
Elastic-Net Attacks on Deep Neural Networks

Updated 28 June 2026
  • The paper introduces EAD, formulating adversarial example generation as an elastic-net regularized optimization to achieve high attack success rates and enhanced transferability.
  • EAD leverages a projected ISTA/FISTA algorithm to manage the non-differentiable L1 term, producing targeted sparse perturbations on select pixels.
  • Empirical results on MNIST, CIFAR-10, and ImageNet demonstrate EAD’s ability to reduce L1 distortion while maintaining competitive L2 and L∞ metrics.

The elastic-net attack to deep neural networks (EAD) is a white-box adversarial attack method that formulates adversarial example generation as an elastic-net regularized (combined $L_1$+$L_2$) optimization problem. EAD generalizes strong $L_2$-based attacks by incorporating an $L_1$ penalty, producing sparse but high-magnitude perturbations and yielding attack instances with greater transferability and complementary value for adversarial training. Empirical results on benchmark datasets demonstrate that EAD achieves high attack success rates (ASR), notably reduced $L_1$ distortion, and superior cross-model transfer compared to strictly $L_2$ or $L_\infty$-constrained attacks (Chen et al., 2017, Sharma et al., 2017).

1. Mathematical Formulation

EAD posits adversarial example generation as solving an elastic-net regularized optimization problem under a box constraint. For an original image $x_0 \in [0,1]^p$ (pixel values normalized to $[0,1]$) with ground-truth label $t_0$, and attack target L2L_20, the elastic-net attack seeks

L2L_21

where L2L_22, with L2L_23 the confidence margin parameter and L2L_24 trading off attack imperceptibility with misclassification success. Setting L2L_25 specializes EAD to the Carlini & Wagner (C&W) L2L_26 attack. For non-targeted attacks, L2L_27 can be the negative margin on the true class (Chen et al., 2017, Sharma et al., 2017).

The L2L_28 term penalizes the overall energy of the perturbation, while the L2L_29 term (weighted by L2L_20) imposes sparsity and localizes changes onto a small subset of pixels, capitalizing on visual insensitivity to concentrated alteration.

2. Optimization Algorithm

The presence of the non-differentiable L2L_21 term precludes pure gradient-based methods. EAD employs a projected iterative shrinkage-thresholding algorithm (ISTA), and typically its accelerated variant FISTA, to solve the elastic-net program under box constraints:

  1. Subgradient update: Compute the (sub)gradient of L2L_22 at current iterate.
  2. Gradient descent step: L2L_23 with adaptive learning rate L2L_24.
  3. Proximal shrinkage: Apply component-wise soft thresholding:

L2L_25

  4. Box projection: Clip L2L_26 to L2L_27.
  5. FISTA acceleration: Momentum update for L2L_28.

This inner loop is run up to L2L_29 times, embedded within a binary search for L1L_10 over 9 steps, beginning at L1L_11. Two decision rules are used for selecting successful adversarial examples: the "EN-rule" (minimum elastic-net objective among L1L_12 iterates), and the "L1-rule" (minimum L1L_13 distortion among L1L_14 iterates). L1L_15 is typically set manually, generally between L1L_16 and L1L_17, with L1L_18 providing a practical default (Chen et al., 2017, Sharma et al., 2017).
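The proximal shrinkage and box projection steps, as an added example that is not code from the paper or its authors, applied to one iterate and measured under several norms. The shrinkage formula did not survive on this page, so the piecewise form used here (threshold `beta` around `x0`, then clipping to `[0, 1]`) is an assumption, as are the names `shrink_project`, `ista_step`, `distortion`, `compare` and the constructed inputs.

```python
import math

def shrink_project(z, x0, beta):
    """Soft-threshold each component of z toward x0 by beta, then clip to [0, 1]."""
    out = []
    for zi, x0i in zip(z, x0):
        d = zi - x0i
        if d > beta:
            out.append(min(zi - beta, 1.0))
        elif d < -beta:
            out.append(max(zi + beta, 0.0))
        else:
            out.append(x0i)  # change no larger than beta: pixel snaps back to x0
    return out

def ista_step(x, x0, grad, alpha, beta):
    """One iteration: gradient step on the smooth part, then shrink and project."""
    z = [xi - alpha * gi for xi, gi in zip(x, grad)]
    return shrink_project(z, x0, beta)

def distortion(x, x0):
    """Perturbation size under several norms, as a multi-norm audit would report."""
    d = [a - b for a, b in zip(x, x0)]
    return {
        "L0": sum(1 for v in d if v != 0.0),
        "L1": sum(abs(v) for v in d),
        "L2": math.sqrt(sum(v * v for v in d)),
        "Linf": max(abs(v) for v in d),
    }

# Constructed 6-pixel "image" and a constructed gradient of the smooth part of
# the objective (no model involved). Values are dyadic so the arithmetic is exact.
X0 = [0.5, 0.5, 0.5, 0.5, 0.875, 0.125]
GRAD = [-4.0, 0.5, -0.25, 0.25, -2.0, 2.0]
ALPHA = 0.125

def compare(beta):
    """Take one step from X0 with the given threshold; return iterate and norms."""
    x1 = ista_step(X0, X0, GRAD, ALPHA, beta)
    return x1, distortion(x1, X0)

if __name__ == "__main__":
    for beta in (0.0, 0.0625):
        x1, dist = compare(beta)
        print(f"beta={beta}: x={x1} {dist}")
```

With `beta = 0` the step reduces to plain box projection and all six pixels move; with `beta = 0.0625` the three pixels whose change does not exceed the threshold are restored to their original values, which is where the sparsity comes from.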

3. Empirical Evaluation and Distortion Metrics

Attacks are performed and evaluated on MNIST (LeNet), CIFAR-10 (ResNet-like), and ImageNet (Inception-v3) models using 1,000 randomly selected test samples (MNIST/CIFAR-10) and 100 for ImageNet. Baseline methods include FGM (Fast Gradient Method) and I-FGM in L1L_19, L1L_10, and L1L_11 forms, as well as the C&W L1L_12 attack.

The following summarizes mean-case results across datasets (ASR = attack success rate):

| Dataset / Method | ASR (%) | $L_1$ | $L_2$ | $L_\infty$ |
|---|---|---|---|---|
| MNIST | | | | |
| C&W (L1L_16) | 100 | 22.46 | 1.97 | 0.514 |
| I-FGM-L1L_17 | 100 | 32.94 | 2.61 | 0.591 |
| EAD (EN) | 100 | 17.40 | 2.00 | 0.594 |
| EAD (L1L_18) | 100 | 14.11 | 2.21 | 0.768 |
| CIFAR-10 | | | | |
| C&W (L1L_19) | 100 | 13.62 | 0.392 | 0.044 |
| I-FGM-L2L_20 | 100 | 17.53 | 0.502 | 0.055 |
| EAD (EN) | 100 | 8.18 | 0.502 | 0.097 |
| EAD (L2L_21) | 100 | 6.07 | 0.613 | 0.17 |
| ImageNet | | | | |
| C&W (L2L_22) | 100 | 232.2 | 0.705 | 0.030 |
| I-FGM-L2L_23 | 77 | 526.4 | 1.609 | 0.054 |
| EAD (EN) | 100 | 69.47 | 1.563 | 0.238 |
| EAD (L2L_24) | 100 | 40.90 | 1.598 | 0.293 |

EAD achieves 100% ASR on all datasets. The L2L_25-minimizing variants produce significantly sparser perturbations than both I-FGM-L2L_26 and C&W. As L2L_27 increases, L2L_28 distortion decreases monotonically until a trade-off point, at the expense of increasing L2L_29 and LL_\infty0 norms.

4. Transferability and Adversarial Training

EAD adversarial examples display enhanced transferability across models:

  • Defensive distillation: EAD (LL_\infty1) and C&W (LL_\infty2) both maintain 100% ASR for distilled networks at all LL_\infty3 when run with LL_\infty4.
  • Cross-model transfer: On MNIST, EAD (EN) peaks at mean ASR LL_\infty5 at LL_\infty6, surpassing C&W (LL_\infty7 at LL_\infty8). I-FGM methods transfer poorly (LL_\infty9 ASR).
  • Adversarial training: Networks adversarially trained exclusively on x0[0,1]px_0 \in [0,1]^p0 (C&W) or x0[0,1]px_0 \in [0,1]^p1 (EAD) attacks raise respective distortion thresholds only for their own norm. Joint augmentation with both x0[0,1]px_0 \in [0,1]^p2 and x0[0,1]px_0 \in [0,1]^p3 attacks improves robustness in both measures beyond single-mode adversarial training, confirming complementarity of x0[0,1]px_0 \in [0,1]^p4-based perturbations (Chen et al., 2017).

5. Interpretability, Visual Distortion, and Metric Critique

EAD demonstrates that hard x0[0,1]px_0 \in [0,1]^p5 constraints, such as in the Madry Defense Model, can be evaded by permitting sparse, high-magnitude perturbations. EAD perturbations, focused on a limited set of pixels, can exhibit much higher x0[0,1]px_0 \in [0,1]^p6 while maintaining low x0[0,1]px_0 \in [0,1]^p7 and low perceptual distortion. Visualizations reveal that EAD concentrates changes along digit strokes or object edges, in contrast to PGD and FGM attacks, which diffuse small noise across all pixels. This finding undermines the sufficiency of x0[0,1]px_0 \in [0,1]^p8 as a proxy for human perceptual similarity. As shown in attacks on the Madry model, EAD with x0[0,1]px_0 \in [0,1]^p9 and [0,1][0,1]0 achieves targeted ASR [0,1][0,1]1 at [0,1][0,1]2, [0,1][0,1]3, [0,1][0,1]4, outperforming both PGD and C&W (Sharma et al., 2017).

6. Practical Implementation and Recommendations

  • Hyperparametrization: Binary search 9 steps on [0,1][0,1]5 (start at [0,1][0,1]6); inner FISTA with [0,1][0,1]7, [0,1][0,1]8, [0,1][0,1]9 decaying as t0t_00. Preferred t0t_01 in t0t_02; for transferability t0t_03 is effective. t0t_04 in t0t_05 balances visibility and transfer, with t0t_06 typically optimal.
  • Early stopping: Halt when a successful adversarial example with minimal objective is found.
  • Transfer augmentation: For high transferability, use an ensemble of multiple (e.g., three) naturally trained networks for crafting.
  • Pixel preprocessing: Normalize inputs to t0t_07 prior to attack generation (Chen et al., 2017, Sharma et al., 2017).

7. Security Implications and Research Directions

EAD exposes DNN vulnerabilities that are not detectable by restricting to t0t_08 or t0t_09 threat models alone. Sparse, high-magnitude perturbations can be highly effective, calling for the adoption of multi-norm analysis in security auditing. The elastic-net framework provides a constructive means of synthesizing diverse attack profiles, with clear implications for the development of robust classifiers. EAD simultaneously retains the ability to break strong defenses (defensive distillation), enhances attack transferability, and substantially augments adversarial training—suggesting that regularization with L2L_200 distortion is essential to both attacking and defending DNNs in adversarial settings (Chen et al., 2017, Sharma et al., 2017).
