Universal Adversarial Networks
Jamie Hayes
University College London

Abstract

Neural networks are known to be vulnerable to adversarial examples: inputs that have been intentionally perturbed to remain visually similar to the source input, but that cause a misclassification. It was recently shown that, given a target dataset and classifier, there exist so-called universal adversarial perturbations, a single perturbation that causes a misclassification when applied to any input. In this work, we introduce universal adversarial networks, a generative network that is capable of fooling a target classifier when its generated output is combined with a clean sample. We show that this technique improves on known universal adversarial attacks.

I. INTRODUCTION

Machine learning models are increasingly relied upon for safety- and business-critical tasks such as medical [12], [16], [24], robotics and automotive [15], [18], [23], security [1], [8], [22], and financial [6], [9], [20] applications. Recent research shows that machine learning models trained on entirely uncorrupted data are still vulnerable to adversarial examples [4], [5], [13], [14], [19], [21]: samples that have been maliciously altered so as to be misclassified by a target model while appearing unaltered to the human eye. Most work focuses on generating perturbations that cause a specific input to be misclassified; however, it has been shown that adversarial perturbations generalize across many inputs [19]. Moosavi-Dezfooli et al. [10] showed, in the most extreme case, that given a target model and a dataset, it is possible to compute a single perturbation that, when applied to any input, will cause a misclassification with high likelihood. These are referred to as universal adversarial perturbations (UAPs).

In this work, we study the capacity of generative models to learn to craft UAPs; we refer to these networks as universal adversarial networks (UANs). We show that a UAN is able to sample from noise and generate a perturbation such that, when applied to any input from the dataset, it results in a misclassification by the target model. Furthermore, perturbations produced by UANs transfer robustly to other models.

II. BACKGROUND

We define adversarial examples and UAPs along with some terminology and notation. We then introduce the threat model considered, and the datasets we use to evaluate the attacks.

A. Adversarial Examples

Szegedy et al. [19] cast the construction of adversarial examples as an optimization problem. Given a target model, f, and a source input x, sometimes referred to in the literature as a clean or original input, the input x is classified correctly by f as y. The attacker aims to find an adversarial input, x + c, which is perceptually identical to x but for which f(x + c) ≠ y. The adversary attempts to find argmin_c ||c|| such that f(x + c) = l, x + c is a legitimate input, and f(x) ≠ l. The problem can be extended to force a specific misclassification, referred to as a targeted attack, or any misclassification, referred to as a non-targeted attack. In the absence of a distance measure that accurately captures the perceptual difference between a source input and an adversarial example, the ℓp distance metric is used in [19] as a measure of similarity. The ℓ0 distance measures the number of pixels that have changed, the ℓ2 distance measures the Euclidean distance between two images, while the ℓ∞ distance measures the maximum perturbation applied to any single pixel.
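As a concrete illustration of these distance measures (not code from the paper; the tensors and values are ours), the ℓ0, ℓ2, and ℓ∞ distances between a clean and an adversarial image can be computed as follows:

```python
import torch

def perturbation_norms(x, x_adv):
    """Distance measures between a clean image x and an adversarial image x_adv.

    Both tensors are assumed to share a shape such as (3, H, W), with pixel
    values in [0, 1].
    """
    c = (x_adv - x).flatten()
    l0 = (c != 0).sum().item()      # number of values that changed
    l2 = c.norm(p=2).item()         # Euclidean distance between the two images
    linf = c.abs().max().item()     # largest change applied to any single value
    return l0, l2, linf

# Example: a random image with a small random perturbation.
x = torch.rand(3, 32, 32)
x_adv = (x + 0.01 * torch.randn_like(x)).clamp(0, 1)
print(perturbation_norms(x, x_adv))
```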
Given a target model, f, and a dataset, X, a UAP is a perturbation, c, such that for all x ∈ X, x + c is a valid input and Pr(f(x + c) ≠ f(x)) = 1 − δ, where 0 < δ ≪ 1.

B. Threat Model

We consider an attacker who wishes to craft UAPs such that any input to which they are applied will be incorrectly classified by a target model with high likelihood. We also constrain the adversarial input crafted by the attacker to be visually indistinguishable from the source input, evaluated through the ℓ2 and ℓ∞ distance measures. Our attacks assume white-box access to the target model, as we backpropagate the error of the target model back to the UAN. The attacker samples an input from noise, generates a mask, and applies this to an input which is then given to the target model. In almost all experiments, we consider a worst-case scenario with respect to data access, assuming that the attacker has knowledge of, and shares access to, any training data samples.

C. Datasets

We evaluate attacks using two popular datasets in adversarial machine learning research, ImageNet and CIFAR-10 [7]. Due to training time constraints, we restrict ImageNet experiments to its validation dataset, which consists of 50,000 RGB images, scaled to 224 × 224, covering 1,000 classes. The 50,000 images are split into 40,000 training set images and 10,000 validation set images. We ensure classes are balanced, such that each class contains 40 images in the training set and 10 images in the validation set. Our pretrained models, ResNet-152, VGG-19 [17], and InceptionV3, used as the target models, score 78.4%, 73.1%, and 77.3% top-1 test accuracy, respectively.

The CIFAR-10 dataset consists of 60,000 32 × 32 RGB images of objects in ten classes: airplane, automobile, bird, cat, deer, dog, frog, horse, ship, truck. This is split into 50,000 training images and 10,000 validation images. Our pretrained models, ResNet-101, VGG-19 [17], and DenseNet, used as the target models, score 93.75%, 94.01%, and 95.00% test accuracy, respectively. State-of-the-art results on CIFAR-10 are approximately 95% accuracy.
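Before describing the attack, the following sketch shows how the fooling rate Pr(f(x + c) ≠ f(x)) from the UAP definition above can be estimated on a held-out set (our illustration, not code from the paper; `model` and `loader` stand for a pretrained classifier and a validation DataLoader):

```python
import torch

@torch.no_grad()
def fooling_rate(model, loader, c, device="cpu"):
    """Fraction of inputs whose predicted class changes when the UAP c is added."""
    model.eval()
    fooled, total = 0, 0
    for x, _ in loader:
        x = x.to(device)
        clean_pred = model(x).argmax(dim=1)
        adv_pred = model((x + c).clamp(0, 1)).argmax(dim=1)
        fooled += (adv_pred != clean_pred).sum().item()
        total += x.size(0)
    return fooled / total
```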
Fig. 1: Overview of the attack.

III. UNIVERSAL ADVERSARIAL NETWORKS

A. Attack Description

An overview of the attack is given in Figure 1. An attacker is provided access to a target model and attempts to train a new network, called a universal adversarial network (UAN), that learns to generate perturbations such that, when applied to any input, they lead to a misclassification by the target model. The UAN is trained to minimize the distance between the source and adversarial image while causing a misclassification in the target model.

The UAN accepts noise as input and outputs a candidate for a UAP, δ. To constrain δ to be of minimal norm, we apply a weighting coefficient before adding it to a dataset sample; this rescales δ to the desired distance. The best method for minimizing the distance between an adversarial and clean input is for the UAN to minimize the norm of its output; however, this will clearly lead to both the clean and adversarial image being assigned the same, correct, label by the target model, i.e., no attack at all. Therefore we train the UAN via a cost function that reflects the level of success in fooling the target model while, in parallel, updating the weighting coefficient to minimize the norm of candidate UAPs.

We adapt the loss functions defined by Carlini and Wagner [2] and Chen et al. [3] to learn to craft UAPs. Given a UAN U, target model f, a candidate UAP δ, an input x ∈ X, and the output layer of f, F, we define the loss of U as:

L = log(F(x + δ)_{f(x)}) − max_{i ≠ f(x)} log(F(x + δ)_i) + α · ||δ||

L can be thought of as a success measure of the UAN: reducing L means the gap between the originally predicted class and the next highest class shrinks. The logarithmic term is necessary since most target models have a skewed probability distribution, with one class prediction dominating all others; the logarithm reduces the effect of this dominance. In addition to the weighting coefficient, to further constrain the norm of the adversarial perturbation we include ℓ2-regularization in the UAN and a loss term constraining the maximum perturbation.

The full description of the attack is given in Algorithm 1, and the UAN model architecture and hyperparameters are given in Table I and Table II. We define the relative perturbation as the ratio of the norm of the UAP over the norm of the original image. This is set to 4 in all experiments.

Code available at

TABLE I: UAN model architecture. IS refers to the image size: 32 for CIFAR-10 experiments and 299 or 224 for ImageNet experiments. The layers are: input noise (100), five blocks of Deconv + Batch Norm + ReLU, FC + Batch Norm + ReLU (512), FC + Batch Norm + ReLU (1024), and a final FC layer (3 × IS × IS).

TABLE II: UAN hyperparameters for the CIFAR-10 and ImageNet experiments: learning rate, beta parameters, batch size, epochs, weight coefficient, weight coefficient update, ℓ2 regularization factor, and ℓ∞ loss weight (α).
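To make the training objective concrete, here is a minimal sketch of how the loss L above could be implemented (our reading of the formula rather than the paper's released code; the target model is assumed to output logits, and the norm term is taken here as ℓ∞):

```python
import torch
import torch.nn.functional as F

def uan_loss(target_model, x, delta, alpha):
    """Adapted C&W-style fooling loss for a batch x and a candidate UAP delta.

    Minimizing the first two terms pushes the log-probability of the originally
    predicted class below that of the runner-up class; the last term keeps the
    perturbation small.
    """
    log_probs_clean = F.log_softmax(target_model(x), dim=1)
    orig_class = log_probs_clean.argmax(dim=1)                    # f(x)

    log_probs_adv = F.log_softmax(target_model((x + delta).clamp(0, 1)), dim=1)
    orig_logp = log_probs_adv.gather(1, orig_class.unsqueeze(1)).squeeze(1)

    # Mask out the original class before taking the max over the remaining classes.
    masked = log_probs_adv.scatter(1, orig_class.unsqueeze(1), float("-inf"))
    runner_up_logp = masked.max(dim=1).values

    fool_term = (orig_logp - runner_up_logp).mean()
    return fool_term + alpha * delta.norm(p=float("inf"))
```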
IV. ATTACK EVALUATION

A. Comparison with previous work

We now compare our method for crafting UAPs with two state-of-the-art methods. Moosavi-Dezfooli et al. [10] construct the perturbation iteratively: at each step an input is combined with the current constructed UAP, and if the combination does not fool the target model, a new perturbation with minimal norm is found that does fool the target model. The attack terminates when a threshold fooling rate is met. Mopuri et al. [11] develop a method for finding a UAP for a target model that is independent of the dataset. They construct a UAP by starting with a random noise UAP and iteratively altering it to over-saturate features learned at successive layers in the target model, essentially causing neurons at each layer to output useless information and so cause the desired misclassification. They optimize the UAP by adjusting it with respect to the loss term:

L = log(∏_{i=1}^{K} l_i(δ)), such that ||δ||_∞ < α,

where l_i(δ) is the average of the output at layer i for perturbation δ, and α is the maximum permitted perturbation.

Table III compares our UAN method of generating UAPs against the two attacks described above for both CIFAR-10 and ImageNet. We see that we consistently outperform both attack methods.
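For intuition only, a rough sketch of a data-free objective in this spirit, written as a quantity to minimize (our paraphrase of the description above rather than the reference implementation of [11]; which layers to hook and the bound α are assumptions):

```python
import torch

def datafree_uap_loss(model, layers, delta):
    """Drive the mean activations of the chosen layers as high as possible,
    using only the perturbation itself as input (no data samples needed)."""
    acts = []
    hooks = [l.register_forward_hook(lambda mod, inp, out: acts.append(out)) for l in layers]
    model(delta.unsqueeze(0))   # delta is assumed to be a single image-shaped tensor
    for h in hooks:
        h.remove()
    # log of a product of mean activations = sum of logs; negate so that
    # minimizing this loss maximizes the activations.
    return -sum(torch.log(a.abs().mean() + 1e-12) for a in acts)

# After each gradient step, delta would be projected back into the allowed
# region, e.g. delta.data.clamp_(-alpha, alpha) for an l-infinity bound alpha.
```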
TABLE III: Comparison of fooling rates (%) for UAN and three other universal adversarial perturbation methods (Moosavi-Dezfooli et al. [10], ℓ2 and ℓ∞ variants, and Mopuri et al. [11]) on CIFAR-10 and ImageNet.

TABLE IV: Success of fooling (%). UAPs are constructed using row models and tested against pre-trained column models.

Fig. 2: Non-targeted attacks. From left to right: original image, UAP, adversarial image.

V. TRANSFERABILITY, GENERALIZABILITY & TARGETED ATTACKS

A. Transferability

An adversarial image is transferable if it successfully fools a model that was not its original target. Transferability is a yardstick for the robustness of adversarial examples, and is the main property used by Papernot et al. [13], [14] to construct black-box adversarial examples. They mount a white-box attack on a local model that has been trained to replicate the intended target model's decision boundaries, and show that the resulting adversarial examples successfully transfer to fool the black-box target model.

We create 10,000 adversarial images, one for each image in the CIFAR-10 validation set, and apply them to a different target model. Table IV gives results for transferability of a non-targeted attack on three target models: ResNet, DenseNet, and VGG-19. We find that UAPs crafted using a UAN do transfer to other models. For a UAN trained on one of these models and evaluated on ResNet, fooling success is 61.2%, a drop of just 7.7% from evaluating on the original target model.

We also measure the capacity of a UAN to learn to fool an ensemble of target models. We trained a UAN against VGG-19, DenseNet, and ResNet on CIFAR-10, where the UAN loss function is a linear combination of the losses on each target model. From Table IV, we see that a UAN trained against an ensemble of target models is able to fool at rates comparable to single target models.

B. Generalizability

Moosavi-Dezfooli et al. [10] have shown that UAPs are not unique; there exist many candidates that perform equally well at fooling images in a dataset. If a UAN is truly modeling the distribution of UAPs, its output should not be unique. In Figure 4, we measure the MSE (mean squared error) and SSIM (structural similarity index) between outputs of the UAN throughout training. We see that as we continue to train, UAPs have larger differences between one another and so diversify over time.

Fig. 4: MSE and SSIM scores of UAPs throughout training a UAN for the CIFAR-10 dataset.
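A small sketch of how such a diversity measurement could be computed (our construction, not the paper's code; it assumes the UAN maps 100-dimensional noise vectors to image-shaped perturbations and that scikit-image is available for SSIM):

```python
import torch
from skimage.metrics import structural_similarity

def uap_diversity(uan, n=8, noise_dim=100):
    """Average pairwise MSE and SSIM between perturbations sampled from a UAN."""
    with torch.no_grad():
        uaps = uan(torch.randn(n, noise_dim)).cpu().numpy()   # shape (n, 3, H, W) assumed
    mses, ssims = [], []
    for i in range(n):
        for j in range(i + 1, n):
            a, b = uaps[i], uaps[j]
            mses.append(float(((a - b) ** 2).mean()))
            ssims.append(structural_similarity(a, b, channel_axis=0,
                                               data_range=float(a.max() - a.min())))
    return sum(mses) / len(mses), sum(ssims) / len(ssims)
```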
Fig. 3: CIFAR-10 targeted universal attack. Each sub-figure shows, for one chosen class (plane, car, bird, cat, deer, dog, frog, horse, ship, truck), the success probability of transforming any image in CIFAR-10 into that class as the relative perturbation is increased. We define the relative perturbation as the ratio of the ℓ2-norm of the UAP over the ℓ2-norm of the original image.

C. Targeted Attacks

We follow the same experimental set-up as in Section IV-A, however now the attacker chooses a class, c, that they would like the target model to assign to an adversarial example, and success is calculated as the probability that an adversarial example is classified as c. Figure 3 shows, for each class in CIFAR-10, the success probability as we allow larger perturbations. Interestingly, all targeted attacks follow a sigmoidal curve.
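The targeted setting can be expressed by a small change to the loss sketched after Section III; the following is again our illustration rather than the paper's code (`target_class` is the chosen class c):

```python
import torch
import torch.nn.functional as F

def targeted_uan_loss(target_model, x, delta, target_class, alpha):
    """Targeted variant of the fooling loss: push every input towards target_class."""
    log_probs_adv = F.log_softmax(target_model((x + delta).clamp(0, 1)), dim=1)
    target_logp = log_probs_adv[:, target_class]

    masked = log_probs_adv.clone()
    masked[:, target_class] = float("-inf")
    best_other_logp = masked.max(dim=1).values

    fool_term = (best_other_logp - target_logp).mean()
    return fool_term + alpha * delta.norm(p=float("inf"))

@torch.no_grad()
def targeted_success_rate(model, loader, delta, target_class, device="cpu"):
    """Probability that an adversarial example is classified as the chosen class."""
    hits, total = 0, 0
    for x, _ in loader:
        pred = model((x.to(device) + delta).clamp(0, 1)).argmax(dim=1)
        hits += (pred == target_class).sum().item()
        total += x.size(0)
    return hits / total
```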
VI. CONCLUSION

We presented a first-of-its-kind universal adversarial example attack that uses machine learning at the heart of its construction. We comprehensively evaluated the attack under many different settings, showing that it produces high-quality adversarial examples capable of fooling a target model in both targeted and non-targeted attacks. The attack transfers to many different target models, and improves on other state-of-the-art universal adversarial perturbation methods.

REFERENCES

[1] A. L. Buczak and E. Guven. A survey of data mining and machine learning methods for cyber security intrusion detection. IEEE Communications Surveys & Tutorials, 18(2), 2016.
[2] N. Carlini and D. Wagner. Towards evaluating the robustness of neural networks. In Security and Privacy (SP), 2017 IEEE Symposium on. IEEE, 2017.
[3] P.-Y. Chen, H. Zhang, Y. Sharma, J. Yi, and C.-J. Hsieh. ZOO: Zeroth order optimization based black-box attacks to deep neural networks without training substitute models. arXiv e-prints, 2017.
[4] I. J. Goodfellow, J. Shlens, and C. Szegedy. Explaining and harnessing adversarial examples. arXiv preprint, 2014.
[5] S. Huang, N. Papernot, I. Goodfellow, Y. Duan, and P. Abbeel. Adversarial attacks on neural network policies. arXiv preprint, 2017.
[6] S.-J. Kim and S. Boyd. A minimax theorem with applications to machine learning, signal processing, and finance. SIAM Journal on Optimization, 19(3), 2008.
[7] A. Krizhevsky. Learning multiple layers of features from tiny images. 2009.
[8] T. D. Lane. Machine learning techniques for the computer security domain of anomaly detection.
[9] W.-Y. Lin, Y.-H. Hu, and C.-F. Tsai. Machine learning in financial crisis prediction: a survey. IEEE Transactions on Systems, Man, and Cybernetics, Part C (Applications and Reviews), 42(4):421–436, 2012.
[10] S.-M. Moosavi-Dezfooli, A. Fawzi, O. Fawzi, and P. Frossard. Universal adversarial perturbations. arXiv preprint, 2016.
[11] K. R. Mopuri, U. Garg, and R. V. Babu. Fast feature fool: A data independent approach to universal adversarial perturbations. arXiv preprint, 2017.
[12] Z. Obermeyer and E. J. Emanuel. Predicting the future: big data, machine learning, and clinical medicine. The New England Journal of Medicine, 375(13):1216, 2016.
[13] N. Papernot, P. McDaniel, and I. Goodfellow. Transferability in machine learning: from phenomena to black-box attacks using adversarial samples. arXiv preprint, 2016.
[14] N. Papernot, P. McDaniel, I. Goodfellow, S. Jha, Z. B. Celik, and A. Swami. Practical black-box attacks against deep learning systems using adversarial examples. arXiv preprint, 2016.
[15] E. Rosten and T. Drummond. Machine learning for high-speed corner detection. In Computer Vision - ECCV 2006, 2006.
[16] M. A. Shipp, K. N. Ross, P. Tamayo, A. P. Weng, J. L. Kutok, R. C. Aguiar, M. Gaasenbeek, M. Angelo, M. Reich, G. S. Pinkus, et al. Diffuse large B-cell lymphoma outcome prediction by gene-expression profiling and supervised machine learning. Nature Medicine, 8(1):68–74, 2002.
[17] K. Simonyan and A. Zisserman. Very deep convolutional networks for large-scale image recognition. arXiv preprint, 2014.
[18] S. Sivaraman and M. M. Trivedi. Active learning for on-road vehicle detection: A comparative study. Machine Vision and Applications, pages 1–13, 2014.
[19] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus. Intriguing properties of neural networks. arXiv preprint, 2013.
[20] T. B. Trafalis and H. Ince. Support vector machine for regression and applications to financial forecasting. In Proceedings of the IEEE-INNS-ENNS International Joint Conference on Neural Networks (IJCNN 2000), volume 6. IEEE, 2000.
[21] F. Tramèr, N. Papernot, I. Goodfellow, D. Boneh, and P. McDaniel. The space of transferable adversarial examples. arXiv preprint, 2017.
[22] F. Tramèr, F. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart. Stealing machine learning models via prediction APIs. In USENIX Security Symposium, 2016.
[23] X. Wen, L. Shao, Y. Xue, and W. Fang. A rapid learning algorithm for vehicle classification. Information Sciences, 295, 2015.
[24] Q.-H. Ye, L.-X. Qin, M. Forgues, P. He, J. W. Kim, A. C. Peng, R. Simon, Y. Li, A. I. Robles, Y. Chen, et al. Predicting hepatitis B virus-positive metastatic hepatocellular carcinomas using gene expression profiling and supervised machine learning. Nature Medicine, 9(4):416, 2003.

Algorithm 1: UAN training scheme.
Input: dataset X, weight factor w, weight factor increment r, epochs n, UAN U, target model T, i = 0
Output: A trained UAN, U
1  while i < n do
2      P ← U(z)                                   // compute adversarial perturbations such that |P| = |X|
3      A ← P · w + X                              // generate adversarial examples
4      s ← |{x ∈ X : T(a) ≠ T(x), a = p · w + x, p ∈ P}|   // number of successful adversarial examples
5      find loss and update U
6      if i = 0 then
7          curr ← s
8      prev ← curr
9      curr ← s
10     if curr ≤ prev then
11         w ← w + r
12     i ← i + 1
13 return U
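A compact PyTorch-style sketch of this training scheme (our interpretation of Algorithm 1, reusing the uan_loss sketch given after Section III; the optimizer choice and all hyperparameter names are assumptions):

```python
import torch

def train_uan(uan, target_model, loader, epochs, w, r, alpha, noise_dim=100, device="cpu"):
    """Train a UAN so that w * UAN(z) fools target_model on any input (Algorithm 1 sketch)."""
    opt = torch.optim.Adam(uan.parameters())
    prev_success = 0
    for epoch in range(epochs):
        successes = 0
        for x, _ in loader:
            x = x.to(device)
            z = torch.randn(x.size(0), noise_dim, device=device)
            delta = uan(z)                                       # one candidate UAP per sample
            x_adv = (x + w * delta).clamp(0, 1)

            loss = uan_loss(target_model, x, w * delta, alpha)   # fooling loss from the Section III sketch
            opt.zero_grad()
            loss.backward()
            opt.step()

            with torch.no_grad():
                clean = target_model(x).argmax(dim=1)
                adv = target_model(x_adv).argmax(dim=1)
                successes += (clean != adv).sum().item()

        # If the number of fooled samples did not improve, allow a larger perturbation.
        if epoch > 0 and successes <= prev_success:
            w += r
        prev_success = successes
    return uan
```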