POPQORN: Quantifying Robustness of Recurrent Neural Networks

TL;DR

This paper introduces POPQORN, a novel method to reliably quantify the robustness of recurrent neural networks against adversarial attacks, addressing a gap in existing robustness evaluation techniques for RNN variants like LSTM and GRU.

Contribution

We propose POPQORN, the first general algorithm to compute robustness bounds for RNNs, including complex architectures like LSTM and GRU, handling multi-step inputs and gate interactions.

Findings

Effective robustness quantification for various RNN architectures.

Step-wise robustness analysis provides new insights into network vulnerabilities.

Demonstrated applicability on multiple RNN models.

Abstract

The vulnerability to adversarial attacks has been a critical issue for deep neural networks. Addressing this issue requires a reliable way to evaluate the robustness of a network. Recently, several methods have been developed to compute $\textit{robustness quantification}$ for neural networks, namely, certified lower bounds of the minimum adversarial perturbation. Such methods, however, were devised for feed-forward networks, e.g. multi-layer perceptron or convolutional networks. It remains an open problem to quantify robustness for recurrent networks, especially LSTM and GRU. For such networks, there exist additional challenges in computing the robustness quantification, such as handling the inputs at multiple steps and the interaction between gates and states. In this work, we propose $\textit{POPQORN}$ ($\textbf{P}$ropagated-$\textbf{o}$ut$\textbf{p}$ut $\textbf{Q}$uantified R$\textbf{o}$bustness for $\textbf{RN}$Ns), a general algorithm to quantify robustness of RNNs, including vanilla RNNs, LSTMs, and GRUs. We demonstrate its effectiveness on different network architectures and show that the robustness quantification on individual steps can lead to new insights.