Nicholas Carlini, image from https://nicholas.carlini.com/

Making Adversarial ML Practical

Nicholas Carlini
Google DeepMind

Thursday, 22 February 2024
11:00 AM PST

This lecture was recorded and posted to YouTube:
https://youtu.be/dV6-cqyMzUs


Abstract: After a decade of research on adversarial machine learning, the community has developed sophisticated attacks and compelling defenses across a range of problem domains. But we have had little practical impact.

The largest models today do not use adversarial training or randomized smoothing to mitigate adversarial examples; do not train with differential privacy to mitigate memorization; do not filter their training datasets to remove poisoned data; and are not served with defenses that prevent model stealing. In large part this is because current attacks, while effective in academic scenarios, are not seen as practical.

In this talk I will introduce four practical attacks targeting each of the four scenarios: evasion attacks, poisoning attacks, data privacy, and model privacy. I will show how to fool the best LLMs like ChatGPT and PaLM with transferable adversarial examples, poison the largest multimodal CLIP models, extract training data from GPT-3.5-turbo, and steal (some of) the weights of many large production models.

Nicholas Carlini is a research scientist at Google DeepMind studying the security and privacy of machine learning, for which he has received best paper awards at ICML, USENIX Security, and IEEE S&P. He received his PhD from UC Berkeley in 2018.

Hosted by: Giovanni Vigna and the ACTION AI Institute

Location: Zoom webinar