The Limitations of Deep Learning in Adversarial Settings
- Nicolas Papernot, P. McDaniel, S. Jha, Matt Fredrikson, Z. B. Celik, A. Swami
- Computer Science · European Symposium on Security and Privacy
- 24 November 2015
This work formalizes the space of adversaries against deep neural networks (DNNs) and introduces a novel class of algorithms to craft adversarial samples based on a precise understanding of the mapping between inputs and outputs of DNNs.
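As a rough illustration of the gradient-based crafting idea this summary describes, the sketch below builds a saliency map for a toy softmax-regression model (not a DNN) and greedily perturbs the most salient feature; the weights `W`, `b`, step size `theta`, and iteration budget are illustrative assumptions, not the paper's setup.

```python
# Hedged sketch: Jacobian-based saliency crafting (in the spirit of the paper's
# approach) on a toy softmax-regression model. W, b, theta, and max_iters are
# illustrative placeholders.
import numpy as np

def softmax(z):
    z = z - z.max()
    e = np.exp(z)
    return e / e.sum()

def jacobian(x, W, b):
    """d p_c / d x_i for p = softmax(W x + b); shape (classes, features)."""
    p = softmax(W @ x + b)
    return p[:, None] * (W - p @ W)

def saliency_attack(x, target, W, b, theta=0.1, max_iters=50):
    x = x.copy()
    for _ in range(max_iters):
        if softmax(W @ x + b).argmax() == target:
            break
        J = jacobian(x, W, b)
        dt = J[target]                       # effect of each feature on the target class
        do = J.sum(axis=0) - dt              # combined effect on all other classes
        sal = np.where((dt > 0) & (do < 0), dt * np.abs(do), 0.0)
        if sal.max() <= 0:                   # no admissible feature left to perturb
            break
        i = sal.argmax()
        x[i] = np.clip(x[i] + theta, 0.0, 1.0)
    return x

# Toy usage with random weights on a 20-feature input.
rng = np.random.default_rng(0)
W, b = rng.normal(size=(3, 20)), np.zeros(3)
x_adv = saliency_attack(rng.random(20), target=2, W=W, b=b)
```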
MixMatch: A Holistic Approach to Semi-Supervised Learning
- David Berthelot, Nicholas Carlini, Ian J. Goodfellow, Nicolas Papernot, Avital Oliver, Colin Raffel
- Computer Science · Neural Information Processing Systems
- 6 May 2019
This work unifies the current dominant approaches to semi-supervised learning into a new algorithm, MixMatch, which guesses low-entropy labels for data-augmented unlabeled examples and mixes labeled and unlabeled data using MixUp.
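The sketch below illustrates, under simplifying assumptions, the two ingredients named in the summary: sharpening guessed labels for augmented unlabeled data and MixUp-style mixing. The stand-in `predict` function, temperature `T`, and `alpha` are placeholders rather than the paper's configuration.

```python
# Hedged sketch of label guessing (sharpening) and MixUp mixing; the model is a
# fixed stand-in predictor, not a trained network.
import numpy as np

def sharpen(p, T=0.5):
    """Lower the entropy of a guessed label distribution."""
    p = p ** (1.0 / T)
    return p / p.sum(axis=-1, keepdims=True)

def mixup(x1, y1, x2, y2, alpha=0.75, rng=np.random.default_rng(0)):
    lam = rng.beta(alpha, alpha)
    lam = max(lam, 1 - lam)          # keep the mix closer to the first argument
    return lam * x1 + (1 - lam) * x2, lam * y1 + (1 - lam) * y2

rng = np.random.default_rng(0)
predict = lambda x: np.abs(x[:3]) / np.abs(x[:3]).sum()   # stand-in model

# Guess a label by averaging predictions over K=2 augmentations, then sharpen.
x_u = rng.random(8)
preds = [predict(x_u + 0.01 * rng.normal(size=8)) for _ in range(2)]
q = sharpen(np.mean(preds, axis=0))

# Mix the unlabeled example with a labeled one.
x_l, y_l = rng.random(8), np.eye(3)[1]
x_mix, y_mix = mixup(x_u, q, x_l, y_l)
```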
Ensemble Adversarial Training: Attacks and Defenses
- Florian Tramèr, Alexey Kurakin, Nicolas Papernot, D. Boneh, P. McDaniel
- Computer Science · International Conference on Learning Representations
- 19 May 2017
This work finds that adversarial training remains vulnerable to black-box attacks, in which perturbations computed on undefended models are transferred to the defended model, as well as to a powerful novel single-step attack that escapes the non-smooth vicinity of the input data via a small random step.
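A minimal sketch of the kind of randomized single-step attack the summary refers to, assuming a toy logistic-regression loss so the input gradient is analytic; `eps`, `alpha`, and the model are illustrative, not the paper's configuration.

```python
# Hedged sketch: take a small random step first, then a gradient-sign step from
# that point. The gradient is the analytic one for logistic regression.
import numpy as np

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def rand_fgsm(x, y, w, b, eps=0.3, alpha=0.15, rng=np.random.default_rng(0)):
    # 1) random step away from the data point (escapes the non-smooth vicinity)
    x_prime = x + alpha * np.sign(rng.normal(size=x.shape))
    # 2) gradient-sign step with the remaining budget on the cross-entropy loss
    grad = (sigmoid(w @ x_prime + b) - y) * w     # d loss / d x for logistic regression
    return x_prime + (eps - alpha) * np.sign(grad)

rng = np.random.default_rng(1)
w, b = rng.normal(size=10), 0.0
x, y = rng.random(10), 1.0
x_adv = rand_fgsm(x, y, w, b)
```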
Practical Black-Box Attacks against Machine Learning
- Nicolas Papernot, P. McDaniel, Ian J. Goodfellow, S. Jha, Z. B. Celik, A. Swami
- Computer Science · ACM Asia Conference on Computer and Communications Security
- 8 February 2016
This work introduces the first practical demonstration of an attacker controlling a remotely hosted DNN without knowledge of its architecture or training data, and finds that this black-box attack strategy is capable of evading defense strategies previously found to make adversarial example crafting harder.
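The loop below sketches the substitute-training idea behind such a black-box attack, assuming a local stand-in `oracle` in place of the remotely hosted model and a linear substitute; the augmentation step and step size are illustrative.

```python
# Hedged sketch: query the label-only oracle, fit a local substitute, and grow
# the query set with a Jacobian-inspired augmentation step. The oracle is a
# local stand-in; in the paper it is a remotely hosted DNN.
import numpy as np
from sklearn.linear_model import LogisticRegression

rng = np.random.default_rng(0)

def oracle(X):                       # stand-in for the remote, label-only API
    return (X.sum(axis=1) > X.shape[1] / 2).astype(int)

X = rng.random((20, 10))             # small initial seed set
for _ in range(3):                   # a few augmentation rounds
    y = oracle(X)
    sub = LogisticRegression().fit(X, y)
    # Jacobian-based augmentation: for a linear substitute the input gradient
    # of the predicted class score is just +/- the weight vector.
    signs = np.where(y == 1, 1.0, -1.0)[:, None]
    X = np.vstack([X, np.clip(X + 0.1 * np.sign(signs * sub.coef_), 0, 1)])

# Adversarial examples crafted on the substitute are then transferred to the oracle.
```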
Distillation as a Defense to Adversarial Perturbations Against Deep Neural Networks
- Nicolas Papernot, P. McDaniel, Xi Wu, S. Jha, A. Swami
- Computer Science · IEEE Symposium on Security and Privacy
- 14 November 2015
The study shows that defensive distillation can reduce the effectiveness of adversarial sample crafting from 95% to less than 0.5% on a studied DNN, and analytically investigates the generalizability and robustness properties granted by the use of defensive distillation when training DNNs.
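A toy sketch of the distillation recipe, assuming softmax-regression "teacher" and "distilled" models trained by plain gradient descent; the temperature `T`, learning rate, and data are illustrative, not the paper's setup.

```python
# Hedged sketch: train a teacher at temperature T, use its softened
# probabilities as targets for a distilled model of the same form.
import numpy as np

def softmax(Z, T=1.0):
    Z = Z / T
    Z = Z - Z.max(axis=1, keepdims=True)
    E = np.exp(Z)
    return E / E.sum(axis=1, keepdims=True)

def train(X, Y_soft, T, lr=0.5, steps=500):
    """Fit softmax regression to (possibly soft) targets at temperature T."""
    W = np.zeros((X.shape[1], Y_soft.shape[1]))
    for _ in range(steps):
        P = softmax(X @ W, T)
        W -= lr * X.T @ (P - Y_soft) / (T * len(X))   # cross-entropy gradient at temperature T
    return W

rng = np.random.default_rng(0)
X = rng.random((200, 5))
Y = np.eye(3)[rng.integers(0, 3, size=200)]     # hard one-hot labels
T = 20.0                                        # distillation temperature (illustrative)

W_teacher = train(X, Y, T)                      # teacher trained at temperature T
Y_soft = softmax(X @ W_teacher, T)              # soft labels produced by the teacher
W_distilled = train(X, Y_soft, T)               # distilled model trained on soft labels
# At test time the distilled model is evaluated at T = 1.
```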
Semi-supervised Knowledge Transfer for Deep Learning from Private Training Data
- Nicolas Papernot, Martín Abadi, Ú. Erlingsson, Ian J. Goodfellow, Kunal Talwar
- Computer Science · International Conference on Learning Representations
- 18 October 2016
Private Aggregation of Teacher Ensembles (PATE), which combines in a black-box fashion multiple models trained on disjoint datasets, such as records from different subsets of users, is demonstrated to achieve state-of-the-art privacy/utility trade-offs on MNIST and SVHN.
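The snippet below sketches the noisy aggregation step at the core of PATE, assuming simulated teacher votes and an illustrative Laplace noise scale `gamma`.

```python
# Hedged sketch: each teacher (trained on a disjoint data partition) votes for
# a label, Laplace noise is added to the vote counts, and the noisy plurality
# becomes the label released to the student. Votes are simulated here.
import numpy as np

def noisy_aggregate(teacher_predictions, num_classes, gamma=0.05,
                    rng=np.random.default_rng(0)):
    """teacher_predictions: array of per-teacher label votes for one query."""
    counts = np.bincount(teacher_predictions, minlength=num_classes)
    noisy = counts + rng.laplace(scale=1.0 / gamma, size=num_classes)
    return int(np.argmax(noisy))

# 250 teachers voting on a single student query (votes are simulated).
rng = np.random.default_rng(1)
votes = rng.choice(10, size=250, p=np.r_[0.4, [0.6 / 9] * 9])
label = noisy_aggregate(votes, num_classes=10)
```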
Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples
- Nicolas Papernot, P. McDaniel, Ian J. Goodfellow
- Computer Science · arXiv.org
- 24 May 2016
New transferability attacks are introduced between previously unexplored (substitute, victim) pairs of machine learning model classes, most notably SVMs and decision trees.
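A small sketch of such a cross-model transfer check, assuming synthetic data, a logistic-regression substitute, and a decision-tree victim; `eps` and both models are illustrative stand-ins.

```python
# Hedged sketch: craft perturbations on a differentiable substitute and measure
# how often they also fool a non-differentiable victim model.
import numpy as np
from sklearn.linear_model import LogisticRegression
from sklearn.tree import DecisionTreeClassifier

rng = np.random.default_rng(0)
X = rng.normal(size=(400, 8))
y = (X[:, 0] + X[:, 1] > 0).astype(int)

substitute = LogisticRegression().fit(X, y)
victim = DecisionTreeClassifier(max_depth=5, random_state=0).fit(X, y)

# FGSM-style step on the substitute's loss (its input gradient is analytic).
eps = 0.5
p = substitute.predict_proba(X)[:, 1]
grad = (p - y)[:, None] * substitute.coef_      # d cross-entropy / d x
X_adv = X + eps * np.sign(grad)

print("victim accuracy, clean:      ", victim.score(X, y))
print("victim accuracy, transferred:", victim.score(X_adv, y))
```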
Adversarial Attacks on Neural Network Policies
- Sandy H. Huang, Nicolas Papernot, Ian J. Goodfellow, Yan Duan, P. Abbeel
- Computer Science · International Conference on Learning Representations
- 8 February 2017
This work shows existing adversarial example crafting techniques can be used to significantly degrade test-time performance of trained policies, even with small adversarial perturbations that do not interfere with human perception.
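The sketch below illustrates the attack setting with a toy linear softmax policy: an FGSM-style step on the observation aims to change the policy's preferred action. `W`, `eps`, and the observation are assumptions for illustration; a real instance would perturb the image observations of a deep RL agent.

```python
# Hedged sketch: perturb the observation fed to a trained policy so its
# preferred action changes, while keeping the perturbation small.
import numpy as np

def softmax(z):
    e = np.exp(z - z.max())
    return e / e.sum()

def attack_observation(obs, W, eps=0.05):
    """FGSM-style step that pushes probability away from the current best action."""
    probs = softmax(W @ obs)
    a = probs.argmax()
    # Gradient of log pi(a | obs) w.r.t. obs for a linear softmax policy.
    grad = W[a] - probs @ W
    return obs - eps * np.sign(grad)            # descend on the chosen action's score

rng = np.random.default_rng(0)
W = rng.normal(size=(4, 16))                    # 4 actions, 16-dim observation
obs = rng.random(16)
obs_adv = attack_observation(obs, W)
print(softmax(W @ obs).argmax(), "->", softmax(W @ obs_adv).argmax())
```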
Scalable Private Learning with PATE
- Nicolas Papernot, Shuang Song, Ilya Mironov, A. Raghunathan, Kunal Talwar, Ú. Erlingsson
- Computer Science · International Conference on Learning Representations
- 15 February 2018
This work shows how PATE can scale to learning tasks with large numbers of output classes and uncurated, imbalanced training data with errors, and introduces new noisy aggregation mechanisms for teacher ensembles that are more selective and add less noise, proving tighter differential-privacy guarantees for them.
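A rough sketch of a more selective, Gaussian-noise aggregation in the spirit of what the summary describes: the ensemble abstains unless a noisy consensus check passes. All thresholds and noise scales here are illustrative, not the paper's calibrated values.

```python
# Hedged sketch: answer a student query only when the (noisily checked)
# teacher consensus is strong; otherwise abstain and release nothing.
import numpy as np

def confident_aggregate(votes, num_classes, threshold=180.0,
                        sigma_check=30.0, sigma_answer=10.0,
                        rng=np.random.default_rng(0)):
    counts = np.bincount(votes, minlength=num_classes).astype(float)
    # Step 1: noisy consensus check; abstain if the top vote count is too low.
    if counts.max() + rng.normal(scale=sigma_check) < threshold:
        return None                              # abstain: no label released
    # Step 2: answer with a Gaussian-noised plurality vote.
    return int(np.argmax(counts + rng.normal(scale=sigma_answer, size=num_classes)))

rng = np.random.default_rng(2)
votes = rng.choice(10, size=250, p=np.r_[0.85, [0.15 / 9] * 9])  # strong consensus
print(confident_aggregate(votes, num_classes=10))
```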
Adversarial Examples for Malware Detection
- Kathrin Grosse, Nicolas Papernot, Praveen Manoharan, M. Backes, P. McDaniel
- Computer Science · European Symposium on Research in Computer Security
- 11 September 2017
This paper presents adversarial examples derived from regular inputs by introducing minor yet carefully selected perturbations, and shows that machine learning models for malware detection are not robust to such adversarially crafted inputs.
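The sketch below illustrates one constraint typical of this setting: perturbing a binary feature vector only by adding features, so the application's functionality is preserved. The logistic-regression "detector", weights, and perturbation budget are hypothetical.

```python
# Hedged sketch: evade a toy malware detector by flipping 0-features to 1,
# choosing the additions that most reduce the model's malware score.
import numpy as np

def evade(x, w, b, max_additions=20):
    """Greedily set zero-valued features to 1, picking those that most lower the malware logit."""
    x = x.copy()
    for _ in range(max_additions):
        if w @ x + b < 0:                      # logit < 0 means classified benign
            break
        candidates = np.where((x == 0) & (w < 0))[0]
        if candidates.size == 0:
            break
        i = candidates[np.argmin(w[candidates])]
        x[i] = 1                               # add-only change preserves functionality
    return x

rng = np.random.default_rng(0)
w, b = rng.normal(size=50), 0.5
x = (rng.random(50) < 0.3).astype(float)
x_adv = evade(x, w, b)
print("malware logit before/after:", float(w @ x + b), float(w @ x_adv + b))
```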
...