tutorial on adversarial machine learning with cleverhans
play

Tutorial on Adversarial Machine Learning with CleverHans Nicholas - PowerPoint PPT Presentation

Feb 14, 2024 •33 likes •493 views

@NicolasPapernot Tutorial on Adversarial Machine Learning with CleverHans Nicholas Carlini University of California, Berkeley Nicolas Papernot Pennsylvania State University Did you git clone https://github.com/carlini/odsc_adversarial_nn ?

  1. @NicolasPapernot Tutorial on Adversarial Machine Learning with CleverHans Nicholas Carlini University of California, Berkeley Nicolas Papernot Pennsylvania State University Did you git clone https://github.com/carlini/odsc_adversarial_nn ? November 2017 - ODSC

  2. Getting setup If you have not already: git clone https://github.com/carlini/odsc_adversarial_nn cd odsc_adversarial_nn python test_install.py 2

  3. Why neural networks? 3

  4. Classification with neural networks Machine Learning [0.01, 0.84 , 0.02, 0.01, 0.01, 0.01, 0.05, 0.01, 0.03, 0.01] Classifier [p(0|x,θ), p(1|x,θ), p(2|x,θ), …, p(7|x,θ), p(8|x,θ), p(9|x,θ)] x f(x,θ) Classifier : map inputs to one class among a predefined set 4

  5. 5

  6. 6

  7. 7

  8. D I N E J O A S F K P B T G L Q C H M R 8

  9. 9

  10. 10

  11. [0 1 0 0 0 0 0 0 0 0] [0 1 0 0 0 0 0 0 0 0] [1 0 0 0 0 0 0 0 0 0] [0 0 0 0 0 0 0 1 0 0] Machine Learning [0 0 0 0 0 0 0 0 0 1] [0 0 0 1 0 0 0 0 0 0] Classifier [0 0 0 0 0 0 0 0 1 0] [0 0 0 0 0 0 1 0 0 0] [0 1 0 0 0 0 0 0 0 0] [0 0 0 0 1 0 0 0 0 0] Learning : find internal classifier parameters θ that minimize a cost/loss function (~model error) 11

  12. NNs give better results than any other approach But there’s a catch ... 12

  13. Adversarial examples 13 [GSS15] Goodfellow et al. Explaining and Harnessing Adversarial Examples

  14. 14

  15. Crafting adversarial examples: fast gradient sign method During training, the classifier uses a loss function to minimize model prediction errors After training, attacker uses loss function to maximize model prediction error 1. Compute its gradient with respect to the input of the model 2. Take the sign of the gradient and multiply it by a threshold 15 [GSS15] Goodfellow et al. Explaining and Harnessing Adversarial Examples

  16. Transferability 16

  17. Not specific to neural networks Logistic regression SVM 17 Nearest Neighbors Decision Trees

  18. Machine Learning with TensorFlow import tensorflow as tf sess = tf.Session() five = tf.constant(5) six = tf.constant(6) sess.run(five+six) # 11 18

  19. Machine Learning with TensorFlow import tensorflow as tf sess = tf.Session() five = tf.constant(5) number = tf.placeholder(tf.float32, []) added = five+number sess.run(added, {number: 6}) # 11 sess.run(added, {number: 8}) # 13 19

  20. Machine Learning with TensorFlow import tensorflow as tf number = tf.placeholder(tf.float32, []) squared = number * number derivative = tf.gradients(squared, [number])[0] sess.run(derivative, {number: 5}) # 10 20

  21. Classifying ImageNet with the Inception Model [Hands On] 21

  22. Attacking ImageNet 22

  23. 23

  24. Growing community 1.3K+ stars 300+ forks 40+ contributors 24

  25. Attacking the Inception Model for ImageNet [Hands On] python attack.py Replace panda.png with adversarial_panda.png python classify.py Things to try: 1. Replace the given image of a panda with your own image 2. Change the target label which the adversarial example should be classified as 25

