Robust CNN Compression Framework for Security-Sensitive Embedded Systems

Convolutional neural networks (CNNs) have achieved tremendous success in solving complex classification problems. Motivated by this success, there have been proposed various compression methods for downsizing the CNNs to deploy them on resource-constrained embedded systems. However, a new type of vulnerability of compressed CNNs known as the adversarial examples has been discovered recently, which is critical for security-sensitive systems because the adversarial examples can cause malfunction of CNNs and can be crafted easily in many cases. In this paper, we proposed a compression framework to produce compressed CNNs robust against such adversarial examples. To achieve the goal, our framework uses both pruning and knowledge distillation with adversarial training. We formulate our framework as an optimization problem and provide a solution algorithm based on the proximal gradient method, which is more memory-efficient than the popular ADMM-based compression approaches. In experiments, we show that our framework can improve the trade-off between adversarial robustness and compression rate compared to the existing state-of-the-art adversarial pruning approach.

Download Full-text

Generating Adversarial Examples with Adversarial Networks

Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence ◽

10.24963/ijcai.2018/543 ◽

2018 ◽

Cited By ~ 65

Author(s):

Chaowei Xiao ◽

Bo Li ◽

Jun-yan Zhu ◽

Warren He ◽

Mingyan Liu ◽

...

Keyword(s):

Deep Neural Networks ◽

State Of The Art ◽

Black Box ◽

Generative Adversarial Networks ◽

Perceptual Quality ◽

Small Magnitude ◽

Adversarial Networks ◽

Original Target ◽

Adversarial Examples ◽

Adversarial Training

Deep neural networks (DNNs) have been found to be vulnerable to adversarial examples resulting from adding small-magnitude perturbations to inputs. Such adversarial examples can mislead DNNs to produce adversary-selected results. Different attack strategies have been proposed to generate adversarial examples, but how to produce them with high perceptual quality and more efficiently requires more research efforts. In this paper, we propose AdvGAN to generate adversarial exam- ples with generative adversarial networks (GANs), which can learn and approximate the distribution of original instances. For AdvGAN, once the generator is trained, it can generate perturbations efficiently for any instance, so as to potentially accelerate adversarial training as defenses. We apply Adv- GAN in both semi-whitebox and black-box attack settings. In semi-whitebox attacks, there is no need to access the original target model after the generator is trained, in contrast to traditional white-box attacks. In black-box attacks, we dynamically train a distilled model for the black-box model and optimize the generator accordingly. Adversarial examples generated by AdvGAN on different target models have high attack success rate under state-of-the-art defenses compared to other attacks. Our attack has placed the first with 92.76% accuracy on a public MNIST black-box attack challenge.

Download Full-text

Generating Adversarial Examples for Holding Robustness of Source Code Processing Models

Proceedings of the AAAI Conference on Artificial Intelligence ◽

10.1609/aaai.v34i01.5469 ◽

2020 ◽

Vol 34 (01) ◽

pp. 1169-1176

Author(s):

Huangzhao Zhang ◽

Zhuo Li ◽

Ge Li ◽

Lei Ma ◽

Yang Liu ◽

...

Keyword(s):

Programming Languages ◽

State Of The Art ◽

Source Code ◽

Natural Languages ◽

Current State ◽

Automated Processing ◽

Adversarial Examples ◽

Adversarial Training ◽

New Challenges ◽

And Performance

Automated processing, analysis, and generation of source code are among the key activities in software and system lifecycle. To this end, while deep learning (DL) exhibits a certain level of capability in handling these tasks, the current state-of-the-art DL models still suffer from non-robust issues and can be easily fooled by adversarial attacks.Different from adversarial attacks for image, audio, and natural languages, the structured nature of programming languages brings new challenges. In this paper, we propose a Metropolis-Hastings sampling-based identifier renaming technique, named \fullmethod (\method), which generates adversarial examples for DL models specialized for source code processing. Our in-depth evaluation on a functionality classification benchmark demonstrates the effectiveness of \method in generating adversarial examples of source code. The higher robustness and performance enhanced through our adversarial training with \method further confirms the usefulness of DL models-based method for future fully automated source code processing.

