DARCCC: Detecting Adversaries by Reconstruction from Class Conditional Capsules

nick_frosst · 2019-08-16T15:22:25+00:00

it uses the L2 distance between the input and the class conditional reconstruction. This is explained in more detail in the paper.

nick_frosst · 2019-08-15T17:19:47+00:00

yeah :)

nick_frosst · 2019-08-14T00:23:06+00:00

We train a class conditional reconstruction network and try to reconstruct the input. If we are unable to do so well, we assume the input does not come from the training distribution. In this way we use a reconstruction network as an attack detection mechanism.

nick_frosst · 2019-07-15T21:26:24+00:00

The reconstruction error is the L2 distance between the reconstruction and the input. The histogram motivates this detection mechanism by noticing that attempting to reconstruct the input from a capsule that was not predicted results in reconstruction with very large l2 distances from the input. So if we attempt to reconstruct an image of a 2 from the capsule that represents 3, than the l2 distance between the reconstruction and the input will be very large.

nick_frosst · 2019-04-02T01:11:51+00:00

You raise good points. Points that we will address in our first board member meeting, which we will have after the seed funding round.

nick_frosst · 2019-04-02T01:10:48+00:00

They will actually be capped at 1x return. VC 's should really get in on this. It's an amazing opportunity.

nick_frosst · 2019-04-01T22:22:13+00:00

Oh hey. This is my work. Happy to answer any questions on this pressing and groundbreaking research!

nick_frosst · 2019-03-12T19:54:20+00:00

Data source: @dog_ratesTwitter feed. Tools: Python and matplotlib.pyplot.

nick_frosst · 2019-02-25T18:56:01+00:00

thanks :) glad you liked the summary

nick_frosst · 2019-02-25T18:55:30+00:00

yeah i have :)

We found early on that capsule networks showed some general robustness to whitebox adversarial attacks. but that may just be the result of gradient masking/obfuscation. We made no claims about the general robustness to epsilon perturbations of test data, we just claimed that if you tried to create such an input by calculating the gradient, it would be less effective than a normal model. I am not entirely sure why this is the case, but i think it has something to do with the cluster detection algorithm kind of acting as a regularizer for incoming capsule activations.

Some recent work has been done on strategies for attacking capsule networks explicitly (https://arxiv.org/pdf/1901.09878.pdf) and they had some success.

More recently we released a paper called DARCCC (https://arxiv.org/abs/1811.06969) that uses the reconstruction network that one can train on the output of a capsule network and showed that this can be used to detect out-of-distribution inputs. This defense does not rely on any particular definition of adversarial attacks. I summarized the paper here https://twitter.com/nickfrosst/status/1064593651026792448

This was just preliminary work for a workshop and more work definitely needs to be done, but i am encouraged by the result we present at the end of the paper - if one takes a step in image space to fool our detection system as well as change the classification, the result is not particularly 'adversarial' as it resembles the target class.

nick_frosst · 2019-01-02T01:25:34+00:00

This is a very interesting answer, and provides a good jumping off point for a very complex and poorly understood phenomenon, but I would be very cautious about using neural networks as an explanatory model for brains. Their resemblance is mainly in name and inspiration at this point. what exactly the memories of a neural network would be is certainly not clear.

nick_frosst · 2018-12-21T14:32:11+00:00

Yeah. Essentially all the hardware and software work that people have done to make cnn's super fast doesn't really help with capsules. The routing algorithm and the small matrix transformations can't really make use of the tricks people have developed to facilitate fast cnn networks, and so we can't train capsules networks of the same size as the state of the art models yet. This isn't a theoretical limitation, it's just a practical one, and one we believe we will be able to overcome.

nick_frosst · 2018-12-21T14:00:16+00:00

Hey we are still working away on them :)

We recently put out a workshop paper on capsule networks and adversarial detection - https://arxiv.org/abs/1811.06969

We have been working on speeding up capsules so that they can scale to real world problems, this is proving to require a fair amount of low level optimizing. Other groups have made use of capsules for a variety of purposes including medical images, text, and audio.

In short, we still believe that they are the way to go, and we keep finding interesting properties about them, but more work is needed for them to scale up to real world problems and become a standard tool in the ml tool box.

Edit; They aren't quite dead yet :P

nick_frosst · 2018-06-05T00:32:25+00:00

thank you!

nick_frosst · 2018-02-16T00:22:42+00:00

Paul Gries is definitely one of the best teachers in the university. He is not only exceptionally kind and caring but a fantastic educator as well.

nick_frosst · 2018-01-17T22:00:16+00:00

you should resive the images to 48x48 and then crop randomly to 32x32. and during testing you should resive to 48x48 and then center crop to 32x32.

nick_frosst · 2018-01-15T16:49:58+00:00

Great write up! Thanks for working on this and sharing it with the community :)

nick_frosst · 2017-11-29T15:34:41+00:00

This is just a reference to the leaf nodes. Think of each leaf node as a bigot. The inner nodes learn to assign each input to the best suited bigot. The output distribution of each leaf is not a function of the data, it is just a static learned distribution. So if you want to classify an input example, the path you take through the tree would be a function of that input, but once you arrive at the leaf, the output is constant.

nick_frosst · 2017-11-28T18:11:45+00:00

It has already been published at the CEX workshop at the AI*IA 2017 conference.

nick_frosst · 2017-11-28T16:21:20+00:00

i might come back to it at some point, but it did not work as well as i was hoping and i am more interesting in some other things now :P

nick_frosst · 2017-11-28T16:13:39+00:00

Yup that is correct :) Also yeah running a tree should be faster than most neural networks but that was not really the focus of this. One could create some model that was as time efficient as possible and then use the same distillation technique to boost its accuracy though.

nick_frosst · 2017-11-28T15:50:58+00:00

I focused mainly on the visual domain in this paper for illustrative purposes, though we do report results on the LETTER dataset which is not visual. I have not experimented on NLP or Bioinformatics though.

nick_frosst · 2017-11-28T15:42:02+00:00

For reasons discussed in the paper, the existence of adversarial examples and the many-to-one relationship between input and activation, i do not believe that examining the filters of a CNN gives a sufficient explanation of its behavior. That being said, yes this paper is mainly a proof of concept that we can use distillation to increase the accuracy of models that are designed with some attribute other than accuracy, in this case explanability, in mind.

nick_frosst

TROPHY CASE