first order adversarial vulnerability of neural networks
play

First-order Adversarial Vulnerability of Neural Networks and Input - PowerPoint PPT Presentation

Sep 26, 2022 •516 likes •805 views

First-order Adversarial Vulnerability of Neural Networks and Input Dimension C.-J. Simon-Gabriel , Y. Ollivier , L. Bottou , B. Schlkopf , D. Lopez-Paz Max-Planck-Institute for Intelligent Systems Facebook AI Research

  1. First-order Adversarial Vulnerability of Neural Networks and Input Dimension C.-J. Simon-Gabriel † , Y. Ollivier ‡ , L. Bottou ‡ , B. Schölkopf † , D. Lopez-Paz ‡ † Max-Planck-Institute for Intelligent Systems ‡ Facebook AI Research First-order Adv Vul of NNs & Input Dim 1

  2. Relation to Literature First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  3. Relation to Literature [1,2] : “Under specific data assumptions, vulnerability Increases with input dimension.” [1] Adversarial Spheres, Gilmer et al., ICLR Workshop 2018 [2] Are adversarial examples inevitable?, Shafahi et al., ICLR 2019 First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  4. Relation to Literature [1,2] : “Under specific data assumptions, vulnerability Increases with input dimension.” - No-free-lunch-like result: “If data can be anything, then there exists datasets that make the problem arbitrarily hard” [1] Adversarial Spheres, Gilmer et al., ICLR Workshop 2018 [2] Are adversarial examples inevitable?, Shafahi et al., ICLR 2019 First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  5. Relation to Literature [1,2] : “Under specific data assumptions, vulnerability Increases with input dimension.” - No-free-lunch-like result: “If data can be anything, then there exists datasets that make the problem arbitrarily hard” - Cannot apply to image-datasets, because humans are a non vulnerable classifiers for which higher dimension (higher resolution) helps . [1] Adversarial Spheres, Gilmer et al., ICLR Workshop 2018 [2] Are adversarial examples inevitable?, Shafahi et al., ICLR 2019 First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  6. Relation to Literature [1,2] : “Under specific data assumptions, vulnerability Increases with input dimension.” - No-free-lunch-like result: “If data can be anything, then there exists datasets that make the problem arbitrarily hard” - Cannot apply to image-datasets, because humans are a non vulnerable classifiers for which higher dimension (higher resolution) helps . - Hence the question: not : what’s wrong with our data? but : what’s wrong with our classifiers? [1] Adversarial Spheres, Gilmer et al., ICLR Workshop 2018 [2] Are adversarial examples inevitable?, Shafahi et al., ICLR 2019 First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  7. Relation to Literature [1,2] : “Under specific data assumptions, vulnerability Increases with input dimension.” Here : “Under specific classifier assumptions, vulnerability Increases with input dimension.” - No-free-lunch-like result: “If data can be anything, then there exists datasets that make the problem arbitrarily hard” - Cannot apply to image-datasets, because humans are a non vulnerable classifiers for which higher dimension (higher resolution) helps . - Hence the question: not : what’s wrong with our data? but : what’s wrong with our classifiers? [1] Adversarial Spheres, Gilmer et al., ICLR Workshop 2018 [2] Are adversarial examples inevitable?, Shafahi et al., ICLR 2019 First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  8. Main Theorem First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  9. Main Theorem Theorem: At initialization, using “He-initialization”, and for a very wide class of neural nets, adversarial damage increases like ! ( ! : input dimension). First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  10. Main Theorem Theorem: At initialization, using “He-initialization”, and for a very wide class of neural nets, adversarial damage increases like ! ( ! : input dimension). Remarks: • Vulnerability is independent of the network topology (inside a wide class). First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  11. Main Theorem Theorem: At initialization, using “He-initialization”, and for a very wide class of neural nets, adversarial damage increases like ! ( ! : input dimension). Remarks: • Vulnerability is independent of the network topology (inside a wide class). • Includes any succession of FC-, conv-, ReLU-, and subsampling layers at He-init. First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  12. Main Theorem Theorem: At initialization, using “He-initialization”, and for a very wide class of neural nets, adversarial damage increases like ! ( ! : input dimension). Remarks: • Vulnerability is independent of the network topology (inside a wide class). • Includes any succession of FC-, conv-, ReLU-, and subsampling layers at He-init. Question: Does it hold after training? → Experiments First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  13. Experimental Setting First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  14. Experimental Setting • Up-sample CIFAR-10 • Yields 4 datasets with input sizes: (3x)32x32, 64x64, 128x128, 256x256. First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  15. Experimental Setting • Up-sample CIFAR-10 • Yields 4 datasets with input sizes: (3x)32x32, 64x64, 128x128, 256x256. • Train a conv net for each input size • Use same architecture for all networks (up to convolution dilation and subsampling layers). First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  16. Experimental Setting • Up-sample CIFAR-10 • Yields 4 datasets with input sizes: (3x)32x32, 64x64, 128x128, 256x256. • Train a conv net for each input size • Use same architecture for all networks (up to convolution dilation and subsampling layers). • Compare their adversarial vulnerability First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  17. Experimental Results (after training) First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  18. Experimental Results (after training) 350 300 E x k ∂ x L k 1 250 200 150 100 p 32 64 128 image-width / d First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  19. Experimental Results (after training) 350 300 E x k ∂ x L k 1 250 200 150 100 p 32 64 128 image-width / d First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  20. Experimental Results (after training) 350 300 E x k ∂ x L k 1 250 Adversarial damage ∝ " 200 150 100 p 32 64 128 image-width / d First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  21. Conclusion First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  22. Conclusion We show: • Our networks are vulnerable by design: vulnerability increases like ! . First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  23. Conclusion We show: • Our networks are vulnerable by design: vulnerability increases like ! . • Proven theoretically at initialization First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  24. Conclusion We show: • Our networks are vulnerable by design: vulnerability increases like ! . • Proven theoretically at initialization • Verified empirically after usual and robust training First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  25. Conclusion We show: • Our networks are vulnerable by design: vulnerability increases like ! . • Proven theoretically at initialization • Verified empirically after usual and robust training • Theoretical result is independent of network topology First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  26. Conclusion We show: • Our networks are vulnerable by design: vulnerability increases like ! . • Proven theoretically at initialization • Verified empirically after usual and robust training • Theoretical result is independent of network topology Suggests that: • Current networks are not yet data-specific enough. First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  27. Conclusion We show: • Our networks are vulnerable by design: vulnerability increases like ! . • Proven theoretically at initialization • Verified empirically after usual and robust training • Theoretical result is independent of network topology Suggests that: • Current networks are not yet data-specific enough. • Architectural tweaks may not be sufficient to solve adversarial vulnerability. First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

