Adversarial Attacks in Weight-Space Classifiers

TL;DR

This paper investigates the robustness of weight-space classifiers, especially those based on Implicit Neural Representations, against adversarial attacks, revealing increased robustness due to gradient obfuscation and introducing new attack methods.

Contribution

The study provides the first in-depth analysis of adversarial robustness in weight-space classifiers, highlighting their inherent robustness and limitations without robust training.

Findings

Weight-space classifiers show increased robustness to white-box attacks.

Gradient obfuscation during INR training contributes to robustness.

New adversarial attack suite effectively targets parameter-space classifiers.

Abstract

Implicit Neural Representations (INRs) have been recently garnering increasing interest in various research fields, mainly due to their ability to represent large, complex data in a compact, continuous manner. Past work further showed that numerous popular downstream tasks can be performed directly in the INR parameter-space. Doing so can substantially reduce the computational resources required to process the represented data in their native domain. A major difficulty in using modern machine-learning approaches, is their high susceptibility to adversarial attacks, which have been shown to greatly limit the reliability and applicability of such methods in a wide range of settings. In this work, we perform an in-depth security analysis of the behavior of weight-space classifiers under adversarial attacks. Our study reveals that parameter-space models trained for classification exhibit increased robustness to standard white-box adversarial attacks compared to standard classifiers that operate in the original signal space. This is achieved without the need of any robust training. We source this robust behavior to the phenomenon of gradient-obfuscation promoted during the INR optimization process, and pinpoint the limitations of this robustness under alternative adversarial approaches. To support our claims, we develop a novel suite of adversarial attacks targeting parameter-space classifiers, and furthermore analyze practical considerations of such attacks.