The Generation of Visually Credible Adversarial Examples with Genetic Algorithms

3.2.1 Fitness Functions.

We consider the three norms prevalent in the MNIST neural network literature and a function introduced by Wachter et al. [2018]. We also consider a second, linearized version of each of these based on the work of Mannino and Koushik [2000]. Eight fitness functions were considered in total.

The three norms frequently used in the MNIST neural network literature to measure distance between a MNIST image \(x\) and an AE, \(x^\prime\), are \(\begin{eqnarray*} \ell _1 \left(x , x^\prime \right) & = & \Vert x - x^\prime \Vert _1 \\ & = & \sum _{j \in {\mathcal {P}}}{ \left| x_j - x^\prime _j \right|} \\ \ell _2 \left(x , x^\prime \right) & = & \Vert x - x^\prime \Vert _2 \\ & = & \left\lbrack \sum _{j \in {\mathcal {P}}}{ \left(x_j - x^\prime _j \right)^2} \right\rbrack ^{\frac{1}{2}} \\ \ell _\infty \left(x , x^\prime \right) & = & \Vert x - x^\prime \Vert _\infty \\ & = & \max _{j \in {\mathcal {P}}}{ \left| x_j - x^\prime _j \right|} , \end{eqnarray*}\) where the subscript \(j\) indicates pixel indices, \(j \in {\mathcal {P}} \equiv \left\lbrace 1 , \ldots , 784 \right\rbrace\). Although \(\ell _\infty\) is used most often as a constraint on maximum pixel value difference between a MNIST image and its AE, we considered it as a plausible objective function because constraints in optimization problems are sometimes absorbed into objective functions via Lagrangian multipliers.

Wachter et al. [2018] applied their distance function to numerical and categorical college admissions data to generate counterfactuals that humans would find plausibly similar to a reference input. We apply it here to purely numerical inputs. This function permits more difference between counterfactual and original MNIST pixel values when those pixel values exhibit more variation in the original dataset. In the MNIST context, for example, all image borders are black and any border pixels other than black in an AE would be an obvious deviation from a reference image. This function, accordingly, reduces the fitness function more significantly when border pixels vary from the ubiquitous black hue than for deviations from the reference image at other pixel locations where the dataset exhibits greater variation.

We apply the method from Wachter et al. [2018] to our context by measuring pixel value variation in MNIST at each pixel position based on the distribution of absolute differences between the pixel values and the median pixel value at that position. The median of that distribution is used as an indication of the variation: \(\begin{equation*} \mbox{MAD}_j = \mbox{median}{ \left\lbrace \left| x^m_j - \mbox{median}{ \left\lbrace x^i_j , \forall i \in {\mathcal {D}} \right\rbrace } \right| , \forall m \in {\mathcal {D}} \right\rbrace } . \end{equation*}\) A distance function between an AE and its MNIST reference can then be computed as the sum of absolute pixel differences normalized by \(\mbox{MAD} \equiv \lbrace \mbox{MAD}_j , j \in {\mathcal {P}}\rbrace\): (1) \(\begin{equation} \sum _{j \in {\mathcal {P}}}{\frac{| x_j - x^\prime _j|}{\mbox{MAD}_j}} . \end{equation}\)

Note that any \(\mbox{MAD}_j\) can be 0.0, however, if the pixels at that position \(j\) in all MNIST images are identical, as is the case for some border pixels. We avoid numerical computation issues in (1) by imposing a lower bound on MAD, \(\underline{\mbox{MAD}}\), to ensure a nonzero denominator, \(\begin{equation*} \widetilde{\mbox{MAD}}_j = \max {(\underline{\mbox{MAD}} , \mbox{MAD}_j)}, \end{equation*}\) and then rewrite the distance in (1) between an AE \(x^\prime\) and a MNIST image \(x\) as \( \begin{equation*} d_{\texttt {MAD}} \left(x , x^\prime \right) = \sum _{j \in {\mathcal {P}}}{\frac{\left| x_j - x^\prime _j \right|}{\widetilde{\mbox{MAD}}_j}} . \end{equation*} \) We will refer to this distance as MAD_Dist. This function decreases when differences in pixel values between two images decrease, but it is not a norm.