  28. Thank you for listening! Yann Ollivier Léon Bottou Bernhard Schölkopf David Lopez-Paz First-order Adversarial Vulnerability of Neural Networks and Input Dimension Poster Pacific Ballroom #62 First-order Adv Vul of NNs & Input Dim Carl-Johann SIMON-GABRIEL

Recommend

ON THE ADVERSARIAL ROBUSTNESS OF UNCERTAINTY AWARE DEEP NEURAL NETWORKS APRIL 29 TH , 2019

ON THE ADVERSARIAL ROBUSTNESS OF UNCERTAINTY AWARE DEEP NEURAL NETWORKS APRIL 29 TH , 2019

ON THE ADVERSARIAL ROBUSTNESS OF UNCERTAINTY AWARE DEEP NEURAL NETWORKS APRIL 29 TH , 2019 PREPARED BY: ALI HARAKEH QUESTION Can a neural network mitigate the effects of adversarial attacks by estimating the uncertainty in its predictions ?

1.14k views • 26 slides
Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks Nicolas

Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks Nicolas

Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks Nicolas Papernot , Patrick McDaniel, Xi Wu, Somesh Jha, and Ananthram Swami May 24th, 2016 @ 37th IEEE Symposium on Security and Privacy @NicolasPapernot 1 M

1.38k views • 39 slides
Toward Adversarial Robustness by Diversity in an Ensemble of Specialized Deep Neural Networks

Toward Adversarial Robustness by Diversity in an Ensemble of Specialized Deep Neural Networks

Toward Adversarial Robustness by Diversity in an Ensemble of Specialized Deep Neural Networks presented at Canadian AI 2020 Mahdieh Abbasi 1 , Arezoo Rajabi 2 , Christian Gagn 1,3 , and Rakesh B. Bobba 2 1. IID, Universit Laval, Qubec,

