Presentation is loading. Please wait.

Presentation is loading. Please wait.

Image recognition: Defense adversarial attacks

Published byLeif Antonsen Modified over 5 years ago

Similar presentations

Presentation on theme: "Image recognition: Defense adversarial attacks"โ€” Presentation transcript:

1 Image recognition: Defense adversarial attacks
using Generative Adversarial Network (GAN) Speaker: Guofei Pang Division of Applied Mathematics Brown University Presentation after reading the paper: Ilyas, Andrew, et al. "The Robust Manifold Defense: Adversarial Training using Generative Models." arXiv preprint arXiv: (2017).

2 Generative Adversarial Network (GAN) How to defense attacks using GAN
Outline Adversarial attacks Generative Adversarial Network (GAN) How to defense attacks using GAN Numerical results 2/25

3 Adversarial Attacks 3/25

4 Adversarial Attacks 4/25

5 n = m n*m Adversarial Attacks ๐ˆ๐ฆ๐š๐ ๐ž ๐š๐ฌ ๐š ๐ฏ๐ž๐œ๐ญ๐จ๐ซ: ๐ฑ= ๐ฑ๐ฃ , ๐ฃ=๐Ÿ,๐Ÿ,โ€ฆ,๐งโˆ—๐ฆ
๐ฑ= ๐ฑ๐ฃ , ๐ฃ=๐Ÿ,๐Ÿ,โ€ฆ,๐งโˆ—๐ฆ m n*m 5/25

6 Adversarial examples for a classifier C(): A pair of input x1 and x2
Adversarial Attacks ๐ฑ๐Ÿ ๐ฑ๐Ÿ ๐ฑ๐Ÿโˆ’๐ฑ๐Ÿ ๐Ÿ<๐ž๐ŸŽ ๐‚(๐ฑ๐Ÿ)โˆ’๐‚(๐ฑ๐Ÿ) >๐Ÿ๐ŸŽ Adversarial examples for a classifier C(): A pair of input x1 and x2 A person says they are of the same class But a classifier will they are completely different! 6/25

7 Why does classifier become fool for these examples?
Adversarial Attacks Why does classifier become fool for these examples? 7/25

8 Why does classifier become fool for these examples?
Adversarial Attacks Why does classifier become fool for these examples? An intuition from the authors: Natural image: Low-dimensional manifold Noisy image: High-dimensional manifold High dimensionality is tough for classifier. 8/25

9 Generative adversarial network (GAN)
x and xโ€™ have similar PDF G() has learned the underlying distribution of image dataset after training GAN The DNN G() is a nonlinear mapping from low-dimensional space, z, to high-dimensional space, xโ€™ Original image x Synthetic image /Generative model xโ€™=G(z) GAN Generator G(z) Noisy input z, say, z โ€“ N(0,I) 9/25

10 Convergence state: pdata(x)=pG(x)
Generative adversarial network (GAN) Convergence state: pdata(x)=pG(x) Green solid line: probability density function (PDF) of the generator G() Black dotted line: PDF of original image x, i.e., pdata(x) Blue dash line: PDF of discriminator D() 10/25

11 Generative adversarial network (GAN)
11/25

12 Invert and Classify How to defense attacks using GAN
G() is pre-trained and has learned the underlying distribution of the training (image) dataset after training GAN Invert and Classify Synthetic image xโ€™=G(z*) (Preserve low-dimensional manifold) Classifier C() Original image x (Could include high-dimensional manifold when noise enters) 12/25

13 Enhanced Invert and Classify
How to defense attacks using GAN G() is pre-trained and has learned the underlying distribution of the training (image) dataset after training GAN Enhanced Invert and Classify Synthetic image xโ€™=G(z*) (Preserve low-dimensional manifold) Classifier C() (retrain the classifier) Upper bound of attack magnitude Classification loss 13/25

14 First-order classifier attacks for handwritten digit classification
Numerical results First-order classifier attacks for handwritten digit classification 14/25

15 First-order classifier attacks for handwritten digit classification
Numerical results First-order classifier attacks for handwritten digit classification 15/25

16 First-order classifier attacks for handwritten digit classification
Numerical results First-order classifier attacks for handwritten digit classification 16/25

17 First-order classifier attacks for gender classification
Numerical results First-order classifier attacks for gender classification 17/25

18 First-order classifier attacks for gender classification
Numerical results First-order classifier attacks for gender classification 18/25

19 Substitute model attacks
Numerical results Substitute model attacks Results from Invert and Classify 19/25

20 Invert and Classify and Enhanced Invert and Classify
Numerical results Comparison between Invert and Classify and Enhanced Invert and Classify 20/25

21 Numerical results 21/25

22 Numerical results 22/25

23 Numerical results 23/25

24 Numerical results 24/25

25 GAN for regression problems? GAN versus other neural networks?
Thinking GAN for regression problems? GAN versus other neural networks? One defense strategy for all types of attacks? 25/25

Download ppt "Image recognition: Defense adversarial attacks"

Similar presentations

1 Image Classification MSc Image Processing Assignment March 2003.

1 Image Classification MSc Image Processing Assignment March 2003.
Image classification Given the bag-of-features representations of images from different classes, how do we learn a model for distinguishing them?

