LG, CR, CV, IV, ML | Jan 28, 2019

CapsAttacks: Robust and Imperceptible Adversarial Attacks on Capsule Networks

arXiv:1901.09878v2 | 26 citations
AI Analysis

This addresses the security of Capsule Networks for image classification tasks, but it is incremental as it extends known adversarial attack methods to a new network type.

The paper tackles the vulnerability of Capsule Networks to adversarial attacks by proposing a greedy algorithm to generate targeted imperceptible adversarial examples in a black-box scenario, showing that these attacks mislead Capsule Networks on the GTSRB dataset and comparing outcomes with CNNs.

Capsule Networks preserve the hierarchical spatial relationships between objects, and thereby bear the potential to surpass the performance of traditional Convolutional Neural Networks (CNNs) in performing tasks like image classification. A large body of work has explored adversarial examples for CNNs, but their effectiveness on Capsule Networks has not yet been well studied. In our work, we perform an analysis to study the vulnerabilities in Capsule Networks to adversarial attacks. These perturbations, added to the test inputs, are small and imperceptible to humans, but can fool the network into mispredicting. We propose a greedy algorithm to automatically generate targeted imperceptible adversarial examples in a black-box attack scenario. We show that this kind of attack, when applied to the German Traffic Sign Recognition Benchmark (GTSRB), misleads Capsule Networks. Moreover, we apply the same kind of adversarial attacks to a 5-layer CNN and a 9-layer CNN, and analyze the outcome, compared to the Capsule Networks, to study differences in their behavior.