728 views • 20 slides
Adversarial Examples are Not Easily Detected: Bypassing Ten Detection Methods Nicholas Carlini,

Adversarial Examples are Not Easily Detected: Bypassing Ten Detection Methods Nicholas Carlini,

Adversarial Examples are Not Easily Detected: Bypassing Ten Detection Methods Nicholas Carlini, David Wagner University of California, Berkeley Background Neural Networks I assume knowledge of neural networks ... This talk: neural

5.49k views • 57 slides
Efficient Defenses Against Adversarial Examples for Deep Neural Networks Valentina Zantedeschi

Efficient Defenses Against Adversarial Examples for Deep Neural Networks Valentina Zantedeschi

Efficient Defenses Against Adversarial Examples for Deep Neural Networks Valentina Zantedeschi Irina Nicolae Ambrish Rawat @vzantedesc @ririnicolae @ambrishrawat Jean Monnet University IBM Research AI GreHack #5 November 17, 2017

483 views • 37 slides
Interpreting Adversarial Trained Convolutional Neural Networks Tianyuan Zhang , Zhanxing Zhu

Interpreting Adversarial Trained Convolutional Neural Networks Tianyuan Zhang , Zhanxing Zhu

Interpreting Adversarial Trained Convolutional Neural Networks Tianyuan Zhang , Zhanxing Zhu Peking University 1600012888@pku.edu.cn zhanxing.zhu@pku.edu.cn Poster: Pacific Ballroom #148 1 Contents Normally trained CNNs typically

669 views • 20 slides
EXPLORATION OF DEEP CONVOLUTIONAL AND DOMAIN ADVERSARIAL NEURAL NETWORKS IN MINERVA. 1

EXPLORATION OF DEEP CONVOLUTIONAL AND DOMAIN ADVERSARIAL NEURAL NETWORKS IN MINERVA. 1

JONATHAN MILLER UNIVERSIDAD TECNICA FEDERICO SANTA MARIA FOR THE MINERVA COLLABORATION EXPLORATION OF DEEP CONVOLUTIONAL AND DOMAIN ADVERSARIAL NEURAL NETWORKS IN MINERVA. 1 ACKNOWLEDGEMENTS THE MINERVA COLLABORATION The MINERvA

511 views • 27 slides
Robust Statistics and Generative Adversarial Networks Yuan YAO HKUST Chao Gao (Chicago) Jiyu

Robust Statistics and Generative Adversarial Networks Yuan YAO HKUST Chao Gao (Chicago) Jiyu

Robust Statistics and Generative Adversarial Networks Yuan YAO HKUST Chao Gao (Chicago) Jiyu Liu (Yale) Weizhi Zhu (HKUST) Deep Learning is Notoriously Not Robust! Imperceivable adversarial examples are ubiquitous to fail neural networks

1.8k views • 133 slides
Lecture 21: Adversarial Networks CS109B Data Science 2 Pavlos Protopapas and Mark Glickman 1

Lecture 21: Adversarial Networks CS109B Data Science 2 Pavlos Protopapas and Mark Glickman 1

Lecture 21: Adversarial Networks CS109B Data Science 2 Pavlos Protopapas and Mark Glickman 1 How vulnerable are Neural Networks? Uses of Neural Networks CS109B, P ROTOPAPAS , G LICKMAN How vulnerable are Neural Networks? CS109B, P ROTOPAPAS ,

417 views • 27 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security Seminar, Stanford University, 2017-01-17 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013

939 views • 44 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Guest

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Guest

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Guest lecture for CS 294-131, UC Berkeley, 2016-10-05 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013

660 views • 44 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Presentation at San Francisco AI Meetup, 2016-08-18 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013

690 views • 32 slides
ShenaniGANs: A Discussion of Generative Adversarial Networks Quinn Meier and John Pace

ShenaniGANs: A Discussion of Generative Adversarial Networks Quinn Meier and John Pace

ShenaniGANs: A Discussion of Generative Adversarial Networks Quinn Meier and John Pace https://arxiv.org/pdf/1406.2661.pdf Review of Neural Networks Feature Vector -> Feed Into First Layer -> Matrix Multiplication with Weights ->

654 views • 16 slides
Vulnerability of machine learning models to adversarial examples Petra Vidnerov Institute of

