EFFECTIVE AND EFFICIENT VOTE ATTACK ON CAPSULE NETWORKS

Abstract

Standard Convolutional Neural Networks (CNNs) can be easily fooled by images with small quasi-imperceptible artificial perturbations. As alternatives to CNNs, the recently proposed Capsule Networks (CapsNets) are shown to be more robust to white-box attacks than CNNs under popular attack protocols. Besides, the class-conditional reconstruction part of CapsNets is also used to detect adversarial examples. In this work, we investigate the adversarial robustness of CapsNets, especially how the inner workings of CapsNets change when the output capsules are attacked. The first observation is that adversarial examples misled CapsNets by manipulating the votes from primary capsules. Another observation is the high computational cost, when we directly apply multi-step attack methods designed for CNNs to attack CapsNets, due to the computationally expensive routing mechanism. Motivated by these two observations, we propose a novel vote attack where we attack votes of CapsNets directly. Our vote attack is not only effective but also efficient by circumventing the routing process. Furthermore, we integrate our vote attack into the detection-aware attack paradigm, which can successfully bypass the class-conditional reconstruction based detection method. Extensive experiments demonstrate the superior attack performance of our vote attack on CapsNets.

1. INTRODUCTION

A hardly perceptible small artificial perturbation can cause Convolutional Neural Networks (CNNs) to misclassify an image. Such vulnerability of CNNs can pose potential threats to security-sensitive applications, e.g., face verification (Sharif et al., 2016) and autonomous driving (Eykholt et al., 2018). Besides, the existence of adversarial images demonstrates that the object recognition process in CNNs is dramatically different from that in human brains. Hence, adversarial examples have received increasing attention since they were introduced (Szegedy et al., 2014; Goodfellow et al., 2015). Many works show that network architectures play an important role in adversarial robustness (Madry et al., 2018; Su et al., 2018; Xie & Yuille, 2020; Guo et al., 2020). As alternatives to CNNs, Capsule Networks (CapsNets) have also been explored to resist adversarial images since they are more biologically inspired (Sabour et al., 2017). The CapsNet architectures are significantly different from those of CNNs. Under popular attack protocols, CapsNets are shown to be more robust to white-box attacks than counterpart CNNs (Hinton et al., 2018; Hahn et al., 2019). Furthermore, the reconstruction part of CapsNets is also applied to detect adversarial images (Qin et al., 2020). In image classification, CapsNets first extract primary capsules from the pixel intensities and transform them to make votes. The votes reach an agreement via an iterative routing process. It is not clear how these components change when CapsNets are attacked. By attacking output capsules directly, the robust accuracy of CapsNets is 17.3%, while it is reduced to 0 on the counterpart CNNs in the same setting. Additionally, it is computationally expensive to apply multi-step attacks (e.g., PGD (Madry et al., 2018)) to CapsNets directly, due to the costly routing mechanism. These two observations motivate us to propose an effective and efficient vote attack on CapsNets.
The contributions of our work can be summarised as follows: 1). We investigate the inner working changes of CapsNets when output capsules are attacked; 2). Motivated by the findings, we propose an effective and efficient vote attack; 3). We integrate the vote attack in the detection-aware attack to bypass class-conditional reconstruction based adversarial detection. The next section introduces background knowledge and related work. Sec. 3 and 4 investigate capsule attack and introduce our vote attack, respectively. The last two sections show experiments and our conclusions.

2. BACKGROUND KNOWLEDGE AND RELATED WORK

Capsule Networks The overview of CapsNets is shown in Figure 1. CapsNets first extract primary capsules $\mathbf{u}_i$ from the input image $\mathbf{x}$ with pure convolutional layers (or CNN backbones). Each primary capsule $\mathbf{u}_i$ is then transformed to make votes for high-level capsules. The voting process, also called the transformation process, is formulated as $\hat{\mathbf{u}}_{j|i} = \mathbf{W}_{ij}\mathbf{u}_i$. Next, a dynamic routing process is applied to identify weights $c_{ij}$ for the votes $\hat{\mathbf{u}}_{j|i}$, with $i \in \{1, 2, \dots, N\}$ corresponding to indices of primary capsules and $j \in \{1, 2, \dots, M\}$ to indices of high-level capsules. Specifically, the routing process iterates over the following three steps:

$$\mathbf{s}^{(t)}_j = \sum_{i=1}^{N} c^{(t)}_{ij}\,\hat{\mathbf{u}}_{j|i}, \qquad \mathbf{v}^{(t)}_j = g\big(\mathbf{s}^{(t)}_j\big), \qquad c^{(t+1)}_{ij} = \frac{\exp\big(b_{ij} + \sum_{r=1}^{t} \mathbf{v}^{(r)}_j \cdot \hat{\mathbf{u}}_{j|i}\big)}{\sum_k \exp\big(b_{ik} + \sum_{r=1}^{t} \mathbf{v}^{(r)}_k \cdot \hat{\mathbf{u}}_{k|i}\big)},$$

where the superscript $t$ indicates the index of iterations starting from 1, and $g(\cdot)$ is a squashing function (Sabour et al., 2017) that maps the length of the vector $\mathbf{s}_j$ into the range $[0, 1)$. The $b_{ik}$ is the log prior probability. Note that the routing process is the most expensive part of CapsNets. The final output capsules are computed as $\mathbf{v}_j = g\big(\sum_{i=1}^{N} c_{ij}\,\hat{\mathbf{u}}_{j|i}\big)$, where $c_{ij}$ is the output of the last routing iteration. The output capsules are represented by vectors, the length of which indicates the confidence of the entity's existence. In the training phase, the class-conditional reconstruction net reconstructs the input image from the capsule corresponding to the ground-truth class $t$, i.e., $\hat{\mathbf{x}} = r(\mathbf{v}_t)$. The reconstruction error $d(\mathbf{x}, \hat{\mathbf{x}}) = \|\mathbf{x} - \hat{\mathbf{x}}\|_2$ works as a regularization term. All the above notations will be used across this manuscript. To improve CapsNets (Sabour et al., 2017), various routing mechanisms have been proposed, such as (Hinton et al., 2018; Zhang et al., 2018; Hahn et al., 2019; Tsai et al., 2020).
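The voting and routing steps above, implemented as an added numpy example (not code from the paper or its authors) on constructed toy votes: the four votes for one class agree on a direction while the votes for the other class cancel out, so each routing iteration raises the coupling coefficients and the output-capsule length of the agreeing class. All function names and the toy votes are assumptions made for illustration.

```python
import numpy as np

def squash(s, eps=1e-8):
    # g(.) from Sabour et al. (2017): keep the direction of s, map its length into [0, 1)
    norm_sq = np.sum(s ** 2, axis=-1, keepdims=True)
    return (norm_sq / (1.0 + norm_sq)) * s / np.sqrt(norm_sq + eps)

def make_votes(u, W):
    # Voting (transformation) step: u_hat[i, j] = W[i, j] @ u[i]
    # u: (N, d_in) primary capsules; W: (N, M, d_out, d_in) transformation matrices
    return np.einsum('ijkl,il->ijk', W, u)

def dynamic_routing(u_hat, b=None, iters=3):
    # u_hat: (N, M, d_out) votes; b: (N, M) log priors b_ij (zeros if omitted)
    # Returns the output capsules v (M, d_out) and the coupling coefficients c (N, M)
    # produced by the last routing iteration, i.e. the c_ij that define v_j.
    N, M, _ = u_hat.shape
    logits = np.zeros((N, M)) if b is None else np.array(b, dtype=float)
    for _ in range(iters):
        c = np.exp(logits - logits.max(axis=1, keepdims=True))
        c /= c.sum(axis=1, keepdims=True)                    # softmax over high-level capsules k
        s = np.einsum('ij,ijk->jk', c, u_hat)                # s_j = sum_i c_ij u_hat_{j|i}
        v = squash(s)                                        # v_j = g(s_j)
        logits = logits + np.einsum('jk,ijk->ij', v, u_hat)  # accumulate agreement v_j . u_hat_{j|i}
    return v, c

def capsule_lengths(v):
    # The length of each output capsule is the confidence that the entity exists
    return np.linalg.norm(v, axis=-1)

def constructed_votes():
    # Constructed toy votes (not data from the paper): N = 4 primary capsules, M = 2
    # classes, 2-D votes. All four votes for class 0 agree on one unit direction; the
    # four votes for class 1 point in opposite directions and cancel out.
    u_hat = np.zeros((4, 2, 2))
    u_hat[:, 0, :] = np.array([0.6, 0.8])
    u_hat[:, 1, :] = np.array([[1, 0], [-1, 0], [0, 1], [0, -1]], dtype=float)
    return u_hat

if __name__ == "__main__":
    u_hat = constructed_votes()
    for iters in (1, 3):
        v, c = dynamic_routing(u_hat, iters=iters)
        print(iters, "iteration(s): capsule lengths", capsule_lengths(v).round(3),
              "coupling to class 0", c[:, 0].round(3))
```

With one iteration the coupling is uniform (0.5) and class 0 reaches length 0.8; after three iterations the coupling to class 0 rises to about 0.84 and its length to about 0.92, while class 1 stays at length 0 because its votes cancel. Each extra iteration repeats the full weighted sum over all N votes, which is the cost the paper refers to.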
The advanced techniques for building CNNs or GNNs have also been integrated into CapsNets successfully. For example, multi-head attention-based graph pooling is applied to replace the routing mechanism (Gu & Tresp, 2020b). CNN backbones are applied to extract more accurate primary capsules (Rajasegaran et al., 2019; Phaye et al., 2018). To understand CapsNets, (Gu & Tresp, 2020a) investigates the contribution of dynamic routing to robustness against input affine transformations. This work focuses on its contribution to adversarial robustness. (Hinton et al., 2018; Hahn et al., 2019) demonstrated the high adversarial robustness of CapsNets. However, it has been shown in (Michels et al., 2019) that the robustness does not hold for all attacks. In addition, many defense strategies proposed for CNNs are circumvented by later defense-aware white-box attacks (Athalye et al., 2018). Given this line of research, we argue that it is necessary to explore CapsNet architecture-aware attacks before we make any claim on the robustness.

Figure 1: The overview of Capsule Networks: the CapsNet architecture consists of four components, i.e., primary capsule extraction, voting, routing, and class-conditional reconstruction.

