NERO-Net: A Neuroevolutionary Approach for the Design of Adversarially Robust CNNs

TL;DR

NERO-Net introduces a neuroevolutionary method to design CNN architectures with intrinsic adversarial robustness, achieving high post-attack accuracy without adversarial training during evolution.

Contribution

The paper presents a novel neuroevolutionary approach that isolates architecture influence on robustness, enabling the design of inherently robust CNNs without adversarial training during evolution.

Findings

Achieved 33% accuracy against FGSM with evolved architecture.

Post-training, the model reached 47% adversarial accuracy and 93% clean accuracy.

Adversarial training improved robustness to 40% against AutoAttack.

Abstract

Neuroevolution automates the complex task of neural network design but often ignores the inherent adversarial fragility of evolved models which is a barrier to adoption in safety-critical scenarios. While robust training methods have received significant attention, the design of architectures exhibiting intrinsic robustness remains largely unexplored. In this paper, we propose NERO-Net, a neuroevolutionary approach to design convolutional neural networks better equipped to resist adversarial attacks. Our search strategy isolates architectural influence on robustness by avoiding adversarial training during the evolutionary loop. As such, our fitness function promotes candidates that, even trained with standard (non-robust) methods, achieve high post-attack accuracy without sacrificing the accuracy on clean samples. We assess NERO-Net on CIFAR-10 with a specific focus on $L_\infty$-robustness. In particular, the fittest individual emerged from evolutionary search with 33% accuracy against FGSM, used as an efficient estimator for robustness during the search phase, while maintaining 87% clean accuracy. Further standard training of this individual boosted these metrics to 47% adversarial and 93% clean accuracy, suggesting inherent architectural robustness. Adversarial training brings the overall accuracy of the model up to 40% against AutoAttack.