Adversarial Machine Learning
Junfei Wang
Supervisor: Pirathayini Srikantha
Graduated from UWO in April 2020
Now a PhD student at York University
Outline
1. Introduction
2. Connections Between Standard ML and Adversarial ML
3. Attack Algorithm
4. Defense Mechanism
Introduction
Self-driving car: a physical change to a traffic sign may cause misclassification.
ASR system: https://adversarial-attacks.net/
…
• A small change causes a huge difference in the output
• Not really noise
• Use case:
Introduction
• In 2014, the phenomenon was discovered in [1]
• Definition: legitimate inputs altered by adding small, often imperceptible, perturbations to force a learned classifier to misclassify the resulting adversarial inputs, while remaining correctly classified by a human observer.
• The perturbation can be physical. Example: a traffic sign.
[1] C. Szegedy, et al. Intriguing properties of neural networks. In Proceedings of the International Conference on Learning Representations, 2014.
Recap of Machine Learning Training Process (1)
Given inputs and labels, keep updating the weights of the model to fit them.
Recap of Machine Learning Training Process (1)
Given the model, we change the input to travel across the decision boundary.
Recap of Machine Learning Process (2)
Figure: loss plotted against the weights w.
Recap of Machine Learning Process (2)
Figure: loss plotted against the input X.
White-box Adversarial Attack (1)
• Perspective 1: Given the model and the original label, we keep updating the input so as to change the output label.
• Perspective 2: Instead of travelling downhill along the loss curve, we can do gradient ascent to increase the loss.
• Perspective 3: Any input can be perturbed to fool the target model, but the perturbation may not be stealthy enough.
• So a successful adversarial attack must also evade detection.
Detector and Stealthiness
• Detector:
a. Image & audio attack: human observer
b. Fraudulent transaction (time series): anomaly detection mechanism
c. Can be a defense mechanism against adversarial attack
• How to make an attack stealthy?
Since it is impossible to build a model of the detector, restrict the norm of the perturbation:
a. L0 norm: number of dimensions that may be perturbed
b. L2 norm: Euclidean distance
c. L-∞ norm: maximum change among all dimensions
Threat Model
• Assumptions about the attacker's knowledge:
White-box Attack Algorithm (1)
1. Projected Gradient Descent (PGD) [2]: gradient descent with an L-∞ constraint.
[2] Madry, Aleksander, et al. "Towards deep learning models resistant to adversarial attacks." In Proceedings of the International Conference on Learning Representations, 2018.
White-box Attack Algorithm (2)
2. Fast Gradient Sign Method (FGSM) [3]:
Relies on the first-order derivative, using the sgn function so that the step does not vanish where the gradient is small.
http://jlin.xyz/advis/
[3] Ian J. Goodfellow, et al. Explaining and harnessing adversarial examples. In Proceedings of the International Conference on Learning Representations, 2015.
White-box Attack Algorithm (3)
3. Jacobian Saliency Map Attack (JSMA) [4]:
• JSMA: iteratively modify the most sensitive pixel (dimension)
• Jacobian saliency map: sensitivity function
• A 70 km/h speed limit sign misclassified as a 30 km/h speed limit sign.
[4] Papernot, Nicolas, et al. "Practical black-box attacks against machine learning." Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. 2017.
White-box Attack Algorithm (4)
4. AdvGAN [5]:
[5] Xiao, Chaowei, et al. "Generating adversarial examples with adversarial networks." arXiv preprint arXiv:1801.02610 (2018).
Black-box Attack Strategy
• Black-box: more practical but harder
Black-box Attack Strategy
• Train a substitute model: a local representative model built by strategically querying the target model
• Transferability: adversarial examples generated against model A can also fool model B
• Jacobian-based dataset augmentation: on the substitute F, identify the directions in which the model's output is varying
[6] Papernot, Nicolas, et al. "Practical black-box attacks against machine learning." Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. 2017.
Defense Mechanism
• Unavoidable: a somewhat pessimistic view
• Robustness: the price that attackers have to pay
• Defense mechanisms:
a. Detection-based defense
b. Adversarial training: training set augmentation, reducing the sensitivity of the model
c. Input data sanitization: denoise the input data, mapping it back to the learned manifold
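As an added example (not from the slides, and not code from any of the cited papers), the gradient-ascent view of FGSM from the attack slides and the adversarial-training defense from this slide, on a logistic-regression model in pure Python. The dataset is constructed for this example (one "robust" feature that agrees with the label 90% of the time plus many weak features), and all function and parameter names are this example's own; adversarial training here replaces each clean training example with its FGSM version against the current weights, which for a linear model is the exact worst case inside the L-∞ ball.

```python
import math
import random

def make_data(n, d_weak, eta, rng):
    """Constructed dataset: feature 0 is a 'robust' feature equal to the label y
    90% of the time; features 1..d_weak are weak features drawn from N(eta*y, 1)."""
    X, Y = [], []
    for _ in range(n):
        y = rng.choice((-1.0, 1.0))
        x0 = y if rng.random() < 0.9 else -y
        X.append([x0] + [rng.gauss(eta * y, 1.0) for _ in range(d_weak)])
        Y.append(y)
    return X, Y

def logit(w, b, x):
    return sum(wi * xi for wi, xi in zip(w, x)) + b

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))

def fgsm(w, b, x, y, eps):
    """FGSM: move every coordinate by eps (an L-inf budget) along the sign of the
    input-gradient of the loss. For loss l(z), z = y*(w.x+b), l' < 0, that gradient
    is l'(z)*y*w, so its sign is -y*sign(w): the step size never vanishes."""
    sgn = lambda v: (v > 0) - (v < 0)
    return [xi - eps * y * sgn(wi) for xi, wi in zip(x, w)]

def train(X, Y, epochs, lr, eps=0.0):
    """Full-batch gradient descent on the logistic loss log(1 + exp(-z)).
    With eps > 0 this is adversarial training: each clean example is replaced by
    its FGSM version against the current weights before the gradient step."""
    d, n = len(X[0]), len(X)
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * d, 0.0
        for x, y in zip(X, Y):
            if eps > 0:
                x = fgsm(w, b, x, y, eps)
            g = -sigmoid(-y * logit(w, b, x)) * y  # d(loss)/d(w.x + b)
            for i in range(d):
                gw[i] += g * x[i]
            gb += g
        for i in range(d):
            w[i] -= lr * gw[i] / n
        b -= lr * gb / n
    return w, b

def accuracy(w, b, X, Y, eps=0.0):
    """Clean accuracy, or for eps > 0 accuracy under a white-box FGSM attack on this model."""
    hits = 0
    for x, y in zip(X, Y):
        if eps > 0:
            x = fgsm(w, b, x, y, eps)
        hits += (logit(w, b, x) > 0) == (y > 0)
    return hits / len(X)

def experiment(seed=0, n=160, d_weak=30, eta=0.25, eps=0.5, epochs=200, lr=0.2):
    """Standard vs adversarially trained model on the same constructed data."""
    rng = random.Random(seed)
    Xtr, Ytr = make_data(n, d_weak, eta, rng)
    Xte, Yte = make_data(n, d_weak, eta, rng)
    std, rob = train(Xtr, Ytr, epochs, lr), train(Xtr, Ytr, epochs, lr, eps)
    return {"standard_clean": accuracy(*std, Xte, Yte),
            "standard_fgsm": accuracy(*std, Xte, Yte, eps),
            "robust_clean": accuracy(*rob, Xte, Yte),
            "robust_fgsm": accuracy(*rob, Xte, Yte, eps)}
```

The standard model leans on the many weak features and collapses under the L-∞ attack, while adversarial training drives their weights toward zero and keeps most of its accuracy under the same attack, at some cost in clean accuracy.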
MagNet: AE-based Defence
Detector + Reformer
[7] Meng, Dongyu, and Hao Chen. "MagNet: a two-pronged defense against adversarial examples." Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2017.
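An added example of the two prongs on constructed data (this is not the MagNet authors' code): a one-latent-unit linear autoencoder is fitted to clean points lying near a line in R^16, the detector rejects inputs whose reconstruction error exceeds a threshold set on clean data, and the reformer projects accepted inputs back onto the learned manifold. The random-sign L-∞ perturbation is a constructed stand-in for an off-manifold adversarial example, and all names are this example's own.

```python
import math
import random

def unit(v):
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v]

def make_clean(n, d, u, noise, rng):
    """Constructed 'natural' data: points t*u on a one-dimensional manifold plus small noise."""
    X = []
    for _ in range(n):
        t = rng.uniform(-2, 2)
        X.append([t * ui + rng.gauss(0, noise) for ui in u])
    return X

def perturb(x, eps, rng):
    """Constructed stand-in for an adversarial example: an L-inf perturbation of
    size eps with random signs, which pushes the point off the data manifold."""
    return [xi + eps * rng.choice((-1.0, 1.0)) for xi in x]

def fit_reformer(X, iters=50):
    """'Train' a one-latent-unit linear autoencoder on clean data only: encoder and
    decoder are the principal direction of X, found by power iteration on X^T X / n."""
    d, n = len(X[0]), len(X)
    C = [[sum(x[i] * x[j] for x in X) / n for j in range(d)] for i in range(d)]
    v = unit([1.0] * d)
    for _ in range(iters):
        v = unit([sum(C[i][j] * v[j] for j in range(d)) for i in range(d)])
    return v

def reform(v, x):
    """decoder(encoder(x)): project x back onto the learned manifold."""
    t = sum(vi * xi for vi, xi in zip(v, x))
    return [t * vi for vi in v]

def recon_error(v, x):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, reform(v, x))))

def fit_threshold(v, X, fpr=0.01):
    """Detector threshold: the reconstruction error exceeded by a fraction fpr of clean data."""
    errs = sorted(recon_error(v, x) for x in X)
    return errs[min(len(errs) - 1, int((1 - fpr) * len(errs)))]

def magnet(v, thr, x):
    """Two-pronged pipeline: reject inputs the detector flags, reform the rest."""
    return None if recon_error(v, x) > thr else reform(v, x)

def dist(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))

def experiment(seed=0, n=300, d=16, noise=0.05, eps=0.3):
    rng = random.Random(seed)
    u = unit([rng.gauss(0, 1) for _ in range(d)])
    train, test = make_clean(n, d, u, noise, rng), make_clean(n, d, u, noise, rng)
    v = fit_reformer(train)
    thr = fit_threshold(v, train)
    adv = [perturb(x, eps, rng) for x in test]
    return {
        "false_positive_rate": sum(magnet(v, thr, x) is None for x in test) / n,
        "detection_rate": sum(magnet(v, thr, x) is None for x in adv) / n,
        # fraction of perturbed inputs that the reformer moves closer to the clean original
        "reformer_helps": sum(dist(reform(v, xa), x) < dist(xa, x) for xa, x in zip(adv, test)) / n,
    }
```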
DefenseGAN
• Training stage: standard GAN training
• Inference stage:
[8] Samangouei, Pouya, Maya Kabkab, and Rama Chellappa. "Defense-GAN: Protecting classifiers against adversarial attacks using generative models." arXiv preprint arXiv:1805.06605 (2018).
Q&A