CapsAttacks: Robust and Imperceptible Adversarial Attacks on Capsule Networks
Alberto Marchisio, Giorgio Nanfa, Faiq Khalid, Muhammad Abdullah Hanif, Maurizio Martina, Muhammad Shafique

TL;DR
This paper investigates the vulnerability of Capsule Networks to imperceptible adversarial attacks, proposes a greedy algorithm for black-box targeted attacks, and compares the robustness of Capsule Networks with that of CNNs on traffic sign recognition.
Contribution
It introduces a novel greedy algorithm for generating imperceptible adversarial examples targeting Capsule Networks in a black-box setting and compares the robustness of Capsule Networks with that of CNNs.
Findings
Capsule Networks are vulnerable to the proposed adversarial attacks.
The attacks successfully mislead Capsule Networks on GTSRB.
Comparison shows differences in robustness between Capsule Networks and CNNs.
Abstract
Capsule Networks preserve the hierarchical spatial relationships between objects, and thereby bear a potential to surpass the performance of traditional Convolutional Neural Networks (CNNs) in performing tasks like image classification. A large body of work has explored adversarial examples for CNNs, but their effectiveness on Capsule Networks has not yet been well studied. In our work, we perform an analysis to study the vulnerabilities in Capsule Networks to adversarial attacks. These perturbations, added to the test inputs, are small and imperceptible to humans, but can fool the network into mispredicting. We propose a greedy algorithm to automatically generate targeted imperceptible adversarial examples in a black-box attack scenario. We show that attacks of this kind, when applied to the German Traffic Sign Recognition Benchmark (GTSRB), mislead Capsule Networks. Moreover, we apply the…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Bacillus and Francisella bacterial research