The intent of normalizing by \(\widetilde{\mbox{MAD}}_j\) is to promote visual similarity as can be demonstrated by considering the contribution of two pixel indices, \(j_1\) and \(j_2\), to \(d_{\texttt {MAD}} \left(x , x^\prime \right)\). Assume, for example, that the distributions of pixel values at these two indices, \(j_1\) and \(j_2\), are uniformly distributed on \([0.3, 0.7]\) and \([0.0, 1.0]\), respectively, with both medians equal to 0.5. Then, the lesser variation in the former index is reflected in \(\mbox{MAD}_{j_1} = 0.1\) versus \(\mbox{MAD}_{j_2}=0.25\) for the latter. Normalizing by MAD, in effect, creates a greater multiplier on pixel differences at \(j_1\) than at \(j_2,\) and using \(d_{\texttt {MAD}} \left(x , x^\prime \right)\) as a fitness function will put a greater emphasis on reducing the pixel difference at \(j_1\).

The canonical GA maximizes its fitness function while we want to minimize \(d_{\texttt {MAD}} \left(x , x^\prime \right)\) and the other norms. One way to recast distance as a fitness function is to maximize its reciprocal, as with these fitness functions: \(\begin{eqnarray*} f_1^R \left(x , x^\prime \right) & = & \frac{1}{\ell _1\left(x , x^\prime \right)} \\ f_2^R \left(x , x^\prime \right) & = & \frac{1}{\ell _2\left(x , x^\prime \right)} \\ f_\infty ^R \left(x , x^\prime \right) & = & \frac{1}{\ell _\infty \left(x , x^\prime \right)} \\ f^R_{\texttt {MAD}} \left(x , x^\prime \right) & = & \frac{1}{d_{\texttt {MAD}} \left(x , x^\prime \right)} , \end{eqnarray*}\) where the superscript \(R\) indicates the reciprocal of distance.

Another approach for creating fitness functions where “greater values are better” is to create a linear function by subtracting the distance from its maximum value as done by Mannino and Koushik [2000]: \(\begin{eqnarray*} f_1^L \left(x , x^\prime \right) & = & \max _{y \in \lbrack 0.0 , 1.0 \rbrack ^{784}}{\ell _1 \left(x , y \right)} - \ell _1\left(x , x^\prime \right) \\ f_2^L \left(x , x^\prime \right) & = & \max _{y \in \lbrack 0.0 , 1.0 \rbrack ^{784}}{\ell _2 \left(x , y \right)} - \ell _2\left(x , x^\prime \right) \\ f_\infty ^L \left(x , x^\prime \right) & = & \max _{y \in \lbrack 0.0 , 1.0 \rbrack ^{784}}{\ell _\infty \left(x , y \right)} - \ell _\infty \left(x , x^\prime \right) \\ f^L_{\texttt {MAD}} \left(x , x^\prime \right) & = & \max _{y \in \lbrack 0.0 , 1.0 \rbrack ^{784}}{d_{\texttt {MAD}} \left(x , y \right)} - d_{\texttt {MAD}} \left(x , x^\prime \right) , \end{eqnarray*}\) where the superscript \(L\) indicates a linear function of distance. The maximum distances are easily computed.

We evaluate both linear and reciprocal methods because selective pressure and convergence are sensitive to the relative fitness function values among the population, which are different with linear versus reciprocal functions. The reciprocal form causes the fittest phenotypes to have disproportionately better fitness values than with linear functions, thus increasing selective pressure. Whether the increased selective pressure is appropriate is a matter to be determined by experimentation.

