Deep networks and convolutional neural networks enjoy high interest nowadays. They have become the state-ofart methods in many fields of machine learning, and have been applied to various problems, including image recognition, speech recognition, and natural language processing [ 5 ].

In [ 12 ] a counter-intuitive property of deep networks is described. It relates to the stability of a neural network with respect to small perturbation of their inputs. The paper shows that applying an imperceptible non-random perturbation to an input image, it is possible to arbitrarily change the network prediction. These perturbations are found by optimizing the input to maximize the prediction error. Such perturbed examples are known as adversarial examples. On some datasets, such as ImageNet, the adversarial examples were so close to the original examples that the differences were indistinguishable to the human eye.

Paper [ 4 ] suggests that it is the linear behaviour in highdimensional spaces what is sufficient to cause adversarial examples (for example, a linear classifier exhibits this behaviour too). They designed a fast method of generating adversarial examples (adding small vector in the direction of the sign of the derivation) and showed that adding these examples to the training set further improves the generalization of the model. In [ 4 ], in addition, the authors state that adversarial examples are relatively robust, and they generalize between neural networks with varied number of layers, activations, or trained on different subsets of the training data. In other words, if we use one neural network to generate a set of adversarial examples, these examples are also misclassified by another neural network even when it was trained with different hyperparameters, or when it was trained on a different set of examples. Another results of fooling deep and convolutional networks can be found in [ 10 ].

This paper examines a vulnerability to adversarial examples throughout variety of machine learning methods. We propose a genetic algorithm for generating adversarial examples. Though the evolution is slower than techniques described in [ 12, 4 ], it enables us to obtain adversarial examples even without the access to model’s weights. The only thing we need is to be able to query the network to classify a given example. From this point of view, the misclassification of adversarial examples represent a security flaw.

This paper is organized as follows. Section 2 brings a brief overview of machine learning models considered in this paper. Section 3 describes the proposed genetic algorithm. Section 4 describes the results of our experiments. Finally, Section 5 concludes our paper. 2 2.1

Deep and Shallow Architectures

Deep and Convolutional Networks Deep neural networks are feedforward neural networks with multiple hidden layers between the input and output layer. The layers typically have different units depending on the task at hand. Among the units, there are traditional perceptrons, where each unit (neuron) realizes a nonlinear function, such as the sigmoid function: y(z) = 1 tanh(z) or y(z) = 1+e−z . Another alternative to the perceptron is the rectified linear unit (ReLU): y(z) = max(0, z). Like the sigmoid neurons, rectified linear units can be used to compute any function, and they can be trained using algorithms such as back-propagation and stochastic gradient descent.

Convolutional layers contain the so called convolutional units that take advantage of the grid-like structure of the inputs, such as in the case of 2-D bitmap images, time series, etc. Convolutional units perform a simple discrete convolution operation, which – for 2-D data – can be represented by a matrix multiplication. Usually, to deal with large data (such as large images), the convolution is applied multiple times by sliding a small window over the data. The convolutional units are typically used to extract some features from the data, and they are often used together with the socalled max pooling layers that perform an input reduction by selecting one of many inputs, typically the one with maximal value. Thus, the overall architecture of a deep network for image classification tasks resembles a pyramid with smaller number of units in higher layers of the networks.

For the output layer, mainly for classification tasks, the softmax function: y(z) j = ∑kK=ez1jezk is often used. It has the advantage that the output values can be interpreted as probabilities of individual classes.

Networks with at least one convolutional layer are called convolutional neural networks (CNN), while networks with all hidden layers consisting of perceptrons are called multi-layer perceptrons (MLP). 2.2

RBF networks and Kernel Methods The history of radial basis function (RBF) networks can be traced back to the 1980s, particularly to the study of interpolation problems in numerical analysis [ 8 ]. The RBF network [3] is a feedforward network with one hidden layer realizing the basis functions and linear output layer. It represents an alternative to classical models, such as multilayer perceptrons. There is variety of learning methods for RBF networks [ 9 ].

In 1990s, a family of machine learning algorithms, known as kernel methods, became very popular. They have been applied to a number of real-world problems, and they are still considered to be state-of-the-art methods in various domains [ 14 ].

Based on theoretical results on kernel approximation, the popular support vector machine (SVM) [ 2, 13 ] algorithm was developed. Its architecture is similar to RBF – one hidden layer of kernel units and a linear output layer. The learning algorithm is different, based on search for a separating hyperplane with the highest margin. Common kernel functions used for SVM learning are linear hx, x′i, polynomial (γ hx, x′i + r)d , Gaussian exp(−γ |x − x′|2), and sigmoid tanh(γ hx, x′i + r).

Recently, due to popularity of deep architectures, such models with only one hidden layer are often referred to as shallow models. 3

To obtain an adversarial example for the trained machine learning model (such as a neural network), we need to optimize the input image with respect to network output. For this task we employ genetic algorithms (GA). GA represent a robust optimization method working with the whole population of feasible solutions [ 7 ]. The population evolves using operators of selection, mutation, and crossover. Both the machine learning model and the target output are fixed during the optimization.

Each individual represents one possible input vector, i.e. one image encoded as a vector of pixel values:

I = {i1, i2, . . . , iN }, where ii ∈< 0, 1 > are levels of grey, and N is the size of a flatten image. (For the sake of simplicity, we consider only greyscale images in this paper, but it can be seen that the same principle can be used for RGB images as well.)

The crossover operator performs a classical two-point crossover. The mutation introduces a small change to some pixels. With the probability pmutate_pixel each pixel is changed:

ii = ii + r, where r is drawn from Gaussian distribution. As a selection, the tournament selection with tournament size 3 is used.

The fitness function should reflect the following two criteria: 1. the individual should resemble the target image 2. if we evaluate the individual by our machine learning model, we aim to obtain a prescribed target output (i.e., misclassify it).

Thus, in our case, a fitness function is defined as: f (I) = −(0.5 ∗ cdist(I, target_image) + 0.5 ∗ cdist(model(I), target_answer)), where cdist is a Euclidean distance. 4

The goal of our experiments is to test various machine learning models and their vulnerability to adversarial examples. 4.1

We proposed a genetic algorithm for generating adversarial examples for machine learning models. Our experiment show that many machine models suffer from vulnerability to adversarial examples, i.e. examples designed to be misclassified. Some models are quite resistant to such behaviour, namely models with local units – RBF networks and SVMs with Gaussian kernels. It seems that it is the local behaviour of units that prevents the models from being fooled.

Adversarial examples evolved for one model are often misclassified also by some of other models, as was elaborated in the experiments.