Neural networks are prone to misclassify slightly modified input images. Recently, many defences have been proposed, but none have improved the robustness of neural networks consistently. Here, we propose to use adversarial attacks as a function evaluation to search for neural architectures that can resist such attacks automatically. Experiments on neural architecture search algorithms from the literature show that although accurate, they are not able to find robust architectures. A significant reason for this lies in their limited search space. By creating a novel neural architecture search with options for dense layers to connect with convolution layers and vice-versa as well as the addition of concatenation layers in the search, we were able to evolve an architecture that is inherently accurate on adversarial samples. Interestingly, this inherent robustness of the evolved architecture rivals state-ofthe-art defences such as adversarial training while being trained only on the non-adversarial samples. Moreover, the evolved architecture makes use of some peculiar traits which might be useful for developing even more robust ones. Thus, the results here confirm that more robust architectures exist as well as opens up a new realm of feasibilities for the development and exploration of neural networks.
Neural Architecture Search (NAS) and adversarial samples have rarely appeared together. Regarding adversarial samples, they were discovered in 2013 when neural networks were shown to behave strangely for nearly the same images [Szegedy, 2014]. Afterwards, a series of vulnerabilities were found in [Moosavi-Dezfooli et al., 2017; Su et al., 2019]. Such adversarial attacks can also be easily applied to real-world scenarios which confer a big problem for current deep neural networks’ applications. Currently, there is not any known learning algorithm or procedure that can defend against adversarial attacks consistently.
Regarding NAS, the automatic design of architectures has been of broad interest for many years. The aim is to develop methods that do not need specialists in order to be applied to a different application. This would confer not only generality but also easy of use. Most of the algorithms for NAS are either based on reinforcement learning [Pham et al., 2018; Zoph et al., 2018] or evolutionary computation [Real et al., 2017; Miikkulainen et al., 2019]. On the one hand, in reinforcement learning approaches, architectures are created from a sequence of actions which are afterwards rewarded proportionally to the crafted architecture’s accuracy. On the other hand, in evolutionary computation based methods, small changes in the architecture (mutations) and recombinations (crossover) are used to create new architectures. All architectures evolved are evaluated based on their accuracy. Some of the best architectures based on this accuracy are chosen to continue to the next generation.
Here we propose the use of NAS to tackle the robustness issues exposed by adversarial samples. In other words, architecture search will be employed not only to find accurate neural networks but also robust ones. This is based on the principle that robustness of neural networks can be assessed by using accuracy on adversarial samples as an evaluation function. We hypothesise that if there is a solution in a given architecture search space, the search algorithm would be able to find it. This is not only a blind search for a cure. The best architectures found should also hint which structures and procedures provide robustness for neural networks. Therefore, it would be possible to use the results of the search to understand further how to improve the representation of models as well as design yet more robust ones. 2
Adversarial machine learning is a constrained optimisation problem. Let f (x) 2 [[1::N ]] be the output of a machine learning algorithm in multi-label classification setting. Here, x 2 Rk is the input of the algorithm for the input of size k and N is the number of classes in which x can be classified. In Image Classification problem k = m n 3 where m n is the the size of the image. Adversarial samples x0 can be thus defined as follows: in which x 2 Rk is a small perturbation added to the input. Therefore, adversarial machine learning can be defined as an optimization problem1: minimize g(x + x)c x subject to k xk th (2) where th is a pre-defined threshold value and g()c is the softlabel or confidence for the correct class c such that f (x) = argmax g(x)
Moreover, attacks can be divided according to the function optimised. In this way, there are L0 (limited number of pixels attacked), L1, L2 and L1 (limited amount of variation in each pixel) types of attacks. There are many types of attacks as well as their improvements. Universal perturbation types of attacks were shown possible in which a single perturbation added to most of the samples is capable of fooling a neural network in most of the cases [MoosaviDezfooli et al., 2017]. Moreover, extreme attacks such as only modifying one pixel (L0 = 1) called one-pixel attack is also shown to be surprisingly effective [Su et al., 2019; Vargas and Kotyan, 2019]. Most of these attacks canbe easily transferred to real scenarios by using printed out versions of them [Kurakin et al., 2016]. Moreover, carefully crafted glasses [Sharif et al., 2016] or even general 3D adversarial objects are also capable of causing misclassification [Athalye and Sutskever, 2018]. Regarding understanding the phenomenon, it is argued in [Goodfellow et al., 2014] that neural networks’ linearity is one of the main reasons. Another recent investigation proposes the conflicting saliency added by adversarial samples as the reason for misclassification [Vargas and Su, 2019].
