AI News, Deep Neural Networks can be fooled by adversarial examples, and ... artificial intelligence

Microsoft Research Blog

AI is rapidly changing the economy, both by creating new opportunities (it’s the backbone of the gig economy) and by bringing venerable institutions, like transportation, into the 21st century.

Today, most successful AI applications use machine learning (more specifically, supervised learning) by training big neural networks to mimic input-output mappings on sample data.
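As a minimal, hypothetical sketch of that supervised setup (the model, data, and hyperparameters below are placeholders, not anything from the post), a network is fit to labeled examples by minimizing a loss over input-output pairs:

```python
import torch
import torch.nn as nn

# Hypothetical toy example: a small network trained to mimic an input-output mapping.
model = nn.Sequential(nn.Linear(32, 64), nn.ReLU(), nn.Linear(64, 10))
optimizer = torch.optim.SGD(model.parameters(), lr=0.1)
loss_fn = nn.CrossEntropyLoss()

x = torch.randn(128, 32)           # sample inputs
y = torch.randint(0, 10, (128,))   # sample labels

for _ in range(100):               # standard supervised training loop
    optimizer.zero_grad()
    loss = loss_fn(model(x), y)    # how far the network's outputs are from the labels
    loss.backward()
    optimizer.step()
```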

These manipulated inputs, or adversarial examples, pose a tremendous threat to applications such as automated insurance claim processing, and they can even be life-threatening if used to target autonomous vehicle systems.

Very roughly speaking, there are two camps of research: those who try to develop robust training techniques (building robust neural networks), and those who try to find adversarial examples (breaking neural networks).
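To make the "breaking" camp concrete, here is a hedged sketch in PyTorch (with placeholder names for the model and data, not objects from the post) of the classic fast gradient sign method, one standard way to construct an adversarial example:

```python
import torch
import torch.nn.functional as F

def fgsm_example(model, x, y, eps=0.03):
    """One-step FGSM: nudge x in the direction that most increases the loss."""
    x_adv = x.clone().detach().requires_grad_(True)
    loss = F.cross_entropy(model(x_adv), y)
    loss.backward()
    # Step of size eps along the sign of the input gradient, clamped to a valid pixel range.
    return (x_adv + eps * x_adv.grad.sign()).clamp(0, 1).detach()
```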

More specifically, by combining adversarial training with a technique called randomized smoothing, our method achieves state-of-the-art results for training networks that are provably robust against adversarial attacks.

For a couple of years, as everyone focused on creating bigger and better networks, the robustness question was ignored. That changed in 2013 with the publication of a paper titled “Intriguing properties of neural networks,” by Szegedy, Goodfellow, and others.

In this work, the authors showed that the ghosts of the AI past were coming back to haunt us yet again: conventionally trained neural networks are extremely non-robust, just as conventional SVM training used to produce non-robust linear models.

As mentioned earlier, a back-and-forth cycle began after this paper: researchers would develop a more robust model, only to have it broken by new adversarial attacks, and so the cycle continued.

A critical difference between the neural network problem and the SVM example is that, in this case, adversarial training is merely an empirical technique: there is no guarantee of success, and one can only test empirically whether the resulting network is robust on a given input.

The key implications of the Weierstrass transform for neural networks are that smoothness exactly implies provable robustness and that the evaluation of the Weierstrass transform is probabilistically efficient (meaning that with high probability one can get a very good approximation to the value of the transform).
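In symbols (using the standard randomized-smoothing formulation rather than any notation of the post's own), smoothing a base network f with Gaussian noise is a Weierstrass transform, and it is estimated by Monte Carlo sampling:

$$
\hat f(x) \;=\; \mathbb{E}_{\delta \sim \mathcal{N}(0,\,\sigma^2 I)}\!\left[f(x+\delta)\right]
\;\approx\; \frac{1}{m}\sum_{i=1}^{m} f(x+\delta_i), \qquad \delta_i \sim \mathcal{N}(0,\,\sigma^2 I),
$$

with the approximation accurate with high probability, by standard concentration bounds, once the number of noise samples m is moderately large.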

To train the transformed function, we evaluate this approximation under our loss function of choice and leverage the powerful automatic differentiation features of modern deep learning frameworks to perform gradient descent.
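A rough sketch of that training step in PyTorch, under the same Monte Carlo approximation (the model, noise level sigma, and sample count below are illustrative placeholders, not the authors' released code):

```python
import torch
import torch.nn.functional as F

def smoothed_loss(model, x, y, sigma=0.25, num_samples=4):
    """Monte Carlo estimate of the loss of the Gaussian-smoothed network."""
    losses = []
    for _ in range(num_samples):
        noise = torch.randn_like(x) * sigma                    # delta ~ N(0, sigma^2 I)
        losses.append(F.cross_entropy(model(x + noise), y))
    return torch.stack(losses).mean()                          # average over noise draws

# Autodiff does the rest: backpropagate through the estimate and take a gradient step.
#   optimizer.zero_grad(); smoothed_loss(model, x, y).backward(); optimizer.step()
```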

(One of our researchers also wrote this blog post with a deeper dive into the technical details.) The simple idea of adversarially training the smoothed classifier establishes new state-of-the-art results in provably robust image classification.
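One way to picture that combination (a sketch of the idea, reusing the placeholder smoothed_loss from the snippet above, not the paper's exact procedure) is to run a projected-gradient attack against the Monte Carlo estimate of the smoothed loss and then train on the perturbed inputs:

```python
import torch

def attack_smoothed(model, x, y, eps=0.5, step=0.1, iters=10, sigma=0.25):
    """PGD-style L2 attack on the Monte Carlo estimate of the smoothed loss."""
    x_adv = x.clone().detach()
    for _ in range(iters):
        x_adv.requires_grad_(True)
        loss = smoothed_loss(model, x_adv, y, sigma=sigma)     # from the sketch above
        grad, = torch.autograd.grad(loss, x_adv)
        with torch.no_grad():
            g = grad.flatten(1)
            g = g / (g.norm(dim=1, keepdim=True) + 1e-12)      # per-example ascent direction
            x_adv = x_adv + step * g.view_as(grad)
            x_adv = x + (x_adv - x).renorm(p=2, dim=0, maxnorm=eps)  # project onto the L2 ball
    return x_adv.detach()

# Adversarial training of the smoothed classifier then minimizes
#   smoothed_loss(model, attack_smoothed(model, x, y), y)
```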

In the figure above, we plot provably robust accuracy (y-axis) against the attack radius (x-axis) in solid blue lines and compare against the prior state of the art in solid red lines.

Our method for adversarially training smoothed classifiers raises the bar with state-of-the-art results in provably robust image classification, taking us a step closer to solving the problem of malicious adversarial attacks.

At present, all robust training methods can handle only small perturbations: increasing the dimensionality of the problem (for example, by increasing the resolution of an image) brings no substantial improvement in the perturbation size for which robustness can be guaranteed.
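A short back-of-the-envelope calculation (my gloss on the claim, not a formula from the post) shows why a fixed budget becomes relatively weaker as resolution grows: perturbing each of d pixels by at most ε gives an L2 norm of up to

$$ \|\delta\|_2 \le \varepsilon\sqrt{d}, $$

so a certified L2 radius that stays constant as d increases corresponds to an ever-smaller per-pixel budget.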

Tricking Artificial Intelligence by Adversarial Examples | Patch (Google)

Most existing machine learning classifiers are highly vulnerable to adversarial examples. In this video we deep dive into how adversarial examples generalize ...

'How neural networks learn' - Part II: Adversarial Examples

In this episode we dive into the world of adversarial examples: images specifically engineered to fool neural networks into making completely wrong decisions!

[GreHack 2017] Efficient Defenses against Adversarial Examples for Deep Neural Networks

Following the recent adoption of deep neural networks (DNN) in a wide range of application fields, adversarial attacks against these models have proven to be ...

Adversarial Examples Are Not Bugs, They Are Features

Abstract: Adversarial examples have attracted significant attention in machine learning, but the reasons for their existence and pervasiveness remain unclear.

Adversarial-Playground: A Visualization Suite Showing How Adversarial Examples Fool Deep Learning

Our paper, "Adversarial-Playground: A Visualization Suite Showing How Adversarial Examples Fool Deep Learning," at VizSec 2017. The code at: ...

Fooling Image Recognition with Adversarial Examples

More info: Paper: .

Adversarial Attacks on Neural Networks - Bug or Feature?

The paper "Adversarial Examples Are Not Bugs, They Are Features" is available here: ...

Breaking Deep Learning Systems With Adversarial Examples | Two Minute Papers #43

Artificial neural networks are computer programs that try to approximate what the human brain does to solve problems like recognizing objects in images. In this ...

NDSS 2018 - Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks

Session 3A: Deep Learning and Adversarial ML - 04: Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks. SUMMARY: Although deep ...

Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks

Talk slides @ On December 21 @ 12 noon, Dr. Qi gave a distinguished webinar ...