Poisoning the Search Space in Neural Architecture Search

TL;DR

This paper investigates the vulnerability of Neural Architecture Search algorithms, specifically ENAS, to poisoning attacks that manipulate the search space, leading to increased error rates in object detection and image segmentation tasks.

Contribution

It introduces a novel search space poisoning method and demonstrates its effectiveness against ENAS, highlighting potential security risks in NAS-based architecture design.

Findings

Poisoning attacks significantly increase prediction errors in NAS-generated models.

The proposed SSP method exploits design flaws in ENAS to manipulate search outcomes.

NAS algorithms are vulnerable to data-agnostic poisoning, affecting model robustness.

Abstract

Deep learning has proven to be a highly effective problem-solving tool for object detection and image segmentation across various domains such as healthcare and autonomous driving. At the heart of this performance lies neural architecture design which relies heavily on domain knowledge and prior experience on the researchers' behalf. More recently, this process of finding the most optimal architectures, given an initial search space of possible operations, was automated by Neural Architecture Search (NAS). In this paper, we evaluate the robustness of one such algorithm known as Efficient NAS (ENAS) against data agnostic poisoning attacks on the original search space with carefully designed ineffective operations. By evaluating algorithm performance on the CIFAR-10 dataset, we empirically demonstrate how our novel search space poisoning (SSP) approach and multiple-instance poisoning attacks exploit design flaws in the ENAS controller to result in inflated prediction error rates for child networks. Our results provide insights into the challenges to surmount in using NAS for more adversarially robust architecture search.