Towards Certificated Model Robustness Against Weight Perturbations

Weng, Tsui-Wei; Zhao, Pu; Liu, Sijia; Chen, Pin-Yu; Lin, Xue; Daniel, Luca

doi:10.1609/aaai.v34i04.6105

Cited by 21 publications

(14 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Multiple structured pruning approaches exist based on their pruning dimensions, including filter pruning (that prunes the whole filter), channel pruning (that prunes channels), column pruning (that prunes the same location in each filter of each layer), and connectivity and pattern pruning (that prunes both the channels and certain locations in each kernel simultaneously) Ma et al, 2019]. Despite the differences of these structured pruning methods, we support them on a uniform framework based on Alternating Direction Method of Multipliers (ADMM) [Boyd et al, 2011;Zhao et al, 2019b;Weng et al, 2020]. In general, the pruning optimization problem is formulated as,…”

Section: Structured Model Pruningmentioning

confidence: 86%

See 1 more Smart Citation

Towards Real-Time DNN Inference on Mobile Platforms with Model Pruning and Compiler Optimization

Niu

Zhao

Zhan

et al. 2020

Proceedings of the Twenty-Ninth International Joint Conference on Artificial Intelligence

Self Cite

View full text Add to dashboard Cite

High-end mobile platforms rapidly serve as primary computing devices for a wide range of Deep Neural Network (DNN) applications. However, the constrained computation and storage resources on these devices still pose significant challenges for real-time DNN inference executions. To address this problem, we propose a set of hardware-friendly structured model pruning and compiler optimization techniques to accelerate DNN executions on mobile devices. This demo shows that these optimizations can enable real-time mobile execution of multiple DNN applications, including style transfer, DNN coloring and super resolution.

show abstract

Section: Structured Model Pruningmentioning

confidence: 86%

“…The super resolution model mainly utilizes residual blocks with wider activation and linear low-rank convolution [Yu et al, 2018] trained on the DIV2K [Timofte et al, 2017] dataset. With structured pruning and compiler optimization, we implement the models on a Samsung Galaxy S10 mobile phone.…”

Section: Experiments and Demonstrationsmentioning

confidence: 99%

Towards Real-Time DNN Inference on Mobile Platforms with Model Pruning and Compiler Optimization

Niu

Zhao

Zhan

et al. 2020

Proceedings of the Twenty-Ninth International Joint Conference on Artificial Intelligence

Self Cite

View full text Add to dashboard Cite

show abstract

“…ADVBET is similar in spirit to training on adversarial examples which received considerable attention recently [20], [21], [45], [46]. Weight Robustness: Only few works consider weight robustness: [47] certify the robustness of weights with respect to L ∞ perturbations and [48] study Gaussian noise on weights. [11], [13] consider identifying and (adversarially) flipping few vulnerable bits in quantized weights.…”

Section: Low-voltage Random Bit Errors In Dnn Acceleratorsmentioning

confidence: 99%

“…This is particularly pronounced for low-precision, e.g., m = 4bits. ±1 47. 32.05 ±6 68.65 ±9.23 CLIPPING 0.1 4.82 6.95 ±0.24 8.93 ±0.46 12.22 ±1.29 PLCLIPPING 0.25 4.96 6.21 ±0.16 7.04 ±0.28 8.14 ±0.49 RANDBET 0.1 p=0.1 4.72 6.74 ±0.29 8.53 ±0.58 11.40 ±1.27 RANDBET 0.1 p=1 4.90 6.36 ±0.17 7.41 ±0.29 8.65 ±0.37 PLRANDBET 0.25 p=0.1 4.49 5.80 ±0.16 6.65 ±0.22 7.59 ±0.34 PLRANDBET 0.25 p=1 4.62 5.62 ±0.13 6.36 ±0.2 7.02 ±0.27 4bit CLIPPING 0.1 5.29 7.71 ±0.36 10.62 ±1.08 15.79 ±2.54 PLCLIPPING 0.25 4.63 6.15 ±0.16 7.34 ±0.33 8.70 ±0.62 RANDBET 0.1 p=1 5.39 7.04 ±0.21 8.34 ±0.42 9.77 ±0.81 PLRANDBET 0.25 p=1 4.83 5.95 ±0.12 6.65 ±0.19 7.48 ±0.32…”

mentioning

confidence: 99%

Random and Adversarial Bit Error Robustness: Energy-Efficient and Secure DNN Accelerators

Stutz¹,

Chandramoorthy²,

Hein³

et al. 2021

Preprint

View full text Add to dashboard Cite

Deep neural network (DNN) accelerators received considerable attention in recent years due to the potential to save energy compared to mainstream hardware. Low-voltage operation of DNN accelerators allows to further reduce energy consumption significantly, however, causes bit-level failures in the memory storing the quantized DNN weights. Furthermore, DNN accelerators have been shown to be vulnerable to adversarial attacks on voltage controllers or individual bits. In this paper, we show that a combination of robust fixed-point quantization, weight clipping, as well as random bit error training (RANDBET) or adversarial bit error training (ADVBET) improves robustness against random or adversarial bit errors in quantized DNN weights significantly. This leads not only to high energy savings for low-voltage operation as well as low-precision quantization, but also improves security of DNN accelerators. Our approach generalizes across operating voltages and accelerators, as demonstrated on bit errors from profiled SRAM arrays, and achieves robustness against both targeted and untargeted bit-level attacks. Without losing more than 0.8%/2% in test accuracy, we can reduce energy consumption on CIFAR10 by 20%/30% for 8/4-bit quantization using RANDBET. Allowing up to 320 adversarial bit errors, ADVBET reduces test error from above 90% (chance level) to 26.22% on CIFAR10.

show abstract

“…Recently, maliciously altered weights are used to introduce of a specific backdoor [26,35]. Few works exist to defend malicious change to the weights in general, not only related to backdoor introduction [76,87].…”

Section: Adversarial Machine Learningmentioning

confidence: 99%

Mental Models of Adversarial Machine Learning

Bieringer¹,

Grosse²,

Backes³

et al. 2021

Preprint

View full text Add to dashboard Cite

Although machine learning (ML) is widely used in practice, little is known about practitioners' actual understanding of potential security challenges. In this work, we close this substantial gap in the literature and contribute a qualitative study focusing on developers' mental models of the ML pipeline and potentially vulnerable components. Studying mental models has helped in other security fields to discover root causes or improve risk communication. Our study reveals four characteristic ranges in mental models of industrial practitioners. The first range concerns the intertwined relationship of adversarial machine learning (AML) and classical security. The second range describes structural and functional components. The third range expresses individual variations of mental models, which are neither explained by the application nor by the educational background of the corresponding subjects. The fourth range corresponds to the varying levels of technical depth, which are however not determined by our subjects' level of knowledge. Our characteristic ranges have implications for the integration of AML into corporate workflows, security enhancing tools for practitioners, and creating appropriate regulatory frameworks for AML.

show abstract

Towards Certificated Model Robustness Against Weight Perturbations

Cited by 21 publications

References 18 publications

Towards Real-Time DNN Inference on Mobile Platforms with Model Pruning and Compiler Optimization

Towards Real-Time DNN Inference on Mobile Platforms with Model Pruning and Compiler Optimization

Random and Adversarial Bit Error Robustness: Energy-Efficient and Secure DNN Accelerators

Mental Models of Adversarial Machine Learning

Contact Info

Product

Resources

About