From Adversarial Learning to Robust and Scalable Learning
Ph.D. Presentation
Han Xiao (I20)
xiaoh@in.tum.de
Advisor: Prof. Dr. Claudia Eckert
Introduction Adversarial Learning Robust Learning Scalable Learning
Motivation
Machine learning algorithms in real-world applications are vulnerable to adversaries.
Application: Spam filtering
Threat: A spammer may disguise the spam by adding images and “good words” to cheat the filter. (Explorative attack)
Application: Recommendation system
Threat: Spam users may give false ratings on tail items, leading to a biased recommendation system. (Causative attack)

Explorative attack vs. causative attack

Why shall we care?
“Know your enemies and yourself, you will not be imperiled in a hundred battles.”
• Robust anti-virus software
• High quality recommendation system
• Spam-free social network service
• Cost-effective crowd-sourcing system
Traditional machine learning and data mining rarely focus on adversarial settings.

Research Idea
Related work and the adversarial setting for each:
• Multi-labeler learning: data are labeled by multiple labelers. Adversarial setting: some labelers are adversaries.
• Semi-supervised learning: data are partially labeled. Adversarial setting: even those limited labels cannot be fully trusted.
• Active learning: an oracle provides labels. Adversarial setting: the oracle can provide a wrong label.
• Outlier detection: noisy data points do not fit the distribution. Adversarial setting: noise does not follow any predefined distribution.

Roadmap of my dissertation
Topic: Adversarial learning
Problem: How can adversaries exploit the vulnerabilities of learning algorithms?
Contribution:
• Showed that convex-inducing classifiers are vulnerable to explorative attack
• Showed that SVMs are vulnerable to causative label-flip attack
Topic: Robust learning
Problem: How to learn from unfaithful training data?
Contribution:
• Developed a hierarchical Gaussian process model and a graph-based model for multi-labeler learning
Topic: Robust and scalable learning
Problem: Are current algorithms fast enough for online learning? How to learn from noisy data stream for real-time applications?
Contribution:
• Developed an approximate Gaussian process for online regression
• Developed online algorithm learning from partially labeled data in client-server setting

Exploratory attack notations

Exploratory attack: an optimization formulation

Illustrative example: is convex and loss function is

Exploratory attack algorithm

Theoretical results
A polynomial time algorithm!

Causative label flip attack
Adversary

A bilevel formulation of label flip attack
Classifier (defender)
Adversary (attacker)

A relaxed formulation

Decision boundaries of SVMs under different flip strategies

Error rate of SVMs vs. the number of label flips

Learning from multiple yet unreliable labelers
• Each instance is labeled by several labelers
• A labeler can be genuine or an adversary
• The ground-truth label is unknown

Latent space model for connecting the input space and label space

Gaussian process for modeling joint probability
Latent space GP model; labeler GP model
Maximum a posteriori

Synthetic examples: recover from the responses of four observers

A graph-based approach for multi-labeler problem
Problem setting
• Not all instances are labeled
• A labeler labels only a set of instances
• Some labelers are adversaries
Goal
• Compute the label and uncertainty of each instance
• Compute the confidence of each labeler
Idea: joint smoothness on graph
• Instances that are similar in item feature space should have similar labels
• Labelers that are similar in labeler feature space should have similar confidence

Joint smoothness on labeler-graph and instance-graph
Labeler similarity graph; item similarity graph
• Instances that are close together should have similar predicted labels, unless their uncertainties are large.
• Predicted labels should be close to their assigned labels, unless the instance is uncertain or the corresponding labelers are not confident.
• Labelers that are close together should have similar confidence.
• The uncertainty of an instance/labeler should not be too large or too close to zero.
Joint smoothness on two graphs
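
A simplified sketch of the idea on this slide, added here as an illustration and not taken from the dissertation: labels are averaged with per-labeler confidence as the weight, the scores are smoothed over a nearest-neighbour item graph, and each labeler's confidence is re-estimated from agreement with the smoothed consensus. The data, the labeler names, the parameters `alpha` and `k`, and the update rule itself are assumptions; smoothing over a labeler graph and the uncertainty terms are left out.

```python
"""Confidence-weighted label aggregation with item-graph smoothing (simplified)."""

# Constructed data: 12 items on a line; the true label is the sign of the feature.
FEATURES = [i - 5.5 for i in range(12)]
TRUTH = [1 if x > 0 else -1 for x in FEATURES]


def make_labels():
    """Constructed labelers: G1-G3 are genuine, A1-A2 flip every label they give.
    Nobody labels every item, and item 11 is labeled only by the adversaries."""
    coverage = {"G1": range(0, 9), "G2": range(0, 9), "G3": range(0, 11),
                "A1": range(5, 12), "A2": range(5, 12)}
    return {name: {i: (TRUTH[i] if name.startswith("G") else -TRUTH[i])
                   for i in items}
            for name, items in coverage.items()}


def sign(v):
    return (v > 0) - (v < 0)


def knn_graph(features, k=2):
    """Item similarity graph: each item is linked to its k nearest items."""
    graph = []
    for i, xi in enumerate(features):
        others = sorted((abs(xi - xj), j)
                        for j, xj in enumerate(features) if j != i)
        graph.append([j for _, j in others[:k]])
    return graph


def weighted_votes(labels, conf, n_items):
    """Per-item score in [-1, 1]: labels averaged with confidence as weight.
    An item whose labelers all have zero confidence gets score 0."""
    num, den = [0.0] * n_items, [0.0] * n_items
    for name, given in labels.items():
        for i, y in given.items():
            num[i] += conf[name] * y
            den[i] += conf[name]
    return [n / d if d > 0 else 0.0 for n, d in zip(num, den)]


def majority_vote(labels, n_items):
    """Baseline: every labeler counts equally."""
    ones = {name: 1.0 for name in labels}
    return [sign(v) for v in weighted_votes(labels, ones, n_items)]


def robust_aggregate(labels, features, alpha=0.5, rounds=5):
    """Alternate between (1) smoothed, confidence-weighted label estimates and
    (2) labeler confidence = agreement with the current consensus, floored at 0."""
    n = len(features)
    graph = knn_graph(features)
    conf = {name: 1.0 for name in labels}
    consensus = [0] * n
    for _ in range(rounds):
        votes = weighted_votes(labels, conf, n)
        # Similar items should get similar labels: mix in the neighbours' scores.
        smooth = [(1 - alpha) * votes[i]
                  + alpha * sum(votes[j] for j in graph[i]) / len(graph[i])
                  for i in range(n)]
        consensus = [sign(s) for s in smooth]
        # A labeler who mostly contradicts the consensus loses all weight.
        conf = {name: max(0.0, sum(y * consensus[i] for i, y in given.items())
                          / len(given))
                for name, given in labels.items()}
    return consensus, conf


def accuracy(pred, truth):
    return sum(p == t for p, t in zip(pred, truth)) / len(truth)


if __name__ == "__main__":
    labels = make_labels()
    print("majority vote:", accuracy(majority_vote(labels, len(FEATURES)), TRUTH))
    consensus, conf = robust_aggregate(labels, FEATURES)
    print("robust aggregate:", accuracy(consensus, TRUTH))
    print("confidence:", conf)
```

On the constructed data the adversaries outvote the single genuine labeler on items 9 and 10 and are the only labelers of item 11; the item-graph smoothing is what recovers item 11 once their confidence has dropped to zero.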

Significant improvement over simple average method (#users )
[Figure: eight panels plotting model accuracy against majority vote accuracy, one per data set; values 10, 20, 40, 80 listed in each panel; regions marked "Better" and "Worse".]
Panel titles:
• australian.scale lb_num win: 139, lose: 61
• breast.scale lb_num win: 121, lose: 79
• diabetes.scale lb_num win: 187, lose: 13
• fourclass.scale lb_num win: 171, lose: 28
• german.scale lb_num win: 197, lose: 3
• splice.scale lb_num win: 189, lose: 11
• svmguide1 lb_num win: 194, lose: 6
• svmguide2 lb_num win: 165, lose: 35

From robust learning to scalable learning

Divide and conquer: lazy Gaussian process committee
Prediction

Which GP member should receive new point for training?

Active selection for lazy Gaussian process committee

Proposed method achieves better performance in less time
• Accuracy (root mean square error)
• Efficiency (training and prediction time)

Scalable robust learning in client-server settings
Goal: Learn a good model under limited bandwidth
Problem:
• Homogeneous clients: Which instance should I query?
• Heterogeneous clients: Which instance should I query? Who should I ask for labeling?
Diagram labels: Client, Server, Unlabeled data

(Homogeneous) Client uploads only crucial data according to the selection policy
Subset selection under given budget
Key steps (client and server): Unlabeled data; Candidate pool; Selection policy; Upload selections; Two-learner model; Update selection policy
Purpose
• Select a small set of data from the candidate pool for uploading
Requirement
• Uploaded data should improve the classification performance on the server
• Selection procedure should be light-weight for the client
• Selection policy should be light-weight for the network
Method
• Select by optimizing a function that consists of two criteria
• Utility of instance (w.r.t. SCW)
• Redundancy w.r.t. the candidate pool

Server employs a two-learner model to learn unlabeled data from client
Key steps (client and server): Unlabeled data; Candidate pool; Selection policy; Upload selections; Two-learner model; Update selection policy
Purpose
• Incrementally learn a binary classifier from unlabeled data
Requirement
• Leverage neighbor information for exploiting unlabeled data
• Learn in online fashion
• Be efficient enough to handle a large volume of data
• Be easily parameterized as a selection policy
Method
• Two-learner structure
• Harmonic solution (HS)
• Soft confidence-weighted (SCW)

Proposed selection strategy reduces communication cost and gives high accuracy
Framework: Client, Communication, Server
Columns: selection policy on client; labeling rate (amount of human effort); sampling rate (amount of communication cost); accuracy averaged on 10 data sets.
Policy      Labeling rate   Sampling rate   Accuracy
Full        100%            20%             92.16%
All         2%              100%            86.32%
Rand        2%              20%             86.38%
Proposed    2%              20%             87.08%
Key steps (client and server): Unlabeled data; Candidate pool; Selection policy; Upload selections; Two-learner model; Update selection policy

Heterogeneous clients: ask the most confident client for labeling most uncertain instance

From adversarial learning to robust and scalable learning
Topic: Adversarial learning
Problem: How can adversaries exploit the vulnerabilities of learning algorithms?
Contribution:
• Showed that convex-inducing classifiers are vulnerable to explorative attack
• Showed that SVMs are vulnerable to causative label-flip attack
Topic: Robust learning
Problem: How to learn from unfaithful training data?
Contribution:
• Developed a hierarchical Gaussian process model and a graph-based model for multi-labeler learning
Topic: Robust and scalable learning
Problem: Are current algorithms fast enough for online learning? How to learn from noisy data stream for real-time applications?
Contribution:
• Developed an approximate Gaussian process for online regression
• Developed online algorithm learning from partially labeled data in client-server setting

Conclusion
• Traditional machine learning algorithms are vulnerable to attack.
• Though labelers may contain adversaries, robust learning can still be achieved.
• Multi-labeler learning (crowdsourcing) could have more and more applications in the next couple of years.

Thanks for your attention
