on evaluation of adversarial perturbations for sequence
play

On Evaluation of Adversarial Perturbations for Sequence-to-Sequence - PowerPoint PPT Presentation

Mar 09, 2023 •140 likes •908 views

On Evaluation of Adversarial Perturbations for Sequence-to-Sequence Models Paul Michel, Xian Li, Graham Neubig, Juan Pino Adversarial Attacks/Perturbations Apply a small (indistinguishable) perturbation to the input that elicit large

  1. On Evaluation of Adversarial Perturbations for Sequence-to-Sequence Models Paul Michel, Xian Li, Graham Neubig, Juan Pino

  2. Adversarial Attacks/Perturbations ● Apply a small (indistinguishable) perturbation to the input that elicit large changes in the output

  3. Adversarial Attacks/Perturbations ● Apply a small (indistinguishable) perturbation to the input that elicit large changes in the output Figure from Goodfellow et al. (2014)

  4. Adversarial Attacks/Perturbations ● Apply a small (indistinguishable) perturbation to the input that elicit large changes in the output Figure from Goodfellow et al. (2014)

  5. Adversarial Attacks/Perturbations ● Apply a small (indistinguishable) perturbation to the input that elicit large changes in the output Figure from Goodfellow et al. (2014)

  6. Adversarial Attacks/Perturbations ● Apply a small (indistinguishable) perturbation to the input that elicit large changes in the output Figure from Goodfellow et al. (2014)

  7. Indistinguishable Perturbations ● Small perturbations are well defined in vision ○ Small l2 ~= indistinguishable to the human eye ... l2 distance

  8. Indistinguishable Perturbations ● Small perturbations are well defined in vision ○ Small l2 ~= indistinguishable to the human eye ... l2 distance ● What about text ?

  9. Not all Text Perturbations are Equal He’s very friendly

  10. Not all Text Perturbations are Equal He’s very friendly He’s pretty friendly [Similar meaning] ✔

  11. Not all Text Perturbations are Equal He’s very friendly He’s very annoying He’s pretty friendly [Difgerent meaning] [Similar meaning] ❌ ✔

  12. Not all Text Perturbations are Equal He’s very friendly He’s very annoying He’s pretty friendly He’s She friendly [Difgerent meaning] [Similar meaning] [Nonsensical] ❌ ✔ ❌

  13. Not all Text Perturbations are Equal He’s very friendly He’s very annoying He’s pretty friendly He’s She friendly He’s very freindly [Difgerent meaning] [Similar meaning] [Nonsensical] [Typo] ❌ ✔ ❌ ✔

  14. Not all Text Perturbations are Equal He’s very friendly He’s very annoying He’s pretty friendly He’s She friendly He’s very freindly [Difgerent meaning] [Similar meaning] [Nonsensical] [Typo] ❌ ✔ ❌ ✔ ⇒ Can’t expect the model to output the same output!

  15. Not all Text Perturbations are Equal He’s very friendly He’s very annoying He’s pretty friendly He’s She friendly He’s very freindly [Difgerent meaning] [Similar meaning] [Nonsensical] [Typo] ❌ ✔ ❌ ✔ ⇒ Can’t expect the model to output the same output! This paper: Why and How you should evaluate adversarial perturbations

  16. A Framework for Evaluating Adversarial Attacks

  17. Problem Definition Reference They plow it right back into filing more troll lawsuits. Original Ils le réinvestissent directement en engageant plus de procès.

  18. Problem Definition Reference They plow it right back into filing more troll lawsuits. Original Ils le réinvestissent directement en engageant plus de procès.

  19. Problem Definition Reference They plow it right back into filing more troll lawsuits. Base output They direct it directly by engaging Original Ils le réinvestissent directement en engageant more cases. plus de procès.

  20. Problem Definition Reference They plow it right back into filing more troll lawsuits. Evaluate Base output They direct it directly by engaging Original Ils le réinvestissent directement en engageant more cases. plus de procès.

  21. Problem Definition Reference They plow it right back into filing more troll lawsuits. Evaluate Base output They direct it directly by engaging Original Ils le réinvestissent directement en engageant more cases. plus de procès. Attack Ilss le réinvestissent dierctement en engagaent Adv. src plus de procès.

  22. Problem Definition Reference They plow it right back into filing more troll lawsuits. Evaluate Base output They direct it directly by engaging Original Ils le réinvestissent directement en engageant more cases. plus de procès. Attack Adv. output .. de plus. Ilss le réinvestissent dierctement en engagaent Adv. src plus de procès.

