limits on robustness to adversarial examples
play

Limits on Robustness to Adversarial Examples Elvis Dohmatob Criteo - PowerPoint PPT Presentation

Feb 19, 2024 •23 likes •763 views

Preliminaries on adversarial robustness Classifier-dependent lower bounds Universal lower bounds Limits on Robustness to Adversarial Examples Elvis Dohmatob Criteo AI Lab October 2, 2019 Elvis Dohmatob Limits on Robustness to Adversarial

  1. Preliminaries on adversarial robustness Classifier-dependent lower bounds Universal lower bounds Limits on Robustness to Adversarial Examples Elvis Dohmatob Criteo AI Lab October 2, 2019 Elvis Dohmatob Limits on Robustness to Adversarial Examples – slide 1 / 41

  2. Preliminaries on adversarial robustness Classifier-dependent lower bounds Universal lower bounds Table of contents Preliminaries on adversarial robustness 1 Classifier-dependent lower bounds 2 Universal lower bounds 3 Elvis Dohmatob Limits on Robustness to Adversarial Examples – slide 2 / 41

  3. Preliminaries on adversarial robustness Classifier-dependent lower bounds Universal lower bounds Preliminaries on adversarial robustness Elvis Dohmatob Limits on Robustness to Adversarial Examples – slide 3 / 41

  4. Preliminaries on adversarial robustness Classifier-dependent lower bounds Universal lower bounds Definition of adversarial attacks A classifier is trained and deployed (e.g the computer vision system on a self-driving car) At test / inference time, an attacker may submit queries to the classifier by sampling a real sample point x with true label k (e.g “pig”), modifying it x �→ x adv given to a prescribed threat model . Goal of attacker is to make classifier label x adv as � = k (e.g airliner) Elvis Dohmatob Limits on Robustness to Adversarial Examples – slide 4 / 41

  5. Preliminaries on adversarial robustness Classifier-dependent lower bounds Universal lower bounds The flying pig! (Picture is courtesy of https: // gradientscience. org/ intro_ adversarial/ ) x �→ x adv := x + noise , � noise � ≤ ε = 0 . 005 (in example above) Fast Gradient Sign Method : noise = sign( ∇ x loss ( h ( x ) , y )) Elvis Dohmatob Limits on Robustness to Adversarial Examples – slide 5 / 41

  6. Preliminaries on adversarial robustness Classifier-dependent lower bounds Universal lower bounds FGSM for generating adversarial examples [Goodfellow ’14] x �→ x adv := clip( x + ε sign( ∇ x loss ( h ( x ) , y ))) Elvis Dohmatob Limits on Robustness to Adversarial Examples – slide 6 / 41

  7. Preliminaries on adversarial robustness Classifier-dependent lower bounds Universal lower bounds Adversarial attacks and defenses, an arms race! Image courtesy of [Goldstein’ 19; Shafahi ’19] Elvis Dohmatob Limits on Robustness to Adversarial Examples – slide 7 / 41

  8. Problem setup Preliminaries on adversarial robustness No Free Lunch Theorems Classifier-dependent lower bounds The Strong No Free Lunch Theorem Universal lower bounds Corollaries Classifier-dependent lower bounds Elvis Dohmatob Limits on Robustness to Adversarial Examples – slide 8 / 41

  9. Problem setup Preliminaries on adversarial robustness No Free Lunch Theorems Classifier-dependent lower bounds The Strong No Free Lunch Theorem Universal lower bounds Corollaries Problem setup A classifier is simply a Borel-measurable mapping h : X → Y from feature space X (with metric d ) to label space Y := { 1 , . . . , K } . A classifier is trained and deployed (e.g the computer vision system on a self-driving car) At test / inference time, an attacker may submit queries to the classifier by sampling a real sample point x ∈ X with true label k ∈ Y , and modifying it x �→ x adv according to a prescribed threat model. For example, modifying a few pixels on a road traffic sign [Su et al. ’17] Modifying intensity of pixels by a limited amount determined by a prescribed tolerance level [Tsipras ’18], etc., on it. Elvis Dohmatob Limits on Robustness to Adversarial Examples – slide 9 / 41

