►
From YouTube: Defending Against Adversarial Model Attacks Using Kubeflow - Animesh Singh & Andrew Butler, IBM
Description
Don’t miss out! Join us at our next event: KubeCon + CloudNativeCon Europe 2022 in Valencia, Spain from May 17-20. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Defending Against Adversarial Model Attacks Using Kubeflow - Animesh Singh & Andrew Butler, IBM
The application of AI algorithms in domains such as self-driving cars, facial recognition, and hiring holds great promise. At the same time, it raises legitimate concerns about AI algorithms robustness against adversarial attacks. Widespread adoption of AI algorithms where the predictions are hidden or obscured from the trained eye of the subject expert, opportunities for a malicious actor to take advantage of the AI algorithms grow considerably, necessitating the addition of adversarial robustness training and checking. To protect against and mitigate the damages caused by these malicious actors, this talk will examine how to build a pipeline that’s robust against adversarial attacks by leveraging Kubeflow Pipelines and integration with LFAI Adversarial Robustness Toolbox (ART). Additionally we will show how to test a machine learning model's adversarial robustness in production on Kubeflow Serving, by virtue of Payload logging (KNative eventing) and ART.
A
Hello
and
welcome
everyone
to
kubecon,
2021,
north
america
and
good
morning,
good
evening,
good
afternoon,
from
wherever
you
are
watching
this.
Hopefully
you
are
enjoying
and
are
keeping
yourself
safe.
Myself
is
animation,
I'm
the
cto
for
watson,
data
and
ai,
open
technology,
and
with
me
I
have
my
colleague
andrew
butler,
and
you
do
you
want
to
introduce
yourself.
A
A
If
you
are
not
aware
right,
there
were
thousands
of
ibm's
who
actually
worked
very
closely
with
nasa
and
participated
in
the
first
moon
landing
right.
We
have
been
doing
a
lot
of
research
and
contributing
to
the
field
in
human
genome,
sequencing
offline
with
call
for
code
efforts,
ibm
has
been
very,
very
active
in
areas
like
infectious
disease
response
or
climate
change,
working
jointly
with
united
nations
health
cross
and
others
right.
So
there
is
a
lot
of
work.
A
Ibm
has
been
doing
in
the
field,
which
is
you
know
in
general,
for
the
largest
social
good
and
carrying
forward
that
tradition.
We
have
also
been
working
responsibly
to
bring
trust
and
transparency
into
a.I.
Now.
What
do
we
mean
right?
What
is
our
vision
for
trusted?
Ai?
Essentially,
you
know
we
look
at
this
world
from
the
pillars
of
these
four
pillars:
robustness,
fairness,
explainability
and
lineage.
Robustness
means
okay.
Can
anybody
tamper
with
it?
Did
anyone
tamper
with
it
fairness?
Is
it
fair,
unbiased,
ethical
explainability?
A
Can
you
explain
what
your
ai
is
doing
and
then
last,
but
not
the
least
lineage
right?
Can
we
trace
back
the
lineage
and
have
an
audit
trail
when
we
translate
that
back
to
open
source
projects,
the
projects
which
we
have
in
the
corresponding
areas,
for
example
in
robustness,
we
call
it
robustness,
360
or
r,
there's
one
of
the
first
projects
which
we
moved
out
in
this
particular
space
into
open
source,
and
then
you
know
followed
with
fairness,
ai
fairness,
360,
which
was
followed
by
explainability
360
and
of
late.
A
A
Similarly,
you
know
we
have
ai
explainability
360,
which
has
a
lot
of
proprietary
algorithms
from
ibm
research
to
explain
model
predictions
both
at
a
global
level
as
well
as
you
know,
at
the
local
level,
and
explain
not
only
models
right,
but
also
you
know.
Data
sets
and
data
sets
features
one
of
the
things
which
we
also
did
when
we
moved
and
after
we
moved
these
tools
in
open
sources,
we
essentially
move
them
in
open
governance,
because
we
firmly
believe
just
open
source
is
not
enough.
A
Now
this
committee
has
essentially
you
know,
with
the
input
from
a
lot
of
these
participating
member
companies,
has
come
up
with
eight
principles,
what
it
means
for
ai
to
be
trusted.
So
these
are,
you
know:
reproducibility
robustness,
equality,
privacy,
explainability,
accountability,
transparency
and
security.
Today,
our
focus
is
on
this
particular
area,
which
is
security.
A
So
let's
talk
about
security
right
now.
