Biologically Inspired Methods for Adversarially Robust Deep Learning

MuhammadAhmedShah2 36 views 62 slides Apr 29, 2024

About This Presentation

Presentation of Muhammad's research on Biologically Inspired Methods for Adversarially Robust Deep Learning at MIT on April 12, 2024. The talk covers work that integrates various sensory and cerebral biological mechanisms into Deep Neural Networks (DNNs) and evaluates the impact on robustness to...


Slide Content

Biologically Inspired Methods for Adversarially Robust Deep Learning Muhammad Ahmed Shah

Robustness of DNNs to Input Perturbations. DNNs are sensitive to perturbations that humans are invariant to. This causes them to fail in counter-intuitive ways and raises questions about their reliability. (Figure labels: goldfinch, crow.)

Adversarial Attacks. Pernicious because they are imperceptible. Can be realized in the physical world. Need to defend against them. Goodfellow, Ian J., Jonathon Shlens, and Christian Szegedy. "Explaining and harnessing adversarial examples." arXiv preprint arXiv:1412.6572 (2014).

Various Types of Adversarial Attacks bounded perturbations   Unbounded Parametric Perceptual distance bounded perturbations Wasserstein distance bounded perturbations Adversarial Patch Physically Realisable Ideally DNNs should be robust to all such perturbations But, often, they are not 4

Defenses Against Adversarial Attacks Adversarial Defenses Attack Aware Defenses Certified Defenses Image Transforms Attack Detectors Attack Agnostic Defenses Adversarial Training Neural Architecture Search Pruning Do not generalize Do not make the DNN robust Only adds computational load Generalizable 5 Attack Neutralizers

Attack Agnostic Defenses Structural Priors Design elements conducive to robustness. Biological Priors Biological principles related to robustness. 6

My Work Robustness Priors Structural Priors Design elements conducive to robustness. Biological Priors Biological principles related to robustness. Foveation via adaptive blurring and desaturation Fixed Inter-Neuron Covariability Cerebral Priors Sensory Priors Bio-plausible Audio Features Recurrence 7

Differences Between Human and DNN Decision Functions Enable Adversarial Attacks 8 cat +

Hypothesis: Aligning DNNs with Human Perception Will Make Them More Robust 9 Dapello+20

Overview 10 1. Foveation via Adaptive Blurring and Desaturation 2. Biologically Inspired Audio Features 3. Fixed Interneuron Covariability 4. Recurrence

Biological Priors 11 1. Foveation via Adaptive Blurring and Desaturation 2. Biologically Inspired Audio Features 3. Fixed Interneuron Covariability 4. Recurrence

R-Blur: Foveation via Adaptive Blurring and Desaturation 12 Shah, M.A., Kashaf, A. and Raj, B., 2023. Training on Foveated Images Improves Robustness to Adversarial Attacks.  NeurIPS (2023)

R-Blur: Overview. Select fixation point. Add Gaussian Noise. Split into color and grey channels and apply adaptive blurring. Combine the color and grey channels.

Computing Eccentricity. Eccentricity: distance from fixation point. Generally measured radially, i.e. Euclidean distance. Need to extract circular regions to blur – inefficient. We use a different distance metric. Regions with same eccentricity are squares – can be extracted by slicing the image tensor.

Estimating Visual Acuity. Visual acuity := the ability to perceive spatial details in the image. The acuity of color vision decreases exponentially with eccentricity. The acuity of grey vision is generally much lower, and is minimal at the fixation point. We approximate color and grey acuity as: and are the PDF for the Laplace and Cauchy distribution We set and (Plot axes: Eccentricity, Estimated Acuity.)

Quantizing Visual Acuity The visual acuity at a pixel determines the std. dev. of Gaussian blur applied to it. #Kernels = # Unique acuity values = # unique eccentricity values = To improve efficiency, we quantize the estimated visual acuity values   16

Applying Blur We compute the std. dev. of the Gaussian kernel at each pixel as is the estimated acuity, and   17

Desaturation via Combination. The blurred grey and color images are combined in a pixelwise combination. The pixel weights are the normalized color and grey visual acuity values.

Fixation Point Selection (figure labels: DeepGaze, Original, Predefined Initial Fixation, ResNet, Output Average)

R-Blur Improves Adversarial Robustness of ResNet (figure labels: CIFAR-10 Ecoset Imagenet Std. ResNet 5 Rand. Affine Tfms R-Blur)

R-Blur is Robust to Common Corruptions

R-Blur Compares Favorably to Biological Defenses

Role of Number of Fixations

Role of Fixation Location

Key Takeaways. R-Blur significantly improves the robustness of DNNs without being trained on perturbed data. The robustness of R-Blur generalizes better than adversarial training to different perturbation types. R-Blur shows the promise of biologically motivated approaches to improving the robustness of DNNs.

Biological Priors 26 1. Foveation via Adaptive Blurring and Desaturation 2. Biologically Inspired Audio Features 3. Fixed Interneuron Covariability 4. Recurrence

Audio Features For Automatic Speech Recognition. Early ASR approaches used hand-crafted features, often inspired by biology, particularly the cochlea. The simple and popular approach: time-frequency analysis via FFT (sim. basilar membrane); bank of band-pass Mel filters (sim. characteristic frequencies in cochlea); non-linearity (sim. hair cell response). (Diagram labels: Spectrogram, Log Mel-Spectrogram, STFT, Waveform, Mel-Filterbank, Log.)

Bio-plausible Audio Features for ASR. More bio-plausible feature extraction methods exist but are not widely used. Known to improve noise robustness, but adversarial robustness not evaluated. We evaluate the performance of several existing biologically plausible audio features. We also propose novel features.

Features Evaluated So Far (Feature: Salient Feature)
Log Spectrogram: Time-frequency representation + non-linearity
Log Mel Spectrogram: Triangular RFs with CFs on the Mel Scale
Cochleagram [Feather+23]: Gammatone RFs with CFs on the ERB scale + power-law non-linearity
Gammatone Spectrogram: Same as Cochleagram but computed by transforming the STFT
Power Normalized Coefficients [Kim+10]: Power-normalized Gammatone RFs with CFs on the ERB scale + temporal masking + noise suppression + power-law non-linearity
Difference of Gammatones: Lateral suppression by frequencies around the CF
Frequency Masked Spectrogram: Simulates simultaneous frequency masking

Lateral Suppression via Difference of Gammatone Filters. Lateral Suppression: the response at a given CF may be suppressed by the energy at adjacent frequencies [Stern & Morgan 12]. Enhances responses to spectral changes and reduces impact of noise. The size of the suppression field is proportional to the excitatory field at the CF. Excitatory fields are wider at lower frequencies than at higher frequencies (modeled by Mel and Gammatone FBs). Proposal: take a difference of Gammatone filterbank.

Lateral Suppression via Difference of Gammatone Filters. Lateral Suppression: the response at a given CF may be suppressed by the energy at adjacent frequencies [Stern & Morgan 12]. Enhances responses to spectral changes and reduces impact of noise. Proposal: take a difference of Gammatone filterbank.

Difference of Gammatone Filters. Create 2 Gammatone frequency response curves with different widths, and subtract. Normalize by sum of positive values. (Plot axes: Frequency, Amplitude.)

Difference of Gammatone Filterbank (plots: Power Normalized Gammatone Filterbank Responses; Normalized Difference of Gammatone Filterbank Responses; axes: Frequency (FFT bin), Amplitude)

Applying DoG Filterbank. Convolve the DoG Filterbank over the STFT. Half-wave Rectify. Non-linear Compression.
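The difference-of-gammatone construction and the three application steps above, as an added example that is not code from the talk or the authors. Assumed here: the magnitude approximation used for the gammatone curve, scaling each curve to unit sum before subtracting, a 2x width ratio, constant filter widths, a 0.3 power-law exponent, and applying each filter as a weighted sum over the FFT bins of one frame.

```python
# Added example: difference-of-gammatone (DoG) filtering of one STFT frame.
# Assumed, not from the slides: the magnitude approximation, unit-sum scaling,
# the 2x width ratio, constant widths, and the 0.3 power-law exponent.

def gammatone_response(n_bins, cf_bin, width, order=4):
    """Approximate gammatone magnitude response over FFT bins, scaled to unit sum."""
    curve = [(1.0 + ((k - cf_bin) / width) ** 2) ** (-order / 2.0)
             for k in range(n_bins)]
    total = sum(curve)
    return [v / total for v in curve]

def dog_filter(n_bins, cf_bin, width, ratio=2.0):
    """Narrow curve minus wide curve, normalized by the sum of positive values."""
    narrow = gammatone_response(n_bins, cf_bin, width)
    wide = gammatone_response(n_bins, cf_bin, width * ratio)
    diff = [a - b for a, b in zip(narrow, wide)]
    positive = sum(v for v in diff if v > 0)
    return [v / positive for v in diff]

def dog_response(frame, filt):
    """Raw filter output for one frame of STFT magnitudes."""
    return sum(w * x for w, x in zip(filt, frame))

def apply_dog(frame, filters, exponent=0.3):
    """Filter, half-wave rectify, then apply power-law compression."""
    return [max(dog_response(frame, f), 0.0) ** exponent for f in filters]

N_BINS = 64
FILTERS = [dog_filter(N_BINS, cf, width=2.0) for cf in (16, 32, 48)]

# Constructed frames: a flat noise floor, and the same floor plus a tone at bin 32.
NOISE = [1.0] * N_BINS
TONE = [1.0] * N_BINS
TONE[32] += 10.0

if __name__ == "__main__":
    print("noise only  :", [round(dog_response(NOISE, f), 6) for f in FILTERS])
    print("tone + noise:", [round(v, 3) for v in apply_dog(TONE, FILTERS)])
```

Because each filter sums to zero under these assumptions, the flat noise floor cancels, while the tone excites only the filter centred on it and is suppressed in the neighbouring channels.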

Example: Concord Returned To Its Place Amidst The Tents (spectrograms: Power Normalized Gammatone; Normalized Difference of Gammatone; axes: Time (Window), Frequency (FFT bin))

Effect on Robustness 36 Model: CNN + 16 layer conformer 65 non-adversarial audio transforms Untargeted gradient-based attack SNR-bounded PGD @ 10,20,30,40 dB NWER:  

Simultaneous Frequency Masking. High power at a frequency can raise the threshold of hearing for adjacent frequencies. Frequencies below the threshold are inaudible, i.e. masked. Exploited for MP3 compression – more compression in masked spectro-temporal regions. Proposal: compute the hearing threshold and zero-out the masked region.

Frequency Masked Spectrogram. Estimate the masking threshold for each (FFT) frequency [Qin+19, Lin+15]. Zero-out regions of the spectrogram where Power-Spectral Density (PSD) falls below the threshold. (Plot axes: Time (window), Frequency (FFT bin).)

Estimating the Masking Threshold [Qin+19] Smoothed Normalized PSD Two-sided spreading function   39 masker maskee

Estimating the Masking Threshold (cont.) Pairwise Threshold Global Threshold   40 Time PSD

Applying Masking Create a mask Apply Mask to Spectrogram Apply non-linearity   41 Time Time

Robustness of All Features Model: CNN + 16 layer conformer 65 non-adversarial audio transforms Untargeted gradient-based attack SNR-bounded PGD @ 10,20,30,40 dB NWER: Gammatone FB generally improves robustness Best against Adv: Difference of Gammatone Best against non-Adv: Gammatone Spectrogram   42

Clean WER of All Features. Model: CNN + 16 layer conformer. All features have low WER. Gammatone Spectrogram lowest WER.

Key Takeaway and Future Work. Certain biological phenomena (lateral suppression) improve robustness to adversarial attack, while others (temporal masking) do not. Gammatone FB generally improves robustness. The gammatone spectrogram has lowest WER on clean data and non-adversarial perturbations. Simulate detailed cochlear models (e.g. CARFAC [Lyon 12], Seneff). Creating efficient PyTorch implementation taking time.

Biological Priors 45 1. Foveation via Adaptive Blurring and Desaturation 2. Biologically Inspired Audio Features 3. Fixed Interneuron Covariability 4. Recurrence

Fixed Inter-Neuron Covariability Induces Adversarial Robustness. Inter-neuron correlations in the brain are rigid [Hennig+21]. Inter-neuron correlations in DNNs are flexible: they change based on stimulus distribution. Shah, M.A. and Raj, B., Fixed Inter-Neuron Covariability Induces Adversarial Robustness, ICASSP (2024)

SCA Layer. Transform the activations so they respect the learned correlation. For do End for   Map to correlation regularization   Diagonal 0

Result #1: SCA Layer Reduces Change in Inter-Neuron Correlation (figure panels: FMNIST, MNIST, Speech Commands)

Results #2: SCA Layer Makes Models More Robust

Biological Priors 50 1. Foveation via Adaptive Blurring and Desaturation 2. Biologically Inspired Audio Features 3. Fixed Interneuron Covariability 4. Recurrence

Recurrent Connections in the Brain. Recurrent circuits are widespread in the brain [Bullier+01, Briggs+20]. Lateral connections between neurons in the same region. Feedback connections from higher cognitive areas to lower areas. May fill in missing information due to crowding or occlusion [Spoerer+17, Boutin+21]. Not represented in DNNs.

Classification Adding Recurrence to DNNs 52 Input Conv-Pool Conv+Upsample Conv Conv-Pool Global Pooling Conv-Pool Linear Proj Feedforward Pathways Lateral Recurrence Feedback       Conv+Upsample

Results. Adding recurrence improves accuracy on clean and adversarially perturbed data. (Figure labels: CIFAR-10, Time Steps.)

Reconstructing From Feedback Signal. Without constraints degenerate solutions are possible. Recurrent connections may learn identity functions. Explicitly encourage models to fill in missing information.

Reconstructing From Feedback Signal (diagram labels: Input, Random Occlusions, Conv-Pool, Conv+Upsample, Conv, Global Pooling, Linear Proj, tanh, Classification, Reconstruction, Prediction of occluded information)

Results. Adding reconstruction significantly improves accuracy on adversarially perturbed data, but reduces accuracy on clean data.

Key Takeaways and Future Work. Scale up experiments to larger models and datasets. Explore synergies with other works like R-Blur and bio-plausible audio features.

Summary
Foveation via Adaptive Blurring and Desaturation: Improved robustness to adv & non-adv perturbations
Biologically Inspired Audio Features: lateral suppression improved adv robustness
Fixed Interneuron Covariability: Improved robustness to adv & non-adv perturbations
Recurrence: Improved adv robustness. FB w/ recon yields better robustness.

References
P. Benz, C. Zhang, and I. S. Kweon. Batch normalization increases adversarial vulnerability and decreases adversarial transferability: A non-robust feature perspective. In Proceedings of the IEEE/CVF International Conference on Computer Vision, pages 7818–7827, 2021.
A. Brandmeyer, R. Lyon, and R. Weiss. Cascade of asymmetric resonators with fast-acting compression cochlear model, 2015.
S. Bubeck and M. Sellke. A universal law of robustness via isoperimetry. Advances in Neural Information Processing Systems, 34:28811–28822, 2021.
B. Choksi, M. Mozafari, C. Biggs O’May, B. Ador, A. Alamia, and R. VanRullen. Predify: Augmenting deep neural networks with brain-inspired predictive coding dynamics. Advances in Neural Information Processing Systems, 34:14069–14083, 2021.
J. Dapello, T. Marques, M. Schrimpf, F. Geiger, D. Cox, and J. J. DiCarlo. Simulating a primary visual cortex at the front of cnns improves robustness to image perturbations. Advances in Neural Information Processing Systems, 33:13073–13087, 2020.

J. M. Gant, A. Banburski, and A. Deza. Evaluating the adversarial robustness of a foveated texture transform module in a cnn. In SVRHM 2021 Workshop@NeurIPS, 2021.
H. Hermansky, N. Morgan, A. Bayya, and P. Kohn. Rasta-plp speech analysis. In Proc. IEEE Int’l Conf. Acoustics, speech and signal processing, volume 1, pages 121–124, 1991.
Y. Huang, J. Gornet, S. Dai, Z. Yu, T. Nguyen, D. Tsao, and A. Anandkumar. Neural networks with recurrent generative feedback. Advances in Neural Information Processing Systems, 33:535–545, 2020.
J. Kubilius, M. Schrimpf, A. Nayebi, D. Bear, D. L. Yamins, and J. J. DiCarlo. Cornet: Modeling the neural mechanisms of core object recognition. BioRxiv, page 408385, 2018.
A. Jonnalagadda, W. Y. Wang, B. Manjunath, and M. Eckstein. Foveater: Foveated transformer for image classification, 2022.
R. Lyon. Computational models of neural auditory processing. In ICASSP’84. IEEE International Conference on Acoustics, Speech, and Signal Processing, volume 9, pages 41–44. IEEE, 1984.
Y. Lin and W. H. Abdulla. Principles of psychoacoustics. In Audio Watermark, pages 15–49. Springer, 2015.

Appendix 61

All Components of R-Blur Improve Robustness 62