  10. Problem setup Preliminaries on adversarial robustness No Free Lunch Theorems Classifier-dependent lower bounds The Strong No Free Lunch Theorem Universal lower bounds Corollaries Problem setup A classifier is simply a Borel-measurable mapping h : X → Y from feature space X (with metric d ) to label space Y := { 1 , . . . , K } . A classifier is trained and deployed (e.g the computer vision system on a self-driving car) At test / inference time, an attacker may submit queries to the classifier by sampling a real sample point x ∈ X with true label k ∈ Y , and modifying it x �→ x adv according to a prescribed threat model. For example, modifying a few pixels on a road traffic sign [Su et al. ’17] Modifying intensity of pixels by a limited amount determined by a prescribed tolerance level [Tsipras ’18], etc., on it. Elvis Dohmatob Limits on Robustness to Adversarial Examples – slide 9 / 41

  11. Problem setup Preliminaries on adversarial robustness No Free Lunch Theorems Classifier-dependent lower bounds The Strong No Free Lunch Theorem Universal lower bounds Corollaries Problem setup: notations Standard accuracy: acc( h | k ) := 1 − err( h | k ), where err( h | k ) := P X | k ( h ( X ) � = k ) is the error of h on class k . Small acc( h | k ) = ⇒ h is inaccurate on class k . Adversarial robustness accuracy: acc ε ( h | k ) := 1 − err ε ( h | k ), where err ε ( h | k ) := P X | k ( ∃ x ′ ∈ Ball( X ; ε ) | h ( x ′ ) � = k ) is the adversarial robustness error of h on class k . Small acc ε ( h | k ) = ⇒ h is vulnerable to attacks on class k . Elvis Dohmatob Limits on Robustness to Adversarial Examples – slide 10 / 41

  12. Problem setup Preliminaries on adversarial robustness No Free Lunch Theorems Classifier-dependent lower bounds The Strong No Free Lunch Theorem Universal lower bounds Corollaries Problem setup: notations Standard accuracy: acc( h | k ) := 1 − err( h | k ), where err( h | k ) := P X | k ( h ( X ) � = k ) is the error of h on class k . Small acc( h | k ) = ⇒ h is inaccurate on class k . Adversarial robustness accuracy: acc ε ( h | k ) := 1 − err ε ( h | k ), where err ε ( h | k ) := P X | k ( ∃ x ′ ∈ Ball( X ; ε ) | h ( x ′ ) � = k ) is the adversarial robustness error of h on class k . Small acc ε ( h | k ) = ⇒ h is vulnerable to attacks on class k . Distance to error set: d ( h | k ) := E P X | k [ d ( X , B ( h , k ))] denotes the average distance of a sample point of true label k , from the error set B ( h , k ) := { x ∈ X | h ( x ) � = k } of samples assigned to another label. Small d ( h | k ) = ⇒ h is vulnerable to attacks on class k . Elvis Dohmatob Limits on Robustness to Adversarial Examples – slide 10 / 41

  13. Problem setup Preliminaries on adversarial robustness No Free Lunch Theorems Classifier-dependent lower bounds The Strong No Free Lunch Theorem Universal lower bounds Corollaries Problem setup: notations Standard accuracy: acc( h | k ) := 1 − err( h | k ), where err( h | k ) := P X | k ( h ( X ) � = k ) is the error of h on class k . Small acc( h | k ) = ⇒ h is inaccurate on class k . Adversarial robustness accuracy: acc ε ( h | k ) := 1 − err ε ( h | k ), where err ε ( h | k ) := P X | k ( ∃ x ′ ∈ Ball( X ; ε ) | h ( x ′ ) � = k ) is the adversarial robustness error of h on class k . Small acc ε ( h | k ) = ⇒ h is vulnerable to attacks on class k . Distance to error set: d ( h | k ) := E P X | k [ d ( X , B ( h , k ))] denotes the average distance of a sample point of true label k , from the error set B ( h , k ) := { x ∈ X | h ( x ) � = k } of samples assigned to another label. Small d ( h | k ) = ⇒ h is vulnerable to attacks on class k . Elvis Dohmatob Limits on Robustness to Adversarial Examples – slide 10 / 41

