LG | AI | ML | Oct 8, 2018

Combinatorial Attacks on Binarized Neural Networks

arXiv:1810.03538v1 | 43 citations
Originality: Incremental advance
AI Analysis

This work addresses the vulnerability of BNNs to adversarial attacks, which is crucial for safety-critical applications. It is incremental in that it builds on existing attack methods by adapting them to the discrete nature of BNNs.

The paper studies adversarial attacks on Binarized Neural Networks (BNNs). It proposes a Mixed Integer Linear Programming (MILP) formulation and a decomposition-based algorithm called IProp. IProp outperforms the standard gradient-based attack (FGSM) on the MNIST and Fashion-MNIST datasets and scales better than the MILP approach.

Binarized Neural Networks (BNNs) have recently attracted significant interest due to their computational efficiency. Concurrently, it has been shown that neural networks may be overly sensitive to "attacks" - tiny adversarial changes in the input - which may be detrimental to their use in safety-critical domains. Designing attack algorithms that effectively fool trained models is a key step towards learning robust neural networks. The discrete, non-differentiable nature of BNNs, which distinguishes them from their full-precision counterparts, poses a challenge to gradient-based attacks. In this work, we study the problem of attacking a BNN through the lens of combinatorial and integer optimization. We propose a Mixed Integer Linear Programming (MILP) formulation of the problem. While exact and flexible, the MILP quickly becomes intractable as the network and perturbation space grow. To address this issue, we propose IProp, a decomposition-based algorithm that solves a sequence of much smaller MILP problems. Experimentally, we evaluate both proposed methods against the standard gradient-based attack (FGSM) on MNIST and Fashion-MNIST, and show that IProp performs favorably compared to FGSM, while scaling beyond the limits of the MILP.
