0% found this document useful (0 votes)

4 views50 pages

Unlearnable Adversarial Samples: Jonathan Peck 21 May 2021

Uploaded by

Jonathan Peck

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

4 views50 pages

Unlearnable Adversarial Samples: Jonathan Peck 21 May 2021

Uploaded by

Jonathan Peck

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 50

Unlearnable adversarial samples

Jonathan Peck

21 May 2021
Adversarial samples

2
Adversarial samples

3
Adversarial samples

4
Adversarial samples

Can also target other objectives, e.g.

5
Adversarial samples

Can also target other objectives, e.g.

●
Making files uncompressible

6
Adversarial samples

Can also target other objectives, e.g.

●
Making files uncompressible
●
Producing erroneous machine translations

7
Adversarial samples

Can also target other objectives, e.g.

●
Making files uncompressible
●
Producing erroneous machine translations
●
Circumventing content filtering systems

8
Adversarial samples

Can also target other objectives, e.g.

●
Making files uncompressible
●
Producing erroneous machine translations
●
Circumventing content filtering systems

Basically any disruption of ML at inference time

9
Adversarial samples

Can also target other objectives, e.g.

●
Making files uncompressible
●
Producing erroneous machine translations
●
Circumventing content filtering systems

Basically any disruption of ML at inference time

Not necessarily always a bad thing!

10
Adversarial samples

Maximize model loss via minimal perturbations:

subject to norm constraint

11
Adversarial samples

Maximize model loss via minimal perturbations:

subject to norm constraint

Basically add imperceptible “decoy” signals to a

sample that trigger incorrect model outputs

12
Adversarial samples

Common countermeasure: adversarial training

13
Adversarial samples

Common countermeasure: adversarial training

Turns model fitting into bi-level optimization:

subject to norm constraint

14
Adversarial samples

Common countermeasure: adversarial training

Turns model fitting into bi-level optimization:

subject to norm constraint

Can be very effective against known attacks

15
Unlearnable samples

16
Unlearnable samples

Interesting case studies in unauthorized

exploitation of personal data:

17
Unlearnable samples

Interesting case studies in unauthorized

exploitation of personal data:
●
ImageNet

18
Unlearnable samples

Interesting case studies in unauthorized

exploitation of personal data:
●
ImageNet
●
CASIA-WebFace

19
Unlearnable samples

Interesting case studies in unauthorized

exploitation of personal data:
●
ImageNet
●
CASIA-WebFace
●
VGG Face

20
Unlearnable samples

Interesting case studies in unauthorized

exploitation of personal data:
●
ImageNet
●
CASIA-WebFace
●
VGG Face
●
The Human Genome Diversity Project

21
Unlearnable samples

Train model via bi-level optimization:

subject to norm constraint

22
Unlearnable samples

Train model via bi-level optimization:

subject to norm constraint

Basically add imperceptible “decoy” signals to

make model overfit!

23
Unlearnable samples

Goal is to make data useless for training

24
Unlearnable samples

Goal is to make data useless for training

Problem. Classifiers trained on natural data will

still generalize to unlearnable samples

25
Unlearnable adversarial samples

Can we have unlearnable samples that are also

adversarial?

26
Unlearnable adversarial samples

Can we have unlearnable samples that are also

adversarial?

“Best” of both worlds:

1. Existing models are unreliable against our
samples

27
Unlearnable adversarial samples

Can we have unlearnable samples that are also

adversarial?

“Best” of both worlds:

1. Existing models are unreliable against our
samples
2. Models cannot be retrained on our data
without sacrificing generalization

28
Unlearnable adversarial samples

Observation. Unlearnable and adversarial

samples can be restricted to specific regions of
the input images

29
Unlearnable adversarial samples

Observation. Unlearnable and adversarial

samples can be restricted to specific regions of
the input images

Basic idea. Create two disjoint regions: one for

the unlearnable perturbation and one for the
adversarial perturbation.

30
Unlearnable adversarial samples

Regions created uniformly at random: each pixel

has equal probability of belonging to the
unlearnable region or the adversarial region.

31
Unlearnable adversarial samples

Regions created uniformly at random: each pixel

has equal probability of belonging to the
unlearnable region or the adversarial region.

Leads to discontiguous regions: harder to detect

and remove but still effective!

