Excited by this direction of formal investigation for adversarial defences: Adversarial examples from computational constraints, Bubeck et al arxiv.org/abs/1805.10204

Think BatchNorm helps training due to reducing internal covariate shift? Think again. (What BatchNorm *does* seem to do though, both empirically and in theory, is to smoothen out the optimization landscape.) (with Shibani Santurkar Dimitris Tsipras Andrew Ilyas) arxiv.org/abs/1805.11604

Here's an article by University of Toronto about our new work on adversarial attacks on Face Detectors that help you preserve your privacy. news.engineering.utoronto.ca/privacy-filter…

Adversarial robustness is not free: decrease in natural accuracy may be inevitable. Silver lining: robustness makes gradients semantically meaningful (+ leads to adv. examples w/ GAN-like trajectories) arxiv.org/abs/1805.12152 (Dimitris Tsipras Shibani Santurkar Logan Engstrom Alex Turner)

Just read this paper. Short summary: when thinking of defenses to adversarial examples in ML, think of the threat model carefully. Nice paper. Also won the best paper award at ICML 2018 (ICML Conference ) Congrats to the authors!! arxiv.org/abs/1802.00420

IBM Ireland just released "The Adversarial Robustness Toolbox: Securing AI Against Adversarial Threats". This library will allow rapid crafting and analysis of attacks and defense methods for machine learning models. ibm.com/blogs/research… #MachineLearningSecurity #AdversarialML

Securing Distributed Machine Learning in High Dimensions arxiv.org/abs/1804.10140 #MachineLearningSecurity #AdversarialML

Two papers accepted to ICML 2018. Congrats to all my amazing co-authors. Both on adversarial ML. The arxiv version of the papers are up, but we will update it soon based on reviewer comments. Arxiv versions: arxiv.org/abs/1711.08001 and arxiv.org/abs/1706.03922

This paper shows how to make adversarial examples with GANs. No need for a norm ball constraint. They look unperturbed to a human observer but break a model trained to resist large perturbations. arxiv.org/pdf/1805.07894…

"No pixels are manipulated in this talk. No pandas are harmed..." Great ways to differentiate your talk from the rest of talks on adversarial examples... no more pandas please 😀

I'm speaking at the 1st Deep Learning and Security workshop (co-located with IEEE S&P ) at 1:30 today: ieee-security.org/TC/SPW2018/DLS/ I'll discuss research into defenses against adversarial examples, including future directions. Slides and lecture notes here: iangoodfellow.com/slides/2018-05…