Feedback Learning for Improving the Robustness of Neural Networks

Song, Chang; Wang, Zuoguan; Li, Hai

doi:10.1109/icmla.2019.00124

Cited by 6 publications

(5 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Later, [43] finds that quantized DNNs are actually more vulnerable to adversarial attacks due to the error amplification effect, i.e., the magnitude of adversarial perturbation is amplified when passing through the DNN layers. To tackle this effect, [43,68] propose robustness-aware regularization methods for DNN training, and [69] retrains the network via feedback learning [70]. In addition, [55] searches for layerwise precision and [26] constructs a unified formulation to balance and enforce the models' robustness and compactness.…”

Section: Related Workmentioning

confidence: 99%

2-in-1 Accelerator: Enabling Random Precision Switch for Winning Both Adversarial Robustness and Efficiency

Zhao

et al. 2021

MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture

View full text Add to dashboard Cite

The recent breakthroughs of deep neural networks (DNNs) and the advent of billions of Internet of Things (IoT) devices have excited an explosive demand for intelligent IoT devices equipped with domainspecific DNN accelerators. However, the deployment of DNN accelerator enabled intelligent functionality into real-world IoT devices still remains particularly challenging. First, powerful DNNs often come at prohibitive complexities, whereas IoT devices often suffer from stringent resource constraints. Second, while DNNs are vulnerable to adversarial attacks especially on IoT devices exposed to complex real-world environments, many IoT applications require strict security. Existing DNN accelerators mostly tackle only one of the two aforementioned challenges (i.e., efficiency or adversarial robustness) while neglecting or even sacrificing the other. To this end, we propose a 2-in-1 Accelerator, an integrated algorithm-accelerator co-design framework aiming at winning both the adversarial robustness and efficiency of DNN accelerators. Specifically, we first propose a Random Precision Switch (RPS) algorithm that can effectively defend DNNs against adversarial attacks by enabling random DNN quantization as an in-situ model switch during training and inference. Furthermore, we propose a new precision-scalable accelerator featuring (1) a new precision-scalable MAC unit architecture which spatially tiles the temporal MAC units to boost both the achievable efficiency and flexibility and (2) a systematically optimized dataflow that is searched by our generic accelerator optimizer. Extensive experiments and ablation studies validate that our 2-in-1 Accelerator can not only aggressively boost both the adversarial robustness and efficiency of DNN accelerators under various attacks, but also naturally support instantaneous robustness-efficiency trade-offs adapting to varied resources without the necessity of DNN retraining. We believe our 2-in-1 Accelerator has opened up an exciting perspective for robust and efficient accelerator design. CCS CONCEPTS• Computer systems organization → Neural networks.

show abstract

Section: Related Workmentioning

confidence: 99%

2-in-1 Accelerator: Enabling Random Precision Switch for Winning Both Adversarial Robustness and Efficiency

Zhao

et al. 2021

MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture

View full text Add to dashboard Cite

show abstract

“…Decision Space: In [4], authors study the robustness of deep neural networks for the image domain with respect to unrestricted evasion attacks. Specifically, they analyze the model's behavior concerning class margins and improve the model's robustness by increasing the proportion of samples in vulnerable classes.…”

Section: Related Workmentioning

confidence: 99%

“…Moreover, it should be noted that there may be classes with overlapping or similar distributions that make the boundary shifting difficult. Instead of simply retraining the model using a portion of or the entire crafted examples [4], here, we propose a distance-based metric for selecting valid data points. It is a reliable metric as it helps us to fine-tune the behavior of a specific class without interfering with the performance of the adjacent classes.…”

Section: Robustness Improvement Using Cementioning

confidence: 99%

See 1 more Smart Citation

Analyzing and Improving the Robustness of Tabular Classifiers using Counterfactual Explanations

Rasouli

2021

2021 20th IEEE International Conference on Machine Learning and Applications (ICMLA)

View full text Add to dashboard Cite

Recent studies have revealed that Machine Learning (ML) models are vulnerable to adversarial perturbations. Such perturbations can be intentionally or accidentally added to the original inputs, evading the classifier's behavior to misclassify the crafted samples. A widely-used solution is to retrain the model using data points generated by various attack strategies. However, this creates a classifier robust to some particular evasions and can not defend unknown or universal perturbations. Counterfactual explanations are a specific class of post-hoc explanation methods that provide minimal modification to the input features in order to obtain a particular outcome from the model. In addition to the resemblance of counterfactual explanations to the universal perturbations, the possibility of generating instances from specific classes makes such approaches suitable for analyzing and improving the model's robustness. Rather than explaining the model's decisions in the deployment phase, we utilize the distance information obtained from counterfactuals and propose novel metrics to analyze the robustness of tabular classifiers. Further, we introduce a decision boundary modification approach using customized counterfactual data points to improve the robustness of the models without compromising their accuracy. Our framework addresses the robustness of black-box classifiers in the tabular setting, which is considered an under-explored research area. Through several experiments and evaluations, we demonstrate the efficacy of our approach in analyzing and improving the robustness of black-box tabular classifiers.

show abstract

“…is adversarially-trained by Madry et al [22], F.L. is retrained from the original model using feedback learning, as proposed in Song et al [32]. Although methods like feedback learning can minimize the quantization loss, the most effective and efficient way to improve adversarial robustness is still adversarial training.…”

Section: Adversarial Training and Quantizationmentioning

confidence: 99%

A Layer-wise Adversarial-aware Quantization Optimization for Improving Robustness

Song¹,

Ranjan²,

Li³

2021

Preprint

Self Cite

View full text Add to dashboard Cite

Neural networks are getting better accuracy with higher energy and computational cost. After quantization, the cost can be greatly saved, and the quantized models are more hardware friendly with acceptable accuracy loss. On the other hand, recent research has found that neural networks are vulnerable to adversarial attacks, and the robustness of a neural network model can only be improved with defense methods, such as adversarial training. In this work, we find that adversarially-trained neural networks are more vulnerable to quantization loss than plain models. To minimize both the adversarial and the quantization losses simultaneously and to make the quantized model robust, we propose a layer-wise adversarial-aware quantization method, using the Lipschitz constant to choose the best quantization parameter settings for a neural network. We theoretically derive the losses and prove the consistency of our metric selection. The experiment results show that our method can effectively and efficiently improve the robustness of quantized adversarially-trained neural networks.

show abstract

Feedback Learning for Improving the Robustness of Neural Networks

Cited by 6 publications

References 29 publications

2-in-1 Accelerator: Enabling Random Precision Switch for Winning Both Adversarial Robustness and Efficiency

2-in-1 Accelerator: Enabling Random Precision Switch for Winning Both Adversarial Robustness and Efficiency

Analyzing and Improving the Robustness of Tabular Classifiers using Counterfactual Explanations

A Layer-wise Adversarial-aware Quantization Optimization for Improving Robustness

Contact Info

Product

Resources

About