  23. Problem Definition Reference They plow it right back into filing more troll lawsuits. Evaluate Base output They direct it directly by engaging Original Ils le réinvestissent directement en engageant more cases. plus de procès. Attack Evaluate too! Adv. output .. de plus. Ilss le réinvestissent dierctement en engagaent Adv. src plus de procès.

  24. Source Side Evaluation ● Evaluate meaning preservation on the source side ● Where is a similarity metric such that > He’s very friendly He’s pretty friendly He’s very friendly He’s very annoying > He’s very friendly He’s pretty friendly He’s very friendly He’s She friendly [...]

  25. Target Side Evaluation ● Given , a similarity metric on the target side

  26. Target Side Evaluation ● Given , a similarity metric on the target side ● Evaluate relative meaning destruction on the target side

  27. Target Side Evaluation ● Given , a similarity metric on the target side ● Evaluate relative meaning destruction on the target side

  28. Target Side Evaluation ● Given , a similarity metric on the target side ● Evaluate relative meaning destruction on the target side

  29. Target Side Evaluation ● Given , a similarity metric on the target side ● Evaluate relative meaning destruction on the target side

  30. Target Side Evaluation ● Given , a similarity metric on the target side ● Evaluate relative meaning destruction on the target side

  31. Target Side Evaluation ● Given , a similarity metric on the target side ● Evaluate relative meaning destruction on the target side

  32. Successful Adversarial Attacks ● Ensure that:

  33. Successful Adversarial Attacks ● Ensure that: Source meaning destruction

  34. Successful Adversarial Attacks ● Ensure that: Source meaning destruction Target meaning destruction

  35. Successful Adversarial Attacks ● Ensure that: Source meaning destruction Target meaning destruction ● Destroy the meaning on the target side more than on the source side

  36. Which similarity metric to use? “How would you rate the similarity between the meaning of these two sentences?” 0. The meaning is completely difgerent or one of the sentences ● Human evaluation is meaningless 1. The topic is the same but the meaning is difgerent ○ 6 point scale, details in paper 2. Some key information is difgerent 3. The key information is the same but the details difger 4. Meaning is essentially the same but some expressions are unnatural 5. Meaning is essentially equal and the two sentences are well-formed [Language]

  37. Which similarity metric to use? “How would you rate the similarity between the meaning of these two sentences?” 0. The meaning is completely difgerent or one of the sentences ● Human evaluation is meaningless 1. The topic is the same but the meaning is difgerent ○ 6 point scale, details in paper 2. Some key information is difgerent 3. The key information is the same but the details difger 4. Meaning is essentially the same but some expressions are unnatural 5. Meaning is essentially equal and the two sentences are ● BLEU [Papineni et al., 2002] well-formed [Language] ○ Geometric mean of n-gram precision + length penalty

  38. Which similarity metric to use? “How would you rate the similarity between the meaning of these two sentences?” 0. The meaning is completely difgerent or one of the sentences ● Human evaluation is meaningless 1. The topic is the same but the meaning is difgerent ○ 6 point scale, details in paper 2. Some key information is difgerent 3. The key information is the same but the details difger 4. Meaning is essentially the same but some expressions are unnatural 5. Meaning is essentially equal and the two sentences are ● BLEU [Papineni et al., 2002] well-formed [Language] ○ Geometric mean of n-gram precision + length penalty ● METEOR [Banerjee and Lavie, 2005] ○ Word matching taking into account stemming, synonyms, paraphrases...

  39. Which similarity metric to use? “How would you rate the similarity between the meaning of these two sentences?” 0. The meaning is completely difgerent or one of the sentences ● Human evaluation is meaningless 1. The topic is the same but the meaning is difgerent ○ 6 point scale, details in paper 2. Some key information is difgerent 3. The key information is the same but the details difger 4. Meaning is essentially the same but some expressions are unnatural 5. Meaning is essentially equal and the two sentences are ● BLEU [Papineni et al., 2002] well-formed [Language] ○ Geometric mean of n-gram precision + length penalty ● METEOR [Banerjee and Lavie, 2005] ○ Word matching taking into account stemming, synonyms, paraphrases... ● chrF [Popović, 2015] ○ Character n-gram F-score

  40. Experimental Setting

  41. Data and Models ● Data ○ IWSLT 2016 dataset ○ {Czech, German, French} → English ● Models ○ LSTM based model ○ Transformer based model ○ Both word and sub-word based models

Recommend

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr & Dan Boneh NeurIPS 2019 Adversarial examples 88% Tabby Cat 99% Guacamole Szegedy et al., 2014 Goodfellow et al., 2015 Athalye, 2017 Adversarial

