LG CR ML | Nov 28, 2018

A randomized gradient-free attack on ReLU networks

arXiv:1811.11493v1 | 23 citations
Originality: Incremental advance
AI Analysis

The paper addresses the vulnerability of neural networks to adversarial attacks and offers a more effective method for security testing, though the advance is incremental because it builds on prior optimization approaches.

The paper tackles the problem of finding optimal adversarial inputs for ReLU networks, which is NP-hard and scales poorly with existing methods. It proposes a new attack scheme based on direct optimization over the network's linear regions, and it improves over the Carlini-Wagner attack in 17 out of 18 experiments, with a relative improvement of up to 9%.

It has recently been shown that neural networks, but also other classifiers, are vulnerable to so-called adversarial attacks: e.g., in object recognition, an almost non-perceivable change of the image changes the decision of the classifier. Relatively fast heuristics have been proposed to produce these adversarial inputs, but the problem of finding the optimal adversarial input, that is, the one with the minimal change of the input, is NP-hard. While methods based on mixed-integer optimization which find the optimal adversarial input have been developed, they do not scale to large networks. Currently, the attack scheme proposed by Carlini and Wagner is considered to produce the best adversarial inputs. In this paper we propose a new attack scheme for the class of ReLU networks based on a direct optimization on the resulting linear regions. In our experimental validation we improve in all except one experiment out of 18 over the Carlini-Wagner attack, with a relative improvement of up to 9%. As our approach is based on the geometrical structure of ReLU networks, it is less susceptible to defences targeting their functional properties.
