Artifacts of Adversarial Examples

Presentation transcript:

Artifacts of Adversarial Examples. Reuben Feinman (reuben.feinman@nyu.edu)

Motivation. There is something fundamentally interesting about the adversarial example phenomenon: adversarial examples are pathological. If we can understand the pathology, we can build universal adversarial example detectors that cannot be bypassed without changing the true label of a test point.

CNN Overview. Images are points in high-dimensional pixel space, but they have small intrinsic dimensionality: the pixel space is large, yet perceptually meaningful structure has far fewer independent degrees of freedom, i.e. images lie on a lower-dimensional manifold. Different classes of images lie on different manifolds. The CNN classifier objective is to approximate an embedding space in which the class manifolds can be linearly separated. (Tenenbaum et al. 2000)

CNN Classifier Objective. [Figure: the input space is mapped to an embedding space where class manifolds become linearly separable.]

Adversarial Examples. The basic iterative method (BIM) can be targeted or untargeted; small perturbations cause misclassification. A sketch of the attack is below.
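
Below is a minimal PyTorch sketch of BIM under some assumptions not stated on the slide: `model` maps images in [0, 1] to class logits, and the epsilon, step size, and iteration count are illustrative defaults.

```python
import torch
import torch.nn.functional as F

def bim_attack(model, x, y, eps=0.03, alpha=0.005, steps=10, targeted=False):
    """Basic Iterative Method: repeated signed-gradient steps, clipped to an
    L-infinity ball of radius eps around the original image.
    Untargeted: y is the true label and the loss is ascended.
    Targeted: y is the desired label and the loss is descended."""
    x_orig = x.detach()
    x_adv = x_orig.clone()
    for _ in range(steps):
        x_adv.requires_grad_(True)
        loss = F.cross_entropy(model(x_adv), y)
        grad, = torch.autograd.grad(loss, x_adv)
        with torch.no_grad():
            step = alpha * grad.sign()
            x_adv = x_adv - step if targeted else x_adv + step
            # Project back into the eps-ball and the valid pixel range.
            x_adv = torch.max(torch.min(x_adv, x_orig + eps), x_orig - eps)
            x_adv = torch.clamp(x_adv, 0.0, 1.0)
        x_adv = x_adv.detach()
    return x_adv
```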

Where will adversarial points land? We don’t know; we only know that they will cross the decision boundary. Our hypothesis: in the embedding space, adversarial points lie off of the data manifold of the target class. [Figure: a source point x perturbed to an adversarial point x* that crosses from the source class toward the target class.]

Artifacts of Adversarial Examples. Kernel density estimation: observe a prediction t and compute the density of the point with respect to the training points of class t, using the CNN embedding space 𝜙(). Bayesian uncertainty estimates: exploit the connection between dropout neural networks and deep Gaussian processes to compute confidence intervals for predictions. A sketch of both features is below.
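
A minimal sketch of the two detection features, assuming we can extract the CNN embedding 𝜙(x) for each input (as a NumPy array) and that the network contains dropout layers; the bandwidth and the number of stochastic passes are illustrative, not values from the slides.

```python
import numpy as np
import torch
from sklearn.neighbors import KernelDensity

def fit_class_densities(train_embeddings, train_labels, bandwidth=1.0):
    """Fit one Gaussian KDE per class on the training-set embeddings
    (train_embeddings: (N, d) array, train_labels: (N,) array)."""
    return {c: KernelDensity(kernel="gaussian", bandwidth=bandwidth)
               .fit(train_embeddings[train_labels == c])
            for c in np.unique(train_labels)}

def density_feature(kdes, embedding, predicted_class):
    """Log-density of a test embedding under the KDE of its predicted class t."""
    return kdes[predicted_class].score_samples(embedding.reshape(1, -1))[0]

def uncertainty_feature(model, x, n_passes=50):
    """Dropout-based uncertainty: variance of the softmax outputs over
    stochastic forward passes with dropout kept active at test time."""
    model.train()  # leave dropout on
    with torch.no_grad():
        probs = torch.stack([torch.softmax(model(x), dim=-1)
                             for _ in range(n_passes)])
    return probs.var(dim=0, unbiased=False).sum(dim=-1)
```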

Artifacts of Adversarial Examples

% of time that density(x*) < density(x):
           MNIST    CIFAR-10
  BIM-A    98.0%    76.4%
  BIM-B    90.5%    98.8%

% of time that uncert(x*) > uncert(x):
           MNIST    CIFAR-10
  BIM-A    99.2%    83.4%
  BIM-B    60.7%    4.0%

Combine these two features in a classifier and we get a pretty good detector with nice ROC curves (Feinman et al. 2017); a sketch is below.
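
A hedged sketch of the combined detector: a logistic regression over the two features above, trained on held-out clean and adversarial examples. The feature values here are synthetic placeholders only to make the snippet runnable; in practice they would come from the density and uncertainty functions sketched earlier.

```python
import numpy as np
from sklearn.linear_model import LogisticRegression

rng = np.random.default_rng(0)
# Placeholder features: columns are [log kernel density, dropout uncertainty].
clean = np.column_stack([rng.normal(0.0, 1.0, 500), rng.normal(0.05, 0.02, 500)])
adv = np.column_stack([rng.normal(-2.0, 1.0, 500), rng.normal(0.15, 0.05, 500)])
X = np.vstack([clean, adv])
y = np.concatenate([np.zeros(500), np.ones(500)])  # 1 = adversarial

detector = LogisticRegression().fit(X, y)
adv_score = detector.predict_proba(X)[:, 1]  # higher = more likely adversarial
```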

Adaptive Attacks. Rather than guiding the sample toward the target class, guide it toward the specific embedding vector of a sample from the target class: replace the softmax loss in BIM with an embedding-vector distance. The detector fails… [Figure: source point x, target class, and adversarial point x*.] A sketch of the modified attack is below.
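
A minimal sketch of the adaptive attack, assuming `embed(x)` returns the CNN embedding 𝜙(x) and `target_embedding` is the embedding of a chosen sample from the target class; the epsilon, step size, and iteration count are illustrative.

```python
import torch

def adaptive_bim(embed, x, target_embedding, eps=0.03, alpha=0.005, steps=20):
    """BIM with the softmax loss replaced by the distance between the
    candidate's embedding and a target-class embedding."""
    x_orig = x.detach()
    x_adv = x_orig.clone()
    for _ in range(steps):
        x_adv.requires_grad_(True)
        loss = torch.norm(embed(x_adv) - target_embedding)
        grad, = torch.autograd.grad(loss, x_adv)
        with torch.no_grad():
            x_adv = x_adv - alpha * grad.sign()  # descend the embedding distance
            x_adv = torch.max(torch.min(x_adv, x_orig + eps), x_orig - eps)
            x_adv = torch.clamp(x_adv, 0.0, 1.0)
        x_adv = x_adv.detach()
    return x_adv
```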

What’s going on? Attacks can manipulate a sample to look however they want in the CNN embedding space. Remember that the CNN embedding is merely an approximation of the lower-dimensional Hilbert space where our data manifolds are formed. Pixel space is vast, and for many points the approximation breaks down. Can we detect that breakdown, i.e. detect when our embedding space is irrelevant for a given point?

PCA Detector. Idea: perform PCA on our normal training data. At test time, project test points onto the PCA basis and observe the lowest-ranked component values; if those values are large, assume the point is adversarial. [Figure: an adversarial point with large low-ranked components.] A sketch is below.
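
A minimal sketch of the PCA check on flattened images; the number of low-ranked components and the decision threshold are illustrative and would be chosen on held-out clean data.

```python
import numpy as np
from sklearn.decomposition import PCA

def fit_pca(train_images):
    """Fit a full PCA basis on flattened normal training images (N, H, W[, C])."""
    X = train_images.reshape(len(train_images), -1)
    return PCA().fit(X)

def low_rank_energy(pca, image, n_low=100):
    """Total magnitude of the coefficients on the n_low lowest-variance components."""
    coeffs = pca.transform(image.reshape(1, -1))[0]
    return np.abs(coeffs[-n_low:]).sum()

# Flag a test point as adversarial when its low-ranked energy is unusually large:
# is_adversarial = low_rank_energy(pca, x) > threshold
```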

PCA Detector. Findings: adversarial examples place disproportionately large weight on the lowest-ranked components (Hendrycks & Gimpel 2017).

Can we find a better method? PCA is a gross simplification of the embedding space learned by a CNN. Future direction: is there an analogous off-manifold analysis for our CNN embedding? (e.g. the “Swiss roll” dataset, Tenenbaum et al. 2000)

FYI: Carlini Evaluation. Conclusion: the Feinman et al. method is the most effective of the defenses evaluated, requiring 5x more distortion to evade than any other defense. A good way to evaluate going forward: the amount of perceptual distortion required to evade a defense. Ultimate goal: find a defense that requires the true label of the image to change.

Thank you! Work done in collaboration with Symantec Center for Advanced Machine Learning & Symantec Research Labs