3.2.2 Overall Selection.

Selection by proportional fitness, tournament selection, and ranking have been compared in the literature in terms of solution quality, computation complexity, and time for convergence. The computational complexity of computing fitness and the selection operator are dominated in our context by the computation time of classifying the population of AEs with the neural network, which is required for maintaining a feasible population. Accordingly, we prioritize solution quality and convergence.

Ranking selection converges more quickly on traveling salesperson problems than other operators [Razali et al. 2011], but proportional fitness has achieved comparable solution quality to ranking selection for small problems [Bala 2017; Razali et al. 2011]. Tournament selection converges more slowly, although it has less computational complexity [Razali et al. 2011] than proportionate and ranking selection, which have similar complexity [Goldberg and Deb 1991]. The computation time in each generation of our GA is dominated by classifying AEs with a neural network, so the complexity advantage offered by tournament ranking is likely to be less significant than the advantage of faster convergence so that fewer generations are required. We, consequently, included proportionate and ranking selection in our study.

In proportionate selection, we compute the probability of selecting each phenotype from the population, \(k \in {\mathcal {C}}\), as the ratio of the fitness of that \(k\)-th phenotype to the sum of the fitnesses over the entire population, when generating an AE for MNIST image \(x\), (2) \(\begin{equation} p^P_{*, \dagger , x} \left(k \right) = \frac{f_*^\dagger (x , x^{k^\prime })}{\sum _{k \in {\mathcal {C}}}{f_*^\dagger (x , x^{k \prime })}}, \end{equation}\) where \(P\) stands for proportionate ranking, \(*\) represents fitness function with either \(0, 1, \infty ,\) or \(\mbox{MAD}\), and \(\dagger \in \left\lbrace L,R \right\rbrace\) indicates either the linear or reciprocal form of a fitness function.

Baker [1985] suggested selection based on the rank of a population member’s fitness within the population. A variety of functions can be used to compute probability of selection from rank, including linear and nonlinear ones. We implemented a linear model after Baker and a nonlinear (exponential) model from Blickle and Thiele [1996]. Syswerda [1991] used a similar exponential function, but for deleting population members rather than selecting them for crossover. Assuming that the population members are sorted in ascending order of fitness and assigned an integer rank from the sequence \(k \in \left\lbrace 1 , \ldots , N \right\rbrace\) in that order, then the probability of selecting population member \(k\) for crossover in our linear model, as denoted with the superscript \(L\), is (3) \(\begin{equation} p_k^L = \frac{2k}{N \left(N+1 \right)} . \end{equation}\) This implies an expected number of the best and worst population members in the next generation of \(\frac{2N}{ N + 1 }\) and \(\frac{2}{ N + 1 }\), respectively, with a linearly decreasing expected number of selections between those two endpoints. The expected number of times that the fittest population member is selected for crossover is approximately 2. We implement nonlinear ranking with a parameter \(q\) as in the work of Blickle and Thiele [1996]: (4) \(\begin{equation} p_i^{NL} = \frac{q^{N-i}}{\sum _{i=1}^{N}{q^{N-i}}} , \end{equation}\) where the superscript \(NL\) denotes a nonlinear ranking scheme.

3.2.3 Elitist Selection.

Elitist selection is a tactic where one or more of the best-fit candidate solutions are retained from one generation to the next. Elitist selection tends to increase the convergence rate by making the best phenotypes persistently available for selection. We use elitist selection in a novel way, however, such that it may also contribute to increased diversity. Specifically, any AE is classified in one of 9 classes (10 minus 1), and we retain a single best-fit AE from each of the classes represented in the population, which will exclude the class of the reference MNIST image. The best-fit solution in the population is among those retained, but the best-fit solutions from other classes may not have good fitness levels and therefore contribute to diversity and the exploration of possible multiple optimal solutions, albeit at a slowed convergence rate similar to the effects of “inverse elitist selection” as described in the work of Corus et al. [2021].

