Constrained Gradient Descent: A Powerful and Principled Evasion Attack Against Neural Networks
Weiran Lin, Keane Lucas, Lujo Bauer, Michael K. Reiter, Mahmood Sharif

TL;DR
This paper introduces Constrained Gradient Descent (CGD), a new principled attack method that effectively fools neural networks within a bounded distance, outperforming existing attacks in success rate and efficiency.
Contribution
The paper presents CGD, a novel attack method that explicitly optimizes for misclassification and bounded input perturbation simultaneously, improving attack success and efficiency.
Findings
CGD outperforms state-of-the-art attacks on CIFAR10 and ImageNet.
CGD achieves higher attack success rates with less computational time.
Statistical tests confirm CGD's superiority against leading defenses.
Abstract
We propose new, more efficient targeted white-box attacks against deep neural networks. Our attacks better align with the attacker's goal: (1) tricking a model to assign higher probability to the target class than to any other class, while (2) staying within an -distance of the attacked input. First, we demonstrate a loss function that explicitly encodes (1) and show that Auto-PGD finds more attacks with it. Second, we propose a new attack method, Constrained Gradient Descent (CGD), using a refinement of our loss function that captures both (1) and (2). CGD seeks to satisfy both attacker objectives -- misclassification and bounded -norm -- in a principled manner, as part of the optimization, instead of via ad hoc post-processing techniques (e.g., projection or clipping). We show that CGD is more successful on CIFAR10 (0.9--4.2%) and ImageNet (8.6--13.6%) than…
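The two attacker objectives named in the abstract, as an added worked example (this is illustrative code written for this page, not code from the paper or its authors): a targeted white-box attack on a constructed 3-class linear model, using a margin loss (largest non-target logit minus target logit) whose sign is exactly the success criterion of objective (1), with objective (2) taken here as an L-infinity ball of radius eps and enforced by projection and clipping. The weights, the clean input, the target class and eps are all constructed for the example. Projection is the post-processing the abstract contrasts CGD with; the paper's own CGD formulation is not reproduced here.

```python
"""Targeted attack on a toy linear classifier with a margin loss.

Illustrative example added for this page, not the paper's code. The
classifier, input and epsilon are constructed; the loss is the usual
"max non-target logit minus target logit" margin, which is negative
exactly when the target class is the model's top class (objective 1).
"""
import numpy as np

# Constructed 3-class linear model on 4-dimensional inputs in [0, 1].
W = np.array([[1.5, -0.5, 0.2, 0.0],
              [-0.3, 1.2, 0.1, 0.4],
              [0.2, 0.1, 1.4, -0.6]])
B = np.zeros(3)
X0 = np.array([0.9, 0.3, 0.5, 0.6])   # constructed clean input, class 0


def logits(x):
    return W @ x + B


def margin_loss(x, target):
    """max_{j != target} z_j - z_target; < 0 iff target is the top class."""
    z = logits(x)
    others = np.delete(z, target)
    return float(others.max() - z[target])


def margin_grad(x, target):
    """Gradient of margin_loss w.r.t. x for the linear model (W[j*] - W[t])."""
    z = logits(x)
    masked = z.copy()
    masked[target] = -np.inf
    j = int(np.argmax(masked))
    return W[j] - W[target]


def targeted_ce(x, target):
    """Targeted cross-entropy -log p_target: stays > 0 even once the target wins,
    so it gives no built-in stopping criterion, unlike the margin's sign."""
    z = logits(x)
    z = z - z.max()
    return float(-(z[target] - np.log(np.exp(z).sum())))


def is_adversarial(x, target):
    return int(np.argmax(logits(x))) == target


def pgd_linf(x0, target, eps, alpha=0.05, steps=20):
    """Signed-gradient descent on margin_loss with L_inf projection and clipping.

    The projection/clipping is the ad hoc post-processing the abstract
    contrasts CGD with. Returns (x_adv, success, iterations_used).
    """
    x = x0.copy()
    for k in range(1, steps + 1):
        if margin_loss(x, target) < 0:       # objective (1) met: stop early
            return x, True, k - 1
        x = x - alpha * np.sign(margin_grad(x, target))
        x = np.clip(x, x0 - eps, x0 + eps)   # objective (2): L_inf ball
        x = np.clip(x, 0.0, 1.0)             # stay in the valid input domain
    return x, margin_loss(x, target) < 0, steps


def linf(x, x0):
    return float(np.abs(x - x0).max())


if __name__ == "__main__":
    t = 2
    for eps in (0.3, 0.15):
        adv, ok, it = pgd_linf(X0, t, eps)
        print(f"eps={eps}: success={ok} after {it} steps, "
              f"margin={margin_loss(adv, t):+.3f}, linf={linf(adv, X0):.3f}")
```

With eps = 0.3 the attack reaches a negative margin (target logit above every other logit) after five signed steps while staying inside the ball; with eps = 0.15 the projection holds the perturbation at the boundary and the margin never crosses zero, so the attack fails. The cross-entropy value of the successful adversarial input remains positive, which is why a loss like the margin, whose sign matches the attacker's goal, is the more natural thing to optimize and to stop on.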
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Artificial Intelligence in Healthcare and Education
Methods: ALIGN · High-Order Consensuses
