# Scaling up the randomized gradient-free adversarial attack reveals   overestimation of robustness using established attacks

**Authors:** Francesco Croce, Jonas Rauber, Matthias Hein

arXiv: 1903.11359 · 2019-09-26

## TL;DR

This paper enhances a gradient-free adversarial attack method to scale it for large neural networks, revealing that existing attacks may overestimate neural network robustness.

## Contribution

It introduces a scaled-up version of a gradient-free attack, providing more accurate robustness estimates for large neural networks compared to prior methods.

## Key findings

- The attack achieves lower robust accuracy than PGD and Carlini-Wagner attacks.
- It reveals overestimation of robustness by existing state-of-the-art attacks.
- The method is less sensitive to hyperparameters due to its gradient-free nature.

## Abstract

Modern neural networks are highly non-robust against adversarial manipulation. A significant amount of work has been invested in techniques to compute lower bounds on robustness through formal guarantees and to build provably robust models. However, it is still difficult to get guarantees for larger networks or robustness against larger perturbations. Thus attack strategies are needed to provide tight upper bounds on the actual robustness. We significantly improve the randomized gradient-free attack for ReLU networks [9], in particular by scaling it up to large networks. We show that our attack achieves similar or significantly smaller robust accuracy than state-of-the-art attacks like PGD or the one of Carlini and Wagner, thus revealing an overestimation of the robustness by these state-of-the-art methods. Our attack is not based on a gradient descent scheme and in this sense gradient-free, which makes it less sensitive to the choice of hyperparameters as no careful selection of the stepsize is required.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1903.11359/full.md

## Figures

73 figures with captions in the complete paper: https://tomesphere.com/paper/1903.11359/full.md

## References

38 references — full list in the complete paper: https://tomesphere.com/paper/1903.11359/full.md

---
Source: https://tomesphere.com/paper/1903.11359