
arxiv: 1906.09072 · v1 · pith:WRM44VSDnew · submitted 2019-06-21 · 💻 cs.CV

Evolution Attack On Neural Networks

Pith reviewed 2026-05-25 19:09 UTC · model grok-4.3

classification 💻 cs.CV
keywords adversarial examples · black-box attack · evolution strategy · neural networks · CMA-ES · image classification · pixel perturbation

The pith

Evolution algorithms optimize pixel perturbations to fool neural networks without gradients or model internals.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper formalizes adversarial example generation as an optimization task over per-pixel noise added to an image, then solves it in a black-box setting using only query access to the target classifier. It evaluates multiple evolution strategies on this task and reports that the covariance matrix adaptive evolution strategy produces the strongest results. Additional trials examine how different regularizations influence the quality of the generated perturbations. A reader would care because the work demonstrates that effective attacks remain possible when the defender withholds all gradient information.

Core claim

A covariance matrix adaptive evolution strategy solves the black-box optimization problem of finding image perturbations that cause misclassification and outperforms a simple genetic algorithm, parameter-exploring policy gradient, and OpenAI evolution strategy on the tested image classifiers.

What carries the argument

Covariance matrix adaptive evolution strategy applied to direct optimization of per-pixel perturbation values to maximize misclassification under black-box query access.

If this is right

  • Black-box attacks on image classifiers become feasible using only label or probability outputs from repeated queries.
  • Among tested evolution methods, CMA-ES yields the highest attack success rate for the perturbation optimization task.
  • Regularization terms applied during evolution can trade off between attack strength and visual imperceptibility of the resulting images.
  • The same optimization framing can be reused with other evolution algorithms if CMA-ES is unavailable.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The approach may extend to other input domains such as audio or text where gradient access is also restricted.
  • Success rates could degrade on models trained with adversarial defenses that were not evaluated here.
  • Query efficiency might improve by hybridizing CMA-ES with surrogate models built from previous queries.

Load-bearing premise

Black-box query access to the model is sufficient for evolution algorithms to locate pixel perturbations that reliably produce misclassifications.

What would settle it

Running CMA-ES on a standard image classifier for a fixed query budget and observing zero successful misclassifications across a test set of correctly classified images.
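
The optimization framing and the fixed-query-budget test described above, as an added example that is not code from the paper or from Pith: a plain (1+λ) evolution strategy, standing in for CMA-ES, searches per-pixel noise using only query access and is run at two noise bounds as a robustness check. The 16-pixel linear classifier, the input, the L2 regulariser weight `c` and all function and parameter names are constructed assumptions.

```python
import math
import random

# Constructed toy model under test: 2-class linear classifier over 16 "pixels".
W0 = [1.0 if i % 2 == 0 else -1.0 for i in range(16)]
CLEAN = [0.55 if i % 2 == 0 else 0.45 for i in range(16)]  # constructed input

def query(image):
    """Black-box interface: pixels in, class probabilities out, no gradients."""
    z = 2.0 * sum(w * p for w, p in zip(W0, image))  # logit gap, class 0 vs 1
    p0 = 1.0 / (1.0 + math.exp(-z))
    return [p0, 1.0 - p0]

def evolve_perturbation(image, eps, budget, lam=20, sigma=0.05, c=0.05, seed=0):
    """(1+lambda) evolution strategy over per-pixel noise with |delta_i| <= eps.

    Minimises P(true class | image + delta) + c * ||delta||_2 using only
    query(); stops at the first label change or when the budget is spent.
    """
    rng = random.Random(seed)
    probs = query(image)
    queries = 1
    true = probs.index(max(probs))
    best, best_fit = [0.0] * len(image), probs[true]
    while queries + lam <= budget:
        parent = best
        for _ in range(lam):
            child = [min(eps, max(-eps, d + rng.gauss(0.0, sigma))) for d in parent]
            candidate = [min(1.0, max(0.0, p + d)) for p, d in zip(image, child)]
            probs = query(candidate)
            queries += 1
            if probs.index(max(probs)) != true:
                return {"success": True, "queries": queries, "delta": child}
            fit = probs[true] + c * math.sqrt(sum(d * d for d in child))
            if fit < best_fit:  # elitist selection: keep the fittest seen so far
                best, best_fit = child, fit
    return {"success": False, "queries": queries, "delta": best}

def robustness_report(budget=801):
    """Run the same search at two noise bounds against the constructed model."""
    return {eps: evolve_perturbation(CLEAN, eps, budget) for eps in (0.01, 0.2)}

if __name__ == "__main__":
    for eps, res in robustness_report().items():
        print(f"eps={eps}: success={res['success']} after {res['queries']} queries")
```

At `eps=0.01` the largest possible shift of the weighted pixel sum is 16 × 0.01 = 0.16, below the clean margin of 0.8, so no query budget can change the label of this linear model; at `eps=0.2` the bound no longer protects it.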

Figures

Figures reproduced from arXiv: 1906.09072 by RuiJia Yang, Wei Sha, WeiYi Ding, YiGui Luo, YiSi Wang, YouTeng Sun.

Figure 1: Adversarial example generated by evolution attack. Left, original clean …

Figure 2: Ellipsoids depicting one-σ lines of equal density of six different normal distributions. Left: N(0, σI). Middle: N(0, D^2). Right: N(0, C). D is a diagonal matrix. C is a positive-definite covariance matrix which means it must face the "dimension explosion" problem with the increase in problem dimensionality. We submit that CMA-ES can improve the optimization efficiency to some extent. Compared to other E…

Figure 3: Explanation for CMA-ES evolution process, which is designed to find the minimum point of …

Original abstract

Many studies have been done to prove the vulnerability of neural networks to adversarial example. A trained and well-behaved model can be fooled by a visually imperceptible perturbation, i.e., an originally correctly classified image could be misclassified after a slight perturbation. In this paper, we propose a black-box strategy to attack such networks using an evolution algorithm. First, we formalize the generation of an adversarial example into the optimization problem of perturbations that represent the noise added to an original image at each pixel. To solve this optimization problem in a black-box way, we find that an evolution algorithm perfectly meets our requirement since it can work without any gradient information. Therefore, we test various evolution algorithms, including a simple genetic algorithm, a parameter-exploring policy gradient, an OpenAI evolution strategy, and a covariance matrix adaptive evolution strategy. Experimental results show that a covariance matrix adaptive evolution Strategy performs best in this optimization problem. Additionally, we also perform several experiments to explore the effect of different regularizations on improving the quality of an adversarial example.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The manuscript formalizes the generation of adversarial examples as a black-box optimization problem over pixel perturbations added to an input image. It evaluates several evolution strategies (simple genetic algorithm, parameter-exploring policy gradient, OpenAI ES, and CMA-ES) for solving this optimization without gradient access and reports that CMA-ES performs best; it additionally examines the impact of different regularizations on adversarial-example quality.

Significance. If the reported experiments hold, the result would indicate that CMA-ES is an effective gradient-free optimizer for pixel-level adversarial perturbations, offering a practical black-box attack method when only query access is available. This would add to the set of evolutionary approaches studied for adversarial robustness evaluation.

major comments (1)
  1. [Abstract] Abstract: The central claim that 'Experimental results show that a covariance matrix adaptive evolution Strategy performs best in this optimization problem' supplies no quantitative metrics, success rates, datasets, model architectures, query budgets, or baseline comparisons. This leaves the primary empirical finding without visible supporting evidence and is load-bearing for the manuscript's contribution.
minor comments (1)
  1. [Abstract] Abstract: 'we also perform several experiments' contains redundant wording.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for the detailed review. The single major comment concerns the abstract; we agree it should be strengthened with quantitative details and will revise accordingly while preserving the manuscript's core contribution on CMA-ES for black-box adversarial attacks.

Point-by-point responses
  1. Referee: [Abstract] Abstract: The central claim that 'Experimental results show that a covariance matrix adaptive evolution Strategy performs best in this optimization problem' supplies no quantitative metrics, success rates, datasets, model architectures, query budgets, or baseline comparisons. This leaves the primary empirical finding without visible supporting evidence and is load-bearing for the manuscript's contribution.

    Authors: We agree the abstract would be improved by including concrete metrics. The experiments section already reports results on standard datasets (MNIST, CIFAR-10) and architectures (LeNet, ResNet variants), with CMA-ES achieving higher attack success rates than the simple GA, PEPG, and OpenAI ES baselines under comparable query budgets; we will add representative numbers (e.g., success rates, average queries, and regularization effects) to the abstract in the revision. This addresses the visibility concern without altering the underlying claims.

    Revision: yes

Circularity Check

0 steps flagged

No significant circularity

Full rationale

The paper presents an empirical comparison of off-the-shelf black-box evolution strategies (genetic algorithm, parameter-exploring policy gradient, OpenAI ES, CMA-ES) applied to pixel-perturbation optimization for adversarial examples. No equations, derivations, formal proofs, or parameter-fitting steps are described in the abstract or claimed structure; the central result is a direct experimental ranking of algorithm performance under the standard black-box query model. No self-citations, ansatzes, or uniqueness theorems are invoked to support any derivation, and the work does not rename known results or smuggle assumptions via prior author work. The derivation chain is therefore empty, rendering circularity analysis inapplicable.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The paper rests on the domain assumption that black-box query access suffices for evolution-based optimization of adversarial perturbations; no free parameters, invented entities, or additional axioms are introduced in the abstract.

axioms (1)
  • domain assumption Evolution algorithms can optimize the perturbation generation problem without gradient information in a black-box setting.
    Stated directly in the abstract as the motivation for choosing evolution algorithms.

pith-pipeline@v0.9.0 · 5715 in / 1082 out tokens · 25516 ms · 2026-05-25T19:09:14.396800+00:00 · methodology
