On Certifying Non-uniform Bounds against Adversarial Attacks Chen Liu - - PowerPoint PPT Presentation

On Certifying Non-uniform Bounds against Adversarial Attacks

Chen Liu†, Ryota Tomioka‡, Volkan Cevher†

†´ Ecole Polytechnique F´ ed´ erale de Lausanne ‡Microsoft Research Cambridge

June 11th, 2019

Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 1 / 9

Background

Problem (Certification Problem)

Given the label set C, a classification model f : Rn → C and an input data point x ∈ Rn, we would like to find the largest neighborhood S around x such that f (x) = f (x′) ∀x′ ∈ S.

Set S is called adversarial budget and x ∈ S.

Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 2 / 9

Motivation

S(p)

ǫ (x) = {x′ = x + ǫv|vp ≤ 1}

ǫ ∈ R

Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 3 / 9

Motivation

S(p)

ǫ (x) = {x′ = x + ǫv|vp ≤ 1}

ǫ ∈ R S(p)

ǫ (x) = {x′ = x + ǫ ⊙ v|vp ≤ 1}

ǫ ∈ Rn

Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 3 / 9

Motivation

S(p)

ǫ (x) = {x′ = x + ǫv|vp ≤ 1}

ǫ ∈ R S(p)

ǫ (x) = {x′ = x + ǫ ⊙ v|vp ≤ 1}

ǫ ∈ Rn

Advantages of non-uniform bounds:

Larger overall volumes. Quantitative metric of feature robustness.

Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 3 / 9

Formulation

A N-layer fully connected neural network, parameterized by {W(i), b(i)}N−1

i=1

z(i+1) = W(i)ˆ z(i) + b(i) i = 1, 2, ..., N − 1 ˆ z(i) = σ(z(i)) i = 2, 3, ..., N − 1 (1)

Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 4 / 9

Formulation

A N-layer fully connected neural network, parameterized by {W(i), b(i)}N−1

i=1

z(i+1) = W(i)ˆ z(i) + b(i) i = 1, 2, ..., N − 1 ˆ z(i) = σ(z(i)) i = 2, 3, ..., N − 1 (1) Given a model {W(i), b(i)} and a data point x labeled as c ∈ C, we want to min

ǫ

  −

n1−1

• j=0

log ǫj    ˆ z(1) ∈ Sǫ(x) z(i+1) = W(i)ˆ z(i) + b(i) i = 1, 2, ..., N − 1 ˆ z(i) = σ(z(i)) i = 2, 3, ..., N − 1 z(N)

c

− z(N)

j

≥ δ j = 0, 1,..., nN − 1; j = c (2)

Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 4 / 9

Formulation

A N-layer fully connected neural network, parameterized by {W(i), b(i)}N−1

i=1

z(i+1) = W(i)ˆ z(i) + b(i) i = 1, 2, ..., N − 1 ˆ z(i) = σ(z(i)) i = 2, 3, ..., N − 1 (1) Given a model {W(i), b(i)} and a data point x labeled as c ∈ C, we want to min

ǫ

  −

n1−1

• j=0

log ǫj    ˆ z(1) ∈ Sǫ(x) z(i+1) = W(i)ˆ z(i) + b(i) i = 1, 2, ..., N − 1 ˆ z(i) = σ(z(i)) i = 2, 3, ..., N − 1 z(N)

c

− z(N)

j

≥ δ j = 0, 1,..., nN − 1; j = c (2) Generally intractable (at least NP-complete)! [Weng et al. 18]

Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 4 / 9

Formulation

A N-layer fully connected neural network, parameterized by {W(i), b(i)}N−1

i=1

z(i+1) = W(i)ˆ z(i) + b(i) i = 1, 2, ..., N − 1 ˆ z(i) = σ(z(i)) i = 2, 3, ..., N − 1 (1) Given a model {W(i), b(i)} and a data point x labeled as c ∈ C, we want to min

ǫ

  −

n1−1

• j=0

log ǫj    ˆ z(1) ∈ Sǫ(x) z(i+1) = W(i)ˆ z(i) + b(i) i = 1, 2, ..., N − 1 ˆ z(i) = σ(z(i)) i = 2, 3, ..., N − 1 l(N)

c

− u(N)

j

≥ δ j = 0, 1,..., nN − 1; j = c (2) Generally intractable (at least NP-complete)! [Weng et al. 18] Relax the output logits!

Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 4 / 9

Optimization

l(N) and u(N) are differentiable w.r.t. ǫ.

Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 5 / 9

Optimization

l(N) and u(N) are differentiable w.r.t. ǫ. The relaxation problem is tractable min

ǫ,y≥0

  −

n1−1

• j=0

log ǫj    s.t. l(N)

c

− u(N)

j=c − δ = y

(3)

Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 5 / 9

Optimization

l(N) and u(N) are differentiable w.r.t. ǫ. The relaxation problem is tractable min

ǫ,y≥0

  −

n1−1

• j=0

log ǫj    s.t. l(N)

c

− u(N)

j=c − δ = y

(3) The problem can be solved by Augmented Lagrangian Method max

λ

min

ǫ,y≥0 −

 

n1−1

• j=0

log ǫj   + λ, v − y + ρ 2v − y2

2

(4) v is defined as l(N)

c

− u(N)

j=c − δ

Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 5 / 9

Experiments

General Result

Dataset Architecture Training Method Uniform Non-uniform Ratio MNIST 100-100-100

• 0.0295

0.0349 1.183 PGD, τ = 0.1 0.0692 0.1678 2.425 300-300-300

• 0.0309

0.0350 1.133 PGD, τ = 0.1 0.0507 0.1404 2.769 500-500-500

• 0.0319

0.0360 1.129 PGD, τ = 0.1 0.0436 0.1167 2.677 Fashion-MNIST 1024-1024-1024

• 0.0397

0.0518 1.305 PGD, τ = 0.1 0.0446 0.1134 2.543 SVHN 1024-1024-1024

• 0.0022

0.0072 3.273 PGD, τ = 0.1 0.0054 0.0281 5.204

Table: Average of uniform and non-uniform bounds in the test sets. Larger volumes covered by non-uniform bounds, especially for robust models.

Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 6 / 9

Experiments

Robustness and Feature Selection

0.00 0.05 0.10 0.15 0.20 0.25 0.30 0.35 0.40 bound 20 40 60 80 100 pixels normal robust 0.00 0.02 0.04 0.06 0.08 0.10 bound 200 400 600 800 pixels normal robust

Figure: Examples of distributions of bounds for normal and robust models among all pixels. (Left: MNIST, Right: SVHN) Features of very large bounds → Features dropped

Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 7 / 9

Experiments

Robustness and Interpretability

We can visualize bounding map ǫ ∈ Rn like an input data point. The bounding maps demonstrate better interpretability of robust models. Figure: Left: between digit 1 and 7. Right: between digit 3 and 8. Lighter pixels mean smaller bounds.

Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 8 / 9

More Details

Welcome to Poster #63 Code on GitHub: Certify Nonuniform Bounds

Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 9 / 9

More Details

Liu et al. (EPFL) Non-uniform Bounds June 11th, 2019 9 / 9