Download Full-text

Bidirectional Adversarial Training for Semi-Supervised Domain Adaptation

Proceedings of the Twenty-Ninth International Joint Conference on Artificial Intelligence ◽

10.24963/ijcai.2020/130 ◽

2020 ◽

Author(s):

Pin Jiang ◽

Aming Wu ◽

Yahong Han ◽

Yunfeng Shao ◽

Meiyu Qi ◽

...

Keyword(s):

Additional Data ◽

Domain Adaptation ◽

State Of The Art ◽

Powerful Method ◽

Target Domain ◽

Unsupervised Domain Adaptation ◽

Benchmark Datasets ◽

Adversarial Examples ◽

Adversarial Training ◽

Effective Use

Semi-supervised domain adaptation (SSDA) is a novel branch of machine learning that scarce labeled target examples are available, compared with unsupervised domain adaptation. To make effective use of these additional data so as to bridge the domain gap, one possible way is to generate adversarial examples, which are images with additional perturbations, between the two domains and fill the domain gap. Adversarial training has been proven to be a powerful method for this purpose. However, the traditional adversarial training adds noises in arbitrary directions, which is inefficient to migrate between domains, or generate directional noises from the source to target domain and reverse. In this work, we devise a general bidirectional adversarial training method and employ gradient to guide adversarial examples across the domain gap, i.e., the Adaptive Adversarial Training (AAT) for source to target domain and Entropy-penalized Virtual Adversarial Training (E-VAT) for target to source domain. Particularly, we devise a Bidirectional Adversarial Training (BiAT) network to perform diverse adversarial trainings jointly. We evaluate the effectiveness of BiAT on three benchmark datasets and experimental results demonstrate the proposed method achieves the state-of-the-art.

Download Full-text

Adversarially Robust Distillation

Proceedings of the AAAI Conference on Artificial Intelligence ◽

10.1609/aaai.v34i04.5816 ◽

2020 ◽

Vol 34 (04) ◽

pp. 3996-4003

Author(s):

Micah Goldblum ◽

Liam Fowl ◽

Soheil Feizi ◽

Tom Goldstein

Keyword(s):

Neural Networks ◽

High Performance ◽

State Of The Art ◽

Test Accuracy ◽

Training Methods ◽

Knowledge Distillation ◽

Adversarial Training ◽

Student Models ◽

Small Models ◽

High Test

Knowledge distillation is effective for producing small, high-performance neural networks for classification, but these small networks are vulnerable to adversarial attacks. This paper studies how adversarial robustness transfers from teacher to student during knowledge distillation. We find that a large amount of robustness may be inherited by the student even when distilled on only clean images. Second, we introduce Adversarially Robust Distillation (ARD) for distilling robustness onto student networks. In addition to producing small models with high test accuracy like conventional distillation, ARD also passes the superior robustness of large networks onto the student. In our experiments, we find that ARD student models decisively outperform adversarially trained networks of identical architecture in terms of robust accuracy, surpassing state-of-the-art methods on standard robustness benchmarks. Finally, we adapt recent fast adversarial training methods to ARD for accelerated robust distillation.

Download Full-text

Hierarchical Knowledge Squeezed Adversarial Network Compression

Proceedings of the AAAI Conference on Artificial Intelligence ◽

10.1609/aaai.v34i07.6799 ◽

2020 ◽

Vol 34 (07) ◽

pp. 11370-11377

Author(s):

Peng Li ◽

Chang Shu ◽

Yuan Xie ◽

Yan Qu ◽

Hui Kong

Keyword(s):

