Deep Learning Robustness Verification for Few-Pixel Attacks

Abstract

While successful, neural networks have been shown to be vulnerable to adversarial example attacks. In L 0 adversarial attacks, also known as few-pixel attacks, the attacker picks t pixels from the image and arbitrarily perturbs them. To understand the robustness level of a network to these attacks, it is required to check the robustness of the network to perturbations of every set of t pixels. Since the number of sets is exponentially large, existing robustness verifiers, which can reason about a single set of pixels at a time, are impractical for L 0 robustness verification. We introduce Calzone, an L 0 robustness verifier for neural networks. To the best of our knowledge, Calzone is the first to provide a sound and complete analysis for L 0 adversarial attacks. Calzone builds on the following observation: if a classifier is robust to any perturbation of a set of k pixels, for k > t , then it is robust to any perturbation of its subsets of size t . Thus, to reduce the verification time, Calzone predicts the largest k that can be proven robust, via dynamic programming and sampling. It then relies on covering designs to compute a covering of the image with sets of size k . For each set in the covering, Calzone submits its corresponding box neighborhood to an existing L ∞ robustness verifier. If a set’s neighborhood is not robust, Calzone repeats this process and covers this set with sets of size k ′< k . We evaluate Calzone on several datasets and networks, for t ≤ 5. Typically, Calzone verifies L 0 robustness within few minutes. On our most challenging instances (e.g., t =5), Calzone completes within few hours. We compare to a MILP baseline and show that it does not scale already for t =3.