Exploiting Vulnerability of Pooling in Convolutional Neural Networks by Strict Layer-Output Manipulation for Adversarial Attacks
Chenchen Zhao, Hao Li

TL;DR
This paper introduces a novel adversarial attack method called SLOM that exploits the vulnerability of pooling layers in CNNs, demonstrating increased susceptibility of pooling to adversarial manipulation in neural networks.
Contribution
The paper proposes the SLOM methodology and the SPM attack technique, revealing pooling layers as more vulnerable to adversarial attacks than other CNN operations.
Findings
Pooling layers are more vulnerable to adversarial attacks than other operations.
The SPM attack effectively performs both type I and type II attacks.
Attack performance varies with network depth and layer operation.
Abstract
Convolutional neural networks (CNN) have been more and more applied in mobile robotics such as intelligent vehicles. Security of CNNs in robotics applications is an important issue, for which potential adversarial attacks on CNNs are worth research. Pooling is a typical step of dimension reduction and information discarding in CNNs. Such information discarding may result in mis-deletion and mis-preservation of data features which largely influence the output of the network. This may aggravate the vulnerability of CNNs to adversarial attacks. In this paper, we conduct adversarial attacks on CNNs from the perspective of network structure by investigating and exploiting the vulnerability of pooling. First, a novel adversarial attack methodology named Strict Layer-Output Manipulation (SLOM) is proposed. Then an attack method based on Strict Pooling Manipulation (SPM) which is an…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Neural Network Applications · Advanced Malware Detection Techniques
