Impact of Low-Bitwidth Quantization on the Adversarial Robustness for Embedded Neural Networks

2019 International Conference on Cyberworlds (CW) Pub Date : 2019-09-27 DOI:10.1109/CW.2019.00057

Rémi Bernhard, Pierre-Alain Moëllic, J. Dutertre

{"title":"Impact of Low-Bitwidth Quantization on the Adversarial Robustness for Embedded Neural Networks","authors":"Rémi Bernhard, Pierre-Alain Moëllic, J. Dutertre","doi":"10.1109/CW.2019.00057","DOIUrl":null,"url":null,"abstract":"As the will to deploy neural network models on embedded systems grows, and considering the related memory footprint and energy consumption requirements, finding lighter solutions to store neural networks such as parameter quantization and more efficient inference methods becomes major research topics. Parallel to that, adversarial machine learning has risen recently, unveiling some critical flaws of machine learning models, especially neural networks. In particular, perturbed inputs called adversarial examples have been shown to fool a model into making incorrect predictions. In this paper, we investigate the adversarial robustness of quantized neural networks under different attacks. We show that quantization is not a robust protection when considering advanced threats and may result in severe form of gradient masking which leads to a false impression of security. However, and interestingly, we experimentally observe poor transferability capacities between full-precision and quantized models and between models with different quantization levels which we explain by the quantization value shift phenomenon and gradient misalignment.","PeriodicalId":117409,"journal":{"name":"2019 International Conference on Cyberworlds (CW)","volume":"28 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-09-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"10","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 International Conference on Cyberworlds (CW)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CW.2019.00057","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 10

Abstract

As the will to deploy neural network models on embedded systems grows, and considering the related memory footprint and energy consumption requirements, finding lighter solutions to store neural networks such as parameter quantization and more efficient inference methods becomes major research topics. Parallel to that, adversarial machine learning has risen recently, unveiling some critical flaws of machine learning models, especially neural networks. In particular, perturbed inputs called adversarial examples have been shown to fool a model into making incorrect predictions. In this paper, we investigate the adversarial robustness of quantized neural networks under different attacks. We show that quantization is not a robust protection when considering advanced threats and may result in severe form of gradient masking which leads to a false impression of security. However, and interestingly, we experimentally observe poor transferability capacities between full-precision and quantized models and between models with different quantization levels which we explain by the quantization value shift phenomenon and gradient misalignment.

查看原文本刊更多论文

低位宽量化对嵌入式神经网络对抗鲁棒性的影响

随着在嵌入式系统上部署神经网络模型的意愿的增长，以及考虑到相关的内存占用和能耗要求，寻找更轻的解决方案来存储神经网络，如参数量化和更高效的推理方法成为主要的研究课题。与此同时，对抗性机器学习最近兴起，揭示了机器学习模型的一些关键缺陷，尤其是神经网络。特别是，被称为对抗性示例的干扰输入已被证明可以欺骗模型做出错误的预测。本文研究了量化神经网络在不同攻击下的对抗鲁棒性。我们表明，在考虑高级威胁时，量化不是一个强大的保护，可能导致严重的梯度掩蔽，从而导致安全的错误印象。然而，有趣的是，我们在实验中观察到全精度模型与量化模型之间以及不同量化水平模型之间的可转移性较差，我们用量化值移位现象和梯度失调来解释这一现象。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2019 International Conference on Cyberworlds (CW)

自引率

0.00%

发文量