1. Detecting Adversarial Examples Is (Nearly) As Hard As Classifying Them. Florian Tramèr (Stanford University, Google, ETHZ).
2. ML suffers from adversarial examples. [figure: "90% Tabby Cat" + adversarial noise → "100% Guacamole"]
3. Robust classification is hard! [figure: clean vs. adversarial accuracy]
4. Can we solve an easier problem? Computationally robust classification; randomized robust classification; robust transductive classification; robust detection.
5. Can we solve an easier problem? Computationally robust classification; randomized robust classification; robust transductive classification; robust detection. [figure labels: abstain, abstain, correct, ε]
6. Are these relaxed problems truly easier? [figure: robust classification vs. robust detection]
7. Are these relaxed problems truly easier? If YES: promising direction for useful robustness! If NO: we shouldn’t expect a breakthrough... [figure: robust classification vs. robust detection]
8. Our result. Detecting adversarial examples is as hard as classifying them!
9. What’s a hardness reduction? “Famously hard” problems: P vs NP, Riemann Hypothesis, AGI (lol). [figure: Problem X → reduction → “famously hard” problem] If we find a solution to Problem X, we also solve a super hard problem.
10. What’s a hardness reduction? “Famously hard” problems: P vs NP, Riemann Hypothesis, AGI (lol). [figure: Problem X → reduction → “famously hard” problem] Corollary: if someone claims to solve Problem X, you might be a bit skeptical...
11. Hardness reductions for robustness. [figure: a robust detector (clean / adv.) reduces to a robust classifier (clean / adv.), which is hard, alongside the “famously hard” problems]
12. Detecting adversarial examples is as hard as classifying them! [figure: robust detector (clean / adv.) → reduction → robust classifier (clean / adv.)]
13. Detecting adversarial examples is (nearly) as hard as classifying them! [figure: a robust detector (efficient, robust at distance ·) → reduction → a robust classifier (inefficient at inference, robust at distance ·)] Main technical tool: Minimum Distance Decoding.
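To make the reduction on slides 13 and 19 concrete, here is an added toy example (not code from the paper or the talk): a detector assumed robust at L_inf distance ε is turned into a classifier robust at ε/2 by brute-force minimum distance decoding over a grid. The clean points, the weak base classifier, the detector and the grid search are all constructed for this illustration.

```python
import itertools

EPS = 2.0   # the detector is assumed robust at L_inf distance EPS (constructed value)
STEP = 0.5  # grid resolution for the brute-force decoder (toy setting)

# Constructed toy data: two clean points, more than 2*EPS apart so the detector's
# robustness guarantee around each of them cannot conflict.
CLEAN = [((0.0, 0.0), 0), ((8.0, 8.0), 1)]

def linf(a, b):
    return max(abs(u - v) for u, v in zip(a, b))

def base_classifier(x):
    """Weak base classifier: its boundary (x[0] = 1) passes within EPS/2 of (0,0),
    so it is not robust at EPS/2 on its own."""
    return 1 if x[0] >= 1.0 else 0

def detector_accepts(x):
    """Toy detector robust at distance EPS: accepts x only if it lies within EPS of a
    clean point and the base classifier agrees with that point's label."""
    return any(linf(x, x0) <= EPS and base_classifier(x) == y for x0, y in CLEAN)

def neighbourhood(x, radius):
    """All STEP-grid points within L_inf distance `radius` of x."""
    k = int(radius / STEP)
    offsets = [i * STEP for i in range(-k, k + 1)]
    for delta in itertools.product(offsets, repeat=len(x)):
        yield tuple(u + d for u, d in zip(x, delta))

def reduced_classifier(x):
    """Minimum distance decoding: label x with the base label of the nearest point the
    detector accepts (None = abstain). A search radius of EPS suffices, because an input
    within EPS/2 of a clean point has that accepted point inside the radius. Exhaustive,
    hence inefficient at inference, as the talk's reduction requires."""
    accepted = [c for c in neighbourhood(x, EPS) if detector_accepts(c)]
    if not accepted:
        return None
    nearest = min(accepted, key=lambda c: (linf(x, c), c))  # deterministic tie-break
    return base_classifier(nearest)

def detector_robust_at(radius):
    """Premise check: every accepted point within `radius` of a clean point carries
    that clean point's label."""
    return all(not detector_accepts(p) or base_classifier(p) == y
               for x0, y in CLEAN for p in neighbourhood(x0, radius))

def classifier_robust_at(classifier, radius):
    """Exhaustive grid check: no perturbation within `radius` of a clean point
    changes its label."""
    return all(classifier(p) == y for x0, y in CLEAN for p in neighbourhood(x0, radius))
```

The base classifier fails at EPS/2 (for example at (1.0, 0.0)), while the decoded classifier built from the EPS-robust detector is robust at EPS/2 and abstains far from any accepted point.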
14. Interpretation #1: information theoretically, robust detection = robust classification. Same sample complexity [Schmidt et al., 2018]; same accuracy-robustness tradeoffs [Tsipras et al., 2019; Zhang et al., 2019]; same multi-robustness tradeoffs [T & Boneh, 2019; Maini et al., 2020]; same connection with error on noise [Ford et al., 2020]; ...
15. Interpretation #2: robust detectors imply a breakthrough in robust classification. World 1: [figure: train → inference, clean / adv.]
16. Interpretation #2: robust detectors imply a breakthrough in robust classification. World 2: [figure: train → inference (inefficient), clean / adv. → ?] Can we build much more robust classifiers in World 2? (we don’t know...)
17. Interpretation #2: robust detectors imply a breakthrough in robust classification. World 2: [figure: train → inference (inefficient), clean / adv.] Can we build much more robust classifiers in World 2? (we don’t know...) But any sufficiently robust detector implies a positive answer!
18. Many detectors implicitly claim such a breakthrough! [figure: robustness claims from detector defenses (13 in the paper) vs. SOTA robust classification for attacks on CIFAR-10]
19. Many detectors implicitly claim such a breakthrough! [figure: same plot] Our reduction implies a robust classifier for ε/2.
20. Many detectors implicitly claim such a breakthrough! Optimistic interpretation: this is an actual breakthrough in (inefficient) robust classification!
21. Pessimistic (realistic?) interpretation: these detectors are not robust!
22. Conclusion. [figure: robust classification vs. robust detection]
23. Conclusion. [figure: robust classification vs. robust detection]
24. Conclusion. Reductions/separations for other “easier” approaches to robustness? https://arxiv.org/abs/2107.11630 https://floriantramer.com [figure: robust classification vs. robust detection]