  26. Adversarial Training 7 Training 2 26

  27. Adversarial Training 7 Attack Attack 2 27

  28. Adversarial Training 7 Training 2 7 2 28

  29. Adversarial training Intuition: injecting adversarial example during training with correct labels Goal: improve model generalization outside of training manifold Training time (epochs) 29 Figure by Ian Goodfellow

  30. Adversarial training Intuition: injecting adversarial example during training with correct labels Goal: improve model generalization outside of training manifold Training time (epochs) 30 Figure by Ian Goodfellow

  31. Adversarial training Intuition: injecting adversarial example during training with correct labels Goal: improve model generalization outside of training manifold Training time (epochs) 31 Figure by Ian Goodfellow

  32. Adversarial training Intuition: injecting adversarial example during training with correct labels Goal: improve model generalization outside of training manifold Training time (epochs) 32 Figure by Ian Goodfellow

  33. Efficient Adversarial Training through Loss Modification Small when prediction is correct on legitimate input 33

  34. Efficient Adversarial Training through Loss Modification Small when prediction is Small when prediction is correct on legitimate input correct on adversarial input 34

  35. Adversarial Training Demo 35

  36. Attacking remotely hosted black-box models Remote ML sys “0” “1” “4” (1) The adversary queries remote ML system for labels on inputs of its choice. 36

  37. Attacking remotely hosted black-box models Local Remote substitute ML sys “0” “1” “4” (2) The adversary uses this labeled data to train a local substitute for the remote system. 37

  38. Attacking remotely hosted black-box models Local Remote substitute ML sys “0” “2” “9” (3) The adversary selects new synthetic inputs for queries to the remote ML system based on the local substitute’s output surface sensitivity to input variations. 38

  39. Attacking remotely hosted black-box models “yield sign” Local Remote substitute ML sys (4) The adversary then uses the local substitute to craft adversarial examples, which are misclassified by the remote ML system because of transferability. 39

  40. Attacking with transferability “yield sign” Undefended Defended model model (4) The adversary then uses the local substitute to craft adversarial examples, which are misclassified by the remote ML system because of transferability. 40

  41. Attacking Adversarial Training with Transferability Demo 41

  42. How to test your model for adversarial examples? White-box attacks One shot ● FastGradientMethod Iterative/Optimization-based ● BasicIterativeMethod, CarliniWagnerL2 Transferability attacks ● Transfer from undefended ● Transfer from defended 42

  43. Defenses Adversarial training: - Original variant - Ensemble adversarial training - Madry et al. Reduce dimensionality of input space: - Binarization of the inputs - Thermometer-encoding 43

  44. Adversarial examples represent worst-case distribution drifts 44 [DDS04] Dalvi et al. Adversarial Classification (KDD)

  45. Adversarial examples are a tangible instance of hypothetical AI safety problems 45 Image source: http://www.nerdist.com/wp-content/uploads/2013/07/Space-Odyssey-4.jpg

  46. How to reach out to us? Nicholas Carlini nicholas@carlini.com Nicolas Papernot nicolas@papernot.fr 46

Recommend

Adversarial Robustness: Theory and Practice Zico Kolter Aleksander Mdry madry-lab.ml

Adversarial Robustness: Theory and Practice Zico Kolter Aleksander Mdry madry-lab.ml

Adversarial Robustness: Theory and Practice Zico Kolter Aleksander Mdry madry-lab.ml Tutorial website: @zicokolter @aleks_madry adversarial-ml-tutorial.org Machine Learning: The Success Story Image classification Reinforcement Learning

528 views • 49 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
Wild Patterns: Ten Years After the Rise of Adversarial Machine Learning Battista Biggio * Slides

Wild Patterns: Ten Years After the Rise of Adversarial Machine Learning Battista Biggio * Slides

Pattern Recognition University of and Applications Lab Cagliari, Italy Wild Patterns: Ten Years After the Rise of Adversarial Machine Learning Battista Biggio * Slides from this talk are inspired from the tutorial I prepared with Fabio Roli on