  14. Problem setup Preliminaries on adversarial robustness No Free Lunch Theorems Classifier-dependent lower bounds The Strong No Free Lunch Theorem Universal lower bounds Corollaries A motivating example (from [Tsipras ’18]) Consider the following classification problem: Prediction target : Y ∼ Bern(1 / 2 , {± 1 } ) based on p ≥ 2 explanatory variables X := ( X 1 , X 2 , . . . , X p ) given by Robust feature : X 1 | Y = + Y w.p 70% and − Y w.p. 30%. Elvis Dohmatob Limits on Robustness to Adversarial Examples – slide 11 / 41

  15. Problem setup Preliminaries on adversarial robustness No Free Lunch Theorems Classifier-dependent lower bounds The Strong No Free Lunch Theorem Universal lower bounds Corollaries A motivating example (from [Tsipras ’18]) Consider the following classification problem: Prediction target : Y ∼ Bern(1 / 2 , {± 1 } ) based on p ≥ 2 explanatory variables X := ( X 1 , X 2 , . . . , X p ) given by Robust feature : X 1 | Y = + Y w.p 70% and − Y w.p. 30%. Non-robust features : X j | Y ∼ N ( η Y , 1) , for j = 2 , . . . , p , where η ∼ p − 1 / 2 is a fixed scalar which controls the difficulty. Elvis Dohmatob Limits on Robustness to Adversarial Examples – slide 11 / 41

  16. Problem setup Preliminaries on adversarial robustness No Free Lunch Theorems Classifier-dependent lower bounds The Strong No Free Lunch Theorem Universal lower bounds Corollaries A motivating example (from [Tsipras ’18]) Consider the following classification problem: Prediction target : Y ∼ Bern(1 / 2 , {± 1 } ) based on p ≥ 2 explanatory variables X := ( X 1 , X 2 , . . . , X p ) given by Robust feature : X 1 | Y = + Y w.p 70% and − Y w.p. 30%. Non-robust features : X j | Y ∼ N ( η Y , 1) , for j = 2 , . . . , p , where η ∼ p − 1 / 2 is a fixed scalar which controls the difficulty. The linear classifier h lin ( x ) ≡ sign( w T x ) with w = (0 , 1 / p , . . . , 1 / p ), where we allow ℓ ∞ -perturbations of maximum size ε ≥ 2 η , solves the problem perfectly (100% accuracy) but its adversarial robustness is zero ! Elvis Dohmatob Limits on Robustness to Adversarial Examples – slide 11 / 41

Recommend

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr & Dan Boneh NeurIPS 2019 Adversarial examples 88% Tabby Cat 99% Guacamole Szegedy et al., 2014 Goodfellow et al., 2015 Athalye, 2017 Adversarial

564 views • 23 slides
Certified Robustness to Adversarial Examples with Di ff erential Privacy Mathias Lcuyer,

Certified Robustness to Adversarial Examples with Di ff erential Privacy Mathias Lcuyer,

Certified Robustness to Adversarial Examples with Di ff erential Privacy Mathias Lcuyer, Vaggelis Atlidakis, Roxana Geambasu, Daniel Hsu, Suman Jana Columbia University Code: https://github.com/columbia/pixeldp Contact:

680 views • 48 slides
Lessons Learned from Evaluating the Robustness of Defenses to Adversarial Examples Nicholas

Lessons Learned from Evaluating the Robustness of Defenses to Adversarial Examples Nicholas

Lessons Learned from Evaluating the Robustness of Defenses to Adversarial Examples Nicholas Carlini Google Research Lessons Learned from Evaluating the Robustness of Defenses to Adversarial Examples Lessons Learned from Evaluating the

1.28k views • 127 slides
How CLEVER is is your neural network? Robustness evaluation against adversarial examples Pin-Yu

How CLEVER is is your neural network? Robustness evaluation against adversarial examples Pin-Yu

