Efficient Adversarial Input Generation via Neural Net Patching
Tooba Khan, Kumar Madhukar, Subodh Vishnu Sharma

TL;DR
This paper introduces a novel, efficient method for generating adversarial inputs by leveraging neural network patching techniques, improving scalability and naturalness of adversarial examples in safety-critical applications.
Contribution
It proposes a new approach that uses neural net patching to generate adversarial inputs efficiently, addressing scalability and naturalness issues of prior methods.
Findings
Method outperforms prior state-of-the-art techniques
Generates more natural and effective adversarial inputs
Scales well to large neural networks
Abstract
The generation of adversarial inputs has become a crucial issue in establishing the robustness and trustworthiness of deep neural nets, especially when they are used in safety-critical application domains such as autonomous vehicles and precision medicine. However, the problem poses multiple practical challenges, including scalability issues owing to large-sized networks, and the generation of adversarial inputs that lack important qualities such as naturalness and output-impartiality. This problem shares its end goal with the task of patching neural nets where small changes in some of the network's weights need to be discovered so that upon applying these changes, the modified net produces the desirable output for a given set of inputs. We exploit this connection by proposing to obtain an adversarial input from a patch, with the underlying observation that the effect of changing the…
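Worked illustration of the patch-to-input idea the abstract states, added here as an example; it is not the authors' code, and the abstract's description of their construction is cut off on this page, so the specific mechanics below are assumptions. The toy network (3 inputs, 2 ReLU hidden units, 2 classes), the gradient-based step that stands in for the paper's patching procedure, and the minimum-norm solve are all constructed for this example. The one fact it demonstrates is linear-algebraic: a patch dW1 to the first layer changes the pre-activation by dW1·x, and any input perturbation delta with W1·delta = dW1·x reproduces exactly that change, so the unpatched net on x+delta behaves like the patched net on x. That equivalence holds only for a first-layer patch and needs W1 to have full row rank; it says nothing about whether delta is small or natural, which is the harder part of the problem.

```python
"""Added illustration: a first-layer weight patch turned into an input perturbation.
Not the paper's code; the toy net, the gradient-based patching step and the
min-norm solve are assumptions made for this example."""
from typing import List, Optional

Vec = List[float]
Mat = List[Vec]


def matvec(M: Mat, v: Vec) -> Vec:
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def forward(W1: Mat, b1: Vec, W2: Mat, b2: Vec, x: Vec):
    """One-hidden-layer ReLU net. Returns (first-layer pre-activation z, logits)."""
    z = [zi + bi for zi, bi in zip(matvec(W1, x), b1)]
    h = [max(0.0, zi) for zi in z]
    logits = [li + bi for li, bi in zip(matvec(W2, h), b2)]
    return z, logits


def predict(W1: Mat, b1: Vec, W2: Mat, b2: Vec, x: Vec) -> int:
    _, logits = forward(W1, b1, W2, b2, x)
    return max(range(len(logits)), key=logits.__getitem__)


def patch_first_layer(W1, b1, W2, b2, x, target, step=0.125, max_iter=40) -> Optional[Mat]:
    """Stand-in for a patching step (assumption, not the paper's method): move W1 along
    the gradient of the margin (target logit minus current logit) and grow the step
    until the patched net predicts `target` on x. Returns dW1, or None on failure."""
    z, _ = forward(W1, b1, W2, b2, x)
    cur = predict(W1, b1, W2, b2, x)
    v = [t - c for t, c in zip(W2[target], W2[cur])]      # d margin / d h
    dz = [vj if zj > 0 else 0.0 for vj, zj in zip(v, z)]   # ReLU mask
    grad = [[dzj * xk for xk in x] for dzj in dz]          # d margin / d W1
    for k in range(1, max_iter + 1):
        dW1 = [[k * step * g for g in row] for row in grad]
        W1p = [[w + d for w, d in zip(rw, rd)] for rw, rd in zip(W1, dW1)]
        if predict(W1p, b1, W2, b2, x) == target:
            return dW1
    return None


def solve(M: Mat, r: Vec) -> Vec:
    """Gaussian elimination with partial pivoting for a small non-singular system."""
    n = len(M)
    A = [row[:] + [ri] for row, ri in zip(M, r)]
    for c in range(n):
        p = max(range(c, n), key=lambda i: abs(A[i][c]))
        A[c], A[p] = A[p], A[c]
        for i in range(c + 1, n):
            f = A[i][c] / A[c][c]
            A[i] = [ai - f * ac for ai, ac in zip(A[i], A[c])]
    y = [0.0] * n
    for i in range(n - 1, -1, -1):
        y[i] = (A[i][n] - sum(A[i][j] * y[j] for j in range(i + 1, n))) / A[i][i]
    return y


def patch_to_input(W1: Mat, dW1: Mat, x: Vec) -> Vec:
    """Perturbation delta with W1 @ delta == dW1 @ x, so the unpatched net on x+delta
    has the same first-layer pre-activation as the patched net on x (hence the same
    output). Minimum-norm choice delta = W1^T (W1 W1^T)^-1 (dW1 x); needs full row rank."""
    r = matvec(dW1, x)
    G = [[sum(a * b for a, b in zip(ri, rj)) for rj in W1] for ri in W1]   # W1 W1^T
    y = solve(G, r)
    return [sum(W1[i][k] * y[i] for i in range(len(W1))) for k in range(len(x))]


# Constructed toy network and input (not from the paper): x is classified as 0.
W1 = [[1.0, 0.5, 0.0], [0.0, 1.0, 0.5]]
B1 = [0.0, 0.0]
W2 = [[1.0, -0.5], [-0.5, 1.0]]
B2 = [0.0, 0.0]
X = [1.0, 0.5, 0.0]


def demo() -> dict:
    src = predict(W1, B1, W2, B2, X)
    target = 1 - src
    dW1 = patch_first_layer(W1, B1, W2, B2, X, target)
    delta = patch_to_input(W1, dW1, X)
    x_adv = [xi + di for xi, di in zip(X, delta)]
    W1p = [[w + d for w, d in zip(rw, rd)] for rw, rd in zip(W1, dW1)]
    z_patched, _ = forward(W1p, B1, W2, B2, X)   # patched net on the original input
    z_adv, _ = forward(W1, B1, W2, B2, x_adv)    # original net on the adversarial input
    return {"source": src, "target": target, "adv_pred": predict(W1, B1, W2, B2, x_adv),
            "z_patched": z_patched, "z_adv": z_adv, "delta": delta}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` on the constructed net flips the prediction from class 0 to class 1 with delta approximately (-0.625, 0.3125, 0.3125), and the two pre-activation vectors agree to floating-point precision. For a deeper patch the same exact transfer is not available (the ReLU between layers is not invertible), which is one reason the abstract frames the scalability and naturalness of the resulting inputs as the open issues.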
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Neural Network Applications · Anomaly Detection Techniques and Applications
