Combinatorial Attacks on Binarized Neural Networks
Elias B. Khalil, Amrita Gupta, Bistra Dilkina

TL;DR
This paper introduces combinatorial attack methods for Binarized Neural Networks, proposing a MILP formulation and a scalable decomposition algorithm, IProp, to effectively generate adversarial examples and improve robustness evaluation.
Contribution
It presents a novel MILP-based attack formulation for BNNs and introduces IProp, a scalable algorithm that outperforms gradient-based attacks in effectiveness and scalability.
Findings
IProp outperforms FGSM in attacking BNNs on MNIST datasets.
The MILP formulation effectively models BNN attacks but becomes intractable as the network and perturbation space grow.
IProp scales better than MILP for larger networks and perturbation spaces.
Abstract
Binarized Neural Networks (BNNs) have recently attracted significant interest due to their computational efficiency. Concurrently, it has been shown that neural networks may be overly sensitive to "attacks" - tiny adversarial changes in the input - which may be detrimental to their use in safety-critical domains. Designing attack algorithms that effectively fool trained models is a key step towards learning robust neural networks. The discrete, non-differentiable nature of BNNs, which distinguishes them from their full-precision counterparts, poses a challenge to gradient-based attacks. In this work, we study the problem of attacking a BNN through the lens of combinatorial and integer optimization. We propose a Mixed Integer Linear Programming (MILP) formulation of the problem. While exact and flexible, the MILP quickly becomes intractable as the network and perturbation space grow. To…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Machine Learning and Algorithms · Anomaly Detection Techniques and Applications