If
we
have
followed,
you
know
we
are
living
in
this
unprecedented
time
and
over
the
course
of
last
year
right
we
have
seen
the
the
state
of
security
attacks
increasing
quite
a
lot
right.
There
have
been
many
ransomware
attacks.
A
lot
of
these
attacks
have
actually
prompted
if
we
noticed
you
know,
just
lost
one
president
and
calling
you
know
the
ceos
of
all
these
companies.
A
Major
tech
companies,
including
you
know
our
ceo
from
ibm
r,
when
kreshna
was
there
in
terms
of
you,
know,
figuring
out
and
forming
a
task
force
how
to
handle
these
security
and
ransomware
attacks.
Now
the
the
other
part
of
it
is.
You
know
when
we
actually
look
at
the
state
of
security
for
ai,
what
we
find
out
that
in
general,
you
know,
the
awareness
of
risk
is
low
right
or
you
know
there
is
a
low
understanding
of
what
ai
security
means,
so
that
translates
in
general
right
that
security
posture
is
close
to
zero.
A
Now,
if
you
look
at,
you
know
what
adversarial
threats
to
ai
can
do
now.
This
is
probably
one
of
the
worst
case
scenarios
like
now.
This
is
a
when
we
actually
launched
address
cylinder
business
toolbox
right.
This
is
one
of
those
scenarios
we
we
prepared
for.
We
had
notebooks
around
it.
Like
you
know,
these
are
physical
attacks.
A
Where
stop
sign
images
right
in
this
case
either
you
know,
can
be
intentionally
perturbed,
or
you
know
over
a
course,
a
period
of
time,
because
you
know
because
of
physical
weather,
wear
and
tear
these
top
sign.
Images
are
not
as
as
accurate
as
they
should
be
right.
An
air
model,
in
this
case
a
self-driving
car
can
essentially
you
know,
not
detect
a
stop
sign,
and
you
can
imagine
the
consequences
can
be
terrifying
right.
A
So
this,
essentially,
you
know,
highlights
the
the
importance
and
and
to
the
extent
that
which
you
know
adversarial
threats
to
ai
can
cause
the
damage
so
to
handle
all
these
kind
of
different
attacks
ibm
launched
a
toolkit
called
adversarial,
robustness,
toolbox
or
art.
We
will
be
using
the
word
art
quite
a
lot
moving
forward
in
this
session,
so
that
refers
to
this
toolkit
at
the
cellular
business
toolbox.
A
It's
essentially
a
python
library
which
works
across
different
kind
of
frameworks,
whether
it's
the
deep
learning
frameworks
like
tensorflow,
keras
fighters,
mxnet,
etcetera
or
you
know,
machine
learning
frameworks
like
cyclical
and
hd
boost
cad
boost.
The
goal
is,
you
know,
to
actually
evaluate
different,
certified,
verified
machine
learning
models
and
applications
right
against
adversarial
threats.
A
Okay,
so
let's
look
at
the
toolkit
a
bit,
so
you
can
go
and
look
at
this
demo
at
art
dash
demo.
I
tried
my
bluemix.net
so
very
quickly.
This
is
the
website.
If
you
want
to
go
and
try
it
on
your
own,
and
essentially
you
know,
it
just
gives
you
a
way
to
try
out
art
in
a
very
quick
format.
For
example,
this
is
a
siamese
cat
and
if
you
see
the
model
is
92
percent,
confident
that
this
is
a
calcium
scat.
A
Now,
if
I
choose
an
attack,
let's
say
projected
gradient
descent,
but
which
is
one
of
the
attack
methods
which
art
provides
even
with
a
low
strength
of
that
attack.
The
model's
confidence
has
reduced
to
four
percent.
If
you
see
them
right,
and
this
is
just
low
now,
if
I
change
this
attack
to
medium
now,
the
model
actually
thinks
this
is
a
basketball.
A
So
if
we,
you
know,
introduce
this
defense
algorithm
at
a
low
strength,
the
model
is
back
to
76
percent,
confident
right
that
it
is
a
cat
great
if
you
make
it
medium
92,
that's
where
we
started
right.
So,
as
you
can
see,
that's
how
you
can
use
the
both.
You
know
red
team
attack
methods,
as
well
as
blue
team,
different
methods
which
are
provides
you
to
to
actually
implement
okay.
Let's
go
back
to
this.
A
So
we
covered
this.
If
you
were
interested
here
right
so
very
quickly,
I
think
we
are
at
your
phone.
