《2019年无处不在的对抗样本攻防.pptx》由会员分享,可在线阅读,更多相关《2019年无处不在的对抗样本攻防.pptx(23页珍藏版)》请在三个皮匠报告上搜索。
1、A Short Intro:无处不在的对抗样本攻防,扇贝算法团队负责人,无处不在的对抗样本攻防,01,What is an Adversarial Example?矛与盾(常见攻击和防御算法)新的趋势和风险,02,03,StyleGAN(2018),Tacotron(2017),GPT-2(2019),深度学习模型生成结果已经可以欺骗人类,那么模型可以被欺骗吗?,What is an Adversarial Example(对抗样本)?,Inputs that have been intentionally designed to cause a model to make a mistake
2、 Theyre like optical illusions for machines.,Adversarial Stop Sign,Adversarial Glasses,Adversarial Patch,Ian Goodfellow(Google Brain),Alexey Kurakin(Google Brain),Dawn Song(UC Berkeley),GeekPwn,Competition on Adversarial Attacks and Defenses 2018,CAAD CTF Ruleset,Non-Targeted Adversarial Attack(非定向攻
3、击)Slightly modify source image in a way that image will be classified incorrectly by generally unknown classifier.Targeted Adversarial Attack(定向攻击)Slightly modify source image in a way that image will be classified as specified target class by generally unknown classifier.Defense Against Adversarial
4、 Attack,无处不在的对抗样本攻防,01,What is an Adversarial Example?矛与盾(常见攻击和防御算法)新的趋势和风险,02,03,Example Attack Scenarios,FGSM(Fast Gradient Sign Method)BIM(Basic Iterative Method)MIM(Momentum Iterative FGSM)ATN(Adversarial Transformation Networks),Fun Results(transferability),Butterfly,Rabbit,Fun Results(transfer
5、ability),parachute,vehicle,Fun Results(transferability),aircraft carrier,guillotine,Example Defense Scenarios,Gradient maskingDetectionImage processing and randomization Adversarial training,Gradient Masking,24Papernot,Nicolas,et al.Practical black-box attacks against machine learning.Proceedings of
6、 the 2017 ACM on Asia Conference on Computer and Communications Security.ACM,2017.,Construct a model that does not have useful gradients24They break gradient-based white box attacks.But then they dont break black box attacks(e.g.,adversarial examples made for other models),Detection,Image processing
7、 and randomization,Image processing and randomization,2 most significant bits=quantification,Adversarial Training,10F.Tramr,A.Kurakin,N.Papernot,I.Goodfellow,D.Boneh,and P.McDaniel,“Ensemble Adversarial Training:Attacks and Defenses,”arXiv:1705.07204 cs,stat,May 2017.,Augments a models training data
8、 with adversarial examples crafted on other static pre-trained models 10Adversarial logit paringFeature Denoising(128 Nvidia V100 GPUs,52 hours for Imagenet),无处不在的对抗样本攻防,01,What is an Adversarial Example?矛与盾(常见攻击和防御算法)新的趋势和风险,02,03,Imperceptible,Robust,and Targeted Adversarial Examples for Automatic
9、 Speech Recognition,“研表究明,汉字的序顺并不定一能影阅响读,比如当你看完这句话后,才发这现里的字全是乱的。”,Ref,Authors:Ian Goodfellow,Kaiming He,Jun ZhuConferences:NIPS,ICML,CVPRToolkits:CleverHans,AdvBox,adversarial-robustness-toolbox,1I.J.Goodfellow,J.Shlens,and C.Szegedy,“Explaining and Harnessing Adversarial Examples,”arXiv:1412.6572 c
10、s,stat,Dec.2014.2A.Kurakin,I.Goodfellow,and S.Bengio,“Adversarial examples in the physical world,”arXiv:1607.02533 cs,stat,Jul.2016.3N.Papernot et al.,“CleverHans v2.1.0:an adversarial machine learning library,”arXiv:1610.00768 cs,stat,Oct.2016.4S.Baluja and I.Fischer,“Adversarial Transformation Net
11、works:Learning to Generate Adversarial Examples,”arXiv:1703.09387 cs,Mar.2017.5Y.Dong et al.,“Boosting Adversarial Attacks with Momentum,”arXiv:1710.06081 cs,stat,Oct.2017.6C.Guo,M.Rana,M.Cisse,and L.van der Maaten,“Countering Adversarial Images using Input Transformations,”arXiv:1711.00117 cs,Oct.2
12、017.7J.Hayes and G.Danezis,“Learning Universal Adversarial Perturbations with Generative Models,”arXiv:1708.05207 cs,stat,Aug.2017.8F.Liao,M.Liang,Y.Dong,T.Pang,X.Hu,and J.Zhu,“Defense against Adversarial Attacks Using High-Level Representation Guided Denoiser,”arXiv:1712.02976 cs,Dec.2017.9T.Pang,C
13、.Du,Y.Dong,and J.Zhu,“Towards Robust Detection of Adversarial Examples,”arXiv:1706.00633 cs,Jun.2017.10F.Tramr,A.Kurakin,N.Papernot,I.Goodfellow,D.Boneh,and P.McDaniel,“Ensemble Adversarial Training:Attacks and Defenses,”arXiv:1705.07204 cs,stat,May 2017.11C.Xie,J.Wang,Z.Zhang,Z.Ren,and A.Yuille,“Mi
14、tigating Adversarial Effects Through Randomization,”arXiv:1711.01991 cs,Nov.2017.12A.Athalye,N.Carlini,and D.Wagner,“Obfuscated Gradients Give a False Sense of Security:Circumventing Defenses to Adversarial Examples,”arXiv:1802.00420 cs,Feb.2018.13G.F.Elsayed et al.,“Adversarial Examples that Fool b
15、oth Computer Vision and Time-Limited Humans,”arXiv:1802.08195 cs,q-bio,stat,Feb.2018.14J.Gilmer,R.P.Adams,I.Goodfellow,D.Andersen,and G.E.Dahl,“Motivating the Rules of the Game for Adversarial Example Research,”arXiv:1807.06732 cs,stat,Jul.2018.15H.Kannan,A.Kurakin,and I.Goodfellow,“Adversarial Logi
16、t Pairing,”arXiv:1803.06373 cs,stat,Mar.2018.16A.Kurakin et al.,“Adversarial Attacks and Defences Competition,”arXiv:1804.00097 cs,stat,Mar.2018.17M.-I.Nicolae et al.,“Adversarial Robustness Toolbox v0.3.0,”arXiv:1807.01069 cs,stat,Jul.2018.18A.Prakash,N.Moran,S.Garber,A.DiLillo,and J.Storer,“Deflec
17、ting Adversarial Attacks with Pixel Deflection,”arXiv:1801.08926 cs,Jan.2018.19D.Su,H.Zhang,H.Chen,J.Yi,P.-Y.Chen,and Y.Gao,“Is Robustness the Cost of Accuracy?-A Comprehensive Study on the Robustness of 18 Deep Image Classification Models,”arXiv:1808.01688 cs,Aug.2018.20J.Uesato,B.ODonoghue,A.van d
18、en Oord,and P.Kohli,“Adversarial Risk and the Dangers of Evaluating Against Weak Attacks,”arXiv:1802.05666 cs,stat,Feb.2018.21S.Wang et al.,“Defensive Dropout for Hardening Deep Neural Networks under Adversarial Attacks,”arXiv:1809.05165 cs,stat,Sep.2018.22K.Xu et al.,“Structured Adversarial Attack:Towards General Implementation and Better Interpretability,”arXiv:1808.01664 cs,stat,Aug.2018.,