Life update: After a few amazing years doing my PhD
@MIT
, I am thrilled to share that I've joined
@OpenAI
!
Super excited for this chapter of my life and can't wait to help shape the future with the amazing talent at OpenAI!
Super excited to announce that we have received the *best paper award* at the
@iclr_conf
workshop on trustworthy ML!
Amazing work by
@edwardjhu
in collaboration w
@adith387
&
@TheGregYang
!
Talk:
Paper:
Code:
Improved Wasserstein Attacks and Defenses by J. Edward Hu (Microsoft Research AI); Greg Yang (Microsoft Research AI); Adith Swaminathan (Microsoft Research); Hadi Salman (Microsoft Research)
Watch me discuss *adversarial examples beyond security* at the
@MLStreetTalk
show!
Thank you guys
@ecsquendor
@ykilcher
@RisingSayak
for the great effort and for having me on the show! It was a super fun and exciting discussion, and the production quality is really incredible!
1/4 Wanna get a *provably* robust classifier from your pretrained one? Simply stack our *custom trained denoiser* in front of your model and you're good to go!
Paper:
Code:
w/
@Eric_jie_thu
@TheGregYang
@akapoor_av8r
@zicokolter
Check out *3DB*: our new tool for debugging computer vision models via 3D simulation! A year-long effort from our lab
@MIT
and
@MSFTResearch
.
We have extensive demos, docs, code, and a blog post!
Introducing 3DB, a framework for debugging models using 3D rendering. Reproduce your favorite robustness analyses or design your own analyses/experiments in just a few lines of code! (1/3)
Paper:
Code:
Blog:
Excited to announce the keynote speakers for the Muslims in Machine Learning (MusIML) workshop at
#NeurIPS2023
! We have four fantastic speakers, covering topics in ML with important societal implications. Come join us on December 11!
🧵👇
Last week on
@TheDailyShow
,
@Trevornoah
asked
@OpenAI
@miramurati
a (v. important) Q: how can we safeguard against AI-powered photo editing for misinformation?
My
@MIT
students hacked a way to "immunize" photos against edits: (1/8)
We're building several efforts at OpenAI: Preparedness, reliable AI deployment research, and AI security research.
Up for chatting with us about these at NeurIPS?
Fill out this form (by Dec 1):
Come watch our
#NeurIPS2020
oral presentation on how adversarial robustness improves transfer learning *today at 6:30PM PT*!
Talk:
Paper:
Code:
Blogpost:
Check out our updated
#NeurIPS2019
spotlight paper! We boost our provable L2-robustness results on CIFAR10 via pre-training on
#ImageNet
. Our best provably L2-robust model gives SOTA provable linfty robustness at a radius of 2/255
New SOTA on CIFAR10 for provable robustness for L2 and Linfty adversary: pretrain on imagenet w/ SmoothAdv then finetune on CIFAR10. Adding unlabeled data helps too
Code:
Follow mah boi
@hadisalmanX
who made all of this work!
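For intuition, here is a rough sketch of that recipe (checkpoint name, data loader, and hyperparameters are placeholders, and details such as upsampling CIFAR-10 images to ImageNet resolution are omitted); the key ingredient is fine-tuning under the same Gaussian noise used later for randomized smoothing:

```python
# Rough sketch of "pretrain on ImageNet w/ SmoothAdv, then fine-tune on CIFAR-10".
# The checkpoint path and `cifar10_loader` are hypothetical placeholders.
import torch
import torch.nn as nn
import torchvision

sigma = 0.25  # Gaussian noise level used by randomized smoothing
model = torchvision.models.resnet50()
model.load_state_dict(torch.load("smoothadv_imagenet_resnet50.pth"))  # hypothetical checkpoint
model.fc = nn.Linear(model.fc.in_features, 10)  # new head for CIFAR-10's 10 classes

optimizer = torch.optim.SGD(model.parameters(), lr=0.01, momentum=0.9)
criterion = nn.CrossEntropyLoss()

for images, labels in cifar10_loader:  # assumes a standard CIFAR-10 DataLoader
    noisy = images + sigma * torch.randn_like(images)  # train under the smoothing noise
    loss = criterion(model(noisy), labels)
    optimizer.zero_grad()
    loss.backward()
    optimizer.step()
```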
Join me tomorrow during the *live* poster session of
@iclr_conf
workshop on Trustworthy ML () if you wanna learn more about our work on effective randomized smoothing for pretrained classifiers.
Live: Sunday 1-3 PM ET
#ICLR2020
1/4 Wanna get a *provably* robust classifier from your pretrained one? Simply stack our *custom trained denoiser* in front of your model and you're good to go!
Paper:
Code:
w/
@Eric_jie_thu
@TheGregYang
@akapoor_av8r
@zicokolter
We have reached an agreement in principle for Sam Altman to return to OpenAI as CEO with a new initial board of Bret Taylor (Chair), Larry Summers, and Adam D'Angelo.
We are collaborating to figure out the details. Thank you so much for your patience through this.
With little training data or compute, transfer learning is a simple way to obtain performant ML models. Learn how researchers at
@MSFTresearch
&
@MIT
found adversarially robust ML models can improve transfer learning on downstream computer vision tasks:
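To make the recipe concrete, here is a minimal sketch of "fixed-feature" transfer from a robust backbone (the checkpoint name and `num_downstream_classes` are illustrative placeholders, not released artifacts):

```python
# Sketch of transfer learning from an adversarially robust ImageNet backbone.
# Checkpoint name and `num_downstream_classes` are illustrative placeholders.
import torch
import torch.nn as nn
import torchvision

model = torchvision.models.resnet50()
model.load_state_dict(torch.load("robust_resnet50_imagenet.pth"))  # hypothetical robust checkpoint

for p in model.parameters():
    p.requires_grad = False  # "fixed-feature" transfer: freeze the robust feature extractor
model.fc = nn.Linear(model.fc.in_features, num_downstream_classes)  # trainable linear head

optimizer = torch.optim.SGD(model.fc.parameters(), lr=0.01, momentum=0.9)
# For "full-network" transfer, skip the freezing loop and pass all parameters to the optimizer.
```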
[1/6] How tight can convex-relaxed robustness verification for neural networks be in practice? We thoroughly investigate this in our new paper !
In collaboration w/
@TheGregYang
, Huan Zhang, Cho-Jui Hsieh, and Pengchuan Zhang. Special thanks to
@ilyaraz2
!
[1/4] Everybody knows adversarial examples are a problem, and a lot of people have tried to provably verify NN robustness. But it seems convex relaxation alone runs into a theoretical and empirical barrier: it's not tight enough! See our new paper
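As a toy illustration of what "convex relaxation" means here, the sketch below relaxes a single ReLU with the standard triangle constraints (all numbers are made up); the relaxed output can overshoot the true ReLU value, which is exactly the kind of looseness the barrier result is about:

```python
# Toy illustration of the "triangle" convex relaxation of one ReLU, as used by
# LP-based verifiers. Pre-activation bounds l < 0 < u are assumed given; all
# numbers here are made up for illustration.
import cvxpy as cp

l, u = -1.0, 2.0      # assumed pre-activation bounds
z = cp.Variable()     # pre-activation
y = cp.Variable()     # relaxed ReLU output

constraints = [
    z == 0.5,                       # evaluate the relaxation at a fixed input
    y >= 0,                         # ReLU lower facets
    y >= z,
    y <= u * (z - l) / (u - l),     # upper facet joining (l, 0) and (u, u)
]
prob = cp.Problem(cp.Maximize(y), constraints)
prob.solve()
print(prob.value)  # 1.0, while the true ReLU(0.5) = 0.5: the relaxation gap
```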
Are you at
#NeurIPS2019
? Come to my spotlight talk and posters to learn about my work on adversarial robustness! All happening on *Thursday*.
Spotlight: 10:20 am @ West Exh Hall A
Poster1: 10:45 AM -- 12:45 PM @ East Exh Hall B + C
#24
Poster2: 5-7PM @ East Exh Hall B + C
#152
Check out our latest work! We present *Smoothed ViTs* with remarkable certified robustness to adv. patches. We get std. accuracies & inference speeds comparable to non-robust models!
Paper:
Blog post:
Code:
Does certified (patch) robustness need to come at a steep std. accuracy/runtime cost? No, if you leverage ViTs. (And you get better robustness too!) W/
@hadisalmanX
,
@saachi_jain_
, and
@RICEric22
. &
Paper:
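For a rough sense of the certification logic behind such column-ablation style patch defenses, here is a sketch; `predict_on_ablation` and all sizes are placeholders, and the exact condition (tie-breaking included) is in the paper:

```python
# Sketch of the voting/certification step in column-ablation certified patch defenses.
# `predict_on_ablation` is a placeholder for running the model on one ablation.
import numpy as np

def certify_patch(image, predict_on_ablation, width, band=19, patch=32, num_classes=10):
    counts = np.zeros(num_classes, dtype=int)
    for pos in range(width):  # classify every column ablation (keep a vertical band, mask the rest)
        counts[predict_on_ablation(image, pos, band)] += 1

    order = np.argsort(counts)
    top, runner_up = order[-1], order[-2]
    # A patch of width `patch` can intersect at most patch + band - 1 ablations,
    # so the majority vote cannot flip if the margin exceeds twice that number.
    delta = patch + band - 1
    certified = counts[top] - counts[runner_up] > 2 * delta
    return top, certified
```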
Today at 6 pm ET, I will talk about our recent work on *Smoothed Vision Transformers* at the ATVA 2021 workshop on Security and Reliability of ML. Join if you are interested in learning about recent advances in certified patch defenses.
Zoom link here:
Join us for the ATVA 2021 Workshop on Security and Reliability of Machine Learning (SRML) on Oct 18! Two keynote talks given by David Wagner and
@zicokolter
+ 2 panels + 10 invited talks. See our website for the Zoom link and the detailed schedule.
Excited to be in Vancouver for
#CVPR2023
!
@hadisalmanX
and I will be presenting our poster on a data-based perspective on transfer learning on Tuesday (10:30-12).
If you're around, drop by and say hi!
Come talk to us
@ICLR2019
's SafeML workshop this Monday to learn more about our recent work on convex-relaxed robustness verification for neural networks! Also, check out our new repo accompanying this work!
@TheGregYang
Where would your NN robustness verification algo lie in this plot of the current frontiers? Now you can measure against our convex relaxation barrier explicitly, via our new repo . Talk to us at
@ICLR2019
SafeML, Monday 10:30am/4pm, Room R06!
@hadisalman94
Happy to announce that our recent paper "A Convex Relaxation Barrier to Tight Robustness Verification of Neural Networks" () is accepted to the SafeML workshop
@iclr2019
!
In collaboration w/
@TheGregYang
, Huan Zhang, Cho-Jui Hsieh, and Pengchuan Zhang
[1/6] How tight can convex-relaxed robustness verification for neural networks be in practice? We thoroughly investigate this in our new paper !
In collaboration w/
@TheGregYang
, Huan Zhang, Cho-Jui Hsieh, and Pengchuan Zhang. Special thanks to
@ilyaraz2
!
Check out our new ICLR 2022 paper! We show how vision transformers can avoid the "missingness bias" which usually occurs when one removes part of an image in tasks such as model debugging.
Come chat with us at our poster next week, Wednesday 27th at 1:30-3:30pm ET!
What's the right way to remove part of an image? We show that typical strategies distort model predictions and introduce bias when debugging models. Good news: leveraging ViTs enables a way to side-step this bias.
Paper:
Blog post:
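The gist, as I understand it: a ViT can simply drop the tokens of removed patches instead of painting the pixels black. A minimal sketch (helper names are mine, not the released code):

```python
# Sketch: drop ViT patch tokens in the removed region instead of blacking out pixels.
# Names and sizes here are illustrative, not the paper's code.
import torch

def keep_token_indices(removed_mask, patch_size=16):
    """removed_mask: [H, W] bool tensor, True where the image region was removed."""
    H, W = removed_mask.shape
    # A patch is dropped if any of its pixels fall inside the removed region.
    patch_removed = removed_mask.reshape(
        H // patch_size, patch_size, W // patch_size, patch_size
    ).any(dim=3).any(dim=1)
    return (~patch_removed.flatten()).nonzero(as_tuple=True)[0]

# With `tokens` being the [num_patches, dim] patch embeddings, the transformer is
# then run only on tokens[keep_token_indices(removed_mask)] (plus the class token),
# so the "missing" regions never enter the model at all.
```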
@tonyduan_
@edwardjhu
& I will present Randomized Smoothing of All Shapes & Sizes (the
#WulffCrystal
paper) at the ICLR Trustworthy ML workshop!
Recording:
Poster at 1pm ET!
paper:
code:
Hello world!
We are Scaled Foundations, co-founded by
@akapoor_av8r
,
@saihv
,
@shuhang0chen
,
@dnaraya
- focusing on building safe and deployable General Robot Intelligence. We'll share official announcements and developments through this handle. Stay tuned!
#AI
#Robotics
🔥Really cool article by
@benjedwards
demonstrating the serious implications current generative models can have on our lives.
It also highlights our recent work *PhotoGuard* that attempts to solve the photo-editing aspect of this
This is John. He doesn't exist. But AI can easily put a photo of him in any situation we want—and the same process can apply to real people with just a few real photos pulled from social media:
4/4 This approach applies both to the case where one has full access to the pretrained classifier (e.g. API service providers) as well as the case where one only has query access (e.g. API users).
3/4 Our defense is simple. By prepending a custom trained denoiser to any off-the-shelf image classifier and using randomized smoothing, we effectively create a new classifier that is guaranteed to be Lp-robust to adversarial examples, without modifying the pretrained classifier.
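In code, the recipe is roughly the following (a minimal sketch; `denoiser` and `classifier` stand in for your own models and the hyperparameters are illustrative, see the linked code for the real thing):

```python
# Minimal sketch of the "denoiser + randomized smoothing" recipe described above.
# `denoiser` and `classifier` are placeholders; sigma/num_samples are illustrative.
import torch

def smoothed_predict(x, denoiser, classifier, sigma=0.25, num_samples=100, num_classes=1000):
    """Majority-vote prediction of the smoothed classifier built on top of `classifier`."""
    counts = torch.zeros(num_classes)
    with torch.no_grad():
        for _ in range(num_samples):
            noisy = x + sigma * torch.randn_like(x)  # Gaussian corruption used by smoothing
            logits = classifier(denoiser(noisy))     # denoiser maps the noisy input back toward clean images
            counts[logits.argmax().item()] += 1
    return counts.argmax().item()
```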
If you are attending CVPR and would like to learn about our work on certified patch defenses, pass by our poster (
#178
) this Thursday 2:30-5pm CDT in Hall B2-C!
@saachi_jain_
@RICEric22
and I will be there!
Check out our latest work! We present *Smoothed ViTs* with remarkable certified robustness to adv. patches. We get std. accuracies & inference speeds comparable to non-robust models!
Paper:
Blog post:
Code:
2/4 We refer to our defense as *black-box smoothing*, and we demonstrate its effectiveness through extensive experiments on ImageNet and CIFAR-10. We also convert the
@Azure
,
@googlecloud
,
@awscloud
, and
@clarifai
vision APIs into *provably* robust ones! Try this using our code!
We'd like to give a major shoutout to
@deepcohen
, Elan Rosenfeld and
@zicokolter
for building a solid foundation for scalable randomized smoothing and open-sourcing it so that we could iterate on top of it, leading to this work today!
@thegautamkamath
@TheGregYang
You shouldn't rush announcing the award... Expect to see two posters the same size as this tomorrow :p (
@TheGregYang
convinced me to print 8ft by 4ft and apparently it doesn't fit...)
@sajjad_abdoli
@MSFTResearch
Thanks Sajjad! This is a great question. I think some level of robustness is retained, depending on how you perform the fine-tuning (fixed-feature vs. full-network). I believe this paper studies this in more detail. We don't verify this in our paper though.
@mmirman
Good question! The confidence level we use for randomized smoothing is so high (a 99.9% chance that a specific certified example is actually robust) that it doesn't really matter practically. One can always rerun certification with an even higher confidence level.
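Concretely, the confidence level enters through the binomial lower confidence bound used in Cohen et al.-style certification; a sketch (function name and defaults are illustrative):

```python
# Sketch of where the confidence level enters randomized smoothing certification
# (Cohen et al.-style). alpha = 0.001 corresponds to the 99.9% mentioned above.
from scipy.stats import norm
from statsmodels.stats.proportion import proportion_confint

def certified_radius(count_top, n, sigma, alpha=0.001):
    # One-sided (1 - alpha) lower confidence bound on the top-class probability
    # from n Monte Carlo samples of the smoothed classifier.
    p_lower = proportion_confint(count_top, n, alpha=2 * alpha, method="beta")[0]
    if p_lower <= 0.5:
        return None  # abstain: cannot certify at this confidence level
    return sigma * norm.ppf(p_lower)  # certified L2 radius; rerun with smaller alpha if desired
```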
[4/6] We find that the exact solution does not significantly close the gap between exact verifiers and existing relaxed verifiers for various networks trained normally or robustly on the MNIST and CIFAR-10 datasets.
[3/6] We perform extensive experiments, amounting to more than 22 CPU-years, to obtain the exact solution to the convex-relaxed problem, which is optimal within our framework for ReLU networks.
@ecsquendor
Thanks Tim for having me on the show! It was a real pleasure. You are putting fantastic effort into this podcast, with great content and *exceptional production quality*. Great job!
@Vertabia
@Gizmodo
@Alaa_Khaddaj
@gpoleclerc
@andrew_ilyas
@aleks_madry
Yeah this would work for that too! Basically, immunizing any photo makes it not "recognizable" by the generative model. And as you pointed out in the 🧵, there will always be an arms race, but the hope is that this will be resolved if the companies providing these models get in the game.
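For the curious, the gist of "immunization" is a small adversarial perturbation computed against the generative model's image encoder; a heavily simplified sketch (the encoder, target, and budgets are placeholders, see the paper and code for the actual attacks):

```python
# Heavily simplified sketch of photo "immunization": a PGD-style perturbation that
# pushes the photo's latent (under the generative model's image encoder) toward a
# useless target. `encode`, eps, and steps are illustrative placeholders.
import torch

def immunize(image, encode, eps=0.05, step=0.01, steps=100):
    target = torch.zeros_like(encode(image))      # e.g., aim for an "empty" latent
    delta = torch.zeros_like(image, requires_grad=True)
    for _ in range(steps):
        loss = torch.norm(encode(image + delta) - target)
        loss.backward()
        with torch.no_grad():
            delta -= step * delta.grad.sign()     # descend: move the latent toward the target
            delta.clamp_(-eps, eps)               # keep the perturbation imperceptible
            delta.grad.zero_()
    return (image + delta).detach()
```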
@mmirman
@TheGregYang
@deepcohen
We clearly state in the paper that the certification method we use (
@deepcohen
's ) gives high-probability results (Section 2, Section 4). We will add a note to Table 3 as well, clearly stating that our results and Carmon et al.'s hold with high probability.
@LucaAmb
@andrew_ilyas
@logan_engstrom
@akapoor_av8r
@aleks_madry
Our intuition is that enforcing robustness as a prior leads to "nice" robust features, which we believe are more consistent/useful across datasets than "non-robust" ones. Verifying this precisely/quantitatively is an interesting avenue for future work!