How CLEVER is is your neural network? Robustness evaluation against adversarial examples Pin-Yu Chen IBM Research AI OReilly AI Conference @ London 2018 IBM Research AI Label it! IBM Research AI Label it! AI model says: ostrich IBM

852 views • 36 slides
Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias

Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias

Confidence-Calibrated Adversarial Training Generalizing to Unseen Attacks David Stutz, Matthias Hein, Bernt Schiele 2-Minute Overview Problem: Robustness to various adversarial examples. Adversarial training on L adversarial examples:

635 views • 34 slides
Exploring the Landscape of Spa5al Robustness Logan Engstrom (with Brandon Tran*, Dimitris

Exploring the Landscape of Spa5al Robustness Logan Engstrom (with Brandon Tran*, Dimitris

Exploring the Landscape of Spa5al Robustness Logan Engstrom (with Brandon Tran*, Dimitris Tsipras*, Ludwig Schmidt, Aleksander Mdry) madry-lab.ml ML Glitch: Adversarial Examples ML Glitch: Adversarial Examples pig small,

604 views • 44 slides
Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu xiwu@cs.wisc.edu Joint work with Uyeong Jang, Jiefeng Chen, Lingjiao Chen, and Somesh Jha July 19, 2018 Xi Wu Model Confidence and Adversarial

740 views • 9 slides
Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML

Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML

Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML models that an attacker has intentionally designed to cause the model to make a mistake 1 Why this is interesting: Safety. Interpretability.

881 views • 22 slides
Adversarial Domain Adaptation and Adversarial Robustness Judy Hoffman + = Big Deep success

Adversarial Domain Adaptation and Adversarial Robustness Judy Hoffman + = Big Deep success

Adversarial Domain Adaptation and Adversarial Robustness Judy Hoffman + = Big Deep success data learning Benchmark Performance 100 95 Accuracy 90 85 Millions of Images 80 Deep models 75 Challenge to recognize 1000

1.2k views • 60 slides
Improving Adversarial Robustness via Promoting Ensemble Diversity Tianyu

Improving Adversarial Robustness via Promoting Ensemble Diversity Tianyu

Improving Adversarial Robustness via Promoting Ensemble Diversity Tianyu Pang, Kun Xu, Chao Du, Ning Chen and Jun Zhu Department of Computer Science and Technology Tsinghua University TSAIL ICML | 2019 Adversarial

864 views • 14 slides
Adversarial Approaches to Bayesian Learning and Bayesian Approaches to Adversarial Robustness

Adversarial Approaches to Bayesian Learning and Bayesian Approaches to Adversarial Robustness

Adversarial Approaches to Bayesian Learning and Bayesian Approaches to Adversarial Robustness Ian Goodfellow, OpenAI Research Scientist NIPS 2016 Workshop on Bayesian Deep Learning Barcelona, 2016-12-10 Speculation on Three Topics Can we

769 views • 21 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google Brain CS 231n, Stanford University, 2017-05-30 Overview What are adversarial examples? Why do they happen? How can they be used to

866 views • 43 slides
A Closer Look at Adversarial Examples for Separated Data Kamalika Chaudhuri University of

A Closer Look at Adversarial Examples for Separated Data Kamalika Chaudhuri University of

A Closer Look at Adversarial Examples for Separated Data Kamalika Chaudhuri University of California, San Diego Adversarial Examples Gibbon Panda Small perturbation to legitimate inputs causing misclassification Adversarial Examples Can

1.41k views • 42 slides
Adversarial Robustness for Code Pavol Bielik , Martin Vechev pavol.bielik@inf.ethz.ch,

Adversarial Robustness for Code Pavol Bielik , Martin Vechev pavol.bielik@inf.ethz.ch,

ICML 2020 Adversarial Robustness for Code Pavol Bielik , Martin Vechev pavol.bielik@inf.ethz.ch, martin.vechev@inf.ethz.ch Department of Computer Science 1 Adversarial Robustness panda gibbon Vision + = Explaining and Harnessing

429 views • 32 slides
Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin Kwok Adversarial examples Adversarial examples Imperceptible perturbations to an input can change a neural network's prediction adversarial