32
Unlearnable adversarial samples

Preliminary results. Using a ResNet-50 on the

CIFAR-10 data set:

Model Natural Unlearnable Adversarial Unlearnable

adversarial

Standard 81.05% 99.76% 44.03% 27.20%

Retrained 39.20% 99.94% 39.66% 100.00%

33
Unlearnable adversarial samples

Preliminary results. Using a ResNet-50 on the

ImageNette data set:

Model Natural Unlearnable Adversarial Unlearnable

adversarial

Standard 83.72% 100.00% 31.40% 10.56%

Retrained 33.71% 98.65% 39.02% 98.17%

34
Unlearnable adversarial samples

Perfect storm. More complex models typically

yield more impressive results, however…

35
Unlearnable adversarial samples

Perfect storm. More complex models typically

yield more impressive results, however…

… they are more susceptible to adversarials

36
Unlearnable adversarial samples

Perfect storm. More complex models typically

yield more impressive results, however…

… they are more susceptible to adversarials

… they overfit more easily on unlearnables

37
Unlearnable adversarial samples

Perfect storm. More complex models typically

yield more impressive results, however…

… they are more susceptible to adversarials

… they overfit more easily on unlearnables

Smaller networks are more resistant to this

attack but significantly less accurate!

38
Unlearnable adversarial samples

Unlearnable and adversarial perturbations seem

to be “orthogonal” to a significant extent

39
Unlearnable adversarial samples

Unlearnable and adversarial perturbations seem

to be “orthogonal” to a significant extent

Can use any adversarial attack including

transferable and universal perturbations!

40
Unlearnable adversarial samples

Unlearnable and adversarial perturbations seem

to be “orthogonal” to a significant extent

Can use any adversarial attack including

transferable and universal perturbations!

Adversarial training by itself already tends to

negatively affect generalization

41
Conclusion

Unlearnable adversarial samples

●
look normal to people

42
Conclusion

Unlearnable adversarial samples

●
look normal to people
●
cause existing models to fail

43
Conclusion

Unlearnable adversarial samples

●
look normal to people
●
cause existing models to fail
●
cannot be effectively learned from

44
Conclusion

Unlearnable adversarial samples

●
look normal to people
●
cause existing models to fail
●
cannot be effectively learned from

Can theoretically be used to protect data from

being exploited for training as well as inference

45
Conclusion

Possible shortcomings:

46
Conclusion

Possible shortcomings:
●
Image transformations (cropping, rotating)

47
Conclusion

Possible shortcomings:
●
Image transformations (cropping, rotating)
●
Adversarially robust models

48
Conclusion

Possible shortcomings:
●
Image transformations (cropping, rotating)
●
Adversarially robust models
●
Specific restoration techniques

49
Conclusion

Possible shortcomings:
●
Image transformations (cropping, rotating)
●
Adversarially robust models
●
Specific restoration techniques

