Profile picture
Chris Olah
@ch402
, 10 tweets, 3 min read Read on Twitter
“Adversarial Examples Are Not Bugs, They Are Features” by Ilyas et al is pretty interesting.

📝Paper: arxiv.org/pdf/1905.02175…
💻Blog: gradientscience.org/adv/

Some quick notes below.
(1) The most striking thing to me is actually a new method in their paper: creating new datasets by projecting examples into a network's representation and then doing feature inversion.
They’re basically using this to try and filter the dataset through the model’s features. It almost feels a bit like model distillation, but to a dataset.

(The method is vaguely similar in technique to Gerhos et al’s “Stylized ImageNet”, but feels pretty different.)
(2) The claim which will seems to me really remarkable if it holds up is that you can use this process to turn robust models into robust datasets, for which normal training creates robust models.
I say claim because I’ve learned to not believe any robustness claim until people like Nicholas Carlini have taken a shot at breaking it!

Note that this isn’t a robustness free lunch -- you still need to create the original robust model through adversarial training.
(3) The other interesting result is that you can create a different dataset of adversarial attacks, where you try to predict the attack class.

They find this model - trained on adversarial attacks - generalizes to clean data, which I probably wouldn’t have predicted in advance.
This does seem like non-trivial evidence for adversarial examples being genuine features of the data, rather than properties of our models or training set quirks.

Caveat to all of this: Adversarial examples are not my domain of expertise and I haven't read this super carefully!
... On more consideration, I'm a little less persuaded that (3) is strong evidence for adversarial examples being intrinsic to the data.
Clearly the adversarial directions aren't a linear feature. The model is interpolating some more complicated feature from each adversarial direction.
This suggests an alternative interpretation: Perhaps the adversarial directions just strongly correlated in parameter space with a true useful feature. When you fit to them, you get the useful feature, and vice versa.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Chris Olah
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @ch402 see all

Profile picture
Chris Olah
@ch402
So, now that I haven’t been at Google Brain for a few months and don’t have any constraints on what I can say…

I’d like to talk about how awesome Google Brain is.
I had the privilege of spending five years at Brain, as it grew from ~30 people to ~500 people.

I never felt pressured to stop doing basic research.

I consistently saw Brain leadership behave in highly principled ways, even in private.
On basic research:

I never felt pressured to work on anything other than what seemed most important to me. Brain even supported me founding an academic journal! (distill.pub)

This was true even as an intern.
Read 7 tweets
Profile picture
Chris Olah
@ch402
One of the biggest advantages of openness -- in research, in personal thinking, and life broadly -- is that it prevents evaporation.

Many of my thoughts and experiences have been lost or become illegible over time. The things I shared publicly remain.
I think a few things drive this:
(1) Sharing publicly enforces a degree of hygiene in organizing and explaining things. This is useful to my future self.
(2) We have good mechanisms for preserving and searching public data.
(3) I can access it anywhere without authentication.
This feels especially tangible in research, where the moment of publication kind of locks your contribution in place. Sometimes my research doesn't feel real until I publish. Probably too many half-finished projects that died.
Read 3 tweets
Profile picture
Chris Olah
@ch402
Our most recent paper on visualizing neural networks is one of the best thing I've ever done. distill.pub/2018/building-…

It qualitatively changes the questions we can ask. One basic example:

neuron 426 fired ~= useless
[floppy ear] fired = very interesting!
We can also use these techniques to see how the entire input image was understood at different layers of the network. First edges, then texture and 3d, then high level ideas like floppy ear and snout:
Making hidden layers meaningful like this means we can do attribution from and to them, instead of the input:
Read 7 tweets

