Measuring the Robustness of Neural Networks via Minimal Adversarial Examples

Neural networks are highly sensitive to adversarial examples, which cause large 1 output deviations with only small input perturbations. However, little is known 2 quantitatively about the distribution and prevalence of such adversarial examples. 3 To address this issue, we propose a rigorous search method that provably finds the 4 smallest possible adversarial example. The key benefit of our method is that it 5 gives precise quantitative insight into the distribution of adversarial examples, and 6 guarantees the absence of adversarial examples if they are not found. The primary 7 idea is to consider the nonlinearity exhibited by the network in a small region of the 8 input space, and search exhaustively for adversarial examples in that region. We 9 show that the frequency of adversarial examples and robustness of neural networks 10 is up to twice as large as reported in previous works that use empirical adversarial 11 attacks. In addition, we provide an approach to approximate the nonlinear behavior 12 of neural networks, that makes our search method computationally feasible. 13Neural networks are not robust: Szegedy et al.[2013] first showed that neural networks can be made 14 to incorrectly classify correctly labeled inputs by perturbing the input by a small amount. Hence, 15 there are no safety and security guarantees when applying neural networks in real-world applications 16 (eg autonomous vehicles). A key issue is to compute objective measures for network robustness, eg 17 how many adversarial examples arise (frequency) and the size of (the smallest) adversarial example 18 (severity). However, this is challenging, as state-of-the-art …