Many defensive systems were proposed to mitigate some of the problems. However, current solutions are still far from solving the problems. Defensive distillation [Papernot et al., 2016] uses a smaller neural network to learn the content from the original one; however, it was shown not to be robust enough [Carlini and Wagner, 2017]. The addition of adversarial samples to the training dataset, called adversarial training, was also proposed [Goodfellow et al., 2014; Huang et al., 2015; Madry et al., 2018]. However, adversarial training has a strong bias in the type of adversarial samples used and is still vulnerable to attacks Many recent variations of defences were proposed which are carefully analysed, and many of their shortcomings explained in [Athalye et al., 2018; Uesato et al., 2018]. In this article, different from previous approaches, we aim to tackle the robustness problems of neural networks by automatically searching for inherent robust architectures. 3
There are three components to a neural architecture search: search space, search strategy and performance estimation. A search space substantially limits the representation of the architecture in a given space. A search strategy must be employed to search for architectures in a defined search space. Some widely used search strategies for NAS are: Random 1Here the definition will only concern untargeted attacks but a similar optimization problem can be defined for targeted attacks Search, Bayesian Optimization, Evolutionary Methods, Reinforcement Learning, and Gradient Based Methods. Finally, a performance estimation (usually error rate) is required to evaluate the explored architectures.
Currently, most of the current NAS suffer from high computational cost while searching in a relatively small search space [Lee et al., 2018; Lima and Pozo, 2019].It is already shown in [Yu and Kim, 2018] that, if there is a possibility of fitness approximation at small search spaces, we could evolve algorithms in an ample search space. Moreover, many architecture searches focus primarily on the hyper-parameter search while using architecture search spaces around previously hand-crafted architecture [Lee et al., 2018; He et al., 2019] such as DenseNet which are proved to be vulnerable to adversarial attacks [Vargas and Kotyan, 2019]. Therefore, for finding robust architectures, it is crucial to expand the search space beyond the current NAS.
SMASH [Brock et al., 2017] uses a neural network to generate the weights of the primary model. The main strength of this approach lies in preventing high computational cost, which is incurred in other searches. However, this comes at the cost of not being able of tweaking hyperparameters which affect weights like initialisers and regularisers. Deep Architect [Negrinho and Gordon, 2017] follows a hierarchical approach using various search algorithms such as Monte Carlo Tree Search (MCTS) and Sequential Model based Global Optimization (SMBO). 4
A robust evaluation (defined in Section 4.1) and search algorithm must be defined to search for robust architectures. The search algorithm may be a NAS provided that some modifications are made (Section 4.2). However, to allow for a more extensive search space, which is better suited to the problem, we also propose the Robust Architecture Search (Section 5). 4.1
Adversarial accuracy may seem like a natural evaluation function for assessing neural networks’ robustness. However, there are many types of perturbations possible; each will result in a different type of robustness assessment and evolution. For example, let us suppose an evaluation with th = 5 is chosen, robust networks against th = 5 might be developed. At the same time, nothing can be said for other th and attack types (different L). Therefore, th plays a role but the different types of L0, L1, L2 and L1 completely change the type of robustness, such as wide perturbations (L1), punctual perturbations (L0) and a mix of both (L1 and L2). To avoid creating neural networks that are only robust against one type of robustness and at the same time to allow robustness to slowly build-up from any partial robustness, a set of adversarial attacks for varying th and L are necessary.
To evaluate the robustness of architectures in varying th and L while at the same time keeping computational cost low, we use here a transferable type of attack. In other words, adversarial samples previously found by attacking other methods are stored and used as possible adversarial samples to the current model under evaluation. This solves the problem that
Layer1 Layer4 Layer5 Layer16
most of the attacks are usually slow to be put inside a loop which can make the search for architectures too expensive.
