Trustworthy Machine Learning

Adam Gleave, 2023-04-27

Prior Work: Attacking Image Classifiers

​

Goodfellow et al (2015)

"Adversarial examples are inputs to machine learning models that an attacker has intentionally designed to cause the model to make a mistake"

​

- Ian Goodfellow (2017)

Adversarial Rotations

"revolver"

"mousetrap"

"vulture"

"orangutan"

Engstrom et al (2018)

Unrestricted adversarial examples: bird or bike?

Brown et al (2018)

Adversarial Policies:

Attacking Deep Reinforcement Learning

Adam Gleave, Michael Dennis, Cody Wild, �Neel Kant, Sergey Levine, Stuart Russell

Prior Work: Attacking RL Policies

​

Huang et al (2017); Kos & Song (2017)

Prior Work: Train Time

Environment

Victim

Observation & Reward

Action

Prior Work: Attack Time

Our Threat Model: Victim Train Time

Our Threat Model: Attack Time

The Adversary takes the role of an Opponent

Our Threat Model: Attack Train Time

Adversary

Environments

Kick & Defend

Sumo Humans

Kicker: score a goal.

Goalie: block a goal.

Wrestler 1 & Wrestler 2:

knock opponent out.

Bansal et al (2018): Emergent Complexity via Multi-Agent Competition

​

​

You Shall Not Pass

Runner: cross finish line.

Blocker: stop Runner.

Environments

Kick & Defend

Kicker: score a goal.

Goalie: block a goal.

Bansal et al (2018): Emergent Complexity via Multi-Agent Competition

​

​

You Shall Not Pass

Runner: cross finish line.

Blocker: stop Runner.

You Shall Not Pass: Normal (47% win rate)

Victim runner is playing blocker opponent

You Shall Not Pass: Adversary (86% win rate)

Victim runner is playing blocker opponent

Kick and Defend: Normal (80% win rate)

Victim kicker is playing goalie opponent

​

Kick and Defend: Adversary (93% win rate)

Victim kicker is playing goalie opponent

​

Sumo Humans: Normal (71% win rate)

Victim wrestler is playing wrestler opponent

​

Sumo Humans: Adversary (63% win rate)

Victim wrestler is playing wrestler opponent

​

Why do the adversaries win?

Density Modeling

t-SNE

Density Modeling

Density Modeling

t-SNE: Kick and Defend, victim 2

t-SNE: Sumo Humans, victim 2

Defence: Masked Victims

Defence: Masked Victims

Environment

Self observation (position, velocity, contact)

Opponent position

​

​

Static value

You Shall Not Pass: Adversarial Opponent

Adversarial Opponent (1%)

Masked Victim (99%)

Adversarial Opponent (86%)

Normal Victim (14%)

​

Victim runner is playing blocker opponent

You Shall Not Pass: Normal Opponent

Normal Opponent (78%)

Masked Victim (22%)

​

​

Normal Opponent (48%)

Normal Victim (52%)

Victim runner is playing blocker opponent

Why?

Defence: Adversarial Training

You Shall Not Pass: Retrained Victim

Adversarial Opponent (11% win rate)

Hardened Victim (89% win rate)

Adversarial Opponent (86% win rate)

Normal Victim (14% win rate)

​

Victim runner is playing blocker opponent

You Shall Not Pass: Retrained Adversary

New Adversary (88% win rate)

Hardened Victim (12% win rate)

New Adversary (76% win rate)

Normal Victim (24% win rate)

​

Victim runner is playing blocker opponent

Takeaways

Competing Explanations

Will transformative AI systems be vulnerable to adversarial policies?

Adversarial Policies in Narrowly Superhuman AI

Tony Wang*, Adam Gleave*, Nora Belrose, �Tom Tseng, Michael Dennis, Yawen Duan, Viktor Pogrebniak, Sergey Levine, Stuart Russell

​

Almost all deep-learning based AI models

have adversarial examples…

​

Image models

Audio models

Language models

Why test superhuman game playing models?

​

We wanted to test two hypotheses:�

1. Maybe adversarial examples go away when models are strongly superhuman?�
2. Maybe adversarial examples are a “system 1 bug”, and using system 2 reasoning (i.e. thinking ahead, reflecting on judgements, search) fixes things.

Are superhuman game-playing models vulnerable to adversarial examples?

How KataGo’s strength varies with search

[1] https://arxiv.org/pdf/2211.00241.pdf#figure.caption.16

• 10x the amount of search �→ constant increase in Elo.�
• 400 pts of Elo = 90% win rate.

1 node / move ≈ top Go player in Europe�10³ nodes / move ≈ Superhuman�10⁶-10⁷ nodes / move ≈ Strongly superhuman

(tournament strength)

​

​

​

Is KataGo vulnerable to adversarial examples?

​

KataGo only wins 40% of the time as black…

KataGo is vulnerable to adversarial board states.

But such board states never show up in real games…

Can KataGo be tricked starting from an empty board?

