Presentation is loading. Please wait.

Presentation is loading. Please wait.

Artifacts of Adversarial Examples

Published byElmer Montgomery Modified over 5 years ago

Similar presentations

Presentation on theme: "Artifacts of Adversarial Examples"— Presentation transcript:

1 Artifacts of Adversarial Examples
Reuben Feinman

2 Motivation Something fundamentally interesting about the adversarial example phenomenon Adversarial examples are pathological If we can understand the pathology, we can build universal adversarial example detectors that cannot be bypassed w/out changing the true label of a test point

3 CNN Overview Images are points in high-D pixel space
Images have small intrinsic dimensionality Pixel space is large, but perceptually meaningful structure has fewer independent degrees of freedom i.e. images lie on a lower-D manifold Different classes of images have different manifolds CNN classifier objective: approximate an embedding space wherein class manifolds can be linearly separated Tenenbaum et al. 2000

4 CNN Classifier Objective
Input Space Embedding Space

5 Adversarial Examples Basic iterative method (BIM):
Can be targeted or untargeted Small perturbations cause misclassification

6 Where will adversarial points land?
We don’t know… Only know that they will cross the decision boundary x* x* x* Our hypothesis: in the embedding space, points lie off of the data manifold of the target class x Source Target x*

7 Artifacts of Adversarial Examples
Kernel density estimation: observe a prediction t, compute density of the point w.r.t. training points of class t, using CNN embedding space 𝜙() Bayesian uncertainty estimates: exploit connection between dropout NNs and deep GP, compute confidence intervals for predictions * *

8 Artifacts of Adversarial Examples
% of time that density(x*) < density(x): % of time that uncert(x*) > uncert(x): MNIST CIFAR-10 BIM-A 98.0% 76.4% BIM-B 90.5% 98.8% Combine these two features in a classifier and we get a pretty detector with nice ROCs… MNIST CIFAR-10 BIM-A 99.2% 83.4% BIM-B 60.7% 4.0% Feinman et al. 2017

9 Adaptive Attacks Rather than guide sample toward target class, guide it toward a specific embedding vector of a sample from the target class Replace softmax loss in BIM with embedding vector distance Detector fails… x Source Target x*

10 What’s going on? Attacks can manipulate sample to look however desired in the CNN embedding space Remember that CNN embedding is merely an approximation of the lower-dimensional Hilbert space where our data manifolds are formed Pixel space is vast, and for many points our approximation breaks down Can we detect the breakdown? i.e. detect when our embedding space is irrelevant for a given point

11 PCA Detector Idea: Perform PCA on our normal training data
At test time, project test points into PCA basis and observe the lowest-ranked component values If values are large, assume adversarial Adversarial point

12 PCA Detector Findings: adversarial examples place large emphasis on lowest-ranked components Hendrycks & Gimpel 2017

13 Can we find a better method?
PCA is a gross simplification of the embedding space learned by a CNN Future direction: is there an analogous off-manifold analysis we can find for our CNN embedding? e.g. “Swiss roll” dataset Tenenbaum et al. 2000

14 FYI: Carlini Evaluation
Conclusion: Feinman et al. method most effective Requires 5x more distortion to evade than any other defense Good way to evaluate going forward: amount of perceptual distortion required to evade a defense Ultimate goal: find a defense that requires true label of the image to change

15 Thank you! Work done in collaboration with
Symantec Center for Advanced Machine Learning & Symantec Research Labs

Download ppt "Artifacts of Adversarial Examples"

Similar presentations

Applications of one-class classification

Applications of one-class classification
DIMENSIONALITY REDUCTION: FEATURE EXTRACTION & FEATURE SELECTION Principle Component Analysis.

DIMENSIONALITY REDUCTION: FEATURE EXTRACTION & FEATURE SELECTION Principle Component Analysis.
Biointelligence Laboratory, Seoul National University

Biointelligence Laboratory, Seoul National University
Lecture notes for Stat 231: Pattern Recognition and Machine Learning 1. Stat 231. A.L. Yuille. Fall 2004 PAC Learning and Generalizability. Margin Errors.