State Of The Art ◽

Teacher Student ◽

Adversarial Network ◽

Benchmark Datasets ◽

Knowledge Distillation ◽

Adversarial Training ◽

Rich Information ◽

Process Oriented ◽

Transfer Method ◽

Network Compression

Deep network compression has been achieved notable progress via knowledge distillation, where a teacher-student learning manner is adopted by using predetermined loss. Recently, more focuses have been transferred to employ the adversarial training to minimize the discrepancy between distributions of output from two networks. However, they always emphasize on result-oriented learning while neglecting the scheme of process-oriented learning, leading to the loss of rich information contained in the whole network pipeline. Whereas in other (non GAN-based) process-oriented methods, the knowledge have usually been transferred in a redundant manner. Observing that, the small network can not perfectly mimic a large one due to the huge gap of network scale, we propose a knowledge transfer method, involving effective intermediate supervision, under the adversarial training framework to learn the student network. Different from the other intermediate supervision methods, we design the knowledge representation in a compact form by introducing a task-driven attention mechanism. Meanwhile, to improve the representation capability of the attention-based method, a hierarchical structure is utilized so that powerful but highly squeezed knowledge is realized and the knowledge from teacher network could accommodate the size of student network. Extensive experimental results on three typical benchmark datasets, i.e., CIFAR-10, CIFAR-100, and ImageNet, demonstrate that our method achieves highly superior performances against state-of-the-art methods.

Download Full-text

Curriculum Adversarial Training

Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence ◽

10.24963/ijcai.2018/520 ◽

2018 ◽

Cited By ~ 5

Author(s):

Qi-Zhi Cai ◽

Chang Liu ◽

Dawn Song

Keyword(s):

Deep Learning ◽

State Of The Art ◽

The State ◽

Complex Task ◽

Worst Case ◽

Large Margin ◽

Robust Model ◽

Wide Range ◽

Adversarial Examples ◽

Adversarial Training

Recently, deep learning has been applied to many security-sensitive applications, such as facial authentication. The existence of adversarial examples hinders such applications. The state-of-the-art result on defense shows that adversarial training can be applied to train a robust model on MNIST against adversarial examples; but it fails to achieve a high empirical worst-case accuracy on a more complex task, such as CIFAR-10 and SVHN. In our work, we propose curriculum adversarial training (CAT) to resolve this issue. The basic idea is to develop a curriculum of adversarial examples generated by attacks with a wide range of strengths. With two techniques to mitigate the catastrophic forgetting and the generalization issues, we demonstrate that CAT can improve the prior art's empirical worst-case accuracy by a large margin of 25% on CIFAR-10 and 35% on SVHN. At the same, the model's performance on non-adversarial inputs is comparable to the state-of-the-art models.

Download Full-text

Compressing deep graph convolution network with multi-staged knowledge distillation

PLoS ONE ◽

10.1371/journal.pone.0256187 ◽

2021 ◽

Vol 16 (8) ◽

pp. e0256187

Author(s):

Junghun Kim ◽

Jinhong Jung ◽

U. Kang

Keyword(s):

Embedded Systems ◽

Real World ◽

State Of The Art ◽

Significant Loss ◽

Second Best ◽

Novel Approach ◽

Feature Aggregation ◽

Knowledge Distillation ◽

Real World Datasets ◽

Effective Layer

Given a trained deep graph convolution network (GCN), how can we effectively compress it into a compact network without significant loss of accuracy? Compressing a trained deep GCN into a compact GCN is of great importance for implementing the model to environments such as mobile or embedded systems, which have limited computing resources. However, previous works for compressing deep GCNs do not consider the multi-hop aggregation of the deep GCNs, though it is the main purpose for their multiple GCN layers. In this work, we propose MustaD (Multi-staged knowledge Distillation), a novel approach for compressing deep GCNs to single-layered GCNs through multi-staged knowledge distillation (KD). MustaD distills the knowledge of 1) the aggregation from multiple GCN layers as well as 2) task prediction while preserving the multi-hop feature aggregation of deep GCNs by a single effective layer. Extensive experiments on four real-world datasets show that MustaD provides the state-of-the-art performance compared to other KD based methods. Specifically, MustaD presents up to 4.21%p improvement of accuracy compared to the second-best KD models.

Download Full-text

A Robust Adversarial Training Approach to Machine Reading Comprehension

Proceedings of the AAAI Conference on Artificial Intelligence ◽

10.1609/aaai.v34i05.6357 ◽

2020 ◽

Vol 34 (05) ◽

pp. 8392-8400 ◽

Cited By ~ 1

Author(s):

Kai Liu ◽

Xin Liu ◽

An Yang ◽

Jing Liu ◽

Jinsong Su ◽

...

