Deploying convolutional neural networks (CNNs) on resource-constrained, embedded hardware constitutes challenges in bal- ancing task-related accuracy and resource-efficiency. For safety-critical applications, a third optimization objective is crucial, namely the robust- ness of CNNs. To address these challenges, this paper investigates the tri- partite optimization problem of task-related accuracy, resource-efficiency, and adversarial robustness of CNNs by utilizing multi-bit networks (MBNs). To better navigate the tripartite optimization space, this work thoroughly studies the design space of MBNs by varying the number of weight and activation bases. First, the pro-active defensive model MBN3x1 is identified, by conducting a systematic evaluation of the design space. This model achieves better adversarial accuracy (+10.3pp) against the first-order attack PGD-20 and has 1.3× lower bit-operations, with a slight degradation of natural accuracy (–2.4pp) when compared to a 2-bit fixed-point quantized implementation of ResNet-20 on CIFAR- 10. Similar observations hold for deeper and wider ResNets trained on different datasets, such as CIFAR-100 and ImageNet. Second, this work shows that the defensive capability of MBNs can be increased by adopt- ing a state-of-the-art adversarial training (AT) method. This results in an improvement of adversarial accuracy (+13.6pp) for MBN3×3, with a slight degradation in natural accuracy (–2.4pp) compared to the costly full-precision ResNet-56 on CIFAR-10, which has 7× more bit- operations. To the best of our knowledge, this is the first paper high- lighting the improved robustness of differently configured MBNs and providing an analysis on their gradient flows.
Adversarial Robustness of Multi-bit Convolutional Neural Networks / Frickenstein, L.; Sampath, S. B.; Mori', Pierpaolo; Vemparala, M. -R.; Fasfous, N.; Frickenstein, A.; Unger, C.; Passerone, C.; Stechele, W.. - STAMPA. - (2024), pp. 157-174. (Intervento presentato al convegno IntelliSys 2023) [10.1007/978-3-031-47715-7_12].
Adversarial Robustness of Multi-bit Convolutional Neural Networks
Mori Pierpaolo;Passerone C.;
2024
Abstract
Deploying convolutional neural networks (CNNs) on resource-constrained, embedded hardware constitutes challenges in bal- ancing task-related accuracy and resource-efficiency. For safety-critical applications, a third optimization objective is crucial, namely the robust- ness of CNNs. To address these challenges, this paper investigates the tri- partite optimization problem of task-related accuracy, resource-efficiency, and adversarial robustness of CNNs by utilizing multi-bit networks (MBNs). To better navigate the tripartite optimization space, this work thoroughly studies the design space of MBNs by varying the number of weight and activation bases. First, the pro-active defensive model MBN3x1 is identified, by conducting a systematic evaluation of the design space. This model achieves better adversarial accuracy (+10.3pp) against the first-order attack PGD-20 and has 1.3× lower bit-operations, with a slight degradation of natural accuracy (–2.4pp) when compared to a 2-bit fixed-point quantized implementation of ResNet-20 on CIFAR- 10. Similar observations hold for deeper and wider ResNets trained on different datasets, such as CIFAR-100 and ImageNet. Second, this work shows that the defensive capability of MBNs can be increased by adopt- ing a state-of-the-art adversarial training (AT) method. This results in an improvement of adversarial accuracy (+13.6pp) for MBN3×3, with a slight degradation in natural accuracy (–2.4pp) compared to the costly full-precision ResNet-56 on CIFAR-10, which has 7× more bit- operations. To the best of our knowledge, this is the first paper high- lighting the improved robustness of differently configured MBNs and providing an analysis on their gradient flows.File | Dimensione | Formato | |
---|---|---|---|
intellisys23_final.pdf
non disponibili
Tipologia:
2a Post-print versione editoriale / Version of Record
Licenza:
Non Pubblico - Accesso privato/ristretto
Dimensione
395.8 kB
Formato
Adobe PDF
|
395.8 kB | Adobe PDF | Visualizza/Apri Richiedi una copia |
_Accept__IntelliSys23___Adversarial_Robustness_of_MBNs.pdf
embargo fino al 30/01/2025
Tipologia:
2. Post-print / Author's Accepted Manuscript
Licenza:
PUBBLICO - Tutti i diritti riservati
Dimensione
761.56 kB
Formato
Adobe PDF
|
761.56 kB | Adobe PDF | Visualizza/Apri Richiedi una copia |
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
https://hdl.handle.net/11583/2987509