Related threads

Profile picture
Luca
@securescientist
paper available here (pre-print): arxiv.org/abs/1905.02162. See thread below for an overview 👇
A set of heuristics help humans in coping with uncertain scenarios and social expectations. The cognitive psychology literature defines six “principles of influence” (Cialdini) relating to these heuristics. Phishers exploit these “cognitive vulns” to trick their victims 1/n
The intuition behind this paper is that if we can measure the effectiveness or intensity of these cognitive attacks, we can predict to what extent a phishing email can be expected to be successful. 2/n
Read 13 tweets
Profile picture
Greg Yang
@TheGregYang
1/ Does batchnorm make optimization landscape more smooth? arxiv.org/abs/1805.11604 says yes, but our new @iclr2019 paper arxiv.org/abs/1902.08129 shows BN causes grad explosion in randomly initialized deep BN net. Contradiction? We clarify below
2/ During a visit by @aleks_madry's students @ShibaniSan @tsiprasd @andrew_ilyas to MSR Redmond few weeks ago, we figured out the apparent paradox.
3/ The former shows grad wrt weight & preactivation *right before* BN is smaller than without BN, if the batch variance is large (which they empirically find to be true in training). But this result says nothing about gradients of lower layers, or stacking of BNs.
Read 9 tweets
Profile picture
Stephen McIntyre
@ClimateAudit
Feb 2004. Responding to our Nature submission, Hughes recognized issue that we had raised relating to Mannian PCs. Mann blows off Hughes saying that our issue with his incorrect methodology was "distracting technical argument".
HughesEmails, 92. #MannEmail
July 2000. Bradley rejects proposed draft by Mann on grounds that it "will only provide ammunition to sceptics". Results presented only if they support narrative.
page 973.
June 1001 (p 976) reference to "Mann no-dendro". I don't recall seeing this - maybe in Earth Interactions. Check-
Read 54 tweets
Profile picture
nick frosst
@nickfrosst
My new paper with @NicolasPapernot and @GeoffreyHinton is out on arXiv today. It’s about the similarity structure of representations space, outlier data (e.g. adversarial attacks) and generative models. Don’t have time to read the paper? Read this instead! arxiv.org/abs/1902.01889
Our paper focused on a loss we call Soft Nearest Neighbor Loss (SNNL). It measures the entanglement of labeled data points. Data with high SNNL has muddled up classes, while the classes of a data set with low SNNL are easy to separate.
We can measure the SNNL of the data in the hidden layers of a resnet during training and show that each layer separates the data slightly more than the previous layer. the last layer learns a representation of the data which separates the classes, so it has the lowest SNNL value
Read 9 tweets
Profile picture
@DynamicWebPaige
@DynamicWebPaige
Inspired by the big ol' long list of deep learning models I saw this morning, and @SpaceWhaleRider's love of science-y A-Z lists, I've decided to create an A to Z series of tweets on popular #MachineLearning and #DeepLearning methods / algorithms.

Ready? Here we go:
A is for... the Apriori Algorithm!

Intended to mine frequent itemsets for Boolean association rules (like market basket analysis). Ex: if someone purchases the same products as you, in general, then you'd probably purchase something they've purchased.

cran.r-project.org/web/packages/a…
B is for... Bootstrapped Aggregation (Bagging)!

This is an ensemble meta-algorithm designed to improve the stability and accuracy of machine learning algorithms used in statistical classification+regression. Reduces variance, helps to avoid overfitting.

Example: Random Forests.
Read 28 tweets
Profile picture
Bradley Kavanagh
@BradleyKavanagh
Gravitational corrections to the value of the muon #gminus2 - a quick roundup.

It all started with this paper - arxiv.org/abs/1801.10246 - the 3rd in a trilogy. Claimed that a correction due to Earth's gravity should alleviate tension between theory and experiment:
In a blog post - motls.blogspot.nl/2018/02/experi… - @lumidek points out (among other things) that if you're considering corrections due to the gravitational potential, the Sun's potential should dominate, not the Earth's
On twitter (and in a blog post) - realselfenergy.blogspot.nl/2018/02/update… - @PitifulRed offers a short proof of why the gravitational correction must be zero.
Read 7 tweets

Trending hashtags

#gratuitousammoniteshotincoming #bullshit #AI #MannEmail #NeurIPS2019 #MockingbirdMedia #100DaysOfMLCode #NeurIPS2018 #livertwitter #murus #Cretaceous #comicSans #Verification #seq2qeq #PNAS #AlabamaSpecialElection #DeepLearning #crosscheck #EndCrosscheck #chi2019 #Privacy #fossils #neurips4creativity #RevThread #pt
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!