Table 1 shows a summary of the number of images used from each type of attack, totalling 2812 adversarial samples. Samples were generated using the model agnostic dual quality assessment [Vargas and Kotyan, 2019]. Specifically, we use the adversarial samples from two types of attacks (L0 and L1 attacks) with two optimization algorithms (Covariance Matrix Adaptation Evolution Strategy (CMA-ES) [Hansen et al., 2003] and Differential Evolution (DE) [Storn and Price, 1997]). We use CIFAR-10 dataset [Krizhevsky et al., 2009] to generate the adversarial samples. We attacked traditional architectures such as ResNet [He et al., 2016] and CapsNet [Sabour et al., 2017]. We also attacked some state-of-artdefences such as Adversarial Training (AT) [Madry et al., 2018] and Feature Squeezing (FS) [Xu et al., 2017] defending ResNet. The evaluation procedure consists of calculating the amount of successful adversarial samples divided by the total of possible adversarial samples. This also avoids problems with different amount of perturbation necessary for attacks to succeed, which could cause incomparable results. 4.2
By changing the fitness function (in the case of evolutionary computation based NAS) or the reward function (in the case of reinforcement learning based NAS), it is possible to create robust search versions of NAS algorithms. In other words, it is possible to convert the search for accuracy into the search for robustness and accuracy. Here we use SMASH and DeepArchitect for the tests. The reason for the choice lies in the difference between the methods and availability of the code. Both methods have their evaluation function modified to contain not only accuracy but also robustness (Section 4.1). 5
Here, we propose an evolutionary algorithm to search for robust architectures called Robust Architecture Search (RAS)2. It makes sense to focus here on search spaces that allow for unusual layer types and their combinations to happen, which is more vast than the current traditional search spaces. The motivation to consider this vast search space is that some of the most robust architectures might contain these unusual combinations which are not yet found or deeply explored. RAS Overview RAS works by creating three initial populations (layer, block and model populations). Every generation, the model population have each of its members modified five times by mutations. The modified members are added to the population as new members. Here we propose a utility evaluation in which layer and block populations are evaluated by the number of models (architectures) using them. Models are evaluated by their accuracy and attack resilience (accuracy on adversarial samples). All blocks and layers which are 2Code is available at http://bit.ly/RobustArchitectureSearch Cluster Population Model1_1
Model1_2 Model2_1
Model2_2 Model25_1
Model25_2 not used by any of the current members of the model population are removed at the end step of each generation. Moreover, architectures compete with similar ones in their subpopulation, such that only the fittest of each subpopulation survives. 5.1
For such a vast search space to be more efficiently searched, we propose to use three subpopulations, allowing for the reuse of blocks and layers. Specifically, the layers consist of: Layer Population: Raw layers (convolutional and fully connected) which make up the blocks. Block Population: Blocks which are a combination of layers. Model Population: A population of architectures which consists of interconnected blocks. Figure 1 illustrates the architecture.
The initial population consists of 25 random architectures which contain U (2; 5) blocks made up of U (2; 5) layers, in which U (a; b) is a uniform random distribution with minimum a and maximum b values. The possible available parameters for the layers are as follows: for convolutional layers, filter size might be 8, 16, 32 or 64, stride size may be 1 or 2 and kernel size is either 1, 3 or 5; for fully connected layers, the unit size may assume the values of 64, 128, 256 or 512. All the layers use Rectified Linear Unit (ReLU) as an activation function and are followed by a batch-normalisation layer. 5.2
Regarding the mutation operators used to evolve the architecture, they can be divided into layer, block and model mutations which can only be applied to the respective layer, block and model populations’ individuals. The following paragraphs define the possible mutations.
Layer Mutation Layer mutations are of the following types: a) Change Kernel: Changes the kernel size of the convolution layer, b) Change Filter: Changes the filter size of the convolution layer, c) Change Units: Changes the unit size of the fully connected layer, d) Swap Layer: Chosen layer is swapped with a random layer from the layer population. Block Mutation Block mutation change a single block in the block population. The possibilities are: e) Add Layer: A random layer is added to a chosen random block, f) Remove Layer: A random layer is removed from a chosen random block, g) Add Layer Connection: A random connection between two layers from the chosen random block is added, h) Remove Layer Connection: A random connection between the two layers from the chosen random block is removed, i) Swap Block: Chosen block is swapped with a random block from the population.
