Adversarial Perturbation Attacks on Nested Dichotomies Classification Systems

Abstract

The study of robustness of deep classifiers has exposed their vulnerability to perturbation attacks. Prior work has largely focused on adversarial attacks targeting one-stage-classifiers. By contrast, here we investigate the susceptibility of Nested Dichotomies Classifiers (NDCs), which decompose a multiclass problem into a collection of binary ones, to such types of individual attacks. First, we show that the overall regret of an NDC is the sum of regrets of the binary classifiers along the path from the root to the leaf nodes of these dichotomies. Then, we formulate an optimization program to generate perturbations fooling NDCs and propose an algorithmic solution based on a convex relaxation. A solution is obtained by developing an ADMM-based solver to the convex programs. The experiments show that NDCs are more robust than their single stage counterpart in that the optimal perturbations inducing misclassifications are more perceptible.