Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

NERO-Net: A Neuroevolutionary Approach for the Design of Adversarially Robust CNNs

Inês Valentim, Nuno Antunes, Nuno Lourenço

Abstract

Neuroevolution automates the complex task of neural network design but often ignores the inherent adversarial fragility of evolved models which is a barrier to adoption in safety-critical scenarios. While robust training methods have received significant attention, the design of architectures exhibiting intrinsic robustness remains largely unexplored. In this paper, we propose NERO-Net, a neuroevolutionary approach to design convolutional neural networks better equipped to resist adversarial attacks. Our search strategy isolates architectural influence on robustness by avoiding adversarial training during the evolutionary loop. As such, our fitness function promotes candidates that, even trained with standard (non-robust) methods, achieve high post-attack accuracy without sacrificing the accuracy on clean samples. We assess NERO-Net on CIFAR-10 with a specific focus on $L_\infty$-robustness. In particular, the fittest individual emerged from evolutionary search with 33% accuracy against FGSM, used as an efficient estimator for robustness during the search phase, while maintaining 87% clean accuracy. Further standard training of this individual boosted these metrics to 47% adversarial and 93% clean accuracy, suggesting inherent architectural robustness. Adversarial training brings the overall accuracy of the model up to 40% against AutoAttack.

NERO-Net: A Neuroevolutionary Approach for the Design of Adversarially Robust CNNs

Abstract

Neuroevolution automates the complex task of neural network design but often ignores the inherent adversarial fragility of evolved models which is a barrier to adoption in safety-critical scenarios. While robust training methods have received significant attention, the design of architectures exhibiting intrinsic robustness remains largely unexplored. In this paper, we propose NERO-Net, a neuroevolutionary approach to design convolutional neural networks better equipped to resist adversarial attacks. Our search strategy isolates architectural influence on robustness by avoiding adversarial training during the evolutionary loop. As such, our fitness function promotes candidates that, even trained with standard (non-robust) methods, achieve high post-attack accuracy without sacrificing the accuracy on clean samples. We assess NERO-Net on CIFAR-10 with a specific focus on -robustness. In particular, the fittest individual emerged from evolutionary search with 33% accuracy against FGSM, used as an efficient estimator for robustness during the search phase, while maintaining 87% clean accuracy. Further standard training of this individual boosted these metrics to 47% adversarial and 93% clean accuracy, suggesting inherent architectural robustness. Adversarial training brings the overall accuracy of the model up to 40% against AutoAttack.

Paper Structure

This paper contains 28 sections, 5 equations, 4 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Adversarial Robustness
  3. Related Work
  4. NERO-Net
  5. Overview of DENSER
  6. Fitness Function
  7. Warm-up Period
  8. Detection of Ill-Fitted Individuals
  9. Representation and Variation Operators
  10. Blocks of Layers
  11. Connections between Layers
  12. New Types for Real-Valued Parameters
  13. Training Time Mutation
  14. Initial Population
  15. Evolutionary Search
  16. ...and 13 more sections

Figures (4)

  • Figure 1: Snippet of a grammar with new rules for the convblock layer type.
  • Figure 2: An illustration of the connections between layers, assuming the number of levels back is 2. The original implementation does not allow layer 3 to have layer 1 as its only input (red connection). Layer 2 would always have to be an input of layer 3 (dashed red connection).
  • Figure 3: Grammar used in NERO-Net.
  • Figure 4: Evolution of the best individual per generation. The red dotted lines mark the transition based on the $\tau$ threshold.