A randomized gradient-free attack on ReLU networks

TL;DR

This paper introduces a new gradient-free attack method for ReLU neural networks that optimizes over linear regions, outperforming the existing Carlini-Wagner attack in most cases and being more robust against defenses.

Contribution

It presents a novel attack scheme based on the geometric structure of ReLU networks, improving attack success over the state-of-the-art Carlini-Wagner method.

Findings

Outperforms Carlini-Wagner attack in 17 out of 18 experiments

Achieves up to 9% relative improvement in attack effectiveness

Less susceptible to defenses targeting functional properties of ReLU networks

Abstract

It has recently been shown that neural networks but also other classifiers are vulnerable to so called adversarial attacks e.g. in object recognition an almost non-perceivable change of the image changes the decision of the classifier. Relatively fast heuristics have been proposed to produce these adversarial inputs but the problem of finding the optimal adversarial input, that is with the minimal change of the input, is NP-hard. While methods based on mixed-integer optimization which find the optimal adversarial input have been developed, they do not scale to large networks. Currently, the attack scheme proposed by Carlini and Wagner is considered to produce the best adversarial inputs. In this paper we propose a new attack scheme for the class of ReLU networks based on a direct optimization on the resulting linear regions. In our experimental validation we improve in all except one experiment out of 18 over the Carlini-Wagner attack with a relative improvement of up to 9\%. As our approach is based on the geometrical structure of ReLU networks, it is less susceptible to defences targeting their functional properties.