination) Train only on “worst” transformed input (highest loss)

  30. Spa5al Defenses Lesson from l_p robustness: use robust optimization (= train on worst-case perturbed inputs) [Goodfellow et al ‘15 ][Madry et al ’18] Key question : how to find worst-case translations, rotations? Attempt #1: first-order methods Attempt #2: exhaustive search Exhaustive search is feasible, and a strong adversary! (discretize translations and rotations, try every combination) (we approximate via 10 random samples to quicken training)

  31. Spa5al Defenses With robust optimization:

  32. Spa5al Defenses With robust optimization: CIFAR classifier accuracy: 3% adversarial to 71% adversarial

  33. Spa5al Defenses With robust optimization: CIFAR classifier accuracy: 3% adversarial to 71% adversarial (compare to 93% standard accuracy)

  34. Spa5al Defenses With robust optimization: CIFAR classifier accuracy: 3% adversarial to 71% adversarial (compare to 93% standard accuracy) ImageNet classifier accuracy: 31% adversarial to 53% adversarial

  35. Spa5al Defenses With robust optimization: CIFAR classifier accuracy: 3% adversarial to 71% adversarial (compare to 93% standard accuracy) ImageNet classifier accuracy: 31% adversarial to 53% adversarial (compare to 76% standard accuracy)

  36. Spa5al Defenses With robust optimization: (+10 sample majority vote) CIFAR classifier accuracy: 3% adversarial to 71% adversarial (compare to 93% standard accuracy) ImageNet classifier accuracy: 31% adversarial to 53% adversarial (compare to 76% standard accuracy)

  37. Spa5al Defenses With robust optimization: 82% (+10 sample majority vote) CIFAR classifier accuracy: 3% adversarial to 71% adversarial (compare to 93% standard accuracy) ImageNet classifier accuracy: 31% adversarial to 53% adversarial (compare to 76% standard accuracy)

  38. Spa5al Defenses With robust optimization: 82% (+10 sample majority vote) CIFAR classifier accuracy: 3% adversarial to 71% adversarial (compare to 93% standard accuracy) 56% ImageNet classifier accuracy: 31% adversarial to 53% adversarial (compare to 76% standard accuracy)

  39. Spa5al Defenses With robust optimization: 82% (+10 sample majority vote) CIFAR classifier accuracy: 3% adversarial to 71% adversarial (compare to 93% standard accuracy) 56% ImageNet classifier accuracy: 31% adversarial to 53% adversarial (compare to 76% standard accuracy) Still significant room for improvement!

  40. Conclusions

  41. Conclusions Robust models need more refined notions of similarity

  42. Conclusions Robust models need more refined notions of similarity We do not have true spatial robustness

  43. Conclusions Robust models need more refined notions of similarity We do not have true spatial robustness Intuitions from l_p robustness do not transfer

  44. Conclusions Robust models need more refined notions of similarity We do not have true spatial robustness Intuitions from l_p robustness do not transfer Come to our poster! Pacific Ballroom #142

Recommend

Beyond the Pixels: Exploring the Effect of Video File Corruptions on Model Robustness Trenton

Beyond the Pixels: Exploring the Effect of Video File Corruptions on Model Robustness Trenton

Beyond the Pixels: Exploring the Effect of Video File Corruptions on Model Robustness Trenton Chang Daniel Y. Fu Yixuan Li Christopher R Stanford University Workshop on Adversarial Robustness in the Real World, ECCV 2020

280 views • 13 slides
Todays Energy Landscape: Exploring economic environmental and Exploring economic,

Todays Energy Landscape: Exploring economic environmental and Exploring economic,

Todays Energy Landscape: Exploring economic environmental and Exploring economic, environmental and technological trends October 11, 2010 Presentation to the PJM Board Sue Tierney Managing Principal Managing Principal BOSTON CHICAGO

522 views • 35 slides
Function and Robustness of Gene Regulatory Network: Toward the Landscape Picture of Evolution

Function and Robustness of Gene Regulatory Network: Toward the Landscape Picture of Evolution

Function and Robustness of Gene Regulatory Network: Toward the Landscape Picture of Evolution Macoto Kikuchi (Collaborators: S. Nagata and T. Kaneko) 2019/3/7 Contents Motivation 1 Gene

984 views • 57 slides
Conjectures from Quantum Gravity - Exploring the Landscape inside the Swampland - Florian Wolf

Conjectures from Quantum Gravity - Exploring the Landscape inside the Swampland - Florian Wolf

Conjectures from Quantum Gravity - Exploring the Landscape inside the Swampland - Florian Wolf Young Scientists Workshop at Castle Ringberg on July 19, 2017 Swampland vs. Landscape High energy, more dimensions, Quantum Gravity e.g. String

481 views • 33 slides
Exploring the Potential Energy Landscape of Materials: from defected crystals to metallic glasses

Exploring the Potential Energy Landscape of Materials: from defected crystals to metallic glasses

Exploring the Potential Energy Landscape of Materials: from defected crystals to metallic glasses David RODNEY SIMAP, INP Grenoble, FRANCE What is the Potential Energy Landscape (PEL)? Configuration R = 1 , 2 , , a point

997 views • 25 slides
Robustness? Robustness ? Robustness?