850 views • 65 slides
Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop

Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop

Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop September 14, 2017 Why Prove Things? Attackers often have more motivation/resources than defenders Heuristic defenses: arms race between attack and

738 views • 52 slides
AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning Florian Tramr November

AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning Florian Tramr November

AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning Florian Tramr November 14 th 2019 Joint work with Pascal Dupr, Gili Rusak, Giancarlo Pellegrino and Dan Boneh The Future of Ad-Blocking easylist.txt markup

612 views • 23 slides
Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to

Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to

Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to Nicolas Papernot, Ian Goodfellow, and Jerry Zhu for some slides . Machine learning brings social disruption at scale Healthcare Energy Source: Peng and

821 views • 71 slides
Vulnerability of machine learning models to adversarial examples Petra Vidnerov Institute of

Vulnerability of machine learning models to adversarial examples Petra Vidnerov Institute of

Vulnerability of machine learning models to adversarial examples Petra Vidnerov Institute of Computer Science The Czech Academy of Sciences Hora Informaticae 2016 Outline Introduction Works on adversarial examples Our work Genetic

855 views • 46 slides
Learning is a never-ending process Tasks come and go, but learning is forever Learn more e ff

Learning is a never-ending process Tasks come and go, but learning is forever Learn more e ff

NeurIPS 2018 Tutorial on Automatic Machine Learning Learning to Learn Learning Learning Learning Learning Learning automl.org/events -> AutoML Tutorial -> Slides Frank Hutter Joaquin Vanschoren Eindhoven University of Technology

1.36k views • 40 slides
CS 294-34: Practical Machine Learning Tutorial Ariel Kleiner Content inspired by Fall 2006

CS 294-34: Practical Machine Learning Tutorial Ariel Kleiner Content inspired by Fall 2006

CS 294-34: Practical Machine Learning Tutorial Ariel Kleiner Content inspired by Fall 2006 tutorial lecture by Alexandre Bouchard-Cote and Alex Simma August 27, 2009 Machine Learning Draws Heavily On. . . Probability and Statistics

1.21k views • 34 slides
Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann

Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann

Adversarial Robustness of Machine Learning Models for Graphs Prof. Dr. Stephan Gnnemann Department of Informatics Technical University of Munich 28.10.2019 Adversarial Robustness of Machine Learning Models for Graphs S. Gnnemann Can you

669 views • 27 slides
Intro Tutorial on GANs Michela Paganini Fermilab Machine Learning Group Meeting March 21, 2018

Intro Tutorial on GANs Michela Paganini Fermilab Machine Learning Group Meeting March 21, 2018

Yale Intro Tutorial on GANs Michela Paganini Fermilab Machine Learning Group Meeting March 21, 2018 Yale Outline Overview: Generative modeling Generative Adversarial Networks (GANs) Hands-on : build vanilla GAN on FashionMNIST GAN

965 views • 22 slides
Physical Adversarial Examples Alex Kurakin Ian Goodfellow Output STOP Machine Learning

Physical Adversarial Examples Alex Kurakin Ian Goodfellow Output STOP Machine Learning

Physical Adversarial Examples Alex Kurakin Ian Goodfellow Output STOP Machine Learning Training Examples Hidden units / BICYCLE features CAR PEDESTRIA N Parameters Input ImageNet (Russakovsky et al 2015) Adversarial Examples: Images

369 views • 19 slides
When foes are friends adversarial examples as protective technologies Carmela Troncoso

When foes are friends adversarial examples as protective technologies Carmela Troncoso

When foes are friends adversarial examples as protective technologies Carmela Troncoso @carmelatroncoso Security and Privacy Engineering Lab The machine learning revolution 2 Machine Learning ) Definition (Wikipedia) Machine learning [...]

