Optimization for Robustness Evaluation beyond $\ell_p$ Metrics

TL;DR

This paper introduces PWCF, a new optimization framework that improves robustness evaluation of deep learning models by handling general attack models without hyperparameter tuning, surpassing traditional PGD limitations.

Contribution

The paper presents PWCF, a novel constrained-optimization solver that offers reliable solutions for robustness evaluation across diverse attack models, unlike PGD which is limited to specific norms.

Findings

PWCF effectively handles general $oldsymbol{ extit{ ext{l}}}_p$ and perceptual attacks.

PWCF requires no delicate hyperparameter tuning.

PWCF outperforms PGD in robustness evaluation.

Abstract

Empirical evaluation of deep learning models against adversarial attacks entails solving nontrivial constrained optimization problems. Popular algorithms for solving these constrained problems rely on projected gradient descent (PGD) and require careful tuning of multiple hyperparameters. Moreover, PGD can only handle $\ell_1$, $\ell_2$, and $\ell_\infty$ attack models due to the use of analytical projectors. In this paper, we introduce a novel algorithmic framework that blends a general-purpose constrained-optimization solver PyGRANSO, With Constraint-Folding (PWCF), to add reliability and generality to robustness evaluation. PWCF 1) finds good-quality solutions without the need of delicate hyperparameter tuning, and 2) can handle general attack models, e.g., general $\ell_p$ ($p \geq 0$) and perceptual attacks, which are inaccessible to PGD-based algorithms.