LG · CR · CV · Dec 28, 2021

Constrained Gradient Descent: A Powerful and Principled Evasion Attack Against Neural Networks

arXiv:2112.14232v2 · 5 citations
Originality: Incremental advance
AI Analysis

This work addresses the challenge of developing more effective adversarial attacks for security testing and robustness evaluation in machine learning, though it is incremental as it builds on existing attack methods.

The paper tackles the problem of creating efficient targeted white-box evasion attacks against deep neural networks by proposing Constrained Gradient Descent (CGD), which optimizes for misclassification and bounded perturbation in a principled way. Compared with state-of-the-art attacks, CGD is more successful (by 0.9–4.2% on CIFAR10 and 8.6–13.6% on ImageNet) and takes 11.4–18.8% less time.

We propose new, more efficient targeted white-box attacks against deep neural networks. Our attacks better align with the attacker's goal: (1) tricking a model to assign higher probability to the target class than to any other class, while (2) staying within an $ε$-distance of the attacked input. First, we demonstrate a loss function that explicitly encodes (1) and show that Auto-PGD finds more attacks with it. Second, we propose a new attack method, Constrained Gradient Descent (CGD), using a refinement of our loss function that captures both (1) and (2). CGD seeks to satisfy both attacker objectives -- misclassification and bounded $\ell_{p}$-norm -- in a principled manner, as part of the optimization, instead of via ad hoc post-processing techniques (e.g., projection or clipping). We show that CGD is more successful on CIFAR10 (0.9--4.2%) and ImageNet (8.6--13.6%) than state-of-the-art attacks while consuming less time (11.4--18.8%). Statistical tests confirm that our attack outperforms others against leading defenses on different datasets and values of $ε$.

Code Implementations: 1 repo