Paper Reading AI Learner

David and Goliath: An Empirical Evaluation of Attacks and Defenses for QNNs at the Deep Edge

2024-04-08 17:14:32
Miguel Costa, Sandro Pinto

Abstract

ML is shifting from the cloud to the edge. Edge computing reduces the surface exposing private data and enables reliable throughput guarantees in real-time applications. Of the panoply of devices deployed at the edge, resource-constrained MCUs, e.g., Arm Cortex-M, are more prevalent, orders of magnitude cheaper, and less power-hungry than application processors or GPUs. Thus, enabling intelligence at the deep edge is the zeitgeist, with researchers focusing on unveiling novel approaches to deploy ANNs on these constrained devices. Quantization is a well-established technique that has proved effective in enabling the deployment of neural networks on MCUs; however, the robustness of QNNs in the face of adversarial examples is still an open question. To fill this gap, we empirically evaluate the effectiveness of attacks and defenses from (full-precision) ANNs on (constrained) QNNs. Our evaluation includes three QNNs targeting TinyML applications, ten attacks, and six defenses. With this study, we draw a set of interesting findings. First, quantization increases the point distance to the decision boundary and leads the gradient estimated by some attacks to explode or vanish. Second, quantization can act as a noise attenuator or amplifier, depending on the noise magnitude, and causes gradient misalignment. Regarding adversarial defenses, we conclude that input pre-processing defenses show impressive results on small perturbations; however, they fall short as the perturbation increases. At the same time, train-based defenses increase the average point distance to the decision boundary, which holds after quantization. However, we argue that train-based defenses still need to smooth the quantization-shift and gradient-misalignment phenomena to counteract adversarial example transferability to QNNs. All artifacts are open-sourced to enable independent validation of results.
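The second finding above, that quantization acts as a noise attenuator or an amplifier depending on the perturbation's size relative to the quantization step, can be checked directly with a uniform int8 quantizer. The following is an added example written for this page; it is not code from the paper or its released artifacts. It assumes an int8 grid with a fixed scale of 1/127 (inputs in [-1, 1]) and round-to-nearest as implemented by Python's `round` (ties to even; the sample values avoid exact ties, since deployed runtimes may break ties differently). The helper names `quantize`, `step_shift`, `gain` and `survival_stats` are this example's own.

```python
# Added example, not part of the paper or its artifacts.
# Uniform (affine) quantization of the kind used for int8 inference on
# Cortex-M, and what it does to a perturbation delta added to a clean input x.
# The grid step is `scale`; everything here is pure Python.

QMIN, QMAX = -128, 127          # int8 range assumed for the quantized tensor


def quantize(x, scale, zero_point=0):
    """Map a real value onto the int8 grid: round(x/scale) + zero_point, clamped."""
    q = int(round(x / scale)) + zero_point
    return max(QMIN, min(QMAX, q))


def dequantize(q, scale, zero_point=0):
    """Inverse map back to the real line (what the next layer effectively sees)."""
    return (q - zero_point) * scale


def step_shift(x, delta, scale):
    """Number of grid steps the quantized value moves when x is perturbed by delta."""
    return quantize(x + delta, scale) - quantize(x, scale)


def gain(x, delta, scale):
    """|effect after quantization| / |delta|:
    0 = perturbation erased, ~1 = passed through, >1 = amplified to a full step."""
    return abs(step_shift(x, delta, scale)) * scale / abs(delta)


def survival_stats(xs, deltas, scale):
    """Classify each coordinate of a perturbation vector after quantization.
    Returns (erased, amplified, passed) counts."""
    erased = amplified = passed = 0
    for x, d in zip(xs, deltas):
        g = gain(x, d, scale)
        if g == 0.0:
            erased += 1
        elif g > 1.0:
            amplified += 1
        else:
            passed += 1
    return erased, amplified, passed


if __name__ == "__main__":
    s = 1.0 / 127                # assumed scale for inputs in [-1, 1]
    on_grid = 64 * s             # clean input exactly on a grid point
    near_edge = 64.4 * s         # clean input 0.1 step below a rounding boundary
    # Sub-step perturbation, input on the grid: quantization erases it entirely.
    print("attenuated:", gain(on_grid, 0.3 * s, s))     # 0.0
    # Even smaller perturbation, input near a boundary: rounded up to a full step.
    print("amplified :", gain(near_edge, 0.2 * s, s))   # ~5.0
    # Perturbation spanning several steps: passes through almost unchanged.
    print("passed    :", gain(on_grid, 3.0 * s, s))     # ~1.0
    # Constructed 8-coordinate input: same epsilon everywhere, different clean values.
    xs = [(k + 0.45) * s for k in range(4)] + [k * s for k in range(4)]
    ds = [0.1 * s] * 8
    print("erased/amplified/passed:", survival_stats(xs, ds, s))  # (4, 4, 0)
```

The point the numbers make is that the same epsilon is either wiped out or turned into a full quantization step depending only on where the clean value sits on the grid, which is why a perturbation crafted against the full-precision model does not map cleanly onto the quantized one.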

Abstract (translated from the page's Chinese rendering)

Machine learning (ML) is moving from the cloud to the edge. Edge computing reduces the exposure of private data and provides reliable throughput guarantees in real-time applications. Among deployed devices, resource-constrained microcontrollers (e.g., ARM Cortex-M) are more prevalent, far cheaper, and less power-hungry than application processors or GPUs. Hence pushing intelligence to the edge is the trend, and researchers are focusing on uncovering new ways to deploy ANNs on these constrained devices. Quantization is a proven, effective technique for deploying neural networks on MCUs; however, the robustness of quantized networks in the face of adversarial examples remains an open question. To fill this gap, we evaluate attacks and defenses from (full-precision) ANNs for their effect on (constrained) QNNs. Our evaluation covers three QNNs targeting TinyML applications, ten attacks, and six defenses. From this study we draw a series of interesting findings. First, quantization increases the distance of points to the decision boundary and causes the gradient estimated by some attacks to explode or vanish. Second, quantization can act as a noise attenuator or amplifier depending on the noise magnitude, and causes gradient misalignment. Regarding adversarial defenses, we conclude that input pre-processing defenses perform remarkably well on small perturbations, but fall short as the perturbation grows. Meanwhile, training-based defenses increase the average distance of points to the decision boundary, and this holds after quantization. However, we argue that training-based defenses still need to smooth the quantization-shift and gradient-misalignment phenomena to counter adversarial example transferability to QNNs. All artifacts are open-sourced to enable independent validation of the results.

URL

https://arxiv.org/abs/2404.05688

PDF

https://arxiv.org/pdf/2404.05688.pdf