Keyword(s):

Reading Comprehension ◽

State Of The Art ◽

The State ◽

Training Data ◽

Training Dataset ◽

Original Dataset ◽

Training Approach ◽

Adversarial Examples ◽

Adversarial Training ◽

Machine Reading

Lacking robustness is a serious problem for Machine Reading Comprehension (MRC) models. To alleviate this problem, one of the most promising ways is to augment the training dataset with sophisticated designed adversarial examples. Generally, those examples are created by rules according to the observed patterns of successful adversarial attacks. Since the types of adversarial examples are innumerable, it is not adequate to manually design and enrich training data to defend against all types of adversarial attacks. In this paper, we propose a novel robust adversarial training approach to improve the robustness of MRC models in a more generic way. Given an MRC model well-trained on the original dataset, our approach dynamically generates adversarial examples based on the parameters of current model and further trains the model by using the generated examples in an iterative schedule. When applied to the state-of-the-art MRC models, including QANET, BERT and ERNIE2.0, our approach obtains significant and comprehensive improvements on 5 adversarial datasets constructed in different ways, without sacrificing the performance on the original SQuAD development set. Moreover, when coupled with other data augmentation strategy, our approach further boosts the overall performance on adversarial datasets and outperforms the state-of-the-art methods.

Download Full-text

Im2Mesh GAN: Accurate 3D Hand Mesh Recovery from a Single RGB Image

10.21203/rs.3.rs-955086/v1 ◽

2021 ◽

Author(s):

Akila Pemasiri ◽

Kien Nguyen ◽

Sridha Sridha ◽

Clinton Fookes

Keyword(s):

State Of The Art ◽

Input Image ◽

Data Availability ◽

The Other ◽

Challenging Problem ◽

Topological Relationship ◽

New Type ◽

Adversarial Training ◽

Rgb Image ◽

Better Than

Abstract This work addresses hand mesh recovery from a single RGB image. In contrast to most of the existing approaches where parametric hand models are employed as the prior, we show that the hand mesh can be learned directly from the input image. We propose a new type of GAN called Im2Mesh GAN to learn the mesh through end-to-end adversarial training. By interpreting the mesh as a graph, our model is able to capture the topological relationship among the mesh vertices. We also introduce a 3D surface descriptor into the GAN architecture to further capture the associated 3D features. We conduct experiments with the proposed Im2Mesh GAN architecture in two settings: one where we can reap the benefits of coupled groundtruth data availability of the images and the corresponding meshes; and the other which combats the more challenging problem of mesh estimation without the corresponding groundtruth. Through extensive evaluations we demonstrate that even without using any hand priors the proposed method performs on par or better than the state-of-the-art.

Download Full-text

Improving Land Cover Classification Using Genetic Programming for Feature Construction

Remote Sensing ◽

10.3390/rs13091623 ◽

2021 ◽

Vol 13 (9) ◽

pp. 1623

Author(s):

João E. Batista ◽

Ana I. R. Cabral ◽

Maria J. P. Vasconcelos ◽

Leonardo Vanneschi ◽

Sara Silva

Keyword(s):

Land Cover ◽

Genetic Programming ◽

Satellite Images ◽

State Of The Art ◽

Binary Classification ◽

Feature Construction ◽

Classification Problems ◽

Construction Methods ◽

Box Models

Genetic programming (GP) is a powerful machine learning (ML) algorithm that can produce readable white-box models. Although successfully used for solving an array of problems in different scientific areas, GP is still not well known in the field of remote sensing. The M3GP algorithm, a variant of the standard GP algorithm, performs feature construction by evolving hyperfeatures from the original ones. In this work, we use the M3GP algorithm on several sets of satellite images over different countries to create hyperfeatures from satellite bands to improve the classification of land cover types. We add the evolved hyperfeatures to the reference datasets and observe a significant improvement of the performance of three state-of-the-art ML algorithms (decision trees, random forests, and XGBoost) on multiclass classifications and no significant effect on the binary classifications. We show that adding the M3GP hyperfeatures to the reference datasets brings better results than adding the well-known spectral indices NDVI, NDWI, and NBR. We also compare the performance of the M3GP hyperfeatures in the binary classification problems with those created by other feature construction methods such as FFX and EFS.

Download Full-text