Model Mutation Model mutation modify a given architecture. The possible model mutations are: j) Add Block: A random block is added to the model, k) Remove Block: A random block is removed from the model, l) Add Block connection: A random connection between the two blocks is added, m) Remove Block connection: A random connection between the two blocks is removed.
All mutations add a new member to the population instead of substituting the previous one. In this manner, if nothing is done, the population of layers and blocks may explode, increasing the number of lesser quality layers and blocks. This would cause the probability of choosing functional layers and blocks to decrease. To avoid this, when the layer or block population exceeds 100 individuals, the only layer/block mutation available is swap layers/blocks. 5.3
Fitness of an individual of the model population is measured using the final validation accuracy of the model after training for a maximum of 200 epochs with early stopping if accuracy or validation accuracy do not change more than 0:001 in the span of 15 epochs. Regarding the fitness calculation, the fitness is calculated as the accuracy of the model plus the robustness of the model (Fitness = Accuracy + Robustness).
The Accuracy of the architecture is calculated after the model is trained for 50 epochs over the whole set of samples (50000 samples) of the CIFAR-10’s training dataset for every 10 generation(s) or over 1000 random samples of the CIFAR-10 training dataset for all other generations. This allows an efficient evolution to happen in which blocks and layers evolve at a faster rate without interfering with the architecture’s accuracy. Using entire dataset subjects to evolving the architecture to have better accuracy and using a subset of the dataset evolves the layers and blocks of the architecture at a faster rate. The Robustness of the architecture is calculated using accuracy on adversarial samples as described in Section 4.1. To keep a high amount of diversity while searching in a vast search space by using a novel algorithm described below also shown in Figure 2. This niching scheme uses the idea of Spectrum-based niching from [Vargas and Murata, 2017] but explores a different approach to it. First, all the initial population is converted into a cluster population such that each individual in the initial population is a cluster representative. Then we create two child individuals for each cluster representative by randomly applying five mutation operators on cluster representative. We then find the closest cluster representative to the child individual using spectrum described below. If the fitness of the child individual is better than the closest cluster representative than the child individual becomes the new cluster representative, and the old cluster representative is removed from the population and the generation. The process is completed for all the individuals in a cluster population. We are hence evolving a generation of the evolution.
Here, we use the spectrum as a histogram containing the features: Number of Blocks, Number of Total Layers, Number of Block Connections, Number of Total Layer Connections, Number of Dense Layers, Number of Convolution Layers, Number of Dense to Dense Connections, Number of Dense to Convolution Connections, Number of Convolution to Dense Connections, and Number of Convolution to Convolution Connections. By using this Spectrum-based niching scheme, we aim to achieve an open-ended evolution, preventing the evolution from converging to a single robust architecture. Preserving diversity in the population ensures that the exploration rate remains relatively high, allowing us to find different architectures even after many evolution steps. For the vast search space of architectures, this property is especially important, allowing the algorithm to traverse the vast search space efficiently. 6
Architecture Search
Testing ER
ER on Adversarial Samples DeepArchitect* SMASH* Ours
Here, experiments are conducted on both the proposed RAS and converted versions of DeepArchitect and SMASH. The objective is to achieve the highest robustness possible using different types of architecture search algorithms and compare their result and effectiveness. Initially, DeepArchitect and Smash found architectures which had an error rate of 11% and 4% respectively when the fitness is only based on the neural network’s testing accuracy. However, when the accuracy on adversarial samples is included in the evaluation function, the final error rate increases to 25% and 23% respectively (Table 2). This may also indicate that poisoning the dataset might cause a substantial decrease in accuracy for the architectures found by SMASH and DeepArchitect. In the case of RAS, even with a more extensive search space, an error rate of 18% is achieved.