564 views • 23 slides
Fundamental Tradeoffs between Invariance and Sensitivity to Adversarial Perturbations Florian

Fundamental Tradeoffs between Invariance and Sensitivity to Adversarial Perturbations Florian

Fundamental Tradeoffs between Invariance and Sensitivity to Adversarial Perturbations Florian Tramr Jens Behrmann Nicholas Carlini Nicolas Papernot Jrn-Henrik Jacobsen What are Adversarial Examples? any input to a ML model that is

1.13k views • 16 slides
Learning Universal Adversarial Perturbations with Generative Models Jamie Hayes & George

Learning Universal Adversarial Perturbations with Generative Models Jamie Hayes & George

Learning Universal Adversarial Perturbations with Generative Models Jamie Hayes & George Danezis UCL Adversarial examples transfer between different models. An adversarial example crafted against one model will generally fool other models.

515 views • 18 slides
Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks Nicolas

Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks Nicolas

Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks Nicolas Papernot , Patrick McDaniel, Xi Wu, Somesh Jha, and Ananthram Swami May 24th, 2016 @ 37th IEEE Symposium on Security and Privacy @NicolasPapernot 1 M

1.38k views • 39 slides
Adversarial Perturbations of Opinion Dynamics in Networks Jason Gaitonde (Cornell University)

Adversarial Perturbations of Opinion Dynamics in Networks Jason Gaitonde (Cornell University)

Adversarial Perturbations of Opinion Dynamics in Networks Jason Gaitonde (Cornell University) EC 2020 Joint work with Jon Kleinberg (Cornell) and va Tardos (Cornell) Problem Setup Peoples opinions evolve via their interactions with

519 views • 4 slides
Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin

Synthesizing Robust Adversarial Examples Anish Athalye*, Logan Engstrom*, Andrew Ilyas*, Kevin Kwok Adversarial examples Adversarial examples Imperceptible perturbations to an input can change a neural network's prediction adversarial

1.06k views • 23 slides
CS 331: Artificial Intelligence Adversarial Search II 1 Outline 1. Evaluation Functions 2.

CS 331: Artificial Intelligence Adversarial Search II 1 Outline 1. Evaluation Functions 2.

CS 331: Artificial Intelligence Adversarial Search II 1 Outline 1. Evaluation Functions 2. State-of-the-art game playing programs 3. 2 player zero-sum finite stochastic games of perfect information 2 1 Evaluation Functions 3 Evaluation

446 views • 20 slides
Adversarial Games Lectures Contents 1. Introduction 2. Move Evaluation using MiniMax

Adversarial Games Lectures Contents 1. Introduction 2. Move Evaluation using MiniMax

Adversarial Games Lectures Contents 1. Introduction 2. Move Evaluation using MiniMax - Pruning 3. 4. Randomness and Uncertainty (and Pac-Man) COMP2240 Artificial Intelligence Lecture AG-1 Adversarial Games:

832 views • 67 slides
Kevin Roth*, Yannic Kilcher *, Thomas Hofmann ETH Zrich 2 6 # r e t s o p Log-Odds

Kevin Roth*, Yannic Kilcher *, Thomas Hofmann ETH Zrich 2 6 # r e t s o p Log-Odds

Kevin Roth*, Yannic Kilcher *, Thomas Hofmann ETH Zrich 2 6 # r e t s o p Log-Odds & Adversarial Examples Log-Odds & Adversarial Examples Adversarial examples cause atypically large feature space perturbations along the

238 views • 21 slides
SeqGAN: Sequence Generative Adversarial Nets with Policy Gradient Lantao Yu , Weinan Zhang

SeqGAN: Sequence Generative Adversarial Nets with Policy Gradient Lantao Yu , Weinan Zhang

SeqGAN: Sequence Generative Adversarial Nets with Policy Gradient Lantao Yu , Weinan Zhang , Jun Wang , Yong Yu Shanghai Jiao Tong University, University College London Attribution Multiple slides taken from

1.05k views • 67 slides
How CLEVER is is your neural network? Robustness evaluation against adversarial examples Pin-Yu

How CLEVER is is your neural network? Robustness evaluation against adversarial examples Pin-Yu

How CLEVER is is your neural network? Robustness evaluation against adversarial examples Pin-Yu Chen IBM Research AI OReilly AI Conference @ London 2018 IBM Research AI Label it! IBM Research AI Label it! AI model says: ostrich IBM

852 views • 36 slides
CS 331: Artificial Intelligence Adversarial Search II 1 Outline 1. Evaluation Functions 2 2.