Likely another “arms race” scenario

Wallmart Project Report
79% (24)
Wallmart Project Report
26 pages
Presentation SaTML 2023
No ratings yet
Presentation SaTML 2023
28 pages
Lecture2 Attack
No ratings yet
Lecture2 Attack
44 pages
Recruitment & Selection Process at Vodafone
50% (2)
Recruitment & Selection Process at Vodafone
73 pages
Bài Tập Bổ Trợ Tiếng Anh 9 Global 4 Kỹ Năng Siêu Hay HS UNIT 2
No ratings yet
Bài Tập Bổ Trợ Tiếng Anh 9 Global 4 Kỹ Năng Siêu Hay HS UNIT 2
17 pages
57 Brochure
No ratings yet
57 Brochure
42 pages
COP WFP CHK 01 2013 v1 All Checklists
100% (1)
COP WFP CHK 01 2013 v1 All Checklists
47 pages
Adversarial Attacks in ML
No ratings yet
Adversarial Attacks in ML
37 pages
PNB vs. CA 217 Scra 347
100% (1)
PNB vs. CA 217 Scra 347
2 pages
Deep Learning Notes
No ratings yet
Deep Learning Notes
155 pages
L12 Generative Models en
No ratings yet
L12 Generative Models en
65 pages
Deep Generative Models
No ratings yet
Deep Generative Models
55 pages
(Fall 2024) Deep Learning 3
No ratings yet
(Fall 2024) Deep Learning 3
54 pages
Week 9 Generative Adversarial Networks
No ratings yet
Week 9 Generative Adversarial Networks
50 pages
A Review of Adversarial Attacks in Computer Vision: Zhang Y., Li Y., Li Y., Guo Z., Zhang D
No ratings yet
A Review of Adversarial Attacks in Computer Vision: Zhang Y., Li Y., Li Y., Guo Z., Zhang D
37 pages
2019 Adversarial Examples in Modern Machine Learning - A Review
No ratings yet
2019 Adversarial Examples in Modern Machine Learning - A Review
97 pages
Deep Neural Networks: Mutual Information Insights
No ratings yet
Deep Neural Networks: Mutual Information Insights
59 pages
Theoretically Principled Trade-Off Between Robustness and Accuracy
No ratings yet
Theoretically Principled Trade-Off Between Robustness and Accuracy
31 pages
Advanced Design For AI Algorithms: Lec.: 1 GAN
No ratings yet
Advanced Design For AI Algorithms: Lec.: 1 GAN
223 pages
Woodhouse: Midgley Gardens
No ratings yet
Woodhouse: Midgley Gardens
36 pages
Chapter 5
No ratings yet
Chapter 5
140 pages
Unit 3 Notes
No ratings yet
Unit 3 Notes
15 pages
Bucket Bag
100% (1)
Bucket Bag
8 pages
Introtodeeplearning MIT 6.S191
No ratings yet
Introtodeeplearning MIT 6.S191
36 pages
Adversarial Attacks and Defenses in Images, Graphs and Text - A Review
No ratings yet
Adversarial Attacks and Defenses in Images, Graphs and Text - A Review
28 pages
D T A E - B - A: Elving Into Ransferable Dversarial X Amples and Lack BOX Ttacks
No ratings yet
D T A E - B - A: Elving Into Ransferable Dversarial X Amples and Lack BOX Ttacks
24 pages
Gans Stanford
No ratings yet
Gans Stanford
39 pages
7.explaining and Harnessing Adversarial Examples
No ratings yet
7.explaining and Harnessing Adversarial Examples
11 pages
NeurIPS 2023 Content Based Unrestricted Adversarial Attack Paper Conference
No ratings yet
NeurIPS 2023 Content Based Unrestricted Adversarial Attack Paper Conference
15 pages
Unlearnable Examples
No ratings yet
Unlearnable Examples
17 pages
Roscrea Suffolk Sale Catalogue
100% (1)
Roscrea Suffolk Sale Catalogue
78 pages
Robust Unlearnable Examples PR
No ratings yet
Robust Unlearnable Examples PR
22 pages
Oracle Exadata Training Extended
No ratings yet
Oracle Exadata Training Extended
3 pages
Adversarial Machine Learning at Scale - Kurakin Et Al, 2017
No ratings yet
Adversarial Machine Learning at Scale - Kurakin Et Al, 2017
17 pages
Support 1
No ratings yet
Support 1
7 pages
Understanding Adversarial Examples
No ratings yet
Understanding Adversarial Examples
3 pages
Deeplearning2015 Goodfellow Adversarial Examples 01
No ratings yet
Deeplearning2015 Goodfellow Adversarial Examples 01
43 pages
Intro to Generative Adversarial Networks
No ratings yet
Intro to Generative Adversarial Networks
31 pages
Lecture 06
No ratings yet
Lecture 06
22 pages
Analytical VaR VaR Mapping
No ratings yet
Analytical VaR VaR Mapping
13 pages
AAI - Module 1 - Generative Adversarial Network and Probabilistic Models
No ratings yet
AAI - Module 1 - Generative Adversarial Network and Probabilistic Models
12 pages
Adversarial Examples Are Misaligned in Diffusion Model Manifolds
No ratings yet
Adversarial Examples Are Misaligned in Diffusion Model Manifolds
23 pages
Secure Machine Learning Against Adversarial Samples at Test Time
No ratings yet
Secure Machine Learning Against Adversarial Samples at Test Time
15 pages
Survey TPAMI 2023 Preprint
No ratings yet
Survey TPAMI 2023 Preprint
20 pages
Defending Adversarials
No ratings yet
Defending Adversarials
18 pages
Synthesizing Robust Adversarial Examples
No ratings yet
Synthesizing Robust Adversarial Examples