There
are
other
sections
around
qfloor.
If
you
haven't
heard
of
qfloor
right,
it's
a
tool
which
is
focused
on
the
end-to-end
air
life
cycle.
It
gives
you
tools
to
create
your
models
and
distributor
training
on
your
models.
A
You
launch,
you
know,
use
hyper,
parameter
and
then
use
neural
architecture
search
right.
So
that's
a
toolkit
called
cated
in
that,
then
it
also
gives
you
a
platform
to
deploy
your
models
and
not
only
deploy
your
models
in
production,
but
also
monitor
them
for
things
like
drift
anomaly
right
so
whole
end-to-end
platform
comes
as
part
of
the
queue
flow,
starting
from
you
know
very
beginning,
which
is
launch
integrated,
notebooks
and
start
creating
your
models
right
now.
A
Two
significant
projects
in
that
space,
where
we
invest
heavily
our
queue
flow
pipelines
and
kf
serving
right,
so
keyframe
pipelines
and
care
serving
essentially
are
the
two
projects
where
we
are
investing
heavily
in
that
particular
space
and
contribute,
and
when
we
look
at
q4
pipelines,
it's
essentially
you
know
a
platform
and
a
toolkit
which
gives
you
capability
to
create
end-to-end
machine
learning
pipelines
by
encapsulating
each
of
these
steps
inside
a
container.
A
sequence
of
these
containers,
which
you
can
orchestrate
together,
becomes
a
pipeline
right.
A
But
even
though
you
know
everything
is
running
in
containers,
you
are
manipulating
humanities
objects,
like
secrets
volumes,
etc.
There
is
a
python
interface,
so
for
data
scientists,
you
can
program
this
whole
pipeline
using
python
right
and
if
you
don't
want,
you
don't
need
to
deal
with
the
kubernetes
constructs
right.
So
that's
the
great
part
about
it
and
that's
made
what
made
it
really
popular.
A
Okay,
so
that's
kevlar
pipelines,
and
then
there
is
another
project
which
I
mentioned
right.
We
are
heavily
invested
in
called
care
serving
which
was
founded
jointly
by
google
selled
in
ibm,
bloomberg
and
microsoft.
It's
part
of
the
queue
flow
and
sure
we
focus
on
80
of
the
use
cases
right
and
we
provide
serverless
machine
learning
inferencing
with
capabilities
around
candidate
rollouts
and
also
you
know,
generating
model
explanations
as
well,
as
you
know,
plugging
in
your
own
pre-processing
and
post-processing
code
right.
A
B
Andrew
sure,
thanks
anamesh,
so
what
we're
going
to
be
looking
at
specifically
is
inside
of
each
of
the
components
so
kubeflow
pipelines
and
kf
serving
and
so
we're
going
to
take
a
look
at
the
specific
adversary,
robustness
toolbox
component
inside
of
kubeflow
pipelines
and
exactly
what
it
does,
the
inputs
that
you
would
give
to
it
and
the
output
that
you
would
expect
after
you're
done
with
it.
So
at
the
beginning,
you'll
have
some
inputs
for
this
component
and
specific
parameters
focused
around
the
individual
components,
use
case
of
the
trusted
ai
toolbox.
B
Basically,
what
happens
is
a
number
of
samples
are
given
to
the
originally
trained
model,
and
then
the
model
interprets
how
it
would
classify
those
samples
and
then
the
fast
gradient
sine
method
will
compute
the
loss
and
the
sine
gradient
of
the
loss
and
try
and
maximize
that
loss
in
order
to
get
an
image
that
makes
your
model
mispredict
and
for
output
parameters.
We
have
the
model
accuracy
on
test
data,
so
in
the
original
test
set
that
you
have
set
up.
B
You
get
the
confidence
reduced
on
correctly
acid,
classified
adversarial
samples,
so
if
your
model
is
able
to
correctly
classify
the
samples
after
they
have
been
changed,
what
was
the
amount
of
confidence
that
was
reduced
for
like
how
confident
was
your
model
before
and
how
confident
is
your
model
now
and
how
has
that
changed?
And
then
the
last
one
is
the
average
perturbation
for
misclassified.
B
So
if
you
were
able
to
get
the
model
to
misclassify,
how
far
did
the
fgsm
have
to
go
in
order
to
trick
your
model
and
we'll
look
at
this
in
a
demo
as
well?
