Adversarial Robustness Assessment of NeuroEvolution Approaches

TL;DR

This paper evaluates the adversarial robustness of neuroevolved neural networks on CIFAR-10, revealing significant vulnerability to iterative attacks, with some models showing unexpected resistance under specific threat models.

Contribution

It provides the first systematic assessment of adversarial robustness for models generated by NeuroEvolution approaches, highlighting their vulnerabilities and the impact of pre-processing techniques.

Findings

Evolved models are highly vulnerable to iterative adversarial attacks.

DENSER model shows some resistance under L2 threat model.

Pre-processing can worsen robustness, affecting model design choices.

Abstract

NeuroEvolution automates the generation of Artificial Neural Networks through the application of techniques from Evolutionary Computation. The main goal of these approaches is to build models that maximize predictive performance, sometimes with an additional objective of minimizing computational complexity. Although the evolved models achieve competitive results performance-wise, their robustness to adversarial examples, which becomes a concern in security-critical scenarios, has received limited attention. In this paper, we evaluate the adversarial robustness of models found by two prominent NeuroEvolution approaches on the CIFAR-10 image classification task: DENSER and NSGA-Net. Since the models are publicly available, we consider white-box untargeted attacks, where the perturbations are bounded by either the L2 or the Linfinity-norm. Similarly to manually-designed networks, our results show that when the evolved models are attacked with iterative methods, their accuracy usually drops to, or close to, zero under both distance metrics. The DENSER model is an exception to this trend, showing some resistance under the L2 threat model, where its accuracy only drops from 93.70% to 18.10% even with iterative attacks. Additionally, we analyzed the impact of pre-processing applied to the data before the first layer of the network. Our observations suggest that some of these techniques can exacerbate the perturbations added to the original inputs, potentially harming robustness. Thus, this choice should not be neglected when automatically designing networks for applications where adversarial attacks are prone to occur.