Adversarial robustness vs. model compression, or both?

Shaokai Ye; Kaidi Xu; Sijia Liu; Hao Cheng; Jan-Henrik Lambrechts; Huan Zhang; Aojun Zhou; Kaisheng Ma; Yanzhi Wang; Xue Lin

doi:10.1109/ICCV.2019.00020

Adversarial robustness vs. model compression, or both?

Shaokai Ye (Co-first Author), Kaidi Xu (Co-first Author), Sijia Liu, Hao Cheng, Jan-Henrik Lambrechts, Huan Zhang, Aojun Zhou, Kaisheng Ma^*, Yanzhi Wang^*, Xue Lin^*

^*Corresponding author for this work

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

147 Citations (Scopus)

Abstract

It is well known that deep neural networks (DNNs) are vulnerable to adversarial attacks, which are implemented by adding crafted perturbations onto benign examples. Min-max robust optimization based adversarial training can provide a notion of security against adversarial attacks. However, adversarial robustness requires a significantly larger capacity of the network than that for the natural training with only benign examples. This paper proposes a framework of concurrent adversarial training and weight pruning that enables model compression while still preserving the adversarial robustness and essentially tackles the dilemma of adversarial training. Furthermore, this work studies two hypotheses about weight pruning in the conventional setting and finds that weight pruning is essential for reducing the network model size in the adversarial setting; training a small model from scratch even with inherited initialization from the large model cannot achieve neither adversarial robustness nor high standard accuracy. Code is available at https://github.com/yeshaokai/Robustness-Aware-Pruning-ADMM. © 2019 IEEE.

Original language	English
Title of host publication	Proceedings - 2019 International Conference on Computer Vision
Publisher	IEEE
Pages	111-120
ISBN (Electronic)	9781728148038
ISBN (Print)	978-1-7281-4804-5
DOIs	https://doi.org/10.1109/ICCV.2019.00020
Publication status	Published - Oct 2019
Externally published	Yes
Event	17th IEEE/CVF International Conference on Computer Vision (ICCV 2019) - COEX Convention Center, Seoul, Korea, Republic of Duration: 27 Oct 2019 → 2 Nov 2019 http://iccv2019.thecvf.com/

Publication series

Name	Proceedings of the IEEE International Conference on Computer Vision
ISSN (Print)	1550-5499
ISSN (Electronic)	2380-7504

Conference

Conference	17th IEEE/CVF International Conference on Computer Vision (ICCV 2019)
Abbreviated title	ICCV19
Place	Korea, Republic of
City	Seoul
Period	27/10/19 → 2/11/19
Internet address	http://iccv2019.thecvf.com/

Funding

This work is partly supported by the National Science Foundation CNS-1932351, Institute for Interdisciplinary Information Core Technology (IIISCT) and Zhongguancun Haihua Institute for Frontier Information Technology.

Access Output

10.1109/ICCV.2019.00020

https://openaccess.thecvf.com/content_ICCV_2019/html/Ye_Adversarial_Robustness_vs._Model_Compression_or_Both_ICCV_2019_paper.html

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

@inproceedings{842d864b2e024bdf8153625324b86f47,

title = "Adversarial robustness vs. model compression, or both?",

abstract = "It is well known that deep neural networks (DNNs) are vulnerable to adversarial attacks, which are implemented by adding crafted perturbations onto benign examples. Min-max robust optimization based adversarial training can provide a notion of security against adversarial attacks. However, adversarial robustness requires a significantly larger capacity of the network than that for the natural training with only benign examples. This paper proposes a framework of concurrent adversarial training and weight pruning that enables model compression while still preserving the adversarial robustness and essentially tackles the dilemma of adversarial training. Furthermore, this work studies two hypotheses about weight pruning in the conventional setting and finds that weight pruning is essential for reducing the network model size in the adversarial setting; training a small model from scratch even with inherited initialization from the large model cannot achieve neither adversarial robustness nor high standard accuracy. Code is available at https://github.com/yeshaokai/Robustness-Aware-Pruning-ADMM. {\textcopyright} 2019 IEEE.",

author = "Shaokai Ye and Kaidi Xu and Sijia Liu and Hao Cheng and Jan-Henrik Lambrechts and Huan Zhang and Aojun Zhou and Kaisheng Ma and Yanzhi Wang and Xue Lin",

year = "2019",

month = oct,

doi = "10.1109/ICCV.2019.00020",

language = "English",

isbn = "978-1-7281-4804-5",

series = "Proceedings of the IEEE International Conference on Computer Vision",

publisher = "IEEE",

pages = "111--120",

booktitle = "Proceedings - 2019 International Conference on Computer Vision",

address = "United States",

note = "17th IEEE/CVF International Conference on Computer Vision (ICCV 2019), ICCV19 ; Conference date: 27-10-2019 Through 02-11-2019",

url = "http://iccv2019.thecvf.com/",

}

Ye, S, Xu, K, Liu, S, Cheng, H, Lambrechts, J-H, Zhang, H, Zhou, A, Ma, K, Wang, Y & Lin, X 2019, Adversarial robustness vs. model compression, or both? in Proceedings - 2019 International Conference on Computer Vision. Proceedings of the IEEE International Conference on Computer Vision, IEEE, pp. 111-120, 17th IEEE/CVF International Conference on Computer Vision (ICCV 2019), Seoul, Korea, Republic of, 27/10/19. https://doi.org/10.1109/ICCV.2019.00020

Adversarial robustness vs. model compression, or both? / Ye, Shaokai (Co-first Author); Xu, Kaidi (Co-first Author); Liu, Sijia et al.
Proceedings - 2019 International Conference on Computer Vision. IEEE, 2019. p. 111-120 (Proceedings of the IEEE International Conference on Computer Vision).

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review