Adversarial Attacks On ML Systems
Published on Oct 08, 2019 · 31 views
As neural network classifiers become increasingly successful at tasks ranging from speech recognition and image classification to natural language processing and even recognizing…
Chapter list
00:00 Adversarial attacks on machine learning systems
00:10 Acknowledgements
00:18 Introducing me
00:39 CMU
00:45 Artificial intelligence
00:56 Best graduate computer science programs
01:00 The story of “O”
01:19 One day in summer 2013
01:42 One day in summer 2013 - 2
01:47 One day in summer 2013 - 3
01:55 One day in summer 2013 - 4
02:01 One day in summer 2013 - 5
02:10 One day in summer 2013 - 6
02:17 One day in summer 2013 - 7
02:34 O makes a monkey an 8
03:35 O makes a monkey an 8 - 2
03:56 O can make a monkey anything
04:01 O makes a monkey anything
04:17 The monkey digits
04:33 Other figures
04:44 Fooling a classifier
05:12 Unfortunately we were late to the party!
05:28 The History of Email
05:38 The History of Email Spam
05:58 The History of Email Spam defences
06:13 The History of adversarial attacks on Email Spam defences
06:24 And counter defences
06:39 And counter adversarial attacks
06:57 Spam becomes a thing of the past
07:05 Spam filtering in 2000
07:50 The “good word” attack
08:55 Naive Bayes classifiers are linear classifiers
10:04 Beating linear classifier spam filters
10:11 2004-present: adversarial attacks on simple linear and non-linear classifiers
10:54 2010s… Neural networks rule
11:15 NNets are universal approximators
11:36 Szegedy et al. Intriguing properties of neural networks. ICLR 2014
12:40 Goodfellow 2014 (see the FGSM sketch after this list)
13:26 Many other attack methods
14:20 DeepFool
14:52 DeepFool - 2
15:17 DeepFool - 3
15:37 Techniques are increasingly sophisticated
15:51 You can simply have an instance misclassified
17:18 Or even choose what it is misclassified as
17:24 You don’t even need to know the classifier
17:28 But these are only artificial, right?
18:08 Right!
18:59 Right! - 2
19:40 These only work on images though
20:03 Fooling a speech recognizer
21:14 But this requires the loss to be differentiable
21:49 The Proxy loss
22:09 Image segmentation example
22:22 Image segmentation example - 2
22:28 Image segmentation example - 3
22:35 Image segmentation example - 4
22:52 Speech recognition (Google Voice)
23:18 So why are classifiers so fragile?
24:05 Perceptual reasoning
24:56 Human perception is very forgiving
25:06 Human perception is very forgiving - 2
25:40 Human perception is very forgiving - 3
27:23 The perceptual radius
27:47 The perceptual rationale - 2
28:09 The perceptual rationale
29:03 Statistical reasoning
29:38 Spurious inputs
30:15 What will the algorithm learn?
32:05 Sufficient statistic
32:30 Sufficient statistic: Linear example
33:06 Sufficient statistic - 2
33:44 The susceptibility of networks
34:01 The susceptibility of networks - 2
34:23 The susceptibility of networks - 3
34:41 Defences
34:54 Adding adversarial samples to training
36:16 Making the function nondifferentiable
37:05 Making the function nondifferentiable - 2
38:51 Non-differentiable classifiers remain exploitable
39:33 Making it robust to (perceptually) acceptable variations
40:17 Standard Machine Learning Paradigm
41:08 Standard Machine Learning Paradigm - 2
42:10 Solution
43:01 Making it robust to (perceptually) acceptable variations - Testing for adversariality
44:07 What are we missing?
44:59 Detecting Adversariality: Spectral band redundancy
45:35 Detecting Adversariality: Spectral band redundancy - 2
46:57 Detecting Adversariality: time-frequency redundancy
47:46 Detecting Adversariality: time-frequency redundancy - 2
48:30 The bad news
49:05 Looking ahead
49:34 The abrupt stop
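
The "Goodfellow 2014" chapter refers to the fast gradient sign method (FGSM) from Goodfellow et al., "Explaining and Harnessing Adversarial Examples." As a rough illustration of the kind of attack the talk surveys, here is a minimal FGSM sketch against a toy PyTorch classifier; the model, epsilon, and input below are illustrative placeholders, not anything taken from the lecture.

```python
# Minimal FGSM sketch (assumes PyTorch is installed). The toy model and
# epsilon are placeholder choices for illustration only.
import torch
import torch.nn as nn

def fgsm_attack(model, x, label, epsilon=0.1):
    """Perturb x in the direction that increases the loss on `label`."""
    x_adv = x.clone().detach().requires_grad_(True)
    loss = nn.functional.cross_entropy(model(x_adv), label)
    loss.backward()
    with torch.no_grad():
        # Step by the sign of the gradient of the loss w.r.t. the input.
        x_adv = x_adv + epsilon * x_adv.grad.sign()
        x_adv = x_adv.clamp(0.0, 1.0)  # keep pixel values in a valid range
    return x_adv.detach()

if __name__ == "__main__":
    # Toy linear "image" classifier: 28x28 inputs, 10 classes (e.g. digits).
    model = nn.Sequential(nn.Flatten(), nn.Linear(28 * 28, 10))
    x = torch.rand(1, 1, 28, 28)            # stand-in input image
    label = model(x).argmax(dim=1)          # current predicted class
    x_adv = fgsm_attack(model, x, label, epsilon=0.1)
    # With an untrained toy model the prediction may or may not flip;
    # against a trained classifier a small epsilon often suffices.
    print("prediction before:", label.item())
    print("prediction after: ", model(x_adv).argmax(dim=1).item())
```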