Robustness? Robustness ? Robustness?

Robustness? Robustness ? Robustness? Thomas Mandl

245 views • 5 slides
Where Are We? Lecture 9 Robustness through Training 1 Robustness Explicit Handling of Noise

Where Are We? Lecture 9 Robustness through Training 1 Robustness Explicit Handling of Noise

Where Are We? Lecture 9 Robustness through Training 1 Robustness Explicit Handling of Noise and Channel Variations 2 Michael Picheny, Bhuvana Ramabhadran, Stanley F. Chen Robustness via Adaptation 3 IBM T.J. Watson Research Center

256 views • 22 slides
Exploring the National Landscape of Behavioral Screening in US Schools Findings from the NEEDs 2

Exploring the National Landscape of Behavioral Screening in US Schools Findings from the NEEDs 2

Exploring the National Landscape of Behavioral Screening in US Schools Findings from the NEEDs 2 project Funded by the Institute of Education Sciences (R305A140543) Symposium presented at the 2019 NASP Convention Feb. 26, 2019

724 views • 53 slides
Exploring Majorana landscape J.J. Gmez-Cadenas Instituto de Fsica Corpuscular (CSIC &

Exploring Majorana landscape J.J. Gmez-Cadenas Instituto de Fsica Corpuscular (CSIC &

Exploring Majorana landscape J.J. Gmez-Cadenas Instituto de Fsica Corpuscular (CSIC & UVEG) Florence, July, 2012 mircoles 11 de julio de 12 Double beta decay 10 Atomic Mass Difference (MeV) 136 I 8 136 Pr - 6 + /EC

1.07k views • 37 slides
Exploring and optimizing the Dutch Research Data Landscape DTL Partner Advisory Committee 28

Exploring and optimizing the Dutch Research Data Landscape DTL Partner Advisory Committee 28

Exploring and optimizing the Dutch Research Data Landscape DTL Partner Advisory Committee 28 May 2020 By Melle de Vries (Royal Netherlands Academy of Arts and Sciences, project manager for this NPOS-project) National Program for Open

568 views • 10 slides
UCSD Robustness Summer School David Donoho 20190812 David Donoho UCSD Robustness Summer School

UCSD Robustness Summer School David Donoho 20190812 David Donoho UCSD Robustness Summer School

What is Statistics? What is Statistical Research? Paradigm Shifts in Statistics How did Robustness in Statistics Emerge? What has Robustness in Statistics delivered? What has Robustness in Statistics to do with CS? UCSD Robustness

721 views • 26 slides
Robustness and Generalization Huan Xu The University of Texas at Austin Department of Electrical

Robustness and Generalization Huan Xu The University of Texas at Austin Department of Electrical

Robustness and Generalization Huan Xu The University of Texas at Austin Department of Electrical and Computer Engineering COLT, June 29, 2010 Joint work with Shie Mannor What is Robustness? What is Robustness? What is Robustness?

571 views • 53 slides
Being on the Beach Being on the Beach Exploring Sensomotoric Awareness Exploring Sensomotoric

Being on the Beach Being on the Beach Exploring Sensomotoric Awareness Exploring Sensomotoric

Being on the Beach Being on the Beach Exploring Sensomotoric Awareness Exploring Sensomotoric Awareness in a Landscape in a Landscape Aesth/Ethics in Environmental Change Aesth/Ethics in Environmental Change Hiddensee, 24-28 May 2010

407 views • 30 slides
Robustness and SMC Adam Pechner Overview What is Robustness and why do we care? Different

Robustness and SMC Adam Pechner Overview What is Robustness and why do we care? Different

Robustness and SMC Adam Pechner Overview What is Robustness and why do we care? Different types of Robust Control Techniques Sliding Mode Control (SMC) Definition and Benefits Drawbacks and Requirements Applications of SMC

538 views • 40 slides
Exploring Drupal 8 FrontEnd Landscape through Polymer ~Saket & Piyuesh Drupalcon New Orleans

Exploring Drupal 8 FrontEnd Landscape through Polymer ~Saket & Piyuesh Drupalcon New Orleans

