Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Optimization by Directional Attacks: Solving Problems with Neural Network Surrogates

Pierre-Yves Bouchet, Thibaut Vidal

TL;DR

This work tackles optimization where the objective and constraints are defined through a trained neural network surrogate $\Phi$, possibly nonwhite-box, by introducing directional NN attacks to identify ascent directions along $\nabla f(\Phi(x))$. It then blends these attack-based steps with a derivative-free optimization method, cdsm, to achieve fast local improvement while ensuring convergence to a local solution under mild assumptions. The paper formalizes the attack operator, discusses practical construction when constraints exist, and proves convergence for the hybrid algorithm. Empirical results across three problems, including simulation-based optimization, counterfactual explanations, and bio-diesel production, show the hybrid method consistently outperforms standard DFO baselines, with the attack component providing strong early progress and cdsm delivering robust refinement.

Abstract

This paper tackles optimization problems whose objective and constraints involve a trained Neural Network (NN), where the goal is to maximize $f(Φ(x))$ subject to $c(Φ(x)) \leq 0$, with $f$ smooth, $c$ general and non-stringent, and $Φ$ an already trained and possibly nonwhite-box NN. We address two challenges regarding this problem: identifying ascent directions for local search, and ensuring reliable convergence towards relevant local solutions. To this end, we re-purpose the notion of directional NN attacks as efficient optimization subroutines, since directional NN attacks use the neural structure of $Φ$ to compute perturbations of $x$ that steer $Φ(x)$ in prescribed directions. Precisely, we develop an attack operator that computes attacks of $Φ$ at any $x$ along the direction $\nabla f(Φ(x))$. Then, we propose a hybrid algorithm combining the attack operator with derivative-free optimization (DFO) techniques, designed for numerical reliability by remaining oblivious to the structure of the problem. We consider the cDSM algorithm, which offers asymptotic guarantees to converge to a local solution under mild assumptions on the problem. The resulting method alternates between attack-based steps for heuristic yet fast local intensification and cDSM steps for certified convergence and numerical reliability. Experiments on three problems show that this hybrid approach consistently outperforms standard DFO baselines.

Optimization by Directional Attacks: Solving Problems with Neural Network Surrogates

TL;DR

This work tackles optimization where the objective and constraints are defined through a trained neural network surrogate , possibly nonwhite-box, by introducing directional NN attacks to identify ascent directions along . It then blends these attack-based steps with a derivative-free optimization method, cdsm, to achieve fast local improvement while ensuring convergence to a local solution under mild assumptions. The paper formalizes the attack operator, discusses practical construction when constraints exist, and proves convergence for the hybrid algorithm. Empirical results across three problems, including simulation-based optimization, counterfactual explanations, and bio-diesel production, show the hybrid method consistently outperforms standard DFO baselines, with the attack component providing strong early progress and cdsm delivering robust refinement.

Abstract

This paper tackles optimization problems whose objective and constraints involve a trained Neural Network (NN), where the goal is to maximize subject to , with smooth, general and non-stringent, and an already trained and possibly nonwhite-box NN. We address two challenges regarding this problem: identifying ascent directions for local search, and ensuring reliable convergence towards relevant local solutions. To this end, we re-purpose the notion of directional NN attacks as efficient optimization subroutines, since directional NN attacks use the neural structure of to compute perturbations of that steer in prescribed directions. Precisely, we develop an attack operator that computes attacks of at any along the direction . Then, we propose a hybrid algorithm combining the attack operator with derivative-free optimization (DFO) techniques, designed for numerical reliability by remaining oblivious to the structure of the problem. We consider the cDSM algorithm, which offers asymptotic guarantees to converge to a local solution under mild assumptions on the problem. The resulting method alternates between attack-based steps for heuristic yet fast local intensification and cDSM steps for certified convergence and numerical reliability. Experiments on three problems show that this hybrid approach consistently outperforms standard DFO baselines.

Paper Structure

This paper contains 35 sections, 3 theorems, 29 equations, 12 figures, 1 table, 2 algorithms.

Table of Contents

  1. Abstract:
  2. Keywords:
  3. Acknowledgements:
  4. Introduction
  5. Simulation-based optimization.
  6. Counterfactual explanations in decision-focused learning.
  7. Contributions.
  8. Notation.
  9. Related Literature
  10. Optimization Leveraging Directional NN Attacks
  11. Directional NN Attacks
  12. Background
  13. Formal Definition
  14. Numerical Tools
  15. Optimizing Through Directional NN Attacks
  16. ...and 20 more sections

Key Result

Proposition 1

Under Assumptions assumption:problem and assumption:attack_guarantees_ascent_directions, for all $x \in \mathbb{R}^n$, there exists $\overline{r}(x) > 0$ such that for all $r \in [0,\overline{r}(x)]$, every $d \in \texttt{attack}\xspace(x, r)$ is an ascent direction for Problem problem:P emanating f

Figures (12)

  • Figure 1: Targeted attack on ResNet18. (Left) Image of a Samoyed dog. (Centre left) Preprocessed image and its classification. (Centre right) Attack of the preprocessed image, targeting the class $"\mathrm{Crane}"$ and allowing to alter each pixel by at most $10^{-2}$ units, and its classification. (Right) Magnification of the image alteration performed by the attack.
  • Figure 2: \ref{['experiment:performance_algo']} in the Target Image Recovery problem from Section \ref{['section:numerical/barycenter_into_resnet']}.
  • Figure 3: \ref{['experiment:contribution_steps']} in the Target Image Recovery problem from Section \ref{['section:numerical/barycenter_into_resnet']}.
  • Figure 4: \ref{['experiment:potential_attack']} in the Target Image Recovery problem from Section \ref{['section:numerical/barycenter_into_resnet']}.
  • Figure 5: (First line) Warcraft map $\mathcal{W}_\mathrm{ini}$, its associated $\texttt{costmap}\xspace$ output, the lightest path $\mathrm{p}^*_\mathrm{ini}$ to reach the South-East from the North-West, and an alternative path $\mathrm{p}^\sharp$. (Second line) Similar displays for a counterfactual map $\mathcal{W}_\mathrm{cfa}$ with respect to $\mathrm{p}^\sharp$. This counterfactual is likely not optimal, since the two maps share limited similarities besides the surface of the mountainous area. Nevertheless, $\mathcal{W}_\mathrm{cfa}$ is well suited for $\mathrm{p}^\sharp$ since the mountain has a gorge exactly where $\mathrm{p}^\sharp$ crosses.
  • ...and 7 more figures

Theorems & Definitions (16)

  • Definition 1: Directional NN attack
  • Remark 1
  • Remark 2
  • Definition 2: attack operator
  • Proposition 1
  • Remark 3
  • Remark 4
  • Remark 5
  • Remark 6
  • Definition 3: practical attack operator
  • ...and 6 more