KataGo is stronger than

LeelaZero, and probably AlphaZero too!

“Unified Elo rating for AIs” by SKHD13 (2020). https://www.reddit.com/r/baduk/comments/hma3nx/unified_elo_rating_for_ais/

KataGo is superhuman

Our Attack

1. Randomly initialize a policy and value network.
2. Play the current policy/value network against the fixed victim.
1. Victim player’s MCTS performed as usual.
2. Adversary player’s MCTS alternates between victim and adversary network depending on whose turn it is.
3. Update adversary using usual KataGo (AlphaZero-style) training procedure.
4. Repeat steps 2-3.

How our attack works

​

​

Adversary architecture

1. Selects moves via neural-net guided tree-search.
2. Adversary uses A-MCTS instead of MCTS.

How our attack works

​

How our attack works

​

​

Training procedure

1. Randomly initialize a policy and value network.
2. Play the adversary with A-MCTS against the victim.
3. Train the adversary neural-net to imitate the behavior of the adversary from step 2.
4. Repeat steps 2-3.
5. Optionally train against a curriculum of victims.

Adversary architecture

• Selects moves via neural-net guided tree-search.
• Adversary uses A-MCTS instead of MCTS.

Success Metrics

Key metrics:

• Strength relative to victim: win rate.
• Efficiency: samples to train attacker vs victim.
• Capability of victim: how many visits?

Auxiliary criteria:

• Non-transitivity: is adversary strong against victim but weak more generally?
• Bizarreness: does adversary pursue unintuitive strategies?

Adversary: The passer

> 99% win-rate against KataGo w/o search

�Trained for 0.3% as many SGD steps as KataGo

Adversary: The passer

Pass-alive defense

Adversary: The cyclic-exploit

Adversary: The cyclic-exploit

1. Adversary plays low (2nd/3rd line), generally subpar moves.
2. Builds a “dead” four-square group in top-left quadrant.
3. Uses “dead” stones to encircle victim in top-left. Victim could still win had it played at “A”.
4. 17 moves later, adversary captures black group, decisive victory.

Adversary (W) vs KataGo (B)

Non-Transitivity

Tony Wang (B) vs Cycler (W)

How reliable is the

Cyclic-Exploit?

​

1 node / move ≈ top Go player in Europe�10³ nodes / move ≈ Superhuman�10⁶-10⁷ nodes / move ≈ Tournament settings

​

​

​

Our adversary AI (600 nodes / move) wins:

vs. KataGo (no search) ⇒ 1000 / 1000 games won.

vs. KataGo (2048 nodes / move) ⇒ 973 / 1000 games won.

vs. KataGo (1e7 nodes / move) ⇒ 36 / 50 games won (72%)

Kellin (resident Go-expert on our team) wins:

vs. JBXKata005 (9-dan KataGo bot on KGS) ⇒ 14 / 15 games won.

...but search does help

Success Metrics

The Cyclic-Exploit transfers!

Algorithmic Transfer

Human Transfer

62

Human Transfer

Human Transfer

Adversarial examples tell us…

Deep learning systems (even if very capable) diverge from human cognition / expectation under strong optimization pressure.

People want to deploy AI in high-stakes scenarios�(where often there is large optimization pressure)

Many plans to building "aligned" AI systems involve optimizing a student AI against a teacher AI.

Adversarial examples tell us…

Deep learning systems (even if very capable) diverge from human cognition / expectation under strong optimization pressure.

People want to deploy AI in high-stakes scenarios�(where often there is large optimization pressure)

Many plans to building "aligned" AI systems involve optimizing a student AI against a teacher AI.

Technical problem

Governance problem

Implications for alignment

• We should expect systems to be adversarially vulnerable.
• Maybe not superintelligence, but systems right before we develop transformative AI.
• Alignment assistants, automated interpretability, scalable overseers probably all exploitable.
• Option 1: solve adversarial robustness
• Impactful, but probably intractable.
• ML community has been trying to solve special case of this (l_p norm perturbations) for a decade, limited progress.
• Option 2: make alignment fault tolerant
• Direction I'm most excited about right now.
• We control the game. Can we make it harder for ML system to exploit our helper agents? E.g. online vs offline trained reward model.
• Or control the optimization pressure so it never wants to do so? IDA > RL.

More info: AI Safety in a World of Vulnerable Machine Learning Systems

Future work: Interpretability

Understand why KataGo (and most strong Go AIs) misjudge cyclic groups.

Preliminary results on interpretability

• Still working on why things go wrong. Can we tell where?

​

• Compare activations in cyclic/non-cyclic positions

​

• Problem is right here?

Future work: Adversarial training

Develop improved algorithms to make KataGo robust.

Preliminary results on adversarial training

Future work: scaling laws

How do strength and exploitability scale as a function of training?

​

72

More information

Robotics exploit: adversarialpolicies.github.io

KataGo exploit: goattack.far.ai

About me/my work: gleave.me, Twitter @ARGleave

FAR: job openings far.ai/jobs contact hello@far.ai