LG · CR · ML | Dec 16, 2018

Trust Region Based Adversarial Attack on Neural Networks

arXiv:1812.06371v1 · 59 citations · Has Code
Originality: Incremental advance
AI Analysis

This addresses the efficiency bottleneck in adversarial attack methods for machine learning practitioners, though it is incremental as it builds on existing optimization techniques.

The paper tackles the high computational cost of adversarial attacks on neural networks by proposing a new family of trust-region-based attacks. These achieve results comparable to the Carlini-Wagner attack with up to a 37x speedup, and reduce ResNet-50 accuracy to less than 0.1% in 1.02 seconds.

Deep Neural Networks are quite vulnerable to adversarial perturbations. Current state-of-the-art adversarial attack methods typically require very time-consuming hyper-parameter tuning, or require many iterations to solve an optimization-based adversarial attack. To address this problem, we present a new family of trust region based adversarial attacks, with the goal of computing adversarial perturbations efficiently. We propose several attacks based on variants of the trust region optimization method. We test the proposed methods on CIFAR-10 and ImageNet datasets using several different models including AlexNet, ResNet-50, VGG-16, and DenseNet-121. Our methods achieve comparable results with the Carlini-Wagner (CW) attack, but with a significant speedup of up to $37\times$ for the VGG-16 model on a Titan Xp GPU. For the case of ResNet-50 on ImageNet, we can bring down its classification accuracy to less than 0.1% with at most 1.5% relative $L_\infty$ (or $L_2$) perturbation, requiring only 1.02 seconds as compared to 27.04 seconds for the CW attack. We have open sourced our method, which can be accessed at [1].

Code Implementations: 2 repos
Foundations

The foundational work for this paper's niche, ranked by how specifically the neighbourhood builds on it — not by global fame.