Exploring Drupal 8 FrontEnd Landscape through Polymer ~Saket & Piyuesh Drupalcon New Orleans History of Web Drupalcon New Orleans Front End World - We have a plethora of tools, frameworks, languages, abstractions etc. Drupalcon New

772 views • 44 slides
EXPLORING THE MEDICAID REFORM LANDSCAPE Kathleen Nolan FEDERAL DIRECTION AND VISION 2017-18

EXPLORING THE MEDICAID REFORM LANDSCAPE Kathleen Nolan FEDERAL DIRECTION AND VISION 2017-18

W W W . H E A L T H M A N A G E M E N T . C O M EXPLORING THE MEDICAID REFORM LANDSCAPE Kathleen Nolan FEDERAL DIRECTION AND VISION 2017-18 2017 + Transition has been long and rocky + Congressional debate ruled in

347 views • 9 slides
Algorithms in Nature Network robustness Slides adapted from Carl Kingsford Network robustness

Algorithms in Nature Network robustness Slides adapted from Carl Kingsford Network robustness

Algorithms in Nature Network robustness Slides adapted from Carl Kingsford Network robustness Many complex systems show a surprising degree of tolerance to errors: Biological networks persist despite environmental noise, failures, attacks

224 views • 20 slides
Point sets, Maps and Navigation - II D.A. Forsyth Robustness is a serious problem Robustness is

Point sets, Maps and Navigation - II D.A. Forsyth Robustness is a serious problem Robustness is

Point sets, Maps and Navigation - II D.A. Forsyth Robustness is a serious problem Robustness is a serious problem Key issue: Squaring a large number produces a huge number A few wildly mismatch points can throw off R, t Fixes:

153 views • 12 slides
Trade-off between Efficiency and Robustness Doctoral Colloqium @ SenSys18, Shenzhen Robert

Trade-off between Efficiency and Robustness Doctoral Colloqium @ SenSys18, Shenzhen Robert

Institute of Operating Systems and Computer Networks E ffi ciency E ffi ciency vs Robustness = Trade-o ff Robustness Energy Budget Trade-off between Efficiency and Robustness Doctoral Colloqium @ SenSys18, Shenzhen Robert Hartung,

680 views • 19 slides
Literature for Landscape Management Inhalt 1. Landscape analyses, landscape assessments,

Literature for Landscape Management Inhalt 1. Landscape analyses, landscape assessments,

Joint Master Programme Sustainable Development 2011, Module Land Management 22/03/2011 Literature for Landscape Management Inhalt 1. Landscape analyses, landscape assessments, and landscape changes in Europe ........ 1 2. Impacts

542 views • 7 slides
S9932: LEARNING TO BOOST S9932: LEARNING TO BOOST ROBUSTNESS FOR ROBUSTNESS FOR AUTONOMOUS

S9932: LEARNING TO BOOST S9932: LEARNING TO BOOST ROBUSTNESS FOR ROBUSTNESS FOR AUTONOMOUS

S9932: LEARNING TO BOOST S9932: LEARNING TO BOOST ROBUSTNESS FOR ROBUSTNESS FOR AUTONOMOUS DRIVING AUTONOMOUS DRIVING Bernhard Firner, March 20, 2019 AUTONOMOUS DRIVING Sounds simple Actually pretty diffjcult Can start with sub-domains to

798 views • 49 slides
Key-Robustness for Cryptographic Primitives ie 1 R azvan Ros 1 ENS, CNRS, INRIA & PSL

Key-Robustness for Cryptographic Primitives ie 1 R azvan Ros 1 ENS, CNRS, INRIA & PSL

Key-Robustness for Cryptographic Primitives ie 1 R azvan Ros 1 ENS, CNRS, INRIA & PSL Research University, Paris, France ECRYPT-NET Summer School, Crete, Greece 12 th October 2017 R azvan Ros ie Key-Robustness for Cryptographic

949 views • 48 slides
Matrix Robustness, with an Application to Power System Observability Matthias Brosemann Jochen

Matrix Robustness, with an Application to Power System Observability Matthias Brosemann Jochen

Power system observability Complexity of Matrix Robustness Algorithms for Matrix Robustness Experiments Matrix Robustness, with an Application to Power System Observability Matthias Brosemann Jochen Alber Falk H uffner Rolf Niedermeier

350 views • 31 slides
COMP598: Advanced Computational Biology Methods & Research Exploring the RNA mutational

COMP598: Advanced Computational Biology Methods & Research Exploring the RNA mutational

COMP598: Advanced Computational Biology Methods & Research Exploring the RNA mutational Landscape: Algorithms & Applications Jrme Waldisphl, PhD School of Computer Science, McGill Centre for Bioinformatics, McGill University

521 views • 50 slides

More recommend