Vulnerability of machine learning models to adversarial examples Petra Vidnerov Institute of

Vulnerability of machine learning models to adversarial examples Petra Vidnerov Institute of Computer Science The Czech Academy of Sciences Hora Informaticae 2016 Outline Introduction Works on adversarial examples Our work Genetic

855 views • 46 slides
Outline Evolution of neurocomputing Artificial neural networks Feed forward

Outline Evolution of neurocomputing Artificial neural networks Feed forward

Introduction to Neural Networks and Deep Learning Ling Guan References: S. Haykin, Neural Networks , 2 nd Edition, New Jersey: Prentice Hall, 1. 2004. C. M. Bishop, Neural Networks for Pattern Re cognition, New York: 2. Oxford University

451 views • 17 slides
Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem

Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem

images from Geris Game (Pixar, 1997) Adversarial Training Attacks on Deep Networks and Generative Adversarial Networks Erkut Erdem Aykut Erdem Levent Karacan Computer Vision Lab, Hacettepe University Outline Part 1: Attacks on

1.11k views • 72 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Presentation at HORSE 2016 London, 2016-09-19 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013 Explaining

497 views • 22 slides
Adversarial Learning Bounds for Linear Classes and Neural Nets Understanding Adversarial Learning

Adversarial Learning Bounds for Linear Classes and Neural Nets Understanding Adversarial Learning

Adversarial Learning Bounds for Linear Classes and Neural Nets Understanding Adversarial Learning through Rademacher Complexity Pranjal Awasthi, Natalie Frank, Mehryar Mohri Google Research & Courant Institute August 14, 2020 1 / 17

397 views • 17 slides
Neural Networks 0. Logistics Spring 2019 1 Neural Networks are taking over! Neural networks

Neural Networks 0. Logistics Spring 2019 1 Neural Networks are taking over! Neural networks

Neural Networks 0. Logistics Spring 2019 1 Neural Networks are taking over! Neural networks have become one of the major thrust areas recently in various pattern recognition, prediction, and analysis problems In many problems they have

852 views • 33 slides
Neural Networks 1. Introduction Fall 2017 Neural Networks are taking over! Neural networks

Neural Networks 1. Introduction Fall 2017 Neural Networks are taking over! Neural networks

Neural Networks 1. Introduction Fall 2017 Neural Networks are taking over! Neural networks have become one of the major thrust areas recently in various pattern recognition, prediction, and analysis problems In many problems they have

1.17k views • 91 slides
Audio Adversarial Examples: Targeted Attacks on Speech-To-Text Nicholas Carlini and David

Audio Adversarial Examples: Targeted Attacks on Speech-To-Text Nicholas Carlini and David

Audio Adversarial Examples: Targeted Attacks on Speech-To-Text Nicholas Carlini and David Wagner University of California, Berkeley Background Neural Networks for Automatic Speech Recognition Neural Networks for Automatic Speech

768 views • 58 slides
CONVOLUTIONAL AND RECURRENT NEURAL NETWORKS Neural networks Fully connected networks

CONVOLUTIONAL AND RECURRENT NEURAL NETWORKS Neural networks Fully connected networks

CONVOLUTIONAL AND RECURRENT NEURAL NETWORKS Neural networks Fully connected networks Neuron Non-linearity Softmax layer DNN training Loss function and regularization SGD and backprop Learning rate Overfitting

1.8k views • 86 slides
An Abstract Domain for Certifying Neural Networks Gagandeep Singh Timon Gehr Markus Pschel

An Abstract Domain for Certifying Neural Networks Gagandeep Singh Timon Gehr Markus Pschel

An Abstract Domain for Certifying Neural Networks Gagandeep Singh Timon Gehr Markus Pschel Martin Vechev Department of Computer Science 1 Adversarial input perturbations Neural network f 8 " Neural network f 7

606 views • 21 slides
Neural Networks 1. Introduction Spring 2019 1 Neural Networks are taking over! Neural

Neural Networks 1. Introduction Spring 2019 1 Neural Networks are taking over! Neural

Neural Networks 1. Introduction Spring 2019 1 Neural Networks are taking over! Neural networks have become one of the major thrust areas recently in various pattern recognition, prediction, and analysis problems In many problems they

1.57k views • 124 slides

More recommend