Lecture notes for Stat 231: Pattern Recognition and Machine Learning 1. Stat 231. A.L. Yuille. Fall 2004 PAC Learning and Generalizability. Margin Errors.
Input Space versus Feature Space in Kernel- Based Methods Scholkopf, Mika, Burges, Knirsch, Muller, Ratsch, Smola presented by: Joe Drish Department of.

Input Space versus Feature Space in Kernel- Based Methods Scholkopf, Mika, Burges, Knirsch, Muller, Ratsch, Smola presented by: Joe Drish Department of.
Support Vector Machines and Kernels Adapted from slides by Tim Oates Cognition, Robotics, and Learning (CORAL) Lab University of Maryland Baltimore County.

Support Vector Machines and Kernels Adapted from slides by Tim Oates Cognition, Robotics, and Learning (CORAL) Lab University of Maryland Baltimore County.
Presented by: Mingyuan Zhou Duke University, ECE April 3, 2009

Presented by: Mingyuan Zhou Duke University, ECE April 3, 2009
Locally Constraint Support Vector Clustering

Locally Constraint Support Vector Clustering
Prénom Nom Document Analysis: Data Analysis and Clustering Prof. Rolf Ingold, University of Fribourg Master course, spring semester 2008.

Prénom Nom Document Analysis: Data Analysis and Clustering Prof. Rolf Ingold, University of Fribourg Master course, spring semester 2008.
1 Numerical geometry of non-rigid shapes Spectral Methods Tutorial. Spectral Methods Tutorial 6 © Maks Ovsjanikov tosca.cs.technion.ac.il/book Numerical.

1 Numerical geometry of non-rigid shapes Spectral Methods Tutorial. Spectral Methods Tutorial 6 © Maks Ovsjanikov tosca.cs.technion.ac.il/book Numerical.
Active Learning with Support Vector Machines

Active Learning with Support Vector Machines
Manifold Learning: ISOMAP Alan O'Connor April 29, 2008.

Manifold Learning: ISOMAP Alan O'Connor April 29, 2008.
Introduction to Machine Learning course 67577 fall 2007 Lecturer: Amnon Shashua Teaching Assistant: Yevgeny Seldin School of Computer Science and Engineering.

Introduction to Machine Learning course fall 2007 Lecturer: Amnon Shashua Teaching Assistant: Yevgeny Seldin School of Computer Science and Engineering.
Semi-supervised protein classification using cluster kernels Jason Weston, Christina Leslie, Eugene Ie, Dengyong Zhou, Andre Elisseeff and William Stafford.

Semi-supervised protein classification using cluster kernels Jason Weston, Christina Leslie, Eugene Ie, Dengyong Zhou, Andre Elisseeff and William Stafford.
Arizona State University DMML Kernel Methods – Gaussian Processes Presented by Shankar Bhargav.

Arizona State University DMML Kernel Methods – Gaussian Processes Presented by Shankar Bhargav.
Clustering & Dimensionality Reduction 273A Intro Machine Learning.

Clustering & Dimensionality Reduction 273A Intro Machine Learning.
Face Recognition Using Neural Networks Presented By: Hadis Mohseni Leila Taghavi Atefeh Mirsafian.

Face Recognition Using Neural Networks Presented By: Hadis Mohseni Leila Taghavi Atefeh Mirsafian.
Nonlinear Dimensionality Reduction Approaches. Dimensionality Reduction The goal: The meaningful low-dimensional structures hidden in their high-dimensional.

Nonlinear Dimensionality Reduction Approaches. Dimensionality Reduction The goal: The meaningful low-dimensional structures hidden in their high-dimensional.
Dimensionality Reduction: Principal Components Analysis Optional Reading: Smith, A Tutorial on Principal Components Analysis (linked to class webpage)

Dimensionality Reduction: Principal Components Analysis Optional Reading: Smith, A Tutorial on Principal Components Analysis (linked to class webpage)
Fuzzy Entropy based feature selection for classification of hyperspectral data Mahesh Pal Department of Civil Engineering National Institute of Technology.

Fuzzy Entropy based feature selection for classification of hyperspectral data Mahesh Pal Department of Civil Engineering National Institute of Technology.

Similar presentations

Ads by Google