GAs applied to constrained optimization problems can be designed to either permit infeasible candidate solutions in the population or not [Vidnerová and Neruda 2020]. In the former tactic, the fitness function might apply a penalty to infeasible phenotypes. In the latter tactic, as we have implemented, candidate solutions that are made infeasible by crossover and/or mutation are remedied by either resolving the infeasibility or replacing the candidate solution. Feasible candidate solutions in our case are images that the reference neural network classifies with a different label than the ground truth label of the reference MNIST image for which it is being derived. When crossover and mutation cause a candidate solution to be infeasible because it has the same label as the reference MNIST image, we replace those offspring with one of their parents with equal probability. Besides having assurance that the parent is feasible, the parent might be likely to have “good” genetic content if their offspring had the same label as the reference MNIST image. And so, this tactic might also act a form of elitist selection, thereby increasing selective pressure [Bäck and Hoffmeister 1991]. But, the primary motive for this tactic is to maintain a population of feasible candidate solutions rather than relying on chance that some AEs will be feasible or necessitating development of a scheme to resolve infeasible solutions while somehow not degrading their fitness.

Two classes of GAs have been defined where, in generational algorithms, all population members are replaced in each generation and, in steady state algorithms, only a few members are replaced in each generation [Syswerda 1991]. Our algorithm leans toward the former class of algorithms because all population members are replaced each generation, except those retained through elitist selection.

3.2.4 Reproduction and Crossover.

Effectively balancing exploration of the solution space and exploitation of current candidate solutions is of critical importance in the design of GAs. Excessive exploitation, for example, increases selective pressure and may cause premature convergence without appropriate exploration of alternate solutions. One design feature of our algorithm that favors exploration is that most offspring are created using crossover. Our approach was to keep the algorithm as simple as possible, so we used a single-point crossover with the crossover point uniformly distributed across the phenotype. This crossover mechanism motivated the flattened form of the MNIST image array to be used in the GA.

We denote the uniform crossover operator for AEs \(v\) and \(w\) as \( \begin{equation*} c \left(x^{v \prime } , x^{w \prime } \right) = \lbrack x^{v \prime }\lbrack 0 , d \rbrack , x^{w \prime }\lbrack d , 784 \rbrack {]}, \end{equation*} \) where \({\bf d}\) is an integer randomly selected from \([0, 784]\) with uniform probability on each integer, \(\lbrack \cdot , \cdot \rbrack\) denotes the concatenation of its arguments, and \(x \lbrack b , e \rbrack\) indicates elements \(b\) through \(e-1\) as in a Python slice.

3.2.5 Mutation Operators and Population Initialization.

We evaluated two mutation operators, RAND and MAD_Dist. RAND is naïve because it uses no contextual knowledge, whereas MAD_Dist is based on the MNIST dataset. RAND mutates an allele by simply replacing it with a uniform random variable on \(\lbrack 0.0, 1.0 \rbrack\).

The intent of MAD_Dist mutation is to minimize the number of pixels that are obviously altered by sampling from the distribution of pixel values for the pixel index being mutated from among those MNIST images with the same ground truth label. Its effect is that if all MNIST images have black borders, for example, then a border pixel mutated with MAD_Dist will be black. This method might render minimally conspicuous perturbations to reference MNIST images if the pixel value distributions vary among the different digits, as we might suspect they do. The effectiveness of this approach is still, nonetheless, subject to variation in handwriting among images of a particular classification.

Stated mathematically, if \({\mathcal {V}}_j\) is a set of the unique values in the MNIST training set at pixel position \(j\) and \({\mathcal {D}}_l \equiv \lbrace i \in {\mathcal {D}} | L (x^i) = l \rbrace\) is the set of indices for MNIST images having a label of \(l\), then the probability of pixel \(j\) being mutated to value \(v\) when generating an AE for MNIST image \(x^i\) is (5) \(\begin{equation} p_{i,j} \left(v \right) = \frac{\sum _{m \in {\mathcal {D}}_{L \left(x^i \right)}}{{\mathcal {I}}{\left(x^m_j , v \right)}}}{| {\mathcal {D}}_{L \left(x^i \right)}|} , v \in {\mathcal {V}}_j , \end{equation}\) where \({\mathcal {I}}{\left(w , z \right)} = 1\) if \(w=z\) and 0 otherwise.