Regarding the robustness of the architectures found, Table 2 shows that the final architecture found by DeepArchitect and SMASH were very susceptible to attacks, with error rate on adversarial samples of 75% and 82% respectively. Despite the inclusion of the R (measured accuracy on adversarial samples) on the evaluation function, the architectures were still unable to find a robust architecture. This might be a consequence of the relatively small search space used and more focused initialisation procedures. Moreover, the proposed method (RAS) finds an architecture which has an error rate of only 42% on adversarial samples. Note, however, that in the case of the evolved architecture, this is an inherent property of the architecture found. The architecture is inherently robust without any kind of specialised training or defence such as adversarial training (i.e., the architecture was only trained on the training dataset). The addition of defences should increase its robustness further. 7
In this section, we will evaluate the proposed architecture regarding its evolution quality and how subpopulations behave throughout the process. Figure 3 shows how the mean accuracy of the architectures evolved increases over time. The pattern of behaviour is typical of evolutionary algorithms, showing that evolution is happening as expected.
In Figure 4, the overall characteristics of the evolved architectures throughout the generations are shown. The average number of blocks and the connections between them increase over the generations. However, the average number of layers never reaches the same complexity as the initial models. The number of layers decreases steeply initially while slowly increasing afterwards. Therefore, the overall behaviour is that blocks become smaller and numerous. A consequence of this is that the number of connections becomes proportional to the number of connections between blocks and therefore exhibit similar behaviour. The average number of layers per block and the average number of connections shows little change, varying only 0:5 and 0:16 respectively.
Notice that the average number of layers increases but the average number of layers per block continues to decrease albeit slowly. Consequently, blocks tend to degenerate into a few layers, resulting in around three layers per block from the first average number of 3:2 layers per block. Lastly, the average number of connections in a block is kept more or less the same, with the mean varying throughout only from 2:1 to 2:26. The behaviour described above might suggest that it is hard to create big reusable blocks. This seems to be supported by both the decrease of complexity observed as well as the increase in the number of blocks. 8
RAS found an architecture that possesses inherent robustness capable of rivalling current defences. To investigate the reason behind this robustness, we can take a more in-depth look at the architecture found. Figure 5 show(s) some peculiarities from the evolved architecture: multiple bottlenecks, projections into high-dimensional space and paths with different constraints.
Dimensional Space The first peculiarity is the use of Dense layers in-between Convolutional ones. This might seem like a bottleneck similar to the ones used in variational autoencoders. However, it is the opposite of a bottleneck (Figure 5); it is a projection in high-dimensional space. The evolved architecture uses mostly a low number of filters while, in some parts of it, high-dimensional projections exist. In the whole architecture, four Dense layers in-between Convolutional ones were used, and all of the projects into higher dimensional space. This follows directly from Cover’s Theorem which states that projecting into high dimensional space makes a training set linearly separable [Cover, 1965]. Paths with Different Constraints The second peculiarity is the use of multiple paths with the different number of filters and output sizes after high-dimensional projections. Notice how the number of filters differs in each of the Convolutional layers in these paths. This means there are different constraints over the learning in each of these paths, which should foster different types of features. Therefore, this is a multi-bottleneck structure forcing the learning of different sets of features which are now easily constructed from the previous high-dimensional projection. 9
Automatic search for robust architectures is proposed as a paradigm for developing and researching robust models. This paradigm is based on using adversarial attacks together with error rate as evaluation functions in NAS. Experiments on using this paradigm with some of the current NAS had poor results. This was justified by the small search space used by current methods. Here, we propose the RAS method, which has a broader search space, including concatenation, connections between dense to convolutional layer and viceversa. Results with RAS showed that inherently robust architectures do indeed exist. In fact, the evolved architecture achieved robust results comparable with state-of-the-art defences while not having any specialised training or defence. In other words, the evolved architecture is inherently robust. Such inherent robustness could increase if adversarial training, or other types of defence, or a combination of them are employed together with it.
Moreover, investigating the reasons behind such robustness have shown that some peculiar traits are present. The evolved architecture has overall a low number of filters and many bottlenecks. Multiple projections into high-dimensional space are also present to possibly facilitate the separation of features (Cover’s Theorem). It also uses multiple paths with different constraints after the high-dimensional projection, which should, consequently, cause a diverse set of features to be learned by the network. Thus, in the search space of neural networks, more robust architectures do exist, and more research is required to find and fully document them as well as their features.
This work was supported by JST, ACT-I Grant Number JP50243 and JSPS KAKENHI Grant Number JP20241216. Additionally, we would like to thank Prof. Junichi Murata for the kind support without which it would not be possible to conduct this research.