965 views • 58 slides
Recent Trends in Adversarial Machine Learning Thanks to Ian Goodfellow, Somesh Jha, Patrick

Recent Trends in Adversarial Machine Learning Thanks to Ian Goodfellow, Somesh Jha, Patrick

Recent Trends in Adversarial Machine Learning Thanks to Ian Goodfellow, Somesh Jha, Patrick McDaniel, and Nicolas Papernot for some slides December 4, 2018 Berkay Celik How it works training Learning Algorithm Training Data Model

536 views • 35 slides
Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain

Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain

Progressive GAN CoGAN LR-GAN MedGAN CGAN IcGAN A ff GAN DiscoGAN LS-GAN BIM LAPGAN MPM-GAN AdaGAN FGSM iGAN LSGAN InfoGAN IAN ATN Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain McGAN

860 views • 45 slides
Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain

Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain

Progressive GAN CoGAN LR-GAN MedGAN CGAN IcGAN A ff GAN DiscoGAN LS-GAN BIM LAPGAN MPM-GAN AdaGAN FGSM iGAN LSGAN InfoGAN IAN ATN Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain McGAN

562 views • 39 slides
Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain

Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain

Progressive GAN CoGAN LR-GAN MedGAN CGAN IcGAN A ff GAN DiscoGAN LS-GAN BIM LAPGAN MPM-GAN AdaGAN FGSM iGAN LSGAN InfoGAN IAN ATN Adversarial Machine Learning MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain McGAN

797 views • 42 slides
Making and Measuring Progress in Adversarial Machine Learning Nicholas Carlini Google Research

Making and Measuring Progress in Adversarial Machine Learning Nicholas Carlini Google Research

Making and Measuring Progress in Adversarial Machine Learning Nicholas Carlini Google Research Act I Background Why should we care about adversarial examples? Make ML Make ML robust better Act II An Apparent Problem Let's go

1.12k views • 79 slides
Generative Adversarial Nets(GANs) Troy Cary and Chenzhi Zhao A generative adversarial net is

Generative Adversarial Nets(GANs) Troy Cary and Chenzhi Zhao A generative adversarial net is

Generative Adversarial Nets(GANs) Troy Cary and Chenzhi Zhao A generative adversarial net is a type of neural net, used in deep learning/machine learning problems The goal of a GAN is to train two simultaneous models: a generative model

441 views • 18 slides
Machine Learning Lecture 13: Generative Adversarial Networks (I) Nevin L. Zhang

Machine Learning Lecture 13: Generative Adversarial Networks (I) Nevin L. Zhang

Machine Learning Lecture 13: Generative Adversarial Networks (I) Nevin L. Zhang lzhang@cse.ust.hk Department of Computer Science and Engineering The Hong Kong University of Science and Technology This set of notes is based on internet

826 views • 54 slides
Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine

Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine

CS573 Data Privacy and Security Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine Learning Under Adversarial Settings Data privacy/confidentiality attacks membership attacks, model inversion

3.44k views • 63 slides
Recent Advances in Adversarial Machine Learning Nicholas Carlini Google Research Recent

Recent Advances in Adversarial Machine Learning Nicholas Carlini Google Research Recent

Recent Advances in Adversarial Machine Learning Nicholas Carlini Google Research Recent Advances in Adversarial (Examples in) Machine Learning Nicholas Carlini Google Research The Year is 2014 Someone tells you they have a new algorithm to

1.52k views • 139 slides
Adversarial Machine Learning Daniel Lowd University of Oregon

Adversarial Machine Learning Daniel Lowd University of Oregon

Adversarial Machine Learning Daniel Lowd University of Oregon Example: Spam Filtering From: spammer@example.com 1. Cheap mortgage now!!! Feature Weights cheap = 1.0

316 views • 14 slides
Limitations of Threat Modeling in Adversarial Machine Learning Florian Tramr EPFL, December 19

Limitations of Threat Modeling in Adversarial Machine Learning Florian Tramr EPFL, December 19

Limitations of Threat Modeling in Adversarial Machine Learning Florian Tramr EPFL, December 19 th 2019 Based on joint work with Jens Behrmannn, Dan Boneh, Nicholas Carlini, Pascal Dupr, Jrn-Henrik Jacobsen, Nicolas Papernot, Giancarlo

498 views • 39 slides

More recommend