Exploration and diversity were promoted by mutating each offspring phenotype with a probability of 0.7. Within a phenotype selected for mutation, the expected number of pixels mutated was 2. (These parameters were selected based on experimentation.) Specifically, a uniform random variable \({\bf urv}\) on \(\lbrack 0.0 , 1.0 \rbrack\) was selected for each allele, which was mutated independently if its respective random variable was \(\frac{2}{784}\) or less. These crossover and mutation rates, which might be considered to be high, supported diversity and balanced other design features that favored exploitation, including creating a minority of offspring by elitist selection as discussed previously.

Phenotypes were initialized pixel by pixel in each scenario using the mutation operator employed in that scenario. Phenotypes thus initialized were re-initialized if the label predicted by the reference neural network concurred with the ground truth label of the MNIST image for which an AE was being generated.

3.2.6 Reference Neural Networks.

The GA requires a neural network to classify members of the population to ensure they are feasible—that is, that their labels do not coincide with the ground truth label of the reference MNIST image. Upon initialization of the population, phenotypes are replaced if the reference neural network infers the same label as the target MNIST image, as described previously. Similarly, phenotypes are replaced if crossover and mutation yield offspring with the same classification as the MNIST image. AEs are specific to a particular reference neural network because one neural network might misclassify an input, whereas another might not. Thus, the characteristics of AEs will vary depending on the neural network employed. AEs are thus generated relative to a particular MNIST image and reference neural network.

We used two neural network architectures within the GAs. A Feedforward (FF) neural network and a Convolutional Neural Network (CNN) were motivated by a review of well-performing networks [Ciresan et al. 2011; Digit Recognizer 2020; LeCun et al. 2020]. The FF neural network had four layers with Batch Normalization (BN). Using common parlance in the neural network literature, its designation is 784-800-BN-400-BN-10. The CNN had eight layers: 1-32-BN-32-BN-P-64-BN-64-BN-P-256-BN-100-BN-10, where P denotes MaxPooling. We tried multiple training protocols with these networks including using just the MNIST training data, using adversarial training where the training data was augmented with AEs, and by elasticity deforming the training data. Ultimately, we used adversarial training with the FF network and elastically deformed images with the CNN. We verified the accuracy of these networks by training each network 100 times, as reported in Table 2.

In an FF neural network, information flows linearly from the input of the network, through intermediate computations used to define a function, and finally to the output. There are no feedback connections whereby outputs of the model are fed back into the model. A CNN classifies an image by assigning importance to various sub-patterns of pixels within the input image. The architecture of a CNN is analogous to that of the connectivity pattern of neurons in the human brain and was inspired by the organization of the visual cortex. CNNs are often used to classify images, so one might conjecture that they might also yield better AEs when used with a GA.

3.2.7 Remaining GA Parameters.

A population size of 1,000 provided sufficient diversity, whereas larger populations increased computation time without an apparent improvement in the quality of the AEs. Smaller populations resulted in degraded image quality. Similarly, 2,000 generations were sufficient to generate visually plausible adversarial images with many parameter sets, and a larger number of generations did not improve image quality.

3.2.8 Algorithm Summary.

The following bullet points summarize the GA parameters and a formal statement of our algorithm in shown in Algorithm 2. Although Algorithm 2 indicates multiply-nested loops, these operations were coded in a more efficient manner using the Python numpy package. The computational complexity of the GA is \({\mathcal {O}} \left(G N \right),\) where \(G\) is the number of generations and \(N\) is thepopulation size:

• Population size: 1,000 AEs

• Number of generations: \(G = 2,\!000\) generations

• Phenotype representation: One-dimensional array \(x^k\) of 784 pixels, indexed by \(k \in {\mathcal {C}} \equiv \lbrack 1 , 2000 \rbrack\)

