1 / 22

Adversarial Defense By Convolutional Sparse Coding

Adversarial Defense By Convolutional Sparse Coding. Bo Sun. Outline. Background Motivation and Goal Method Experiments Conclusion. Outline. Background Motivation and Goal Method Experiments Conclusion. Background. Deep learning has made groundbreaking achievements on…

gbrannon
Download Presentation

Adversarial Defense By Convolutional Sparse Coding

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. AdversarialDefenseByConvolutionalSparseCoding Bo Sun

  2. Outline • Background • Motivation and Goal • Method • Experiments • Conclusion

  3. Outline • Background • Motivation and Goal • Method • Experiments • Conclusion

  4. Background • Deeplearninghasmadegroundbreakingachievementson… • However,securityproblemsbecomemoreandmoreserious.

  5. Background • Adversarialexamplesare inputs to machine learning models that an attacker has intentionally designed to cause the model to make a mistake. I. J. Goodfellow, J. Shlens, and C. Szegedy. Explain- ing and harnessing adversarial examples, 2014. CoRR, abs/1412.6572.

  6. Background TwoSources: (a).Abnormal:Outsidethenormaldatamanifold. (our focus) (b).Ambiguous:Obfuscatedlabels. bird -> people dog -> fish ship -> bird 0 or 6? bird or bicycle? 4 or 6? unobvious

  7. Background Common AdversarialAttacks. Clean • FGSM:FastGradientSignMethod • BIM:BasicIterativeMethod • DeepFool • C&W FGSM BIM DeepFool C&W

  8. Background DefenseStrategies • ModifyNetwork: Adversarialtraining:addadversarialexamplestotrainingset. • Modifylearningstrategy: Labelsmoothing:softlabel Networkdistillation • Modifyinputimage: Inputtransformation:cropandrescale,denoising,compression Projection:generativemodels

  9. Outline • Background • Motivation and Goal • Method • Experiments • Conclusion

  10. Motivation • Adversarialimagesdeviatefromnaturalmanifold. • Humancaneasilyfilterperturbation. • Theremustbesomesharedprojectionspaceofcleanandadversarial. • Wecannotenumerateallattacksandnetworks. • Universaldefenseisnecessary.

  11. Goal Universallydefendadversarialexamplesinquasi-naturalspace.

  12. Outline • Background • Motivation and Goal • Method • Experiments • Conclusion

  13. Background s.t. DictionaryLearning/SparseCoding: J. Mairal, F. Bach, and J. Ponce. Sparse modeling for image and vision processing. Foundations and Trends in Computer Graphics and Vision, 8(2-3):85–283, 2014.

  14. Background ConvolutionalDictionaryLearning(CDL): (pre-learned)dictionaryfilters:featuremap:

  15. Method

  16. Outline • Background • Motivation and Goal • Method • Experiments • Conclusion

  17. Experiments CIFAR-10(Resolution:32*32): D. Meng and H. Chen. Magnet: A two-pronged defenseagainst adversarial examples, 2017. In CCS. Y. Song, T. Kim, S. Nowozin, S. Ermon, and N. Kushman. Pixeldefend: Leveraging generative models to understand and defend against adversarial examples, 2018. In ICLR.

  18. Experiments ImageNet(Resolution:224*224):

  19. Experiments ImageNet(Resolution:224*224): C. Guo, M. Rana, M. Cisse, and L. van der Maaten. Countering adversarial images using input transformations, 2018. In ICLR. S.-M. M.-Dezfooli, A. Shrivastava, and O. Tuzel. Divide, denoise, and defend against adversarial attacks, 2018. arXiv preprint, arXiv:1802.06806v1. A. Prakash, N. Moran, S. Garber, A. DiLillo, and J. Storer. Detecting adversarial attacks with pixel deflection, 2018. In CVPR 2018.

  20. Experiments Intrinsic tradeoff between image reconstruction quality and defensive robustness.

  21. Outline • Background • Motivation and Goal • Method • Experiments • Conclusion

  22. Conclusion • We have proposed a novel state-of-the-art attack-agnostic adversarial defense method with additional increased robustness. • We design a novel sparse transformation layer (STL) to project the inputs to a low-dimensional quasi-natural space. • We evaluate the proposed method on CIFAR-10 and ImageNet and show that our defense mechanism provide state-of-the-art results. • We have also provided an analysis of the trade-off between the projection image quality and defense robustness.

More Related