19 pages
Adversarial Examples Are Not Bugs, They Are Features
No ratings yet
Adversarial Examples Are Not Bugs, They Are Features
13 pages
Szegedy - Intriguing Properties of Neural Networks
No ratings yet
Szegedy - Intriguing Properties of Neural Networks
10 pages
2 Template 11& 14, Annex 3A
No ratings yet
2 Template 11& 14, Annex 3A
7 pages
BE Module 5
No ratings yet
BE Module 5
16 pages
Face Recognition Attack
No ratings yet
Face Recognition Attack
6 pages
Detecting Adversarial Examples in Deep Neural Networks
No ratings yet
Detecting Adversarial Examples in Deep Neural Networks
15 pages
High-Frequency Component Helps Explain The Generalization of Convolutional Neural Networks
No ratings yet
High-Frequency Component Helps Explain The Generalization of Convolutional Neural Networks
11 pages
Poursaeed 等。 - 2018 - Generative Adversarial Perturbations
No ratings yet
Poursaeed 等。 - 2018 - Generative Adversarial Perturbations
10 pages
GDS Cycle V SOP
No ratings yet
GDS Cycle V SOP
5 pages
Research Paper Adversial Example412.6572
No ratings yet
Research Paper Adversial Example412.6572
1 page
Mock Endterm ADL 2021
No ratings yet
Mock Endterm ADL 2021
8 pages
9 Gans
No ratings yet
9 Gans
9 pages
Adversarial Training For Free
No ratings yet
Adversarial Training For Free
12 pages
Defense Against Adversarial Attacks On Deep Convolutional Neural Networks Through Nonlocal Denoising
No ratings yet
Defense Against Adversarial Attacks On Deep Convolutional Neural Networks Through Nonlocal Denoising
8 pages
Adversarial Robustness Taxonomy
No ratings yet
Adversarial Robustness Taxonomy
7 pages
Adversarial Examples & Training
No ratings yet
Adversarial Examples & Training
43 pages
GANs for Machine Learning Experts
No ratings yet
GANs for Machine Learning Experts
14 pages
Planmeca
No ratings yet
Planmeca
27 pages
Adversarial Machine Learning Survey
No ratings yet
Adversarial Machine Learning Survey
12 pages
Assignment 14 Modern AI
No ratings yet
Assignment 14 Modern AI
3 pages
2017 Beginner's Review of Generative Adversarial Networks (GAN) Architectures
No ratings yet
2017 Beginner's Review of Generative Adversarial Networks (GAN) Architectures
9 pages
"Boosting Ensemble Robustness with Diversity"
No ratings yet
"Boosting Ensemble Robustness with Diversity"
10 pages
A Hamiltonian Monte Carlo Method For Probabilistic Adversarial Attack and Learning
No ratings yet
A Hamiltonian Monte Carlo Method For Probabilistic Adversarial Attack and Learning
13 pages
AdvGAN: Enhancing GANs with Adversarial Training
No ratings yet
AdvGAN: Enhancing GANs with Adversarial Training
12 pages
Generative Adversarial Networks (GAN) : A Gentle Introduction (UPDATED)
No ratings yet
Generative Adversarial Networks (GAN) : A Gentle Introduction (UPDATED)
11 pages
Biochemical Test of Bacteria
No ratings yet
Biochemical Test of Bacteria
26 pages
STD Blanket MSDS FOR TURBINE INSULATION
No ratings yet
STD Blanket MSDS FOR TURBINE INSULATION
7 pages
Escp European Standard Clinical Practice Recommendations For Non Hodgkin Lymphoma of Childhood and
No ratings yet
Escp European Standard Clinical Practice Recommendations For Non Hodgkin Lymphoma of Childhood and
45 pages
Paper AI
No ratings yet
Paper AI
6 pages
Lesson 1 Economics As Social Science
No ratings yet
Lesson 1 Economics As Social Science
6 pages
Inverse Kinematics of Redundant Robots Using Genetic Algorithms
No ratings yet
Inverse Kinematics of Redundant Robots Using Genetic Algorithms
6 pages
Fastpath SAP Extractor
No ratings yet
Fastpath SAP Extractor
8 pages
Hygromatik Electrode Steam Humidifiers EU 2011
No ratings yet
Hygromatik Electrode Steam Humidifiers EU 2011
6 pages
Accounting Standards (Group-Ii) : AS - 4: Contingencies and Events Occurring After The Balance Sheet Date
No ratings yet
Accounting Standards (Group-Ii) : AS - 4: Contingencies and Events Occurring After The Balance Sheet Date
14 pages
Stock Transport
No ratings yet
Stock Transport
1 page
A New Ensemble Adversarial Attack Powered by Long
No ratings yet
A New Ensemble Adversarial Attack Powered by Long
10 pages
Wizz Account Terms and Conditions
No ratings yet
Wizz Account Terms and Conditions
7 pages
Bungalow Melody - Lyrics - Chords
No ratings yet
Bungalow Melody - Lyrics - Chords
1 page
Dabra, Gwalior
No ratings yet
Dabra, Gwalior
3 pages
Unit II Chap - 2 Notes
No ratings yet
Unit II Chap - 2 Notes
3 pages
Behavior Aspect of Public Sector Planning and Budg
No ratings yet
Behavior Aspect of Public Sector Planning and Budg
3 pages
Military Flight Simulators
No ratings yet
Military Flight Simulators
3 pages