• Allele representation: Floating-point values in phenotype \(k\), \(x^{k \prime }_j\) on \(\left[ 0.0, 1.0 \right]\) for \(j \in {\mathcal {P}}\)

• Fitness functions: \(f_1^L (\cdot), f_1^R (\cdot), f_2^L (\cdot), f_2^R (\cdot), f_\infty ^L (\cdot), f_\infty ^R (\cdot), f_{\texttt {MAD}}^L\), and \(f_{\texttt {MAD}}^R \left(\cdot \right)\)

• Selection operators: Proportionate fitness, linear ranking, nonlinear ranking

• Crossover probability: 1.0

• Crossover operator: Uniformly distributed single-point crossover

• Mutation probability (phenotype): Offspring were mutated with a probability of 0.7

• Mutation probability (allele): Each allele was mutated, independently, with probability of \(\frac{2}{784}\) in phenotypes selected for mutation

• Mutation operators: MAD_Dist and RAND

• Phenotype feasibility: Enforced at initialization and after crossover and mutation

• Population initialization: Each pixel was initialized using the mutation operator within a parameter set

• Elitist selection: The best-fit candidate solution for each possible MNIST classification (0–9) are held over into the next generation

• Minimum MAD: \(\underline{\mbox{MAD}} = 0.1.\)

3.2.9 Experimental Trials.

Experiments can be run for all combinations of the fitness, selection, and mutation methods we have outlined, but some are redundant. For example, the rank of population members is the same regardless of whether the linear or reciprocal form of a fitness functions is used, so the ranking selection methods need be run only for either the reciprocal or linear form of a fitness function. Table 3 indicates with an “X” each of 16 combinations of selection operators and fitness functions that avoid this redundancy. Specifically, the merged cells in the rows indicate where linear and reciprocal fitness forms are equivalent. We evaluated each of these scenarios in combination with two mutation operators, RAND and MAD_Dist, and two neural networks, FF and CNN. In total, then, we generated AEs with GAs for 64 parameter sets.

Running each of the 64 scenarios for all 60,000 MNIST images represents considerable computation time, and in any case, generating AEs for a smaller number of randomly selected MNIST images suffices for our survey of human subjects. Accordingly, we generated AEs for 500 randomly selected images, for each of the 64 scenarios.

3.2.10 Implementation.

The GA was implemented in Python using a parallel processing architecture: a “manager” program instantiated multiple “worker” processes, each of which independently generated an AE based on a reference image from the MNIST dataset using a pool of CPU cores on the high-performance computing cluster at William & Mary ( https://www.wm.edu/it/rc). The code used TensorFlow version 1.14. Each computing node contained two Intel Xeon E5-2640 v4 Broadwell 2.4-GHz chips with 20 cores. Although it is typical to use Graphical Processing Units (GPUs) with neural networks, a GPU cannot execute multiple threads simultaneously, and we found that parallel execution with multiple CPUs was faster than generating one AE at a time on a GPU. The code for the GA can be found online at https://github.com/jrb28/telo-2022-16 and is archived at https://zenodo.org/record/7562791.

5.2.1 Survey Question Scale.

Likert scales are often used to measure participant perception. We considered Likert scales with varying numbers of responses but settled on a binary, 2-point Likert scale because it best fit the task at hand. Although a greater number of responses from which to choose might, on its face, permit greater precision, we chose a binary response primarily because it had the potential of making responding easier and faster, thus reducing survey fatigue. These data also permit clear statistical analysis.

5.2.2 Data Integrity.

We anticipated that participants might have trouble keeping focused on the (repetitive) task, so we incorporated a mechanism to mitigate that tendency. This device was implemented by showing two red squares at random intervals rather than two MNIST-based images, as shown in Figure 2(b), to which the participants were instructed to respond by clicking on the button labeled “these images are red” rather than either of the responses that are relevant for comparing two images of digits. This alternate dialogue was shown, in expectation, 5% of the time, and it implicitly communicated to the participants that the researchers would be paying attention to whether their responses made sense and also provided a signal upon which some participants’ responses could be omitted from the analysis if a sufficient frequency of incorrect responses to this check suggested that an individual’s responses were unreliable. Training included a familiarization to this check as well as familiarization and practice opportunities for the screens with comparative images. Our goal with training was to not only familiarize participants with the task but also to permit them to develop their own sense of what “quite similar” and “quite different” meant. In that vein, training also provided a warm-up period from which data was not collected. The training required approximately 5 minutes to complete.

