查看文章

While successful, neural networks have been shown to be vulnerable to adversarial example attacks. In L₀ adversarial attacks, also known as few-pixel attacks, the attacker picks t pixels from the image and arbitrarily perturbs them. To understand the robustness level of a network to these attacks, it is required to check the robustness of the network to perturbations of every set of t pixels. Since the number of sets is exponentially large, existing robustness verifiers, which can reason about a single set of pixels at a time, are impractical for L₀ robustness verification. We introduce Calzone, an L₀ robustness verifier for neural networks. To the best of our knowledge, Calzone is the first to provide a sound and complete analysis for L₀ adversarial attacks. Calzone builds on the following observation: if a classifier is robust to any perturbation of a set of k pixels, for k>t, then it is robust to any perturbation of its subsets of size t …