REFIK CAN MALLI
Back to blog

Understanding Adversarial Attacks on Neural Networks

A deep dive into perturbation-based adversarial attacks, their mathematical foundations, and defense mechanisms.

deep-learning adversarial neural-networks research

Introduction

Adversarial attacks have become a critical area of research in deep learning security. These attacks demonstrate that even state-of-the-art neural networks can be fooled by carefully crafted perturbations that are often imperceptible to humans.

NOTE

This post covers the mathematical foundations of adversarial attacks. Familiarity with gradient-based optimization is helpful but not required.

WARNING

Adversarial examples can pose real security risks in deployed ML systems. Always consider robustness when deploying models in safety-critical applications.

Mathematical Foundation

The core idea behind adversarial attacks is to find a perturbation δ\delta that, when added to an input xx, causes the model to misclassify while keeping the perturbation small:

maximizeδL(f(x+δ),y)s.t.δpϵ\underset{\delta}{\text{maximize}} \quad \mathcal{L}(f(x + \delta), y) \quad \text{s.t.} \quad \|\delta\|_p \leq \epsilon

where L\mathcal{L} is the loss function, ff is the neural network, yy is the true label, and ϵ\epsilon bounds the perturbation magnitude.

Fast Gradient Sign Method (FGSM)

One of the simplest and most effective attacks is FGSM, introduced by Goodfellow et al. The perturbation is computed as:

δ=ϵsign(xL(θ,x,y))\delta = \epsilon \cdot \text{sign}(\nabla_x \mathcal{L}(\theta, x, y))

This single-step attack follows the gradient direction to maximize the loss.

Projected Gradient Descent (PGD)

PGD extends FGSM by iteratively applying smaller perturbations:

xt+1=Πx+S(xt+αsign(xL(θ,xt,y)))x^{t+1} = \Pi_{x + \mathcal{S}} \left( x^t + \alpha \cdot \text{sign}(\nabla_x \mathcal{L}(\theta, x^t, y)) \right)

where Π\Pi projects the result back onto the valid perturbation set S\mathcal{S}.

PGD Algorithm

The complete PGD attack algorithm can be expressed as follows:

Algorithm 1: Projected Gradient Descent Attack

Loading pseudocode...

Defense Mechanisms

Several defense strategies have been proposed:

  1. Adversarial Training: Augmenting training data with adversarial examples
  2. Input Preprocessing: Applying transformations to remove perturbations
  3. Certified Defenses: Providing provable robustness guarantees

Adversarial Training Algorithm

The standard adversarial training procedure can be formalized as:

Algorithm 2: Adversarial Training

Loading pseudocode...

Conclusion

Understanding adversarial attacks is crucial for deploying neural networks in safety-critical applications. The mathematical framework provides both insight into vulnerabilities and guidance for building more robust models.

This post is based on my thesis research at Politecnico di Milano on adversarial robustness of deep neural networks.

RC

Refik Can MALLI