We used these responses as an indication of whether a participant was being sufficiently attentive to the survey, and in particular, we chose a rate of 10% incorrect responses as the threshold for including participants’ responses in our analysis. Our analysis omits the responses of 11 of the 109 participants whose responses to red squares were incorrect at a rate of 10% or greater.

5.2.3 Survey Pool.

We obtained approval from our institution’s Protection of Human Subjects Committee (PHSC), and we collected responses from 109 undergraduate and graduate students. Participants in the former group were taking a major or minor in business administration, whereas the latter group were from a Masters of Science in Business Analytics program. The identities of participants in both groups were not known to the researchers. Both groups received extra credit in a course in return for their participation.

6.4.1 Reference Neural Network.

CNNs are often used to classify images because their accuracy is often better than that of other neural network architectures such as simpler FF networks, so we might conjecture that a CNN would facilitate more visually similar AEs than FF networks. We find, however, no significant evidence that CNNs perform better than FF networks in that regard. Moreover, the GA computation time is significantly less for the smaller FF network (as reported in Section A.1.7), so using an FF network is the dominant choice for a reference neural network.

6.4.2 Fitness Function.

We tested the six pairwise combinations of the three best-performing fitness functions, which were L2, L1, and ML. None of the differences were statistically significant at the \(\alpha = 0.05\) level. Although the performance of these three fitness functions is statistically equivalent, we note that the L2 fitness function performed best with a proportion of “quite similar” that was perhaps a nontrivial 0.023 greater than the next best alternative, which is L1. Thus, one might prefer L2 based on descriptive statistics.

6.4.3 Selection Operator.

The two best selection operators were RNL and RL. The difference in these two operators’ proportion of “quite similar” responses was not statistically significant, although a regression analysis indicated that the proportion of “quite similar” responses for RNL was 0.077 greater than for RL. The RNL operator is therefore preferred.

6.4.4 Mutation Operator.

A combination of statistical tests and descriptive statistics indicate that random mutation is preferred over MAD_Dist mutation. Notably, 11 of the 12 best parameter sets in Table 5 employ random mutation.

7.2.1 Mutation Operators.

We tried two methods for generalizing random mutation from the MNIST dataset to CIFAR-10. We first investigated converting RGB-encoded pixels to an alternate color model, which is called the HSV (hue, saturation, and value) model. Grayscale images encoded in RGB for black, white, and medium gray, for example, are \((0.0,0.0,0.0)\), \((1.0,1.0,1.0),\) and \((0.5,0.5,0.5)\), respectively. In the HSV model, where hue describes the color, saturation describes the intensity of gray, and the value represents the brightness, the grayscale colors black, white, and medium gray are encoded as \((0.0,0.0,0.0)\), \((0.0,0.0,1.0)\), and \((0.0,0.0,0.5)\), respectively. Brightness is the only parameter that varies with HSV encodings of grayscale hues, so the mutation method used with MNIST could have been implemented equivalently using HSV by mutating the brightness value on \(\lbrack 0.0 , 1.0 \rbrack\). Using the HSV model to hold constant hue and saturation while mutating brightness is enticing for the CIFAR-10 dataset because it might permit a mutated pixel to be more consistent with the reference image color palette and, locally, with its neighboring pixels than if all three values in the RGB model were mutated, as is described next.

