Attacking Convolutional Neural Network using Differential Evolution
This work addresses security risks in AI systems by demonstrating that even simple black-box attacks can compromise CNNs, which is an incremental but practical contribution for cybersecurity and machine learning practitioners.
The paper tackles the vulnerability of Convolutional Neural Networks (CNNs) to adversarial attacks by proposing a differential evolution-based method, achieving non-targeted attack success rates of up to 78.24% with minimal pixel modifications (e.g., 5 pixels changed).
The output of Convolutional Neural Networks (CNN) has been shown to be discontinuous which can make the CNN image classifier vulnerable to small well-tuned artificial perturbations. That is, images modified by adding such perturbations(i.e. adversarial perturbations) that make little difference to human eyes, can completely alter the CNN classification results. In this paper, we propose a practical attack using differential evolution(DE) for generating effective adversarial perturbations. We comprehensively evaluate the effectiveness of different types of DEs for conducting the attack on different network structures. The proposed method is a black-box attack which only requires the miracle feedback of the target CNN systems. The results show that under strict constraints which simultaneously control the number of pixels changed and overall perturbation strength, attacking can achieve 72.29%, 78.24% and 61.28% non-targeted attack success rates, with 88.68%, 99.85% and 73.07% confidence on average, on three common types of CNNs. The attack only requires modifying 5 pixels with 20.44, 14.76 and 22.98 pixel values distortion. Thus, the result shows that the current DNNs are also vulnerable to such simpler black-box attacks even under very limited attack conditions.