基于剪枝技术和鲁棒蒸馏融合的轻量对抗攻击防御方法

doi:10.11959/j.issn.2096-109x.2022074

Abstract

Abstract:

Adversarial training is one of the commonly used defense methods against adversarial attacks, by incorporating adversarial samples into the training process.However, the effectiveness of adversarial training heavily relied on the size of the trained model.Specially, the size of trained models generated by the adversarial training will significantly increase for defending against adversarial attacks.This imposes constraints on the usability of adversarial training, especially in a resource-constraint environment.Thus, how to reduce the model size while ensuring the robustness of the trained model is a challenge.To address the above issues, a lightweight defense mechanism was proposed against adversarial attacks, with adaptive pruning and robust distillation.A hierarchically adaptive pruning method was applied to the model generated by adversarial training in advance.Then the trained model was further compressed by a modified robust distillation method.Experimental results on CIFAR-10 and CIFAR-100 datasets showed that our hierarchically adaptive pruning method presented stronger robustness under various FLOP than the existing pruning methods.Moreover, the fusion of pruning and robust distillation presented higher robustness than the state-of-art robust distillation methods.Therefore, the experimental results prove that the proposed method can improve the usability of the adversarial training in the IoT edge computing environment.

Key words: adversarial defenses, pruning, robust distillation, lightweight network

CLC Number:

TP393

Bin WANG, Simin LI, Yaguan QIAN, Jun ZHANG, Chaohao LI, Chenming ZHU, Hongfei ZHANG. Lightweight defense mechanism against adversarial attacks via adaptive pruning and robust distillation[J]. Chinese Journal of Network and Information Security, 2022, 8(6): 102-109.

Figures/Tables 3

References 24

[1]	郑远攀, 李广阳, 李晔 . 深度学习在图像识别中的应用研究综述[J]. 计算机工程与应用, 2019,55(12): 20-36.
	ZHENG Y P , LI G Y , LI Y . Survey of application of deep learning in image recognition[J]. Computer Engineering and Applications, 2019,55(12): 20-36.
[2]	鱼昆, 张绍阳, 侯佳正 ,等. 语音识别及端到端技术现状及展望[J]. 计算机系统应用, 2021,30(3): 14-23.
	YU K , ZHANG S Y , HOU J Z ,et al. Survey of speech recognition and end-to-end techniques[J]. Computer Systems ＆ Applications, 2021,30(3): 14-23.
[3]	王睿怡, 罗森林, 吴舟婷 ,等. 深度学习在汉语语义分析的应用与发展趋势[J]. 计算机技术与发展, 2019,29(9): 110-116.
	WANG R Y , LUO S L , WU Z T ,et al. Application and development trend of deep learning in Chinese semantic analysis[J]. Computer Technology and Development, 2019,29(9): 110-116.
[4]	SZEGEDY C , ZAREMBA W , SUTSKEVER I ,et al. Intriguing properties of neural networks[C]// Proceedings of 2nd International Conference on Learning Representations (ICLR 2014). 2014.
[5]	CARLINI N , WAGNER D . Towards evaluating the robustness of neural networks[C]// Proceedings of 2017 IEEE Symposium on Security and Privacy (SP). 2017.
[6]	SONG D , EYKHOLT K , EVTIMOV I ,et al. Physical adversarial examples for object detectors[C]// 12th USENIX Workshop on offensive technologies (WOOT 18). 2018.
[7]	CARLINI N , WAGNER D . Audio adversarial examples:targeted attacks on speech-to-text[C]// 2018 IEEE Security and Privacy Workshops (SPW). 2018: 1-7.
[8]	GOODFELLOW I , SHLENS J , SZEGEDY C . Explaining and harnessing adversarial examples[C]// Proceedings of 3rd International Conference on Learning Representations (ICLR 2015). 2015.
[9]	MADRY A , MAKELOV A , SCHMIDT L ,et al. Towards deep learning models resistant to adversarial attacks[C]// Proceedings of 6th International Conference on Learning Representations (ICLR 2018). 2018.
[10]	GOWAL S , QIN C , UESATO J ,et al. Uncovering the limits of adversarial training against norm-bounded adversarial examples[J]. arXiv:2010.03593, 2020.
[11]	GOU J , YU B , MAYBANK S J ,et al. Knowledge distillation:a survey[J]. International Journal of Computer Vision, 2021,129(6): 1789-1819.
[12]	PAPERNOT N , MCDANIEL P , WU X ,et al. Distillation as a defense to adversarial perturbations against deep neural networks[C]// IEEE Symposium on Security and Privacy, 2016: 582-597.
[13]	GOLDBLUM M , FOWL L , FEIZI S ,et al. Adversarially robust distillation[C]// Proceedings of the AAAI Conference on Artificial Intelligence. 2020: 3996-4003.
[14]	ZI B , ZHAO S , MA X ,et al. Revisiting adversarial robustness distillation:robust soft labels make student better[C]// Proceedings of 2021 IEEE/CVF International Conference on Computer Vision, 2021: 16423-16432.
[15]	BAI T , LUO J , ZHAO J ,et al. Recent advances in adversarial training for adversarial robustness[C]// Proceedings of the Thirtieth International Joint Conference on Artificial Intelligence, 2021: 4312-4321.
[16]	ZHANG H , YU Y , JIAO J ,et al. Theoretically principled trade-off between robustness and accuracy[C]// International Conference on Machine Learning. 2019: 7472-7482.
[17]	ALAYRAC J B , UESATO J , HUANG P S ,et al. Are labels required for improving adversarial robustness[C]// Advances in Neural Information Processing Systems. 2019: 12192-12202.
[18]	CARMON Y , RAGHUNATHAN A , SCHMIDT L ,et al. Unlabeled data improves adversarial robustness[C]// Advances in Neural Information Processing Systems. 2019: 11190-11201.
[19]	SIMONYAN K , ZISSERMAN A . Very deep convolutional networks for large-scale image recognition[J]. arXiv:1409.1556, 2014.
[20]	HE K , ZHANG X , REN S ,et al. Deep residual learning for image recognition[C]// Proceedings of 2016 IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2016: 770-778.
[21]	CROCE F , HEIN M . Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks[C]// Proceedings of the 37th International Conference on Machine Learning. 2020: 2206-2216.
[22]	LI H , KADAV A , DURDANOVIC I ,et al. Pruning filters for efficient convnets[C]// Proceedings of 5th International Conference on Learning Representations (ICLR 2017). 2017.
[23]	LIU Z , LI J , Shen Z ,et al. Learning efficient convolutional networks through network slimming[C]// Proceedings of 2017 IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2017: 2755-2763.
[24]	SUI Y , YIN M , XIE Y ,et al. CHIP:channel Independence-based pruning for compact neural networks[C]// Advances in Neural Information Processing Systems. 2021: 24604-24616.

Metrics

Recommended 0

No Suggested Reading articles found!

Lightweight defense mechanism against adversarial attacks via adaptive pruning and robust distillation

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 3

References 24

Related Articles 1

Metrics

Recommended 0