The second approach we investigated for mutating pixels, which might also be considered analogous with the method used with MNIST, is to choose three uniform random variables on \(\lbrack 0.0 , 1.0 \rbrack\), one for each of the RGB intensities. We found that this method, visually, was inferior to mutating brightness in the HSV model, because mutated pixels often seemed obviously out of place due to their hues being distinctly different from the surrounding pixels. Using brightness mutation with the HSV model does provide a better match with the color palette of the reference image, so we employed that method.

We did depart from the RAND mutation method used with MNIST images in that the brightness was not randomly selected but, instead, the pixel brightness of the reference CIFAR-10 image was randomly perturbed. This mutation variant could have been used with MNIST data, and we view it as a possible algorithmic improvement there rather than an indication that the same GA is not generally applicable. We found in sample runs that pixels thus mutated were less conspicuous than pixels whose brightness was randomly selected from the entire range \(\lbrack 0.0, 1.0 \rbrack\). We call this PRand mutation because pixels are mutated by Perturbing the reference image pixel by a Random differential, which can be either positive or negative. The details of PRand are described in the following after a description of some necessary preliminary notation.

We denote a CIFAR-10 image with the same notation used for MNIST with modifications for the different image array shape including that, now, \({\mathcal {P}} = \left\lbrace 1, \ldots , 3072 \right\rbrace\). Additionally, similarly with MNIST, \(x^i\) denotes the CIFAR-10 image with index \(i\), although now \(x^i \in \left(h , s , v \right)^{1024}\), where \(h,s,v \in \lbrack 0.0 , 1.0 \rbrack\) to accommodate the hue, saturation, and brightness values in the HSV model. Furthermore, denote the hue, saturation, and brightness of pixel \(j\) in CIFAR-10 image \(i\) by \(h^i_j , s^i_j , {\rm{and}}\, v^i_j\),respectively. We denote an AE for a CIFAR-10 image, by \(x^{\prime }\), as we did with MNIST, with the hue, saturation, and brightness values of its \(j\)-th pixel being \(h^{\prime }_j , s^{\prime }_j , {\rm{and}}\, v^{\prime }_j\), respectively. If pixel \(j\) of a CIFAR-10 image \(i\) is being mutated, then the mutated brightness element is (6) \(\begin{equation} v^{\prime }_j = \min { \left(\max {\left(v^i_j + \epsilon (0.5 - {\bf urv}), 0.0 \right)} , 1.0 \right)} , \end{equation}\) where \(\epsilon\) is the scale of the mutation. Furthermore, hue and saturation remain unchanged in the mutation: \(h^{\prime }_j = h^i_j, s^{\prime }_j = s^i_j\). Note that pixel brightness values are clipped to maintain feasible values on the interval \([0.0, 1.0]\)

The \(\texttt {MAD_Dist}\) mutation method suffered the same downside as did random mutation based on the RGB model where mutated pixels were often obvious because the dominant hues vary significantly among CIFAR-10 images. Although the hues in one image may be skewed toward browns and reds, another may be skewed toward yellows and greens such that a pixel selected from the former image for the mutation of a pixel in the latter image would stand out. We consequently chose not to explore the viability of \(\texttt {MAD_Dist}\) mutation for CIFAR-10 images. The \(\texttt {MAD_Dist}\) mutation method is one operator that was reasonably successful with the MNIST dataset that does not translate well to CIFAR-10.

7.3.1 Fitness, Selection, Reproduction, Crossover, and Benchmarks.

The multiple forms of the L1, L2, Linf, and \(\texttt {MAD_Dist}\) fitness functions are directly applicable to CIFAR-10 images. We evaluated all of these in our study with the exception of \(\texttt {MAD_Dist}\) because it is associated with \(\texttt {MAD}\) mutation, which we did not evaluate because of its poor visual similarity.

The same selection operators were evaluated for CIFAR-10 as were evaluated for MNIST. A single-point crossover operator was used on flattened phenotypes, as we used with MNIST. Consistent with the GA implementation for MNIST, each new generation consists of entirely new offspring, with the exceptions for those retained for elitist selection and those parents that are retained because their offspring are infeasible.