Jesús Seijas - Fooling Computer Vision [rooted2018]
Computer Vision is one of the technologies that has grown fastest in the last 3 years, and enterprises are adopting it very quickly. Are our companies totally safe using these new technologies, or is there a way to fool them? We will see a brief introduction to how computer vision works internally, and different kinds of attacks: One Pixel Attack, real-life stickers, adversarial gradients, and adversarial gradients in real life. Remember that self-driving cars are a reality: can our cars be fooled using those attacks?

Published in: Technology

  1. Fooling Computer Vision. Jesús Seijas, RootedCon 2018
  2. Who am I
  3. Morphing
  4. Autonomous Warfare. ACTUV is the largest autonomous vehicle in the world. It is for Anti-Submarine Warfare. Of course it has weapons.
  5. Neural Network
  6. Gradient Descent: SGD, Nesterov, Adam, Adagrad, Windowgrad, Adadelta
  7. What is Computer Vision
  8. [Chart: ILSVRC Challenge, 2010 to 2016, AlexNet marked] 1,200,000 training images, 1000 classes.
  9. Convolutional Neural Network. Convolution: dot product between two matrices.
  10. Convolutional Neural Network. Pooling: reducing the size of a matrix.
  11. Convolutional Neural Network
  12. Demo Neural Network: https://playai.herokuapp.com
  13. Attacks. Risk matrix with axes Small / Large and In Real Life / In Picture; cells: Low Risk, Low Risk, Medium Risk, High Risk.
  14. You can read 20+ papers or… Threat of Adversarial Attacks on Deep Learning in Computer Vision: A Survey (Naveed Akhtar and Ajmal Mian), https://arxiv.org/pdf/1801.00553.pdf
  15. One Pixel Attack
  16. Stickers
  17. Stickers. Input size 32x32 px. Using a custom topology and not a real autonomous car. The topology is too simple compared to a real one. No previous image filtering. No augmentation.
  18. Adversarial. Given an input image x, the result of the CNN is a probability distribution over labels. To build an adversary we choose a target label y' and we want to find the x' such that the output for the target y' is maximized. We also want the perturbation to be as small as possible, so we choose an epsilon that bounds it to a small perturbation. We are talking about pixels with colours, so we accept a minimum modification of colour for each pixel, for example 2 over 255.
  19. Adversarial
  20. Adversarial. Christian Szegedy 2014, Research at Google
  21. Adversarial. Demo time! https://github.com/jseijas/adversarial_rootedcon2018
  22. Adversarial. The generated adversarial example is not rotation invariant. But given a distribution of transformations (in this case the possible rotations) we can calculate the gradient descent over each of them. This process is more complex than a simple adversarial example, and a GPU is needed to do it in an acceptable time. This training also requires more steps and is more likely to end with a lower probability for the target, depending on the input and the desired class.
  23. Real Life Attacks: https://arxiv.org/pdf/1707.07397.pdf
  24. Questions?
  25. Thank You!
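As an added formalization of what slides 18 and 22 describe in words (it is not on the original slides), using the slides' symbols x, x', y' and ε, and writing f(x) for the CNN's probability distribution over labels (an assumed name, with pixel values scaled to [0, 1]):

$$
\max_{x'} \; f(x')_{y'} \quad \text{subject to} \quad \lVert x' - x \rVert_{\infty} \le \varepsilon, \quad 0 \le x' \le 1, \qquad \varepsilon = \tfrac{2}{255}
$$

Because the logarithm is monotone, maximizing $f(x')_{y'}$ and maximizing $\log f(x')_{y'}$ pick the same $x'$, so the slide's gradient method is gradient ascent on the target log-probability, with the result projected back into the ε-ball after every step:

$$
x'_{k+1} = \operatorname{clip}_{[\,x-\varepsilon,\; x+\varepsilon\,]}\!\Big(x'_k + \alpha\, \nabla_{x'} \log f(x'_k)_{y'}\Big), \qquad x'_0 = x
$$

Slide 22 replaces the single image with a distribution $T$ of transformations $t$ (here, rotations), so the objective becomes the expected target log-probability over the transformed image:

$$
\max_{x'} \; \mathbb{E}_{t \sim T}\big[\log f(t(x'))_{y'}\big] \quad \text{subject to} \quad \lVert x' - x \rVert_{\infty} \le \varepsilon
$$

and each gradient step uses a Monte Carlo estimate from $n$ sampled rotations:

$$
\nabla_{x'}\, \mathbb{E}_{t \sim T}\big[\log f(t(x'))_{y'}\big] \;\approx\; \frac{1}{n} \sum_{i=1}^{n} \nabla_{x'} \log f(t_i(x'))_{y'}
$$

Every step therefore costs $n$ forward and backward passes instead of one, which is why the slide notes that this variant needs more steps and a GPU; the constraint $\varepsilon = 2/255$ means no pixel changes by more than two intensity levels, so a defence based on visual inspection or a simple per-pixel difference threshold cannot be expected to notice it.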
