Ian Goodfellow, Staff Research Scientist, Google Brain South Park Commons
San Francisco, 2018-05-24
Adversarial Machine Learning
3D-GAN AC-GAN
AdaGANAffGAN
AL-CGANALI
FGSM
AnoGAN
ArtGAN
BIM
Bayesian GAN
BEGAN
BiGAN
BS-GAN
CGAN
CCGAN
ATN
CoGAN
Context-RNN-GAN
C-RNN-GANC-VAE-GAN
CycleGAN
DTN
DCGAN
DiscoGAN
DR-GAN
Adversarial Training
EBGAN
f-GAN
FF-GAN
GAWWN
BPDA
Gradient Masking
IANiGAN
IcGANProgressive GAN
InfoGANLAPGAN
LR-GAN
LS-GANLSGAN
MGAN
MAGAN
MAD-GAN
MalGANPGD
McGAN
MedGAN
MIX+GAN
MPM-GAN
SN-GAN
(Goodfellow 2017)
Adversarial Machine LearningTraditional ML:
optimizationAdversarial ML:
game theory
Minimum EquilibriumOne player,
one costMore than one player, more than one cost
(Goodfellow 2017)
A Cambrian Explosion of Machine Learning Research Topics
Make ML work
RL Fairness
Accountability and Transparency
Extreme reliability
Security
Privacy
Generative Modeling
Domain adaptationLabel
efficiency
ML+neuroscience
(Goodfellow 2017)
A Cambrian Explosion of Machine Learning Research Topics
Make ML work
RL Fairness
Accountability and Transparency
Extreme reliability
Security
Privacy
Generative Modeling
Domain adaptationLabel
efficiency
ML+neuroscience
(Goodfellow 2018)
Generative Modeling: Sample Generation
Training Data Sample Generator(CelebA) (Karras et al, 2017)
(Goodfellow 2018)
Adversarial Nets Framework
x sampled from data
Differentiable function D
D(x) tries to be near 1
Input noise z
Differentiable function G
x sampled from model
D
D tries to make D(G(z)) near 0,G tries to make D(G(z)) near 1
(Goodfellow et al., 2014)
(Goodfellow 2018)
GANs for simulated training data
(Shrivastava et al., 2016)
(Goodfellow 2018)
Unsupervised Image-to-Image Translation
(Liu et al., 2017)
Day to night
(Goodfellow 2018)
CycleGAN
(Zhu et al., 2017)
(Goodfellow 2018)
Designing DNA to optimize protein binding
Figure 8: Protein binding optimization with a learned predictor model. a) Original experimentaldata contains sequences and measured binding scores (horizontal axis); we fit a model to this data(vertical axis) to serve as an oracle for scoring generated sequences. Plot shows scores on held-outtest data (Spearman correlation 0.97). b) Data is restricted to sequences with oracle scores in the40th percentile (orange distribution), then used to train a generator and predictor model. Generatedsequences are optimized to have as high binding score as possible. These genererated samples arethen scored with the oracle (green distribution). The design process has clearly picked up enoughstructure that it can generalize well beyond the training data.
a predictor and a generator on this restricted dataset. To emphasize, neither model saw any scores
beyond the 40th percentile. Nevertheless, as can be seen in Fig. 8, after optimization using our jointmethod, the designed sequences nearly all have scores higher than anything seen in the training set.Some designed sequences even have binding values three times higher than anything in the trainingdata. This result indicates that a generative DNA design approach can be quite powerful for designingprobe sequences even when only a weak binding signal is available.
3.2.3 Optimizing Multiple Properties
As noted in Sec. 2.2.1, the activation maximization method can be used to simultaneously optimizemultiple – possibly competing – properties. The joint method already does this to some extent. Thepredictor directs generated data to more desirable configurations; at the same time, the generatorconstrains generated data to be realistic. In this experiment, we performed a simultaneous activationmaximization procedure on two predictors, each computing a different binding score. While we donot employ a generator, in principle one could also be included.
Design process Our protein-binding dataset contains binding measurements on the same probesequences for multiple proteins from the same family. Leveraging this, our goal is the following: todesign DNA sequences which preferentially bind to one protein in a family but not the other. We alsoundertake this challenge for the situation where the two predictors model binding of the same protein,but under two different molecular concentrations. Sample results of this design process are shown inFig. 9. Like in Sec. 3.2.2, we are able to design many sequences with characteristics that generalizewell beyond the explicit content of the training data. Because of the underlying similarities, the twopredictors largely capture the same structure, differing only in subtle ways. Our design process letsus explore these subtle differences by generating sequences which exhibit them.
