Hello everyone, my name is Hongsheng. I'm very glad to have this opportunity to share our work at the IEEE S&P conference. The paper's title is "LACMUS: Latent Concept Masking for General Robustness Enhancement of DNN". The authors are from CSIRO; Jiamin Chang from the University of New South Wales; Benjamin Zhao from Macquarie University; and Minhui Xue from CSIRO.

I would like to start this presentation by introducing the background of machine learning. In machine learning we have training data, and this data can be images, text, audio, and video. Once we have collected this training data, we can feed it into a learning algorithm to train a machine learning model, and once the model is trained, it can be deployed in many applications, such as chatbots, image generators, and video generators. But although machine learning, and especially deep learning, has achieved such advanced results, one fundamental problem, robustness, remains an open question.

Robustness is important to deep neural networks because in many practical applications we need to ensure that the model is robust under different conditions and against different adversarial attacks. However, even on traditional classification tasks, deep neural networks are susceptible to different kinds of adversarial attacks. Now I want to introduce three typical scenarios in which a model will produce misclassifications.

The first one is adversarial robustness. Adversarial robustness means the model can make correct predictions on the original benign samples, but if we add some pixel-level perturbations that are very difficult for a human to notice, the model will make incorrect predictions, causing misclassifications.
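To make the pixel-level scenario concrete, here is a minimal sketch of a one-step gradient-sign perturbation (FGSM-style, one of the attacks evaluated later in the talk). It assumes a PyTorch classifier `model` with inputs scaled to [0, 1]; the function name and the `eps` value are illustrative, not from the paper.

```python
import torch
import torch.nn.functional as F

def fgsm_perturb(model, x, y, eps=8 / 255):
    """One-step pixel-level perturbation: move every pixel a tiny step
    in the direction that increases the classification loss."""
    x = x.clone().detach().requires_grad_(True)
    loss = F.cross_entropy(model(x), y)
    loss.backward()
    # eps is small enough that the change is hard for a human to notice,
    # yet it is often enough to flip the model's prediction.
    x_adv = x + eps * x.grad.sign()
    return x_adv.clamp(0.0, 1.0).detach()
```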
The second one is semantic robustness. Semantic robustness means the model can make correct predictions on benign samples, but if we change a semantic condition, for example if we put a face under different lighting conditions, the model cannot recognize these samples anymore, and this causes misclassifications.

The third one is distribution robustness. If samples are out of distribution, they are very difficult for the model to recognize, and this also causes misclassifications.

So how can we enhance the robustness of DNNs? Adversarial training is a popular defense method to enhance the robustness of deep neural networks. What is adversarial training? In traditional training we have benign samples, we just use the benign samples to train the model, and once the model is trained, its robustness is not guaranteed. The intuition here is that the model has never seen adversarial examples, so the robustness of the model is very low. This is traditional training. In adversarial training, when we train the model we not only feed the benign samples to the model, we also feed adversarial samples to it. Because the model has now seen adversarial samples during training, the robustness of the model is enhanced. This is the process of adversarial training, sketched below.
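As a rough sketch of that process (not the paper's exact recipe), one training step that feeds both benign and adversarial samples to the model could look like the following; `attack` is any perturbation function, such as the `fgsm_perturb` sketch above.

```python
import torch.nn.functional as F

def adversarial_training_step(model, optimizer, x, y, attack):
    """One optimization step that mixes benign and adversarial samples,
    so the model has 'seen' adversarial examples during training."""
    model.train()
    x_adv = attack(model, x, y)  # e.g. the fgsm_perturb sketch above
    optimizer.zero_grad()
    # Train on the benign batch and its adversarial counterpart together.
    loss = F.cross_entropy(model(x), y) + F.cross_entropy(model(x_adv), y)
    loss.backward()
    optimizer.step()
    return loss.item()
```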
However, there are several limitations of existing adversarial training methods, and we identify four research gaps.

The first research gap is that the effectiveness of current adversarial training is attack-specific. This means that if the adversarial examples are generated by attack A, then the trained model can mitigate attack A, but for attack B the effectiveness is an open question.

The second research gap is that the effectiveness is evaluation-specific. For example, if the adversarial examples are generated by a pixel-perturbation-based attack, then the model can mitigate pixel-based attacks, but for semantic attacks the effectiveness is an open question.

The third gap is the robustness and utility trade-off. Because we have put adversarial examples into the training of the model, the result is that the robustness of the model is improved, but it will affect the normal utility of the model.

The last gap we identify is that adversarial examples have low-level abstraction, and the feasibility of generating them can be a question. Low-level abstraction means it is very difficult to understand what the noise means. The feasibility issue means that in some applications we only have limited access to the training data, so we cannot generate plenty of adversarial examples, and this makes the effectiveness of adversarial training, which relies on a large number of adversarial examples, a question.

So we offer our solution, latent concept masking for robustness enhancement, that is, LACMUS, to improve existing adversarial training.

In LACMUS, at the beginning we have a sample x with its label y₀, and we put the sample into an encoder. The function of the encoder is to map the high-dimensional x into a low-dimensional representation, where each v is a d-dimensional vector. The core idea of LACMUS is that we have a pretrained codebook, and in the codebook each c is a concept; each concept captures a structural attribute of the sample, and each concept is a d-dimensional vector. Because the dimension of the concepts and the dimension of the v vectors are the same, we can use vector quantization to transfer the representation by v into a representation by concepts.
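Because each latent vector and each concept share the same dimension d, that quantization step can be sketched as a nearest-neighbour lookup against the codebook (a VQ-VAE-style operation; the tensor shapes and names below are assumptions for illustration, not the paper's code).

```python
import torch

def quantize_to_concepts(v, codebook):
    """VQ-style quantization: map each d-dimensional latent vector to the
    index of its nearest concept in the pretrained codebook.
    v: (n, d) latent vectors; codebook: (K, d) concept vectors."""
    dists = torch.cdist(v, codebook)   # (n, K) pairwise Euclidean distances
    indices = dists.argmin(dim=1)      # the concept matrix: one concept id per vector
    return indices
```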
Once we have the concept matrix, we can use the concept masking mechanism to mask one of the concepts in the matrix. For example, we can mask the concept c9 and change it to c0. Once we have finished this step, we can map the concept matrix back to the vector matrix, and the vector matrix is then put into a decoder. The function of the decoder is to reconstruct a sample x′ that has the same dimensions as the original sample x. We then feed the sample x′ into the model f, and we want to ensure that for the reconstructed sample x′, the label predicted by the model is not equal to the original label y₀. If we can ensure that, then together the sample x′ and the label y₀ constitute a new type of adversarial example, which we call a conceptual adversarial example; a sketch of this construction follows below.

Now that we have conceptual adversarial examples, we can combine them with adversarial training to enhance the robustness of the model. The high-level intuition is that we want to force the model to make predictions based on essential conceptual elements rather than non-essential conceptual features. For the technical details, please check our paper.
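Here is a minimal sketch of the whole construction, reusing the `quantize_to_concepts` sketch above. It assumes `encoder`, `decoder`, and `model` are given PyTorch modules, that x is a single-sample batch, and that the masking position and replacement concept have already been chosen; all names are illustrative.

```python
import torch

@torch.no_grad()
def conceptual_adversarial_example(x, y0, encoder, decoder, codebook,
                                   model, position, new_concept):
    """Mask one concept, decode, and keep the result only if the model's
    prediction flips away from the original label y0."""
    v = encoder(x)                                # (n, d) latent vectors
    indices = quantize_to_concepts(v, codebook)   # concept matrix
    indices[position] = new_concept               # e.g. replace c9 with c0
    x_prime = decoder(codebook[indices])          # reconstruct x', same shape as x
    pred = model(x_prime).argmax(dim=1)
    if (pred != y0).all():                        # label disagreement with y0
        return x_prime, y0                        # a conceptual adversarial pair
    return None                                   # masking did not flip the label
```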
Now let me introduce the experimental results of LACMUS. In the experimental setting, we utilize less than 1% of the original training samples in both the adversarial training and evaluation phases, for all scenarios.

The first experiment investigates the utility and robustness of the model. The research question we ask is how the model's utility changes when using conceptual adversarial examples for adversarial training. Table 1 shows the performance of the model after adversarial training with conceptual adversarial examples on clean test and adversarial test images, measured by accuracy. As we can see from this table, the takeaway is that LACMUS maintains or even improves a model's accuracy on clean data, and greatly enhances robustness against conceptual adversarial examples after adversarial training.

The second experiment shows how the model performs against adversarial and semantic attacks. The question here is how the model's robustness generalizes to unseen adversarial and semantic attacks. Table 2 reports the accuracy of models after adversarial training with conceptual adversarial examples against a variety of adversarial and semantic attacks: for example, the adversarial attacks FGSM, PGD, and the pixel attack, and the semantic attacks of the spatial attack and the sparse attack. This table only shows the results on the MNIST dataset; the results for the other datasets are provided in the paper. The takeaway here is that using LACMUS alone enhances a model's resilience against a broader spectrum of attacks, covering both pixel-level adversarial and semantic attack types.

The third experiment investigates the model's performance against data distribution drift. We ask how robust the model is to data distribution drift after the LACMUS adversarial training framework. Table 3 gives the accuracy of the model after adversarial training with conceptual adversarial examples under data distribution drift. We test two kinds of distribution drift: one is in-distribution hard samples, which means the samples are within the data distribution but are very difficult to recognize; the other is out-of-distribution corrupted samples. The takeaway here is that LACMUS has a stronger ability to handle hard and corrupted samples compared to standard adversarial training.
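A Table-2- or Table-3-style comparison can be sketched as one evaluation harness that measures accuracy on any test loader, optionally under any attack; the loop below is illustrative, not the paper's evaluation code.

```python
import torch

def robust_accuracy(model, loader, attack=None):
    """Accuracy on a test set, optionally under an attack. Looping this
    over FGSM, PGD, pixel, spatial, ... attacks, or over hard/corrupted
    test sets, yields one row of a Table-2/Table-3-style comparison."""
    model.eval()
    correct = total = 0
    for x, y in loader:
        if attack is not None:
            x = attack(model, x, y)    # the attack computes its own gradients
        with torch.no_grad():
            correct += (model(x).argmax(dim=1) == y).sum().item()
        total += y.numel()
    return correct / total
```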
Now we come to the conclusions and future work of this paper. The conclusion of the paper is that LACMUS offers an attack-agnostic, model-agnostic robustness enhancement solution with a limited number of training samples.

The limitation of this paper is that a more advanced concept-replacing strategy should be proposed. In our current concept-replacing stage, although we have some statistical methods for how to select a concept and which position of the concept should be changed, an automated and adaptive selection mechanism could be proposed to further improve the current LACMUS framework.

There are also some future directions for this paper. The first is that in this paper we mainly evaluate the LACMUS framework on traditional convolutional neural networks, so what is the performance of LACMUS on other architectures, like vision transformer models? And what is the performance of LACMUS in other domains, like the NLP domain? We also want to emphasize that LACMUS is in its early stage: in the current LACMUS framework, the encoder and decoder framework we use is VQ-VAE, but more advanced generative models could also be considered for integration to improve the current LACMUS framework.

Thank you for your attention to our paper. For any questions, you can reach me through email. Thank you.