Challenging the adversarial robustness of DNNs based on error-correcting output codes

TL;DR

This paper critically examines the robustness of error-correcting output codes (ECOC) in deep neural networks against adversarial attacks, revealing their vulnerability despite previous claims of security.

Contribution

It introduces a new adversarial attack tailored for ECOC-based multi-label classifiers and demonstrates their susceptibility through extensive experiments.

Findings

ECOC networks can be easily attacked with small perturbations

Adversarial examples can achieve high confidence in target classes

ECOC robustness claims are challenged by new attack methods

Abstract

The existence of adversarial examples and the easiness with which they can be generated raise several security concerns with regard to deep learning systems, pushing researchers to develop suitable defense mechanisms. The use of networks adopting error-correcting output codes (ECOC) has recently been proposed to counter the creation of adversarial examples in a white-box setting. In this paper, we carry out an in-depth investigation of the adversarial robustness achieved by the ECOC approach. We do so by proposing a new adversarial attack specifically designed for multi-label classification architectures, like the ECOC-based one, and by applying two existing attacks. In contrast to previous findings, our analysis reveals that ECOC-based networks can be attacked quite easily by introducing a small adversarial perturbation. Moreover, the adversarial examples can be generated in such a way to achieve high probabilities for the predicted target class, hence making it difficult to use the prediction confidence to detect them. Our findings are proven by means of experimental results obtained on MNIST, CIFAR-10 and GTSRB classification tasks.