CS 331: Artificial Intelligence Adversarial Search II 1 Outline 1. Evaluation Functions 2 2.

CS 331: Artificial Intelligence Adversarial Search II 1 Outline 1. Evaluation Functions 2 2. 2 player zero-sum finite stochastic games 2 pla er ero s m finite stochastic games of perfect information 3. State-of-the-art game playing programs

461 views • 21 slides
Sequence to Sequence models: Connectionist Temporal Classification 1 Sequence-to-sequence

Sequence to Sequence models: Connectionist Temporal Classification 1 Sequence-to-sequence

Deep Learning Sequence to Sequence models: Connectionist Temporal Classification 1 Sequence-to-sequence modelling Problem: A sequence goes in A different sequence comes out E.g. Speech recognition:

1.86k views • 172 slides
Measuring Perturbations Measuring Perturbations with Weak Lensing of SNe with Weak Lensing of

Measuring Perturbations Measuring Perturbations with Weak Lensing of SNe with Weak Lensing of

Univ. Frankfurt Jan 2014 Univ. Frankfurt Jan 2014 Measuring Perturbations Measuring Perturbations with Weak Lensing of SNe with Weak Lensing of SNe In collaboration with: Luca Amendola, Tiago de Castro & Valerio Marra Miguel

580 views • 47 slides
Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs

Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs

Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs William Wang 10:30 11:00 Break - 11:00 12:15 Adversarial Examples Sameer Singh 12:15 12:30 Conclusions and Question Answering William

1.75k views • 105 slides
P Perturbations Perturbations P t t b ti b ti in Lee in Lee in Lee Wick Bouncing Universe

P Perturbations Perturbations P t t b ti b ti in Lee in Lee in Lee Wick Bouncing Universe

P Perturbations Perturbations P t t b ti b ti in Lee in Lee in Lee Wick Bouncing Universe in Lee-Wick Bouncing Universe Wick Bouncing Universe Wick Bouncing Universe Inyong Cho (Seoul National University of Science & Technology)

619 views • 37 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google Brain CS 231n, Stanford University, 2017-05-30 Overview What are adversarial examples? Why do they happen? How can they be used to

866 views • 43 slides
Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu xiwu@cs.wisc.edu Joint work with Uyeong Jang, Jiefeng Chen, Lingjiao Chen, and Somesh Jha July 19, 2018 Xi Wu Model Confidence and Adversarial

740 views • 9 slides
CSE 473: Artificial Intelligence Today Spring 2012 Adversarial Search Minimax search

CSE 473: Artificial Intelligence Today Spring 2012 Adversarial Search Minimax search

4/11/2012 CSE 473: Artificial Intelligence Today Spring 2012 Adversarial Search Minimax search - search Evaluation functions Adversarial Search Ad i l S h Expectimax Dan Weld Reminder: Programming 1 due

603 views • 3 slides
Right-handed neutrinos as the source of density perturbations Lotfi Boubekeur ICTP - Trieste.

Right-handed neutrinos as the source of density perturbations Lotfi Boubekeur ICTP - Trieste.

Right-handed neutrinos as the source of density perturbations Lotfi Boubekeur ICTP - Trieste. Based on: LB and P. Creminelli , hep-ph/0602052 PRD 73 (2006) 103516. Workshop on Cosmological Perturbations, GGI Firenze 25 October,

610 views • 17 slides
? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

Todays Story: How I got my first Death Threat ? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr October 8 th 2019 Joint work with Pascal Dupr, Gili Rusak, Giancarlo Pellegrino and Dan Boneh The

415 views • 29 slides
SEQ 3 : Differentiable Sequence-to-Sequence-to-Sequence Autoencoder for Unsupervised Abstractive

SEQ 3 : Differentiable Sequence-to-Sequence-to-Sequence Autoencoder for Unsupervised Abstractive

SEQ 3 : Differentiable Sequence-to-Sequence-to-Sequence Autoencoder for Unsupervised Abstractive Sentence Compression Christos Baziotis, Ion Androutsopoulos, Ioannis Konstas, Alexandros Potamianos Ed nburgh NLP University of Edinburgh Natural

772 views • 51 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
Asynchronous sequence circuits An asynchronous sequence machine is a sequence circuit without

Asynchronous sequence circuits An asynchronous sequence machine is a sequence circuit without

Asynchronous sequence circuits An asynchronous sequence machine is a sequence circuit without flip-flops Asynchronous sequence machines are based on combinational gates with feedback Upon analysis it is assumed : Only one signal at a

1.34k views • 66 slides

More recommend