Image classification Given the bag-of-features representations of images from different classes, how do we learn a model for distinguishing them?
SVM - Support Vector Machines A new classification method for both linear and nonlinear data It uses a nonlinear mapping to transform the original training.

SVM - Support Vector Machines A new classification method for both linear and nonlinear data It uses a nonlinear mapping to transform the original training.
An Introduction of Support Vector Machine

An Introduction of Support Vector Machine
SVMโ€”Support Vector Machines

SVMโ€”Support Vector Machines
CSCI 347 / CS 4206: Data Mining Module 07: Implementations Topic 03: Linear Models.

CSCI 347 / CS 4206: Data Mining Module 07: Implementations Topic 03: Linear Models.
Self Organization of a Massive Document Collection

Self Organization of a Massive Document Collection
ENN: Extended Nearest Neighbor Method for Pattern Recognition

ENN: Extended Nearest Neighbor Method for Pattern Recognition
July 11, 2001Daniel Whiteson Support Vector Machines: Get more Higgs out of your data Daniel Whiteson UC Berkeley.

July 11, 2001Daniel Whiteson Support Vector Machines: Get more Higgs out of your data Daniel Whiteson UC Berkeley.
Hurieh Khalajzadeh Mohammad Mansouri Mohammad Teshnehlab

Hurieh Khalajzadeh Mohammad Mansouri Mohammad Teshnehlab
1 SUPPORT VECTOR MACHINES ฤฐsmail GรœNEลž. 2 What is SVM? A new generation learning system. A new generation learning system. Based on recent advances in.

1 SUPPORT VECTOR MACHINES ฤฐsmail GรœNEลž. 2 What is SVM? A new generation learning system. A new generation learning system. Based on recent advances in.
SVM Support Vector Machines Presented by: Anas Assiri Supervisor Prof. Dr. Mohamed Batouche.

SVM Support Vector Machines Presented by: Anas Assiri Supervisor Prof. Dr. Mohamed Batouche.
Learning to perceive how hand-written digits were drawn Geoffrey Hinton Canadian Institute for Advanced Research and University of Toronto.

Learning to perceive how hand-written digits were drawn Geoffrey Hinton Canadian Institute for Advanced Research and University of Toronto.
Nonlinear Data Discrimination via Generalized Support Vector Machines David R. Musicant and Olvi L. Mangasarian University of Wisconsin - Madison www.cs.wisc.edu/~musicant.

Nonlinear Data Discrimination via Generalized Support Vector Machines David R. Musicant and Olvi L. Mangasarian University of Wisconsin - Madison
Machines that Make Decisions Instructor: Edmondo Trentin

Machines that Make Decisions Instructor: Edmondo Trentin
Feature selection with Neural Networks Dmitrij Lagutin, T-61.6040 - Variable Selection for Regression 24.10.2006.

Feature selection with Neural Networks Dmitrij Lagutin, T Variable Selection for Regression
Ohad Hageby IDC 2008 1 Support Vector Machines & Kernel Machines IP Seminar 2008 IDC Herzliya.

Ohad Hageby IDC Support Vector Machines & Kernel Machines IP Seminar 2008 IDC Herzliya.
Graphing a Linear Inequality

Graphing a Linear Inequality
Classification Course web page: vision.cis.udel.edu/~cv May 14, 2003 ๏ถ Lecture 34.

Classification Course web page: vision.cis.udel.edu/~cv May 14, 2003 ๏ถ Lecture 34.
Feature Selction for SVMs J. Weston et al., NIPS 2000 ์˜ค์žฅ๋ฏผ (2000/01/04) Second reference : Mark A. Holl, Correlation-based Feature Selection for Machine.

Feature Selction for SVMs J. Weston et al., NIPS 2000 ์˜ค์žฅ๋ฏผ (2000/01/04) Second reference : Mark A. Holl, Correlation-based Feature Selection for Machine.

Similar presentations

Ads by Google