Adversarial Parameter Attack on Deep Neural Networks
Lijia Yu, Yihan Wang, Xiao-Shan Gao

TL;DR
This paper introduces an adversarial parameter attack on deep neural networks: small perturbations to a trained network's parameters that leave its accuracy essentially unchanged but sharply reduce its robustness to adversarial inputs, so the tampering is hard to notice from accuracy alone.
Contribution
It proposes a parameter perturbation attack that is stronger than earlier ones, proves that such adversarial parameters exist for sufficiently deep networks, and gives an algorithm for generating adversarial parameters that lower robustness while preserving accuracy.
Findings
Adversarial parameters can drastically reduce DNN robustness.
The attack is more difficult to detect than previous methods.
Effective training algorithms for adversarial parameters are demonstrated.
Abstract
In this paper, a new parameter perturbation attack on DNNs, called adversarial parameter attack, is proposed, in which small perturbations are made to the parameters of the DNN such that the accuracy of the attacked DNN does not decrease much, but its robustness becomes much lower. The adversarial parameter attack is stronger than previous parameter perturbation attacks in that it is harder for users to recognize, and the attacked DNN gives a wrong label for a modified sample input with high probability. The existence of adversarial parameters is proved. For a DNN with the parameter set satisfying certain conditions, it is shown that if the depth of the DNN is sufficiently large, then there exists an adversarial parameter set for such that the accuracy of is equal to that of , but the robustness…
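The mechanism the abstract describes, small parameter changes that leave every clean prediction intact while shrinking the margin an adversary has to overcome, can be seen in miniature on a linear classifier. The following is an added illustration, not the paper's algorithm (which targets deep networks and is not reproduced on this page). It assumes a constructed data set in which some input dimensions are zero in every sample (the analogue of always-background border pixels); a perturbation confined to those dimensions lies in the null space of the data, so clean scores and accuracy are unchanged, yet the l1 norm of the weights grows and the optimal l_inf attack on a linear model, x' = x - eps * y * sign(w), flips every label. The names `W_CLEAN`, `DATA`, `adversarial_parameters` and `run` are this example's own.

```python
# Added illustration of the adversarial-parameter idea on a linear model.
# Not the paper's algorithm; pure Python, no dependencies.
from typing import Dict, List, Tuple

Vector = List[float]
Sample = Tuple[Vector, int]  # (features, label in {+1, -1})

N_DEAD = 30  # constructed: input dimensions that are zero in every sample


def _point(x0: float, x1: float, label: int) -> Sample:
    """Build a sample whose only non-zero features are the first two."""
    return ([x0, x1] + [0.0] * N_DEAD, label)


# Constructed data set, linearly separable by x0 + x1 with all margins < 1.5.
DATA: List[Sample] = [
    _point(0.7, 0.5, +1),    # score  1.2
    _point(0.9, 0.5, +1),    # score  1.4
    _point(0.3, 0.4, +1),    # score  0.7
    _point(-0.8, -0.5, -1),  # score -1.3
    _point(-0.6, -0.5, -1),  # score -1.1
    _point(-0.2, -0.5, -1),  # score -0.7
]

# Clean model: w = (1, 1, 0, ..., 0), b = 0 classifies DATA perfectly.
W_CLEAN: Vector = [1.0, 1.0] + [0.0] * N_DEAD
B: float = 0.0


def score(w: Vector, b: float, x: Vector) -> float:
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def predict(w: Vector, b: float, x: Vector) -> int:
    return 1 if score(w, b, x) > 0 else -1


def accuracy(w: Vector, b: float, data: List[Sample]) -> float:
    return sum(predict(w, b, x) == y for x, y in data) / len(data)


def sign(v: float) -> int:
    return (v > 0) - (v < 0)


def linf_attack(w: Vector, b: float, x: Vector, y: int, eps: float) -> Vector:
    """Optimal l_inf adversarial example for a linear model: move every
    coordinate by eps in the direction that lowers y * score(x)."""
    return [xi - eps * y * sign(wi) for xi, wi in zip(x, w)]


def adversarial_accuracy(w: Vector, b: float, data: List[Sample], eps: float) -> float:
    return sum(predict(w, b, linf_attack(w, b, x, y, eps)) == y for x, y in data) / len(data)


def l1_norm(w: Vector) -> float:
    return sum(abs(v) for v in w)


def min_certified_radius(w: Vector, b: float, data: List[Sample]) -> float:
    """Largest eps for which no l_inf attack can flip any sample of a
    linear model: min |score(x)| / ||w||_1."""
    return min(abs(score(w, b, x)) for x, _ in data) / l1_norm(w)


def adversarial_parameters(w: Vector, data: List[Sample], delta: float) -> Vector:
    """Perturb w only on coordinates that are zero in every sample.
    Every score (hence accuracy) is unchanged, but ||w||_1 grows and the
    l_inf attack can now push on the newly non-zero weights."""
    dead = [i for i in range(len(w)) if all(x[i] == 0.0 for x, _ in data)]
    w_adv = list(w)
    for i in dead:
        w_adv[i] += delta
    return w_adv


def run(eps: float = 0.3, delta: float = 0.1) -> Dict[str, float]:
    """Compare clean and attacked model: accuracy, robust accuracy at budget
    eps, certified radius, and how small the parameter change was."""
    w_adv = adversarial_parameters(W_CLEAN, DATA, delta)
    return {
        "param_linf_change": max(abs(a - c) for a, c in zip(w_adv, W_CLEAN)),
        "clean_acc_before": accuracy(W_CLEAN, B, DATA),
        "clean_acc_after": accuracy(w_adv, B, DATA),
        "adv_acc_before": adversarial_accuracy(W_CLEAN, B, DATA, eps),
        "adv_acc_after": adversarial_accuracy(w_adv, B, DATA, eps),
        "radius_before": min_certified_radius(W_CLEAN, B, DATA),
        "radius_after": min_certified_radius(w_adv, B, DATA),
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name:20s} {value:.3f}")
```

With `delta = 0.1` (a tenth of the largest clean weight) and `eps = 0.3`, clean accuracy stays at 1.0 before and after, robust accuracy drops from 1.0 to 0.0, and the certified l_inf radius falls from 0.35 to 0.14. The practical check this suggests is the one the abstract implies accuracy alone will not give you: after loading or updating weights, measure robust accuracy (or a certified radius) on a held-out set, not just clean accuracy.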
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Integrated Circuits and Semiconductor Failure Analysis · Physical Unclonable Functions (PUFs) and Hardware Security