4 Summary & Future Work
We have introduced several ways to generate and design genomic sequences using deep generativemodels. We presented a GAN-based generative model for DNA, proposed a variant of activationmaximization for DNA sequence data, and combined these two methods together into a joint method.Our computational experiments indicate that these generative tools learn important structure from
9
(Killoran et al, 2017)
(Goodfellow 2018)
Personalized GANufacturing
(Hwang et al 2018)
(Goodfellow 2018)
Self-Attention GANState of the art FID on ImageNet: 1000 categories, 128x128 pixels
(Zhang et al, 2018)Indigo Bunting
Goldfish Redshank
Saint Bernard
Tiger Cat
Stone Wall
Broccoli
Geyser
(Goodfellow 2017)
A Cambrian Explosion of Machine Learning Research Topics
Make ML work
RL Fairness
Accountability and Transparency
Extreme reliability
Security
Privacy
Generative Modeling
Domain adaptationLabel
efficiency
ML+neuroscience
(Goodfellow 2017)
Adversarial Examples
X ✓
xy
(Goodfellow 2017)
Adversarial Examples in the Physical World
(Kurakin et al, 2016)
(Goodfellow 2017)
Training on Adversarial Examples
0 50 100 150 200 250 300
Training time (epochs)
10�2
10�1
100
Tes
tm
iscl
ass
ifica
tion
rate Train=Clean, Test=Clean
Train=Clean, Test=Adv
Train=Adv, Test=Clean
Train=Adv, Test=Adv
(CleverHans tutorial, using method of Goodfellow et al 2014)
(Goodfellow 2018)
Adversarial Logit Pairing
clean logits
adv logits
Adversarial perturbation
Logit pairingState of the art
defense on ImageNet
(Kannan et al, 2018)
(Goodfellow 2017)
A Cambrian Explosion of Machine Learning Research Topics
Make ML work
RL Fairness
Accountability and Transparency
Extreme reliability
Security
Privacy
Generative Modeling
Domain adaptationLabel
efficiency
ML+neuroscience
(Goodfellow 2017)
Adversarial Examples for RL
(Huang et al., 2017)
(Goodfellow 2017)
Self-Play1959: Arthur Samuel’s checkers agent
(Silver et al, 2017) (Bansal et al, 2017)
(OpenAI, 2017)
(Goodfellow 2017)
A Cambrian Explosion of Machine Learning Research Topics
Make ML work
RL Fairness
Accountability and Transparency
Extreme reliability
Security
Privacy
Generative Modeling
Domain adaptationLabel
efficiency
ML+neuroscience
(Goodfellow 2017)
Extreme Reliability• We want extreme reliability for
• Autonomous vehicles
• Air traffic control
• Surgery robots
• Medical diagnosis, etc.
• Adversarial machine learning research techniques can help with this
• Katz et al 2017: verification system, applied to air traffic control
(Goodfellow 2017)
A Cambrian Explosion of Machine Learning Research Topics
Make ML work
RL Fairness
Accountability and Transparency
Extreme reliability
Security
Privacy
Generative Modeling
Domain adaptationLabel
efficiency
ML+neuroscience
(Goodfellow 2018)
Supervised Discriminator for Semi-Supervised Learning
Input
Real
Hidden units
Fake
Input
Real dog
Hidden units
FakeReal cat
(Odena 2016, Salimans et al 2016)
Learn to read with 100 labels rather
than 60,000
(Goodfellow 2018)
Virtual Adversarial Training
(Oliver+Odena+Raffel et al, 2018)
Miyato et al 2015: regularize for robustness to adversarial perturbations of unlabeled data
(Goodfellow 2017)
A Cambrian Explosion of Machine Learning Research Topics
Make ML work
RL Fairness
Accountability and Transparency
Extreme reliability
Security
Privacy
Generative Modeling
Domain adaptationLabel
efficiency
ML+neuroscience
(Goodfellow 2018)
Privacy of training data
X ✓ X
(Goodfellow 2018)
Defining (ε, δ)-Differential Privacy
(Abadi 2017)
(Goodfellow 2018)
Private Aggregation of Teacher Ensembles
(Papernot et al 2016)
(Goodfellow 2017)
A Cambrian Explosion of Machine Learning Research Topics
Make ML work
RL Fairness
Accountability and Transparency
Extreme reliability
Security
Privacy
Generative Modeling
Domain adaptationLabel
efficiency
ML+neuroscience
(Goodfellow 2017)
Domain Adaptation
• Domain Adversarial Networks (Ganin et al, 2015)
• Professor forcing (Lamb et al, 2016): Domain-Adversarial learning in RNN hidden state
(Raffel, 2017)
GANs for domain adaptation
(Bousmalis et al., 2016)
(Goodfellow 2017)
A Cambrian Explosion of Machine Learning Research Topics
Make ML work
RL Fairness
Accountability and Transparency
Extreme reliability
Security
Privacy
Generative Modeling
Domain adaptationLabel
efficiency
ML+neuroscience
(Goodfellow 2017)
Adversarially Learned Fair Representations
• Edwards and Storkey 2015
• Learn representations that are useful for classification
• An adversary tries to recover a sensitive variable S from the representation. Primary learner tries to make S impossible to recover
• Final decision does not depend on S
(Goodfellow 2017)
A Cambrian Explosion of Machine Learning Research Topics
Make ML work
RL Fairness
Accountability and Transparency
Extreme reliability
Security
Privacy
Generative Modeling
Domain adaptationLabel
efficiency
ML+neuroscience
(Goodfellow 2017)
How do machine learning models work?
(Selvaraju et al, 2016)
(Goodfellow et al, 2014)Interpretability literature: our analysis tools show that deep nets work about how you would expect them to.
Adversarial ML literature: ML models are very easy to fool and even linear models work in counter-intuitive ways.
(Goodfellow 2017)
A Cambrian Explosion of Machine Learning Research Topics
Make ML work
RL Fairness
Accountability and Transparency
Extreme reliability
Security
Privacy
Generative Modeling
Domain adaptationLabel
efficiency
ML+neuroscience
(Goodfellow 2017)
Adversarial Examples that Fool both Human and Computer Vision
Gamaleldin et al 2018
(Goodfellow 2018)
Questions