So
first
we
have
a
training
step
that
could
be
any
training
stuff
that
you
use
to
train
a
model
and
you
can
be
removed
and
placed
in
you
know
it's
portable.
B
So,
let's
create
a
run
here
and
we'll
choose
an
experiment,
one
that
we've
already
have
set
up
trusted
ai
and
we
need
to
specify
the
namespace
that
we're
going
to
use,
in
our
case
we're
going
to
use
the
keyflow
user
example
com
namespace,
and
then
you
can
see
that
we
are
actually
giving
actual
data
to
our.
These
are
the
defaults,
but
this
is
the
actual
parameter
choices
that
we
use
so
0.2
for
the
attack
epsilon.
B
When
we
want
to
identify
when
we
want
to
look
at
bias,
we
have
to
say
which
is
a
good
outcome
and
which
is
a
bad
outcome
and
then
also
which
groups
we
believe
will
be
biased
against
and
which
groups
may
be.
The
bias
may
be
in
favor
of
so
this
will
start
impending
and
then
eventually
it
will
show
running,
and
then
it
will
execute
successfully
and
we'll
see
this
walk
through.
These
are
executing
fairly
quickly
because
they're,
cached,
and
so
the
reason
for
that
is.
B
This
takes
a
very
long
amount
of
time
to
run
so
it's
much
easier
if
we
cash
in
and
just
show
it
running
through
and
collecting
from
cash.
But
the
basic
idea
here
is
that
this
step
will
train
as
we've
seen
before,
and
then
these
two
will,
once
your
model
has
been
trained,
check
the
robustness
and
then
check
the
fairness.
B
So
in
this
example,
we
see
the
inputs
that
we
have
it's
getting
from
the
original
that
we
specified
and
then
also
something
similar
to
what
we
had
before
model
accuracy
on
test
data,
all
the
things
that
we
talked
about
previously
and
we
can
see
they're
very
similar
to
what
we
had
before
and
the
robustness
status
remains
false
and
so
quickly
we
can
look
at
the
fairness
and
see
we
have
a
few
things
here
from
the
ending
the
classification
accuracy
so
similar
to
the
robustness.
It
shows
the
original
classification
accuracy
and
then.
B
On
how
biased
it
believes
your
model
performs,
and
now
we're
going
to
take
a
look
at
kf
survey,
so
we've
also
implemented
all
the
trusted
ai
components
into
kf.
Serving
so
to
give
you
an
example
of
this,
we
have
implemented
the
square
attack
method
for
art
inside
of
camp
serving
and
just
to
give
a
concrete
example.
We
have
an
mnist
image
on
the
left
and
we
see
that
it
shows
a
one
and
then
it
will
add
through
the
square
attack
method,
a
mask
that
looks
something
like
that
and
when
those
are
combined.
B
B
But
basically,
what
we're
going
to
do
here
is
we've
already
set
up
our
inference
service,
so
it's
ready
to
be
queried
both
a
predictor
and
an
explainer
and
we'll
show
that
and
then
basically,
what
we're
going
to
do
is
we're
going
to
send
a
request
to
this
explainer
to
try
and
get
our
model
in
this
classifier
like
it
does
in
this
image
here
as
well.
So
this
is
the
kind
of
mask
that
we
would
expect
to
see.
B
Let's
look
at
our
pods
here,
see
that
we
have
them
up
and
running
and
so
yep.
Here
we
go.
We
have
a
pod
for
our
explainer
and
a
pod
for
our
predictor
and
then
let's
look
that
our
inference
service
is
ready
to
be
queried
yep.
You
can
see
that
it's
ready
here
and
you
can
see
the
url
that
you
would
want
to
bring
at
I've
already
had
it
set
up
here.
B
B
You
know
an
average
person
would
be
able
to
look
at
this
image
and
tell
that
it's
a
three,
but
our
model
has
actually
predicted
to
be
a
two.
This
is
all
through
the
inference
service
and,
like
we
said
easy
to
prop
up
and
push
open.
All
you
have
to
do
is
apply
the
ammo
width
that
we've
specified
and
shown.
A
B
A
A
So
hopefully
you
know
you
all
join
us
in
this
mission
to
make
ai
more
secure,
more
robust
and-
and
you
know
much
stronger
so
and
if
you
need
any
questions
or
if
you
have
any
questions,
and
you
need
more
clarifications
about
these
projects
definitely
reach
out
to
us.
We
would
love
to
have
a
chat
with
you
that,
thanks
again
and
thanks
for
joining
us.