1.06k views • 23 slides
Certified Adversarial Robustness via Randomized Smoothing Jeremy Cohen Elan Rosenfeld

Certified Adversarial Robustness via Randomized Smoothing Jeremy Cohen Elan Rosenfeld

Certified Adversarial Robustness via Randomized Smoothing Jeremy Cohen Elan Rosenfeld Zico Kolter Carnegie Mellon University Introduction We study a certified adversarial defense in " norm which scales to ImageNet

1.5k views • 12 slides
On the Connection Between Adversarial Robustness and Saliency Map Interpretability Christian

On the Connection Between Adversarial Robustness and Saliency Map Interpretability Christian

On the Connection Between Adversarial Robustness and Saliency Map Interpretability Christian Etmann , 1 , 3 , Sebastian Lunz , 2 , Peter Maass 1 , Carola-Bibiane Sch onlieb 2 13th June, 2019 1: ZeTeM, University of Bremen, 2: Cambridge

673 views • 19 slides
Thermometer Encoding: One Hot Way to Resist Adversarial Examples Stanford, 2017-11-16 Aurko Roy*

Thermometer Encoding: One Hot Way to Resist Adversarial Examples Stanford, 2017-11-16 Aurko Roy*

Thermometer Encoding: One Hot Way to Resist Adversarial Examples Stanford, 2017-11-16 Aurko Roy* Colin Ra ff el Jacob Ian Buckman* Goodfellow *joint first author Adversarial Examples Adversarial Definitely Probably panda perturbation

607 views • 15 slides
Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann

Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann

Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann Department of Informatics Technical University of Munich 28.10.2019 Adversarial Robustness of Machine Learning Models for Graphs S. Gnnemann Can you

669 views • 27 slides
Adversarial Examples in NLP Sameer Singh sameer@uci.edu @sameer_ sameersingh.org What are

Adversarial Examples in NLP Sameer Singh sameer@uci.edu @sameer_ sameersingh.org What are

Slides: http://tiny.cc/adversarial Adversarial Examples in NLP Sameer Singh sameer@uci.edu @sameer_ sameersingh.org What are Adversarial Examples? panda gibbon 57.7% confidence 99.3% confidence [Goodfellow et al, ICLR 2015 ]

1.56k views • 43 slides
? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

Todays Story: How I got my first Death Threat ? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr October 8 th 2019 Joint work with Pascal Dupr, Gili Rusak, Giancarlo Pellegrino and Dan Boneh The

415 views • 29 slides
Understanding and Mitigating the Tradeoff Between Robustness and Accuracy Aditi Raghunathan*

Understanding and Mitigating the Tradeoff Between Robustness and Accuracy Aditi Raghunathan*

Understanding and Mitigating the Tradeoff Between Robustness and Accuracy Aditi Raghunathan* Sang Michael Xie* Fanny Yang John C. Duchi Percy Liang Stanford University Adversarial examples Standard training leads to models that are not

619 views • 50 slides
ON THE ADVERSARIAL ROBUSTNESS OF UNCERTAINTY AWARE DEEP NEURAL NETWORKS APRIL 29 TH , 2019

ON THE ADVERSARIAL ROBUSTNESS OF UNCERTAINTY AWARE DEEP NEURAL NETWORKS APRIL 29 TH , 2019

ON THE ADVERSARIAL ROBUSTNESS OF UNCERTAINTY AWARE DEEP NEURAL NETWORKS APRIL 29 TH , 2019 PREPARED BY: ALI HARAKEH QUESTION Can a neural network mitigate the effects of adversarial attacks by estimating the uncertainty in its predictions ?

1.14k views • 26 slides
Explaining and Harnessing Adversarial Examples Ian J. Goodfellow, Jonathon Shlens, &

Explaining and Harnessing Adversarial Examples Ian J. Goodfellow, Jonathon Shlens, &

Explaining and Harnessing Adversarial Examples Ian J. Goodfellow, Jonathon Shlens, & Christian Szegedy Presented by - Kawin Ethayarajh and Abhishek Tiwari Introduction - adversarial examples : Inputs formed by applying small but

1.49k views • 103 slides

More recommend