Abstract
We present a dynamic network rewiring (DNR) method to generate pruned deep neural network (DNN) models that both are robust against adversarially generated images and maintain high accuracy on clean images. In particular, the disclosed DNR training method is based on a unified constrained optimization formulation using a novel hybrid loss function that merges sparse learning with robust adversarial training. This training strategy dynamically adjusts inter-layer connectivity based on per-layer normalized momentum computed from the hybrid loss function. To further improve the robustness of the pruned models, we propose DNR++, an extension of the DNR method where we introduce the idea of sparse parametric Gaussian noise tensor that is added to the weight tensors to yield robust regularization. In contrast to existing robust pruning frameworks that require multiple training iterations, the proposed DNR and DNR++ achieve an overall target pruning ratio with only a single training iteration and can be tuned to support both irregular and structured channel pruning. To demonstrate the efficacy of the proposed method under the no-increased-training-time “free” adversarial training scenario, we finally present FDNR++, a simple yet effective training modification that can yield robust yet compressed models requiring training time comparable to that of an unpruned non-adversarial training. To evaluate the merits of our disclosed training methods, experiments were performed with two widely accepted models, namely VGG16 and ResNet18, on CIFAR-10 and CIFAR-100 as well as with VGG16 on Tiny-ImageNet. Compared to the baseline uncompressed models, our methods provide over 20× compression on all the datasets without any significant drop of either clean or adversarial classification performance. 
Moreover, extensive experiments show that our methods consistently find compressed models with better clean and adversarial image classification performance than what is achievable through state-of-the-art alternatives. We provide insightful observations to help make various model, parameter density, and prune-type selection choices and have open-sourced our saved models and test codes to ensure reproducibility of our results.
1 INTRODUCTION
Despite being the critical component of various computer vision tasks [5, 10, 21, 24, 36, 45, 50], deep neural networks (DNNs) suffer from significant safety concerns due to their vulnerability to adversarial images [4, 11, 20, 34, 47]. These maliciously generated images are perceptually similar to the clean ones yet can fool the models to make wrong classifications. Given the adverse consequences of misclassification of such images, efficient training of a robust classifier that can correctly label the majority of adversarial images has been an active area of research [11, 19, 41, 51].
Meanwhile, to reduce the large computation and storage costs of DNN models, particularly for IoT devices, reduced-size models [9, 28, 29] and model pruning techniques [6, 7, 17, 30] have gained significant attention. In particular, various heuristic pruning techniques have proven to be extremely effective in reducing the parameter count of apparently over-parameterized models by up to \(\mathord {\sim }90\%\) [6, 7, 30]. Moreover, ensuring the pruned models have structure can yield significant performance improvements on a broad range of compute platforms [18, 38]. However, as Figure 1(a) illustrates, adversarial training [40] generally demands more non-zero parameters than needed for only clean images [40]. Thus, a naively pruned model performing well on clean images becomes vulnerable to adversarial images. Moreover, compared to normally trained models, it is more difficult to aggressively prune adversarially trained models [54] without sacrificing classification performance. However, with the growing deployment of DNNs in safety-critical edge applications on resource-constrained devices such as drones, compressed yet robust models are often necessary. Unfortunately, despite a plethora of work on model pruning performed on clean data, there have been only a few studies that analyze pruned models under adversarial attacks. In particular, prior work [14, 54] proposed to design a pruned yet robust model through a unified constrained optimization formulation based on the alternating direction method of multipliers (ADMM) in which dynamic \(L_2\) regularization is the key to outperforming other pruning techniques [46]. In addition, [48] proposed to provide provable robustness of pruned models. However, all these techniques require the added overhead of pre-training a model. Moreover, ADMM requires the model pruner to specify layer-wise pruning ratios. 
This either demands human expertise to provide suitable pruning ratios or requires the use of cumbersome evolutionary search methods to evaluate the model sensitivity for a specific global pruning ratio.1 Other schemes like Lasso [43] cannot guarantee a specified pruning ratio and require a subsequent re-training phase to recover accuracy after the non-significant weights are set to zero, resulting in increased training time.
Our contributions: To address the above-mentioned concerns, this article presents dynamic network rewiring (DNR). In particular, we propose a unified training framework to find a pruned model with increased robustness that does not require the knowledge of individual per-layer pruning ratios and present our initial results in [25]. DNR uses a unique hybrid loss function for robust pruning having three major components: a clean image classification loss, a dynamic \(L_2\)-regularizer term inspired by a relaxed version of ADMM [8], and an adversarial image classification loss. Using this hybrid loss, we then propose a non-iterative robust sparse-learning scheme. We take inspiration from [6] and use normalized momentum as a metric to dynamically arrange per-layer pruning ratios and help maintain the target pruning ratio every epoch, eliminating the need for subsequent fine-tuning. To further improve the robustness of models via robust regularization [19, 32], this article also proposes DNR++, a sparse-learning strategy where the weights are purposefully regularized via a form of trainable sparse noise tensors. In particular, models generated through DNR++ can yield improved performance of up to \(\mathord {\sim }9\%\) on adversarial images with similar or improved clean image performance as that generated through DNR.
Training a model with strong gradient-based attack-generated images (e.g., a PGD attack) generally increases the training time and cost by nearly \(k \times\), where \(k\) is the PGD attack iteration constant. This, in particular, is challenging for resource-constrained devices even for incremental training. To reduce this large training cost, we leverage the idea of “free” adversarial training [27, 49] and propose a fast one-shot training variant of DNR++, namely FDNR++, which allows sparse weight updates during each iteration of perturbed image generation. In particular, this technique helps FDNR++ produce pruned yet robust models with training times comparable to that of training unpruned models with no robustness. To provide inference speedup with no custom compiler or hardware design, we extend the proposed approaches to support structured pruning, namely channel pruning. To the best of our knowledge, we are the first to propose a non-iterative robust training framework that supports both irregular and channel pruning.
Table 1 summarizes the general benefits of our proposed methods compared to the SOTA. We quantify these benefits analyzing the performance of both irregular and channel-pruned robust models on an extensive set of experiments on CIFAR-10 [23] and CIFAR-100 [23] using both ResNet18 [16] and VGG16 [50], and on Tiny-ImageNet [15] using VGG16. Models yielded through our method consistently outperform the state of the art (SOTA) [43, 54] with no significant drop in clean image classification performance compared to the respective unpruned baselines. We further empirically demonstrate the superiority of this scheme when used to target model pruning on clean-only image classification tasks compared to SOTA non-iterative pruning mechanisms [6, 7, 17, 33].
Fig. 1. (a) Weight distribution of the 14th convolution layer of a ResNet18 model for different training schemes: normal, adversarial [40], and noisy adversarial [19]. (b) An adversarially generated image ( \(\hat{{\boldsymbol x}}\) ) obtained through a FGSM attack, which is predicted to be the number 5 instead of 8 ( \({\boldsymbol x}\) ).
Lastly, based on our comprehensive investigations and observations on adversarial robustness, we demonstrate a simple yet extremely effective method to push the boundary of model robustness using random pruned models for inference (RPMI). Specifically, RPMI randomly selects one of multiple stored pruned models for inference.2
| Method | Baseline Robustness | Ultra-high Compression | Non-iterative Training | Improved Robustness via Noisy Weights | Single-shot Training |
|---|---|---|---|---|---|
| ADMM [14, 46] | \(\checkmark\) | \(\checkmark\) | \(\times\) | \(\times\) | \(\times\) |
| RSR [43] | \(\checkmark\) | \(\times\) | \(\times\) | \(\checkmark\) | \(\times\) |
| DNR (this article) | \(\checkmark\) | \(\checkmark\) | \(\checkmark\) | \(\times\) | \(\times\) |
| DNR++ (this article) | \(\checkmark\) | \(\checkmark\) | \(\checkmark\) | \(\checkmark\) | \(\times\) |
| FDNR++ (this article) | \(\checkmark\) | \(\checkmark\) | \(\checkmark\) | \(\checkmark\) | \(\checkmark\) |
Table 1. Comparison between Various Robust Model Pruning Schemes
The remainder of this article is structured as follows. In Section 2 we present necessary background. Section 3 describes our proposed training methods and enhancements, and Section 4 presents our detailed experimental evaluations and analysis. We conclude in Section 5 and detail the potential broader impact of this work in Section 6.
2 BACKGROUND WORK
2.1 Preliminaries on Adversarial Attacks
Recently, various gradient-based adversarial attacks have been proposed to generate perturbed or adversarial images. These images, despite having barely visible perturbations from real images, manage to fool a trained DNN. One of the most common gradient-based attacks is the fast gradient sign method (FGSM) [11]. Given a vectorized input \({\boldsymbol x}\) of the real image and the corresponding output label \({\boldsymbol t}\), FGSM perturbs each element of \({\boldsymbol x}\) along the sign of the associated element of the gradient of the inference loss w.r.t. \({\boldsymbol x}\), as shown in Equation (1) and illustrated in Figure 1(b). Projected gradient descent (PGD) [40], another well-known attack, is a multi-step variant of FGSM, where \(\hat{{\boldsymbol x}}^{k=1} = {{\boldsymbol x}}\) and the iterative update of the perturbed image \(\hat{{\boldsymbol x}}\) in the \(k^{th}\) step is given in Equation (2).
(1) \(\begin{equation} \hat{{\boldsymbol x}}={{\boldsymbol x}} + \epsilon \times sgn(\nabla _{x}J(g({\boldsymbol x}; \theta), {\boldsymbol t})) \end{equation}\)
(2) \(\begin{equation} \hat{{\boldsymbol x}}^{k}=\texttt {Proj}_{P_{\epsilon }({\it {\bf x}})} (\hat{{\boldsymbol x}}^{k-1} + \alpha \times sgn(\nabla _{x}J(g(\hat{{\boldsymbol x}}^{k-1}; \theta), {\boldsymbol t}))) \end{equation}\)
Here, \(g({\boldsymbol x}; \theta)\) generates the output of the DNN, parameterized by \(\theta\), and \(\texttt {Proj}\) projects the updated adversarial sample onto the projection space \(P_{\epsilon }({\it {\bf x}})\), defined as the \(\epsilon\)-\(L_{\infty }\) neighbourhood of the benign sample \({\it {\bf x}}\).3 \(\epsilon\) is a scalar that sets the limit to the perturbation and \(\alpha\) is the attack step size. We note that PGD is one of the strongest \(L_{\infty }\) adversarial example generation algorithms [40] and use it as the attack for our adversarial image generation during training of the proposed framework.
We note that there have been efforts in an orthogonal research direction that look at various modifications [12, 13, 22, 56] of the original adversarial training strategy [40], including the mixing of augmentation techniques [44], to further improve model robustness. Our proposed training strategy can be easily adapted to these techniques to yield even further improved performance.
Note that for the above attacks we consider two different scenarios: (1) a white-box (WB) attack, in which the attacker has complete access to the model parameters, and (2) a black-box (BB) attack, in which the attacker has no knowledge of the model parameters and thus involves weaker perturbations.
2.2 Model Pruning
ADMM is a powerful optimization method used to solve problems with non-convex, combinatorial constraints [3]. It decomposes the original optimization problem into two sub-problems and solves the sub-problems iteratively until convergence. Pruning convolutional neural networks (CNNs) can be modeled as an optimization problem where the cardinality of each layer’s weight tensor is bounded by its pre-specified pruning ratio. In the ADMM framework, such constraints are transformed to ones represented with indicator functions, such as \(\mathbb {I}_{\theta }({\bf z})= 0\) for \(|{\bf z}| \le n\) and \(+\infty\) otherwise. Here, \(\mathbf {z}\) denotes the duplicate variable [3] and \(n\) represents the target number of non-zero weights determined by pre-specified pruning ratios.
Next, the original optimization problem is reformulated as (3) \(\begin{equation} \mathcal {L}_{\rho }(\theta ,{\bf z},\lambda) = J(g({\boldsymbol x};\theta), {\boldsymbol t}) + \mathbb {I}_{\theta }({\bf z}) + \left\langle \lambda , \theta - {\bf z} \right\rangle + \frac{\rho }{2} ||\theta - {\bf z}||^2_2, \end{equation}\) where \(\lambda\) is the Lagrangian multiplier and \(\rho\) is the penalization factor when parameters \(\theta\) and \(\mathbf {z}\) differ. Equation (3) is broken into two sub-problems that solve \(\theta\) and \(\mathbf {z}\) iteratively until convergence [46]. The first sub-problem uses stochastic gradient descent (SGD) to update \(\theta ,\) while the second sub-problem applies projection to find the assignment of \(\mathbf {z}\) that is closest to \(\theta\) yet satisfies the cardinality constraint, effectively pruning weights with small magnitudes.
Not only can ADMM prune a model’s weight tensors, but it also has a dynamic regularizer. Such adaptive regularization is one of the main reasons behind the success of its use in pruning. However, ADMM-based pruning has several drawbacks. First, ADMM requires prior knowledge of the per-layer pruning ratios. Second, ADMM does not guarantee the pruning ratio will be met, and therefore, an additional round of hard pruning is required after ADMM completes. Third, not all problems solved with ADMM are guaranteed to converge. Fourth, to improve the convergence, \(\rho\) needs to be progressively increased across several rounds of training, which increases training time [3].
Sparse learning [6] addresses the shortcomings of ADMM by leveraging exponentially smoothed gradients (momentum) to prune weights. It redistributes pruned weights across layers according to their mean momentum contribution. The weights that will be removed and transferred to other layers are chosen according to their magnitudes, while the weights that are brought back (reactivated) are selected based on their momentum values. On the other hand, a major shortcoming of sparse learning compared to ADMM is that it does not benefit from a dynamic regularizer and thus often yields lower levels of accuracy. Furthermore, prior sparse-learning schemes only support irregular forms of pruning, limiting speedup on many compute platforms. Finally, sparse learning, to the best of our knowledge, has not previously been extended to robust model pruning.
3 DYNAMIC NETWORK REWIRING
To tackle the shortcomings of ADMM and sparse learning we introduce DNR, a network rewiring method that optimizes the model parameters based on a hybrid loss function and enables non-iterative training to provide high-accuracy compressed yet robust DNN models. We then detail our improved method DNR++, which adds regularizing sparse noise tensors to the trainable weight tensors. Then, to improve the robust training time, we present a simple yet effective extension FDNR++ that achieves robust compression with training times comparable to that of training normal unpruned models with only clean images. Finally, we describe our extension method to support structured pruning.
3.1 Dynamic L2 Regularizer
For a DNN parameterized by \(\theta\) with \(L\) layers, we let \(\theta _l\) represent the weight tensor of layer \(l\). In our sparse-learning approach, these weight tensors are element-wise multiplied (\(\odot\)) by corresponding binary mask tensors (\(\mathbf {m}_l\)) to retain only a fraction of non-zero weights, thereby meeting a target pruning ratio. We update each layer mask in every epoch similar to [6]. The number of non-zeros is updated based on the layer’s normalized momentum, and the specific non-zero entries are set to favor large magnitude weights. We incorporate an ADMM dynamic \(L_2\) regularizer [46] into this framework by introducing duplicate variable \(\mathbf {z}\) for the non-zero weights, which is in turn updated at the start of every epoch. Unlike [46], we only penalize differences between the masked weights (\(\theta _l \odot {\bf m}_l\)) of a layer \(l\) and their corresponding duplicate variable \(\mathbf {z}_l\). Because the total cardinality constraint of the masked parameters is satisfied, i.e., \(\sum _{l=1}^L \mbox{card}(\theta _l \odot \mathbf {m}_l) \le n\), the indicator penalty factor is redundant and the loss function may be simplified as (4) \(\begin{align} {\mathcal {L}}_{\rho }(\theta ,{\bf z}, \mathbf {m}) = J(g({\boldsymbol x};\theta , \mathbf {m}), {\boldsymbol t}) + \frac{\rho }{2}\sum _{l=1}^{L} ||\theta _l \odot \mathbf {m}_l - {\bf z}_l||^2_2, \end{align}\) where \(\rho\) is the dynamic \(L_2\) penalizing factor. This simplification is particularly important because the indicator function used in Equation (3) is non-differentiable and its removal in Equation (4) enables the loss function to be minimized without decomposition into two sub-problems.4 Moreover, SGD with this loss function converges similarly to the SGD with \(J(g({\boldsymbol x};\theta , \mathbf {m}), {\boldsymbol t})\) and more reliably than ADMM. 
Intuitively, the key role of the dynamic regularizer in this simplified loss function is to encourage the DNN to not change values of the weights that have large magnitude unless the corresponding loss is large, similar to what the dynamic regularizer does in ADMM-based pruning.
3.2 Proposed Hybrid Loss Function for DNR
For a given input image \({\boldsymbol x}\), adversarial training can be viewed as a min-max optimization problem that finds the model parameters \(\theta\) that minimize the loss associated with the corresponding adversarial sample \(\hat{{\boldsymbol x}}\), as shown below: (5) \(\begin{equation} \underset{\theta }{\mbox{arg min}}\left\lbrace {\underset{\mathbf {{\hat{{\boldsymbol x}} \in P_{\epsilon }({\it {\bf x}})}}}{\mbox{arg max}} \; {J(g({\hat{{\boldsymbol x}}}; \theta),{\boldsymbol t})}}\right\rbrace . \end{equation}\)
In our framework, we use SGD for loss minimization and PGD to generate adversarial images. More specifically, to boost classification robustness on a perturbed image we propose using a hybrid loss function that combines the proposed simplified loss function in Equation (4) with adversarial image loss, i.e.,
(6) \(\begin{align} J_{tot} = \beta {\mathcal {L}}_{\rho }(\theta ,{\bf z}, \mathbf {m}) + (1-\beta) J(g(\hat{{\boldsymbol x}}; \theta ,\mathbf {m}),{\boldsymbol t}), \end{align}\) where \(\beta\) provides a tunable trade-off between the two loss components.
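To make the pieces concrete, the following is an added NumPy illustration (not code from the paper or its released models) of the inner maximization of Section 2.1, i.e., the FGSM step of Equation (1) and the projected PGD iteration of Equation (2), together with the dynamic \(L_2\) regularizer of Equation (4) and the hybrid loss \(J_{tot}\) of Equation (6). The DNN is replaced by a constructed single linear layer with softmax so that \(\nabla_x J\) has a closed form; the mask, the duplicate variable \(\mathbf{z}\) (assumed here to be refreshed as \(\theta \odot \mathbf{m}\) at the start of an epoch), and the [0, 1] pixel range are assumptions of this example.

```python
import numpy as np

# Toy model used throughout: a single linear layer followed by softmax,
# g(x; theta) = softmax(W x + b), so that the input gradient needed by
# Equations (1)-(2) and the losses in Equation (6) have closed forms. The
# model, mask, duplicate variable z and the "images" are all constructed
# here for illustration; none of it is the paper's code or data.


def softmax(logits):
    e = np.exp(logits - logits.max(axis=-1, keepdims=True))
    return e / e.sum(axis=-1, keepdims=True)


def cross_entropy(W, b, x, t):
    """J(g(x; theta), t): mean cross-entropy of a batch x (n, d) with integer labels t (n,)."""
    p = softmax(x @ W.T + b)
    return float(-np.mean(np.log(p[np.arange(len(t)), t] + 1e-12)))


def grad_wrt_input(W, b, x, t):
    """nabla_x J in closed form: dJ/dlogits = (p - onehot(t)) / n, then chain through W."""
    p = softmax(x @ W.T + b)
    p[np.arange(len(t)), t] -= 1.0
    return (p @ W) / len(t)


def fgsm(W, b, x, t, eps):
    """Equation (1): one signed-gradient step of size eps; pixels kept in [0, 1] (assumed image range)."""
    return np.clip(x + eps * np.sign(grad_wrt_input(W, b, x, t)), 0.0, 1.0)


def pgd(W, b, x, t, eps, alpha, k):
    """Equation (2): k signed-gradient steps of size alpha, each followed by
    Proj onto P_eps(x), the eps-L_inf neighbourhood of the clean input x."""
    x_adv = x.copy()                                   # \hat{x}^{1} = x
    for _ in range(k):
        x_adv = x_adv + alpha * np.sign(grad_wrt_input(W, b, x_adv, t))
        x_adv = np.clip(x_adv, x - eps, x + eps)       # projection onto P_eps(x)
        x_adv = np.clip(x_adv, 0.0, 1.0)               # assumed valid image range
    return x_adv


def dynamic_l2(layers, masks, zs, rho):
    """Regularizer of Equation (4): rho/2 * sum_l ||theta_l ⊙ m_l - z_l||_2^2."""
    return float(0.5 * rho * sum(np.sum((th * m - z) ** 2)
                                 for th, m, z in zip(layers, masks, zs)))


def hybrid_loss(W, b, mask, z, x, x_adv, t, rho, beta):
    """Equation (6): J_tot = beta * L_rho(theta, z, m) + (1 - beta) * J(g(x_adv; theta, m), t).
    The model only ever sees the masked weights W ⊙ mask."""
    Wm = W * mask
    clean_part = cross_entropy(Wm, b, x, t) + dynamic_l2([W], [mask], [z], rho)
    adv_part = cross_entropy(Wm, b, x_adv, t)
    return beta * clean_part + (1.0 - beta) * adv_part


def demo(eps=8 / 255, alpha=0.01, k=7, rho=1e-4, beta=0.5, seed=0):
    """One training-step's worth of computation on constructed data; returns the pieces for inspection."""
    rng = np.random.default_rng(seed)
    n, d, classes = 16, 12, 4
    x = rng.uniform(0.0, 1.0, size=(n, d))             # constructed "images" in [0, 1]
    t = rng.integers(0, classes, size=n)
    W = rng.standard_normal((classes, d))
    b = np.zeros(classes)
    mask = (rng.uniform(size=W.shape) < 0.5).astype(float)   # roughly half the weights active
    z = W * mask                                       # duplicate variable, assumed = theta ⊙ m at epoch start
    W_drift = W + 0.1 * rng.standard_normal(W.shape)   # weights after some SGD steps within the epoch
    Wm = W_drift * mask
    x_adv = pgd(Wm, b, x, t, eps, alpha, k)
    clean, adv = cross_entropy(Wm, b, x, t), cross_entropy(Wm, b, x_adv, t)
    reg0, reg = dynamic_l2([W], [mask], [z], rho), dynamic_l2([W_drift], [mask], [z], rho)
    return {
        "within_eps": bool(np.all(np.abs(x_adv - x) <= eps + 1e-12)),
        "valid_range": bool(x_adv.min() >= 0.0 and x_adv.max() <= 1.0),
        "clean_loss": clean, "adv_loss": adv,
        "fgsm_loss": cross_entropy(Wm, b, fgsm(Wm, b, x, t, eps), t),
        "reg_at_epoch_start": reg0, "reg_after_drift": reg,
        "J_tot": hybrid_loss(W_drift, b, mask, z, x, x_adv, t, rho, beta),
        "J_tot_beta1": hybrid_loss(W_drift, b, mask, z, x, x_adv, t, rho, 1.0),
        "J_tot_beta0": hybrid_loss(W_drift, b, mask, z, x, x_adv, t, rho, 0.0),
    }
```

Because the cross-entropy of a linear softmax model is convex in its input, every projected signed-gradient step leaves the loss at or above its previous value, so `adv_loss` never drops below `clean_loss`; the regularizer is exactly zero at the epoch start (when \(\mathbf{z}\) equals the masked weights) and grows as the surviving weights drift, which is the "do not move large weights unless the loss demands it" behaviour described in Section 3.1.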
Fig. 2. (a) Training loss vs. epochs and (b) pruning sensitivity per layer for VGG16 on CIFAR-10.
A DNN with only a fraction of its weights active throughout training can be trained with the proposed hybrid loss to converge similarly to the unpruned model (mask \(\mathbf {m}=1\)), providing a robust yet compressed model. This is exemplified in Figure 2(a), which shows similar convergence trends for both pruned and unpruned models, simultaneously achieving both the target pruning ratio and robustness while avoiding the need for multiple training iterations.
3.3 DNR++: Dynamic Network Rewiring with Noisy Weights
The addition of noise to the weight tensors to provide robust regularization has been proven effective in improving model performance against various gradient-based adversarial attacks [32, 37]. In this work, we adopt a recently proposed trainable parametric noise injection (PNI) scheme [19]. However, to ensure target model pruning with the addition of noise, a naive adaptation of the scheme is not possible. We now detail our proposed additive sparse PNI (SPNI)-based parameter update strategy in DNR++, exemplified in Figure 3. Let the weight tensor of a convolutional layer \(l\) be denoted as \(\theta _l \in \mathbb {R}^{M \times N \times h \times w}\), where \(h\) and \(w\) are the height and width of the convolutional kernel, and \(M\) and \(N\) represent the number of filters and channels per filter, respectively. Let us now assume a noise tensor \(\nu _l\) having the same dimension as that of the weights. The SPNI weights are generated via the following equation:
(7) \(\begin{align} \tilde{\theta }^i_l = {f_{SPNI}}(\theta ^i_l) = \theta ^i_l + m^i_l \cdot \eta ^i_l \cdot \nu ^i_l; \quad \nu ^i_l \sim N(0, (\sigma ^i_l)^2), \end{align}\) where \(\theta ^i_l\) and \(\nu ^i_l\) are elements of the noise-free weight and noise tensors, respectively, with \(m^i_l\) as the binary mask value for the scalar weight of layer \(l\) at the \(i^{th}\) epoch. Note that in our network rewiring-based sparse-learning scheme, the \(m^i_l\) value may change from epoch to epoch based on the significance of a layer weight. \(\eta ^i_l\) is a trainable noise scaling factor that controls the strength of the additive noise, and its simple gradient-based update is given by
(8) \(\begin{align} \eta ^{i+1}_l = \eta ^{i}_l - \varrho \cdot \frac{\partial \mathcal {L}}{\partial \eta ^i_l}, \end{align}\) where
(9) \(\begin{align} \frac{\partial \mathcal {L}}{\partial \eta ^i_l} = \sum \frac{\partial \mathcal {L}}{\partial {f_{SPNI}}(\theta ^i_l)} \frac{\partial {f_{SPNI}}(\theta ^i_l)}{\partial \eta ^i_l} \end{align}\) and \(\varrho\) is the learning rate. We initialize \(\eta _l = 0.25\) and use no weight decay for this learnable parameter, following the recommendation of [19].
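The following added NumPy example (not the paper's code) shows the SPNI weight generation of Equation (7) on a constructed conv-layer tensor of shape \(M \times N \times h \times w\), and the noise-scale update of Equations (8) and (9). The point it makes explicit is that the mask multiplies the noise as well as the weights, so pruned positions remain exactly zero and the sparsity target survives the regularization. Choices not fixed by the text and assumed here: one scaling factor \(\eta\) per input channel (the layout of Section 4.1.2), \(\sigma\) set to the standard deviation of the surviving weights, and a constructed array standing in for the back-propagated \(\partial \mathcal{L} / \partial \tilde{\theta}\).

```python
import numpy as np

# Added example of the sparse parametric noise injection of Equation (7) and the
# eta update of Equations (8)-(9). Shapes follow Section 3.3: theta_l is (M, N, h, w).
# Assumptions of this example (not stated in the paper): per-channel eta, sigma
# equal to the std of the surviving weights, and a constructed upstream gradient.


def spni_weights(theta, mask, eta, sigma, rng):
    """Equation (7): theta~ = theta ⊙ m + m ⊙ eta ⊙ nu with nu ~ N(0, sigma^2).

    Masking the noise as well as the weights keeps the pruned positions exactly
    zero, so the sparsity target is preserved. Returns (theta~, nu); nu is kept
    because the eta gradient in Equation (9) needs it."""
    _, N, _, _ = theta.shape
    nu = sigma * rng.standard_normal(theta.shape)
    eta_b = eta.reshape(1, N, 1, 1)                  # broadcast the per-channel scale
    return theta * mask + mask * eta_b * nu, nu


def eta_gradient(dL_dtheta_tilde, mask, nu):
    """Equation (9): dL/deta_c = sum over channel c of dL/dtheta~_i * d theta~_i / d eta,
    where d theta~_i / d eta = m_i * nu_i for every element i of that channel."""
    return np.sum(dL_dtheta_tilde * mask * nu, axis=(0, 2, 3))


def eta_update(eta, grad, varrho):
    """Equation (8): plain gradient step with learning rate varrho and no weight decay on eta."""
    return eta - varrho * grad


def demo(seed=0):
    rng = np.random.default_rng(seed)
    M, N, h, w = 4, 3, 3, 3
    theta = rng.standard_normal((M, N, h, w))                   # constructed layer
    mask = (rng.uniform(size=theta.shape) < 0.3).astype(float)  # roughly 70% pruned
    eta = np.full(N, 0.25)                                      # initialisation of Section 3.3
    sigma = float(theta[mask == 1].std())                       # assumed noise std
    theta_tilde, nu = spni_weights(theta, mask, eta, sigma, rng)
    g_tilde = rng.standard_normal(theta.shape)                  # constructed dL/dtheta~
    grad_eta = eta_gradient(g_tilde, mask, nu)
    eta_next = eta_update(eta, grad_eta, varrho=0.1)
    manual = [float(np.sum(g_tilde[:, c] * mask[:, c] * nu[:, c])) for c in range(N)]
    return {
        "pruned_stay_zero": bool(np.all(theta_tilde[mask == 0] == 0.0)),
        "nonzeros_unchanged": int(np.count_nonzero(theta_tilde)) == int(mask.sum()),
        "noise_applied": bool(np.all(theta_tilde[mask == 1] != theta[mask == 1])),
        "grad_matches_manual": bool(np.allclose(grad_eta, manual)),
        "eta_changed": bool(np.all(eta_next != eta)),
        "n_channels": int(eta_next.shape[0]),
    }
```

A practical check when adding noise to a pruned model is exactly the `nonzeros_unchanged` flag: if the noise is not masked, every formerly pruned weight becomes a small non-zero value and the reported compression ratio is no longer honest.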
Fig. 3. Simplified diagram of pruned weight generation policy in (a) DNR and (b) DNR++. In particular, for DNR++, we evaluate a \({\it pruned noise}\) tensor for a corresponding \({\it pruned weight}\) tensor and add them to finally generate the \({\it pruned noisy weight}\) tensor.
3.4 FDNR++: A Single-shot Training Extension of DNR++
Excessive training time and compute costs are well-known issues of adversarial training. This is primarily due to the fact that internally the training performs two tasks in different back-propagation instances: (1) trainable weight updates via gradient-based back-propagation and (2) iterative perturbation updates via back-propagating the gradient of the loss with respect to the pixel values. Thus, despite our proposed DNR and DNR++ being non-iterative, we cannot call these methods “single shot,” as multiple iterative back-propagation passes are necessary to create strong perturbed images via the PGD attack. Thus, to achieve the goal of a fast single-shot robust model pruning method, we incorporate the idea of merging these two tasks [49]. In particular, during the perturbation generation of an image batch, we allow the weight gradients to update the weights with an associated mask value of 1. The details of our proposed fast DNR++ (FDNR++) are presented in Algorithm 2. Interestingly, in FDNR++ we do not have a separate adversarial loss component, because we consider the perturbed variants of an image batch as a separate sub-batch and update the weights based on the loss computed from each sub-batch (Algorithm 2). The number of sub-batches for a batch is a hyperparameter and is determined by the value \(numSteps\) (Algorithm 2). The sub-batch perturbation grows stronger with increasing \(numSteps\). Note that the primary goal of FDNR++ is to show the feasibility of a “truly” single-shot robust compression framework, which has been largely missing in the literature. DNR++ can be easily adapted to other recently proposed techniques [52] to reduce adversarial training complexity as well.
3.5 Support for Channel Pruning
We first convert the 4D weight tensor \({\theta }_l\) to a 2D weight matrix with \(M\) rows and \(N \times h \times w\) columns. We then partition this matrix into \(N\) sub-matrices of \(M\) rows and \(h \times w\) columns, one for each channel. To compute the importance of a channel \(c\), we find the Frobenius norm (F-norm) of the corresponding sub-matrix, thus effectively computing \(O_l^c = \Vert {\theta }_l^{:,c,:,:} \Vert ^{2}_F\). Based on the fraction of non-zero weights that need to be rewired during an epoch \(i\), denoted by the pruning rate \(p_i\), we compute the number of channels that must be pruned from each layer, \({c}^{p_i}_l\), and prune the \({c}^{p_i}_l\) channels with the lowest F-norms. We then compute each layer’s importance based on the normalized momentum contributed by its non-zero channels. These importance measures are used to determine the number of zero-F-norm channels \(r_l^i \ge 0\) that should be re-grown for each layer \(l\). More precisely, we re-grow the \(r_l^i\) zero-F-norm channels with the highest Frobenius norms of their momentum. Note that the iterative prune-and-regrow strategy of DNR enables the model’s sparse weight tensors to evolve during training.
We note that this approach can easily be extended to enable various other forms of structured pruning. Moreover, despite supporting pruning of both convolution and linear layers, this article focuses on reducing the computational complexity of a DNN. We thus experiment with pruning only convolutional layers because they dominate the computational complexity [26]. Figure 4 shows an illustrative example of key differentiating factors between irregular and structured pruning at the convolutional layer level. The detailed pseudo-code of the proposed training framework is shown in Algorithm 1.
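As an added illustration of the per-epoch channel rewiring just described (example code, not the paper's Algorithm 1), the block below computes the per-channel F-norms \(O_l^c\), prunes the lowest-norm live channels of each layer, redistributes the freed channel budget across layers by normalized momentum, and re-grows the zero-F-norm channels with the largest momentum F-norm, on two constructed layers. Three details the text leaves open are assumptions here: \(c^{p_i}_l\) is taken as \(\lfloor p_i \times \text{(live channels)} \rfloor\), a layer's importance is its mean momentum magnitude over live channels normalized across layers (as in [6]), and re-grown channels start from zero weights and are tracked through a channel mask.

```python
import numpy as np

# Added example of the channel-level prune-and-regrow step of Section 3.5 on
# constructed (M, N, h, w) tensors; it is not the paper's code. Assumptions made
# here and not fixed by the text: c^{p_i}_l = floor(p_i * live channels), layer
# importance = mean |momentum| over live channels (normalised across layers, as in
# [6]), and re-grown channels start at zero weight but are marked active in a mask.


def channel_norms(theta):
    """O_l^c = ||theta_l[:, c, :, :]||_F^2 for each of the N channels of a (M, N, h, w) tensor."""
    return np.sum(theta ** 2, axis=(0, 2, 3))


def prune_lowest_channels(theta, n_prune):
    """Zero the n_prune live channels with the smallest F-norm; return (new tensor, pruned indices)."""
    norms = channel_norms(theta)
    live = np.flatnonzero(norms > 0)
    victims = live[np.argsort(norms[live], kind="stable")[:n_prune]]
    pruned = theta.copy()
    pruned[:, victims, :, :] = 0.0
    return pruned, victims


def layer_importance(theta, momentum):
    """Mean momentum magnitude contributed by the layer's non-zero channels (before normalisation)."""
    live = channel_norms(theta) > 0
    return float(np.mean(np.abs(momentum[:, live, :, :]))) if live.any() else 0.0


def regrow_channels(theta, momentum, n_regrow):
    """Indices of up to n_regrow zero-F-norm channels with the largest momentum F-norm."""
    dead = np.flatnonzero(channel_norms(theta) == 0)
    mom_norms = channel_norms(momentum)             # F-norm^2 of the momentum per channel
    return dead[np.argsort(-mom_norms[dead], kind="stable")[:n_regrow]]


def rewire_channels(layers, momenta, p_i):
    """One epoch of channel rewiring over all layers.

    layers, momenta: lists of (M, N, h, w) arrays. Returns (pruned_layers, channel_masks);
    channel_masks[l][c] == 1 marks channel c of layer l active (non-zero, or re-grown at zero)."""
    pruned_layers, removed_total = [], 0
    for theta in layers:                            # step 1: prune c^{p_i}_l lowest-norm channels per layer
        n_live = int(np.sum(channel_norms(theta) > 0))
        pruned, victims = prune_lowest_channels(theta, int(p_i * n_live))
        pruned_layers.append(pruned)
        removed_total += len(victims)
    # step 2: normalised momentum decides how many channels each layer gets back (r_l^i)
    imp = np.array([layer_importance(t, m) for t, m in zip(pruned_layers, momenta)])
    share = imp / imp.sum() if imp.sum() > 0 else np.full(len(layers), 1.0 / len(layers))
    budget = np.floor(share * removed_total).astype(int)
    budget[np.argmax(share)] += removed_total - budget.sum()   # rounding residue to the top layer
    masks = []
    for theta, mom, r in zip(pruned_layers, momenta, budget):  # step 3: re-grow by momentum F-norm
        mask = (channel_norms(theta) > 0).astype(int)
        mask[regrow_channels(theta, mom, int(r))] = 1
        masks.append(mask)
    return pruned_layers, masks


def demo():
    """Two constructed layers with M=2, N=4, h=w=2; channel 3 of each layer starts out dead."""
    theta_a = np.zeros((2, 4, 2, 2)); theta_a[:, 0] = 0.1; theta_a[:, 1] = 1.0; theta_a[:, 2] = 0.5
    mom_a = np.zeros_like(theta_a); mom_a[:, 0] = 0.1; mom_a[:, 1] = 0.3; mom_a[:, 2] = 0.3; mom_a[:, 3] = 2.0
    theta_b = np.zeros((2, 4, 2, 2)); theta_b[:, 0] = 1.0; theta_b[:, 1] = 0.2; theta_b[:, 2] = 0.7
    mom_b = np.full_like(theta_b, 0.3); mom_b[:, 3] = 0.4
    new_layers, masks = rewire_channels([theta_a, theta_b], [mom_a, mom_b], p_i=0.5)
    return {
        "masks": [m.tolist() for m in masks],
        "a_ch0_pruned": bool(np.all(new_layers[0][:, 0] == 0.0)),
        "b_ch1_pruned": bool(np.all(new_layers[1][:, 1] == 0.0)),
        "active_total": int(sum(int(m.sum()) for m in masks)),
    }
```

In the constructed case each layer loses its weakest channel (channel 0 of layer A, channel 1 of layer B), the two freed slots are split evenly because both layers carry the same mean momentum, and each layer re-grows the dead channel whose momentum is largest (channel 3 in both), so the total number of active channels is unchanged at six while the set of active channels has moved, which is the "evolving sparse tensor" behaviour the section describes.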
The sensitivities of DNN layers to clean and perturbed images are not necessarily equal, and thus determining layer pruning ratios for robust models is particularly challenging.
As exemplified in Figure 2(b), for \(x = 95\%\) there is a significant difference in the sensitivity of the layers for clean and perturbed image classification. DNR, on the contrary, automatically finds per-layer pruning ratios (overlaid as pruning sensitivity as in [7]) that serve well for both types of image classification while targeting a global pruning of \(95\%\).
Fig. 4. Illustrative example of (a) irregular and (b) structured channel pruning for a CONV layer \(l\) parameterized by \(\theta _l\) . Here each element \(\theta _l^{mn}\) of the tensor \(\theta _l\) is a tensor of \(h \times w\) scalar weights.
4 EXPERIMENTS
In this section, we first describe the experimental setup we used to evaluate the effectiveness of the proposed robust training methods. We evaluate the results under both white-box and black-box attack scenarios, comparing our method against other SOTA robust pruning techniques based on ADMM [54] and \(L_1\) lasso [43]. Based on the model performances on adversarially generated images, we further provide a detailed analysis and present an RPMI-based robustness improvement strategy for safety-critical applications with a limited compute budget. We then present a thorough evaluation of the improved robustness under the lens of gradient obfuscation analysis. We also evaluate the merit of DNR as a clean-image pruning scheme and show that it consistently outperforms contemporary non-iterative model pruning techniques [6, 7, 17, 33]. We finally present an ablation study to empirically evaluate the importance of the dynamic regularizer in DNR’s loss function. We used PyTorch [42] to write the models and trained/tested on an NVIDIA RTX 2080 Ti GPU.5
4.1 Experimental Setup
4.1.1 Models and Datasets.
We selected three widely used datasets, CIFAR-10 [23], CIFAR-100 [23], and Tiny-ImageNet [15], and picked two well-known CNN models, VGG16 [50] and ResNet18 [16], to evaluate the performance of the disclosed training methods. Both the CIFAR-10 and CIFAR-100 datasets have 50K training samples and 10K test samples with an input image size of 32 \(\times\) 32 \(\times\) 3. The training and test set sizes for Tiny-ImageNet are 100K and 10K, respectively, where each image is of size 64 \(\times\) 64 \(\times\) 3. For all the datasets we used standard data augmentations (horizontal flip and random crop with reflective padding) to train the models with a batch size of 128.
4.1.2 Adversarial Attack, DNR, DNR++, and FDNR++ Training Settings.
Unless stated otherwise, for both PGD-based perturbation and the perturbation used in FDNR++, we set the attack bound \(\epsilon\) to \(8/255\). For the PGD-based attack, the attack step size \(\alpha\) and the number of attack iterations \(k\) were kept at 0.01 and 7, respectively, the same values as in [19]. For FGSM, we chose the same \(\epsilon\) value as above.
We performed DNR- and DNR++-based training for 240/240/120 epochs for CIFAR-10/CIFAR-100/Tiny-ImageNet, with a starting learning rate of 0.1, a momentum value of 0.9, and a weight decay value of \(5 \times 10^{-4}\). For CIFAR-10 and CIFAR-100, the learning rate (LR) was reduced by a factor of 0.2 after 80, 120, and 160 epochs. For Tiny-ImageNet we reduced the LR value after 40, 60, and 80 epochs. In addition, we hand-tuned \(\rho\) to \(10^{-4}\) and set the pruning rate \(p=0.5\). We linearly decreased the pruning rate every epoch by \(\frac{p}{\text{total epochs}}\). Finally, to balance between the clean and adversarial loss, we set \(\beta\) to 0.5 in the DNR and DNR++ training experiments. Lastly, note that we performed warm-up sparse learning [6] for the first five epochs with only the clean image loss function before using the hybrid loss function with dynamic regularization (see Equation (6)) for robust compression for the remaining epochs.
For the scaled sparse noisy tensor-based regularization technique in DNR++, at channel number \(c\) of layer \(l\), we define a trainable noise scaling factor \(\eta _{l_c}\). Thus, the noise scaling tensor for a convolutional layer \(l\) with \(N\) channels is given by \(\eta _l\) = [\(\eta _{l_0}\), \(\eta _{l_1},\ldots , \eta _{l_N}\)], and we follow the recommendation of [19] to initialize each element to 0.25.
For FDNR++, we set the \(numSteps\) value to 4, meaning that during every epoch each image batch is repeated four times to present perturbed image variants to the model. Hence, to not incur any additional training time cost, we reduce the total \(numEpochs\) by a factor of 4. Thus, the effective epoch count for CIFAR-10/CIFAR-100/Tiny-ImageNet becomes 60/60/30.
4.2 Results for White-box Attack
Definition (Compression Ratio). We define the model compression ratio as \(1/d\), where \(d\) represents the target global parameter density of the model. Hence, compression ratio\(^{-1}\) is the same as the parameter density of the pruned model.
As shown in Figures 5(a), 5(b), 5(d), and 5(e), for various white-box attack-generated images, DNR can effectively find a robust model with high compression ratio and negligible compromise in accuracy. In particular, for irregular pruning, our method can compress up to \(\mathord {\sim }20\times\) with a negligible drop in accuracy on clean as well as PGD- and FGSM-based perturbed images, compared to the baseline non-pruned models, tested with VGG16 on CIFAR-10 and ResNet18 on CIFAR-100.6
Figures 6(a), 6(b), 6(d), and 6(e) show the performance of DNR++ trained VGG16 and ResNet18 on CIFAR-10 and CIFAR-100, respectively, under various pruning schemes. Interestingly, the robustness improvement achieved via DNR++ is valid even at ultra high model compression of \(100\times\). For example, at \(d=0.05\) (irregular), the improved robustness against PGD white-box attack for VGG16 on CIFAR-10 is \(52.48\%\) with DNR++, which is \(9.23\%\) more than that achievable through DNR. Similarly, Figures 7(a), 7(b), 7(d), and 7(e) show the accuracy vs. compression ratio\(^{-1}\) plots for models trained through FDNR++. FDNR++ consistently outperforms DNR by providing improved robustness against FGSM and PGD white-box attack-generated images. From these results it is clear that our proposed class of robust training methods based on the proposed hybrid loss and rewiring method can indeed find a robust DNN model even at ultra-high compression ratios.
As the target compression ratio increases, channel pruning degrades adversarial robustness more significantly than irregular pruning.
Fig. 5. DNR: Model compression vs. accuracy (on both clean and adversarially generated images) for irregular and channel pruning evaluated with VGG16 on CIFAR-10 ((a) and (b), respectively) and ResNet18 on CIFAR-100 ((d) and (e), respectively). (c) and (f) show the percentage of effective non-zero channels present for channel and irregular pruned models at different values of target parameter density, for VGG16 and ResNet18, respectively.
Fig. 6. DNR++: Model compression vs. accuracy (on both clean and adversarially generated images) for irregular and channel pruning evaluated with VGG16 on CIFAR-10 ((a) and (b), respectively) and ResNet18 on CIFAR-100 ((d) and (e), respectively). (c) and (f) show the percentage of effective non-zero channels present for channel and irregular pruned models at different values of target parameter density, for VGG16 and ResNet18, respectively.
Fig. 7. FDNR++: Model compression vs. accuracy (on both clean and adversarially generated images) for irregular and channel pruning evaluated with VGG16 on CIFAR-10 ((a) and (b), respectively) and ResNet18 on CIFAR-100 ((d) and (e), respectively). (c) and (f) show the percentage of effective non-zero channels present for channel and irregular pruned models at different values of target parameter density, for VGG16 and ResNet18, respectively.
As we can consistently see in Figures 5, 6, and 7(b)–7(e), the achievable model compression with negligible accuracy loss for structured (channel) pruned models is \(\mathord {\sim }10\times\) lower than that achievable through irregular pruning. This trend is similar to that of the models' performance on clean images. However, as we can also see in Figures 5, 6, 7(c), and 7(f), the percentage of channels present in the channel-pruned models can be up to \(\mathord {\sim }10\times\) lower than in the irregularly pruned counterparts, implying the potential for a similarly large speedup in inference time on a large range of compute platforms [6, 39].
Results on Tiny-ImageNet: As shown in Table 2, DNR can compress the model up to \(11.26\times\) without any compromise in performance for both clean and perturbed image classification. For DNR++, the robustness improves by up to \(3.87\%\) in absolute scale, with similar clean image classification performance, under similar compression. For channel-pruned models, DNR++ can improve adversarial classification performance by \(3.15\%\) over that achievable through DNR with a reduced effective channel presence of only \(\mathord {\sim }60\%\). A similar trend is observed for FDNR++ but not included in the article for the sake of brevity.
Table 2. Results on VGG16 to Classify Tiny-ImageNet
4.3 Results for Black-box Attack
Table 3 shows the performance details of the models generated via DNR, DNR++, and FDNR++ under various black-box adversarial attack scenarios. In particular, similar to the trend of the white-box attack scenario, DNR++ provides the best-performing black-box robust models. Here, to generate black-box attacks we used attacker models of the same architecture as, but of different target density than, the victim model.\(^7\)
4.4 DNR vs. DNR++ vs. FDNR++
This subsection provides an empirical performance comparison of DNR, DNR++, and FDNR++. Figures 8(a) and 8(b) show the accuracy comparison among the proposed methods on clean and PGD-generated perturbed images, respectively. In particular, DNR++ performs better than both DNR and FDNR++ on the strongly perturbed images, with similar performance on clean images. FDNR++, on the other hand, performs better than DNR on perturbed images, with negligible performance drops on clean images. Finally, Figure 8(c) demonstrates the superiority of FDNR++ in terms of improved training speed of \(\mathord {\sim }6\times\) compared to the other two methods. These results indeed show FDNR++ to be a low-cost training alternative to DNR++. Note, however, that FDNR++ generally yields models that are less robust than those obtained through DNR++. For example, on PGD-generated adversarial CIFAR-10 test images, FDNR++ generates a pruned VGG16 with classification performance of \(61.09\%\), which is significantly lower than the \(65.85\%\) performance of the DNR++ generated model.
Table 3. Results for Black-box Attack-generated Images on VGG16 and ResNet18
Fig. 8. Comparison of performance between DNR, DNR++, and FDNR++ on (a) clean and (b) adversarial image generated via PGD attack evaluated on CIFAR-10 with VGG16. (c) shows the normalized training time required to yield robust compressed models for VGG16 (on CIFAR-10) and ResNet18 (on CIFAR-100).
4.5 Comparison with SOTA
We now compare the performance of DNR, DNR++, and FDNR++ with ADMM- [54], \(L_1\) lasso-, and RSR-based [43] robust pruning. For ADMM-based robust pruning, we followed a three-stage compression technique, namely pre-training, ADMM-based pruning, and masked retraining, performing pruning for 30 epochs with \(\rho _{admm} = 10^{-3}\) as described in [54]. \(L_1\) lasso-based pruning adds a \(L_1\) regularizer to its loss function to penalize the weight magnitudes, where the regularizer coefficient determines the penalty factor. RSR improved the performance of \(L_1\) lasso by proposing a robust regularizing noise. Table 4 shows that our proposed DNR++ method outperforms both ADMM- and \(L_1\) lasso-based approaches by a considerable margin, retaining advantages of both worlds. In particular, compared to ADMM, with the VGG16 (ResNet18) model on CIFAR-10, DNR++ provides up to \(11.86\%\) (\(7.49\%\)) increased classification accuracy on perturbed images with \(1.24\times\) (\(1.44\times\)) higher compression. Compared to \(L_1\) lasso, we achieve \(10.38\times\) (\(3.15\times\)) higher compression and up to \(10.47\%\) (\(7.26\%\)) and \(3.56\%\) (\(2.05\%\)) increased accuracy on perturbed and clean images, respectively, for VGG16 (ResNet18) on CIFAR-10 classification. Finally, compared to RSR, DNR++ provides up to \(5.91\%\) higher performance on perturbed images with up to \(\mathord {\sim }10\times\) better compression.
Naively tuned per-layer pruning ratio degrades both robustness and clean-image classification performance of a model.
For this, we evaluated robust compression using naive ADMM, i.e., using a naively tuned per-layer pruning ratio (all but the first layer pruned by \(\mathord {\sim }x\%\) for an \(x\%\) total pruning ratio). As shown in Table 4, this clearly degrades the performance, implying that layer-wise parameter density tuning is necessary for ADMM to perform well.
| Model | Method | No Pre-trained Model | Per-layer Pruning Ratio Knowledge Not Needed | Target Pruning Met | Pruning Type | Compression Ratio | Accuracy (%) Clean | Accuracy (%) FGSM | Accuracy (%) PGD |
|---|---|---|---|---|---|---|---|---|---|
| VGG16 | ADMM [54] | \(\times\) | \(\times\) | \(\checkmark\) | Irregular | \(16.78\times\) | 86.34 | 49.52 | 40.62 |
| | ADMM naive | \(\times\) | \(\checkmark\) | \(\checkmark\) | | \(19.74\times\) | 83.87 | 42.46 | 32.87 |
| | \(L_1\) Lasso [43] | \(\checkmark\) | \(\checkmark\) | \(\times\) | | \({\it 2.01}\times\) | \({\it 83.24}\) | \({\it 50.32}\) | \({\it 42.01}\) |
| | RSR [43] | \(\checkmark\) | \(\checkmark\) | \(\times\) | | \({\it 2.17}\times\) | \({\it 83.02}\) | \({\it 54.16}\) | \({\it 47.7}\) |
| | DNR | \(\checkmark\) | \(\checkmark\) | \(\checkmark\) | | \(20.85\times\) | 86.74 | 52.92 | 43.21 |
| | DNR++ | \(\checkmark\) | \(\checkmark\) | \(\checkmark\) | | \({\bf 20.92}\times\) | \({\bf 86.8}\) | \({\bf 60.07}\) | \({\bf 52.48}\) |
| | FDNR++ | \(\checkmark\) | \(\checkmark\) | \(\checkmark\) | | \(20.8\times\) | 84.32 | 57.7 | 51.7 |
| ResNet18 | ADMM [54] | \(\times\) | \(\times\) | \(\checkmark\) | Irregular | \(14.6\times\) | 87.15 | 54.65 | 46.57 |
| | ADMM naive | \(\times\) | \(\checkmark\) | \(\checkmark\) | | \(19.74\times\) | 86.10 | 50.49 | 42.24 |
| | \(L_1\) Lasso [43] | \(\checkmark\) | \(\checkmark\) | \(\times\) | | \({\it 6.84}\times\) | \({\it 85.92}\) | \({\it 55.20}\) | \({\it 46.80}\) |
| | RSR [43] | \(\checkmark\) | \(\checkmark\) | \(\times\) | | \({\it 6.83}\times\) | \({\it 86.79}\) | \({\it 60.35}\) | \({\it 53.03}\) |
| | DNR | \(\checkmark\) | \(\checkmark\) | \(\checkmark\) | | \({\bf 21.57}\times\) | 87.32 | 55.13 | 47.35 |
| | DNR++ | \(\checkmark\) | \(\checkmark\) | \(\checkmark\) | | \(21.1\times\) | \({\bf 87.97}\) | \({\bf 61.14}\) | \({\bf 54.06}\) |
| | FDNR++ | \(\checkmark\) | \(\checkmark\) | \(\checkmark\) | | \(21.1\times\) | 85.53 | 56.93 | 50.58 |
Romanized numbers in the table are results of our experiments, and italicized values are directly taken from the respective original papers.
Table 4. Comparison of Our Dynamic Rewiring-based Methods with ADMM-, \(L_1\) Lasso-, and RSR-Based Robust Pruning Schemes on CIFAR-10
Fig. 9. FDNR++: Model performance under attacks from attacker models trained with different seeds and having the same model architecture as the victim models. (a) and (b) show performance on FGSM- and PGD-generated images, respectively, when both attacker and victim have \(d = 0.1\), and (c) and (d) show the respective performance when \(d = 0.05\). Note that the \(x\) and \(y\) directions signify the seeds of the victim model and attacker model, respectively. We used ResNet18 on CIFAR-100 to conduct these experiments.
Fig. 10. FDNR++: Model performance under attacks from attacker models of various target density for (a) FGSM- and (b) PGD-generated adversarial images. Similar trend is observed for DNR and DNR++ as well. We used a fixed seed value to train ResNet18 on CIFAR-100 to conduct these experiments.
Fig. 11. FDNR++: Weight histogram plot (of non-zero weights only) of the 4th CONV layer of ResNet18 for CIFAR-100 for models trained with different seeds (\(s_0\) and \(s_1\)) to meet various target densities.
4.6 Random Pruned Model Selection for Inference (RPMI)
Consider the set of possible models used to create adversarial images. These models should, in general, have the same architecture and similar clean-image accuracy as the victim model. However, they could have varying parameter densities and be generated using different random seeds. Interestingly, the strength of adversarial images on the victim model that are generated from models of the same density but different seeds is similar to images generated from models with varying densities.
Figures 9(a) to 9(d) show the performance of a model on perturbed images generated from a different model of the same architecture and the same density trained with different seeds. The diagonal elements from the right represent a white-box attack because the seed is the same for both the attacker and the victim models, and thus show lower classification accuracy on perturbed images. The performance of the victim model improves significantly when the attacker model is trained with a different seed. As observed above, we see similar performance improvements when the target densities are changed, comparing the non-right-diagonal values of Figure 9 to those of Figure 10. Interestingly, as depicted in Figure 11, the distributions of the weights of two models of the same \(d\) trained with different seeds are largely similar, despite one being able to largely act as a black box to the other.
Based on this observation, we propose a simple enhancement of our method to significantly improve model robustness. First, we choose a set of adversarially trained candidate models to have the same target density to ensure optimal performance of the underlying hardware, in case it was optimized for a specific target density. In particular, we propose to create a library of adversarially trained models compressed to a density similar to the victim but trained with different seeds, and randomly choose models from that library to perform inference on specific input image batches.
Intuitively, this RPMI, detailed in Algorithm 3, makes the attacker’s task difficult in two respects: (1) it must collect model information of all candidate models, and (2) it must predict the sequence of models to determine which model to be used for inference for a specific image batch. This is particularly important because, even with the knowledge of all candidate models, the attacker may still fail to create a white-box attack because it fails to guess the specific sequence of random models. To evaluate the efficacy of the proposed RPMI method, we took two candidate models \(g_{\theta _0}\) and \(g_{\theta _1}\) in the model pool each with target density \(d = 0.1\) but trained with two different seeds \(s_0\) and \(s_1\), respectively. We assume the attacker has knowledge of one of the models \(g_{\theta _1}\). Figure 12 shows that, as we increase the probability of selecting \(g_{\theta _0}\) (which acts as a black box to the attacker) in the random model sampling of RPMI, the accuracy on adversarially perturbed images improves. The baseline plots are the performance of the victim model under a white-box attack.
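The selection step of RPMI, as an added example that is not the paper's Algorithm 3 or its released code: a pool of same-density candidate models is sampled per batch from an unpredictable randomness source, which matters because the defence assumes the selector stays hidden from the attacker (footnote 2); the two stand-in models, the selection probabilities, and the accuracy numbers are constructed for illustration.

```python
"""Random Pruned Model selection for Inference (RPMI), Sec. 4.6.

Added example, not the paper's Algorithm 3 or released code. A pool holds
candidate models of the same architecture and target density d but trained
with different seeds; one is drawn per input batch from an unpredictable
randomness source. All accuracies used below are constructed.
"""
import secrets
from typing import Callable, List, Sequence

Model = Callable[[list], list]  # any callable mapping an image batch to predictions


class RPMIPool:
    def __init__(self, models: Sequence[Model], probs: Sequence[float]):
        if len(models) != len(probs) or abs(sum(probs) - 1.0) > 1e-9:
            raise ValueError("one probability per model, summing to 1")
        self.models = list(models)
        self.probs = list(probs)
        # SystemRandom draws from the OS entropy pool and cannot be seeded, so an
        # attacker who knows every model still cannot replay the selection sequence.
        self._rng = secrets.SystemRandom()

    def select(self) -> int:
        """Index of the candidate model that will serve the next batch."""
        return self._rng.choices(range(len(self.models)), weights=self.probs, k=1)[0]

    def predict(self, batch: list) -> list:
        return self.models[self.select()](batch)


def expected_perturbed_accuracy(p_unknown: float, acc_white_box: float,
                                acc_black_box: float) -> float:
    """Accuracy on adversarial batches crafted against one known pool member.

    Batches routed to the known member see the white-box accuracy; the rest see the
    black-box (transfer) accuracy. p_unknown is the probability of selecting a model
    the attacker does not know (g_theta0 in the text).
    """
    return p_unknown * acc_black_box + (1.0 - p_unknown) * acc_white_box


def simulate_rpmi(pool: RPMIPool, known_index: int, acc_white_box: float,
                  acc_black_box: float, n_batches: int) -> float:
    """Monte Carlo estimate of the same quantity by actually drawing a model per batch."""
    total = 0.0
    for _ in range(n_batches):
        total += acc_white_box if pool.select() == known_index else acc_black_box
    return total / n_batches


def make_pool(p_unknown: float) -> RPMIPool:
    """Two-model pool: index 0 = g_theta0 (black box to the attacker), index 1 = g_theta1 (known)."""
    g0 = lambda batch: ["g_theta0"] * len(batch)  # stand-ins for real classifiers (constructed)
    g1 = lambda batch: ["g_theta1"] * len(batch)
    return RPMIPool([g0, g1], [p_unknown, 1.0 - p_unknown])


if __name__ == "__main__":
    ACC_WB, ACC_BB = 47.0, 70.0  # constructed PGD accuracies: white-box vs transferred
    for p in (0.0, 0.25, 0.5, 0.75, 1.0):
        pool = make_pool(p)
        print(f"P(select g_theta0)={p:.2f}: expected "
              f"{expected_perturbed_accuracy(p, ACC_WB, ACC_BB):.1f}%, simulated "
              f"{simulate_rpmi(pool, 1, ACC_WB, ACC_BB, 4000):.1f}%")
```

The sweep over \(p\) reproduces the linear improvement in Figure 12 as the black-box member is selected more often; with a seedable generator in place of SystemRandom the sequence would be reproducible and the second obstacle in the text would vanish.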
Fig. 12. Performance of RPMI evaluated with ResNet18 on CIFAR-100. The density of the candidate models is \(d = 0.1\).
4.7 Estimate of Parameter Storage and Computation Cost of the Pruned Models
We now discuss the parameter storage and compute cost (FLOPs) of the pruned models. For an unpruned model, let \(\mathcal{P}_l\) be the number of parameters present in layer \(l\). With a homogeneous FP-32 representation, the total storage requirement (MB) of the model weights can be given by [31]
\[
M_{\it fp32} = 4 \left(\sum_{l=0}^{L-1} \frac{\mathcal{P}_l}{2^{20}}\right). \tag{10}
\]
For a pruned model, the parameter storage cost can be estimated as
\[
M^p_{\it fp32} = 4 \left(\sum_{l=0}^{L-1} \frac{\mathcal{P}_l}{2^{20}}\right) d, \tag{11}
\]
where \(d\) represents the parameter density of the model. Here, the estimated storage cost saving is directly proportional to the saving in non-zero weight count. Note, however, that this estimate ignores the cost of indexing the irregularly pruned models, which depends on the specifics of the compression technique applied.
The computation cost (FLOPs) of an unpruned convolutional layer \(l\) with parameter tensor \(\theta_l \in \mathbb{R}^{M \times N \times h \times w}\) that creates an output feature map of size \(H_o \times W_o \times M\) can be given by [26]
\[
F_l^{conv} = H_o W_o h w M N. \tag{12}
\]
For a linear layer \(l\) with node fan-in \(f_{in}\) and node fan-out \(f_{out}\), the FLOPs can be given by
\[
F_l^{lin} = f_{in} f_{out}. \tag{13}
\]
From the above equations, we can compute the FLOPs for a pruned \(L\)-layer model as
\[
F^{total} = \sum_{l=0}^{L-1} F_l\, d_l, \tag{14}
\]
where \(d_l\) is the parameter density of layer \(l\). Note that here we assume that the computation cost for zero-valued weights is saved through clock gating. Figure 13 compares per-layer FLOPs between unpruned and pruned ResNet18 models.
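Equations (10) to (14) carried through on a constructed toy network, as an added example that is not code from the paper or its released test scripts; the layer shapes, output feature-map sizes and per-layer densities are assumptions chosen for illustration, not the paper's VGG16 or ResNet18.

```python
"""Parameter-storage and FLOP estimates for a pruned model (Eqs. (10)-(14)).

Added example, not code from the paper or its released test scripts. The layer
list at the bottom is a constructed toy CIFAR-style network with made-up
per-layer densities d_l.
"""
from dataclasses import dataclass
from typing import Dict, List, Union


@dataclass
class Conv:
    """Conv layer with weight tensor theta_l in R^{M x N x h x w}."""
    m: int          # output channels M
    n: int          # input channels N
    h: int          # kernel height h
    w: int          # kernel width w
    h_out: int      # output feature-map height H_o
    w_out: int      # output feature-map width W_o
    density: float  # per-layer parameter density d_l (1.0 = unpruned)

    def params(self) -> int:
        return self.m * self.n * self.h * self.w

    def flops(self) -> int:
        # Eq. (12): F_l^conv = H_o * W_o * h * w * M * N
        return self.h_out * self.w_out * self.h * self.w * self.m * self.n


@dataclass
class Linear:
    """Fully connected layer with fan-in f_in and fan-out f_out."""
    f_in: int
    f_out: int
    density: float

    def params(self) -> int:
        return self.f_in * self.f_out

    def flops(self) -> int:
        # Eq. (13): F_l^lin = f_in * f_out
        return self.f_in * self.f_out


Layer = Union[Conv, Linear]


def global_density(layers: List[Layer]) -> float:
    """Global density d: non-zero weights over all weights (compression ratio = 1/d)."""
    total = sum(l.params() for l in layers)
    nonzero = sum(l.params() * l.density for l in layers)
    return nonzero / total


def storage_mb_fp32(layers: List[Layer], d: float = 1.0) -> float:
    """Eq. (10) with d = 1, Eq. (11) otherwise: 4 bytes per FP32 weight, in MB.

    As in the text, the index overhead of an irregular sparse format is ignored.
    """
    return 4 * sum(l.params() / 2**20 for l in layers) * d


def total_flops(layers: List[Layer], pruned: bool = True) -> float:
    """Eq. (14): sum over layers of F_l * d_l.

    Assumes MACs on zero-valued weights are skipped (e.g. by clock gating), as the
    text does; without that hardware support irregular sparsity saves no FLOPs.
    """
    return sum(l.flops() * (l.density if pruned else 1.0) for l in layers)


def summarize(layers: List[Layer]) -> Dict[str, float]:
    d = global_density(layers)
    dense_flops = total_flops(layers, pruned=False)
    sparse_flops = total_flops(layers, pruned=True)
    return {
        "global_density": d,
        "compression_ratio": 1.0 / d,
        "storage_mb_dense": storage_mb_fp32(layers),
        "storage_mb_pruned": storage_mb_fp32(layers, d),
        "flops_dense": dense_flops,
        "flops_pruned": sparse_flops,
        "flop_reduction": dense_flops / sparse_flops,
    }


# Constructed toy network (not from the paper): three 3x3 conv layers on a 32x32
# input with 2x2 pooling after each, then one classifier layer. The densities are
# made up but keep more non-zero weights in earlier layers, matching the trend the
# paper reports for DNR-found models.
TOY_LAYERS: List[Layer] = [
    Conv(m=64, n=3, h=3, w=3, h_out=32, w_out=32, density=0.5),
    Conv(m=128, n=64, h=3, w=3, h_out=16, w_out=16, density=0.1),
    Conv(m=256, n=128, h=3, w=3, h_out=8, w_out=8, density=0.05),
    Linear(f_in=256, f_out=10, density=0.2),
]

if __name__ == "__main__":
    for key, value in summarize(TOY_LAYERS).items():
        print(f"{key:>20}: {value:,.4f}")
```

Note that the FLOP reduction (about \(10.6\times\) here) differs from the storage compression ratio (about \(15.9\times\)), because FLOPs weight each layer's density by its feature-map size while storage weights it by its parameter count.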
Fig. 13. Per-layer FLOP comparison of an unpruned (\(d = 1.0\)) and an irregularly pruned ResNet18 model (\(d = 0.05\)) used to classify CIFAR-10. Here, \(Cn\) and \(Sm\) represent convolutional layer \(n\) and shortcut layer \(m\), respectively.
Table 5. Checklist Set of Tests for Characteristic Behaviors Caused by Obfuscated and Masked Gradients [2]
4.8 Gradient Obfuscation Analysis
We conducted the experiments listed in Table 5 to verify whether the improved robustness of the generated models comes from any approximation of the true gradient based on a single sample. In particular, the five experiments listed in the table were proposed in [2] and can identify potential gradient obfuscation. Note that here we say an attack performs worse than another when the classification performance on the attack-generated images is higher as opposed to the images generated through other attacks.
For all the models on all datasets, the one-step FGSM performs poorly compared to its iterative counterpart PGD as exemplified in Figures 5, 6, and 7. This certifies the success of Test (i). Table 3 shows that black-box attack-generated images yield weaker attack than the white-box counterpart, certifying the success of Test (ii). To conduct Tests (iii) and (iv) we analyzed the adversarial classification performance of ResNet18 on CIFAR-10 by increasing the attack bound \(\epsilon\). Figures 14(a) and 14(c) present the performances of the DNR-generated ResNet as a function of the PGD attack bound \(\epsilon\). In particular, we can see that for both irregular and channel-pruned models, the accuracy degrades as the \(\epsilon\) increases. Test (v) can fail if and only if gradient-based attacks cannot provide adversarial examples for the model to misclassify. It is clear from our extensive experiments that FGSM and PGD, both variants of gradient-based attacks, can largely fool the models despite our training.
We also evaluated the model performance with increased attack strength by increasing the number of iterations \(K\) of PGD (Figures 14(b) and 14(d)) and found that the model’s robustness decreases with increasing \(K\). Thus, based on these evaluations, we conclude that even if the models include obfuscated gradients, they are not primary sources of the robustness for the model generated by our training methods.
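The checklist of Section 4.8 as an evaluation over a completed robustness sweep, as an added example that is not code from the paper: each of the five tests, plus the PGD-iteration sweep, is encoded the way the text describes it, and a failed test is a warning sign to investigate; the tolerance `tol`, the threshold `min_drop`, and every accuracy number below are constructed assumptions, not the paper's measurements.

```python
"""Checklist for signs of obfuscated or masked gradients (Sec. 4.8, Table 5).

Added example, not code from the paper. It encodes the five tests as the text
describes them, plus the extra PGD-iteration sweep, as checks over a completed
robustness evaluation. A failed check is a sign that apparent robustness may
come from gradient masking rather than from a genuinely robust model. All
accuracy numbers below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class RobustnessSweep:
    clean_acc: float                        # accuracy on clean test images (%)
    fgsm_acc: float                         # accuracy under white-box one-step FGSM (%)
    pgd_acc: float                          # accuracy under white-box iterative PGD (%)
    blackbox_pgd_acc: float                 # accuracy under PGD transferred from another model (%)
    acc_vs_eps: List[Tuple[float, float]]   # (PGD bound eps, accuracy)
    acc_vs_k: List[Tuple[int, float]]       # (PGD iterations K, accuracy)


def _degrades(points: List[Tuple[float, float]], tol: float) -> bool:
    """True if accuracy never rises by more than tol between consecutive sweep points
    and ends strictly below where it started. tol absorbs evaluation noise (assumed)."""
    accs = [acc for _, acc in sorted(points)]
    steps_ok = all(nxt <= cur + tol for cur, nxt in zip(accs, accs[1:]))
    return steps_ok and accs[-1] < accs[0]


def check_obfuscation(s: RobustnessSweep, min_drop: float = 10.0,
                      tol: float = 0.5) -> Dict[str, bool]:
    """Each checklist test as True (passed, no sign of masking) or False.

    min_drop (assumed) is the smallest clean-to-PGD accuracy drop accepted as proof
    that gradient-based attacks do find adversarial examples (Test (v)).
    """
    return {
        # (i) the one-step attack must not be stronger than its iterative counterpart
        "i_iterative_stronger_than_one_step": s.pgd_acc <= s.fgsm_acc,
        # (ii) the black-box transfer attack must not be stronger than the white-box one
        "ii_black_box_weaker_than_white_box": s.blackbox_pgd_acc >= s.pgd_acc,
        # (iii)/(iv) accuracy keeps falling as the attack bound grows
        "iii_iv_accuracy_degrades_with_eps": _degrades(s.acc_vs_eps, tol),
        # (v) gradient-based attacks actually produce misclassified examples
        "v_gradient_attacks_find_adversarial_examples": s.clean_acc - s.pgd_acc >= min_drop,
        # extra evaluation from the text: more PGD iterations must not help the model
        "extra_accuracy_degrades_with_k": _degrades(s.acc_vs_k, tol),
    }


def masking_signs(s: RobustnessSweep) -> List[str]:
    """Names of the failed tests, i.e. the warning signs to investigate."""
    return [name for name, ok in check_obfuscation(s).items() if not ok]


# Constructed sweeps. HEALTHY mimics the behaviour the paper reports: FGSM weaker
# than PGD, black-box weaker than white-box, monotone decay with eps and with K.
HEALTHY = RobustnessSweep(
    clean_acc=87.0, fgsm_acc=55.0, pgd_acc=47.0, blackbox_pgd_acc=70.0,
    acc_vs_eps=[(2 / 255, 70.0), (4 / 255, 58.0), (8 / 255, 47.0), (16 / 255, 20.0), (32 / 255, 3.0)],
    acc_vs_k=[(1, 55.0), (5, 50.0), (10, 48.0), (20, 47.0), (50, 46.5)],
)
# SUSPICIOUS shows two classic masking symptoms: the one-step attack beats the
# iterative one, and a larger eps stops reducing accuracy.
SUSPICIOUS = RobustnessSweep(
    clean_acc=87.0, fgsm_acc=40.0, pgd_acc=60.0, blackbox_pgd_acc=65.0,
    acc_vs_eps=[(2 / 255, 62.0), (4 / 255, 61.0), (8 / 255, 60.0), (16 / 255, 61.5), (32 / 255, 62.0)],
    acc_vs_k=[(1, 62.0), (5, 61.0), (10, 60.0), (20, 60.0), (50, 59.8)],
)

if __name__ == "__main__":
    print("healthy   :", masking_signs(HEALTHY) or "no signs of gradient masking")
    print("suspicious:", masking_signs(SUSPICIOUS))
```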
Fig. 14. On CIFAR-10, the perturbed data accuracy of ResNet18 under PGD attack versus increasing (a), (c) attack iteration, and (b), (d) attack bound \(\epsilon\) for irregular (\(5\%\) density) and channel-pruned (\(50\%\) density) models, respectively.
4.9 Ablation Study
To understand the performance of the proposed hybrid loss function with a dynamic \(L_2\) regularizer, we performed ablation with both VGG16 and ResNet18 generated by DNR on CIFAR-10 for a target parameter density of \(5\%\) and \(50\%\) using irregular and channel pruning, respectively. As shown in Table 6, using the dynamic regularizer improves the adversarial classification accuracy by up to \(2.83\%\) for VGG16 and \(\mathord {\sim }3\%\) for ResNet18 with similar clean-image classification performance.
Table 6. Comparison of DNR with and without the Dynamic Regularizer for CIFAR-10 Classification
4.10 Pruning to Classify Clean-only Images
To evaluate the merit of DNR as a clean-image-only pruning scheme (DNR-C), we performed training using DNR with the same loss function minus the adversarial loss term (by setting \(\beta = 1.0\) in Equation (6)) to reach a target pruning ratio. Table 7 shows that our approach consistently outperforms other state-of-the-art non-iterative pruning approaches based on momentum information [6, 7], reinforcement-learning-driven auto-compression (AMC) [17], and connection sensitivity [33]. We have further compared the performance of DNR-C with existing state-of-the-art approaches [1, 35, 53, 55]\(^8\) that are iterative and require a pre-trained unpruned model for model compression. The \(\delta\) value in the seventh column of Table 7 represents the error difference from the corresponding non-pruned baseline models as mentioned in the respective original manuscripts. We also present the performance on CIFAR-100 for VGG16 and ResNet18, and on Tiny-ImageNet for VGG16.\(^9\) In particular, we achieve up to \(34.57\times\) (\(12.61\times\)) compression on the CIFAR-10 dataset with irregular (channel) pruning, maintaining accuracy similar to the baseline. On CIFAR-100, compression of up to \(22.45\times\) (\(5.57\times\)) yields no significant accuracy drop (less than \(2.7\%\) in top-1 accuracy) with irregular (channel) pruning. Moreover, our evaluation shows that a possible practical speedup of up to \(6.06\times\) for CIFAR-10 and \(2.41\times\) for CIFAR-100 can be achieved through channel pruning using DNR-C. For Tiny-ImageNet, DNR-C can provide compression and speedup of up to \(11.55\times\) and \(1.53\times\), respectively, with negligible accuracy drop.
| Dataset | Model | Method | Pruning Type | Compression Ratio | Error (%) Top-1 | \(\delta\) from Baseline | Speedup |
|---|---|---|---|---|---|---|---|
| CIFAR-10 | VGG16 | SNIP [33] | Irregular | \({\it 32.33}\times\) | \({\it 8.00}\) | \(-0.26\) | – |
| | | Sparse learning [6] | | \({\it 32.33}\times\) | \({\it 7.00}\) | \(-0.5\) | – |
| | | DNR-C | | \({\bf 34.57}\times\) | \({\bf 6.50}\) | \(-0.09\) | \(1.29\times\) |
| | | Filter pruning [35] | Structured | \({\it 2.78}\times\) | \({\it 6.60}\) | \({\it +0.15}\) | \({\it 1.52}\times\) |
| | | AutoPrune [53] | | \({\it 4.72}\times\) | \({\it 8.50}\) | \({\it -0.90}\) | \({\it 4.35}\times\) |
| | | SuperSlash [1] | | \({\it 16.67}\times\) | \({\it 8.70}\) | \({\it -2.10}\) | \({\it 3.49}\times\) |
| | | DNR-C | | \(12.61\times\) | 8.00 | \(-1.5\) | \({\bf 6.06}\times\) |
| | ResNet50 | GSM [7] | Irregular | \({\it 10}\times\) | \({\it 6.20}\) | \({\it -0.25}\) | – |
| | | AMC [17] | | \({\it 2.5}\times\) | \({\it 6.45}\) | \({\it +0.02}\) | – |
| | | DNR-C | | \({\bf 20}\times\) | \({\bf 4.8}\) | \(-0.07\) | \(1.75\times\) |
| | | NISP [55] | Structured | \({\it 1.76}\times\) | \({\it 6.99}\) | \({\it -0.03}\) | \({\it 1.77}\times\) |
| | ResNet18 | DNR-C | Irregular | \(20.32\times\) | 5.19 | \(-0.10\) | \(1.31\times\) |
| | | | Structured | \(5.67\times\) | 5.36 | \(-0.27\) | \(2.43\times\) |
| CIFAR-100 | VGG16 | DNR-C | Irregular | \(20\times\) | 27.14 | \(-1.04\) | \(1.07\times\) |
| | | | Structured | \(2.76\times\) | 28.78 | \(-2.68\) | \(2.06\times\) |
| | ResNet18 | DNR-C | Irregular | \(22.45\times\) | 24.9 | \(-1.17\) | \(1.13\times\) |
| | | | Structured | \(5.57\times\) | 25.28 | \(-1.55\) | \(2.41\times\) |
| Tiny-ImageNet | VGG16 | DNR-C | Irregular | \(11.55\times\) | 40.96 | \(+0.36\) | \(1.01\times\) |
| | | | Structured | \(1.74\times\) | 42.61 | \(-1.28\) | \(1.53\times\) |
Romanized numbers in the table are results of our experiments, and italicized values are directly taken from the respective original papers.
Table 7. Comparison with State-of-the-art Non-iterative Pruning Schemes on CIFAR-10 and Comparison of Deviation from Baseline on CIFAR-100 and Tiny-ImageNet
5 CONCLUSIONS AND FUTURE WORK
This article addresses the largely unexplored problem of achieving ultra-high compression of DNN models while maintaining their robustness through a non-iterative training approach. In particular, the proposed network rewiring-based DNR training method leverages a sparse-learning strategy with a hybrid loss function that has a dynamic regularizer to achieve better tradeoffs between accuracy, model size, and robustness. We then proposed a robustness improvement strategy via sparse parametric noise regularization and extended the idea to “free” adversarial training by presenting DNR++ and FDNR++, respectively. In particular, DNR++ can provide an increased accuracy on perturbed images by up to \(\mathord {\sim }10.5\%\) with improved compression with respect to the existing SOTA methods. Furthermore, our extension to support channel pruning shows that compressed models produced by DNR can have a practical inference speedup of up to \(\mathord {\sim }10\times\).
More generally, exploring a deeper biological foundation and interpretability of model compression are important directions of future research.
6 BROADER IMPACT
The demand for model robustness to perform well under various adversarial attacks has grown rapidly over the past few years, primarily due to deployment of AI-enabled hardware for safety-critical applications, including autonomous vehicles and drones. As most of these devices are limited by computation and/or storage budgets, deployment of large over-parameterized models is not an option in the majority of the cases. In this context, the retention of model robustness for a compute-efficient compressed model is of the utmost importance. We believe our proposed training method for compressed yet robust DNNs will be a key factor in helping enable limited-resource AI-driven hardware where safety is a concern.
A APPENDIX
A.1 DNR and Per-layer Pruning Ratios
As the architectures of modern DNNs deepen to hundreds of layers, manually setting per-layer pruning ratios to reach a desired global compression ratio becomes increasingly impractical. In particular, we assert that layers may not be equally sensitive toward clean and perturbed images and thus determining layer pruning ratios for robust models is particularly challenging.
To quantify per-layer sensitivity, we follow a procedure similar to that proposed in [7]. In particular, we estimate the sensitivity of a layer by measuring the percentage reduction in classification accuracy on both clean and adversarial images caused by pruning that layer by a fixed percentage \(x\), keeping all other layers unpruned. The work in [7] argued that the closer this percentage is to 1, the more sensitive the layer, and thus the smaller the recommended pruning ratio for that layer. The results for the 13 layers of VGG16 with a target pruning ratio of 95% are plotted in Figure 15. The plot shows that there is indeed a wide variance in the estimated sensitivity for both clean and adversarial images across layers.
We then compared these estimates to the percentage of non-zero weights present after DNR targeting the same 95% global pruning ratio, the results of which are also plotted in Figure 15. Interestingly, the plots show that the estimated layer sensitivity exhibits the same general trend as the percentage of non-zero weights obtained by DNR (i.e., earlier layers are more sensitive than later layers and thus need more \(\%\) non-zero weights). Although empirical in nature, this result suggests that DNR is effective in evaluating the sensitivity and assigning weights to each layer without any human intervention.
Figure 16 shows a few more examples of layer sensitivity found by DNR for both irregular and channel pruning. Interestingly, we discovered that for both types of pruning, the earlier layers are more sensitive than the later layers.
Fig. 15. Layer-wise sensitivity estimated by both layer-wise pruning and DNR on VGG16 for the CIFAR-10 dataset, with a target pruning (irregular) ratio of \(95\%\). Here, both the unpruned and DNR-found models were trained with both clean and PGD-generated samples.
Fig. 16. Layer-wise sensitivity scores estimated through DNR on VGG16 for the CIFAR-10 and CIFAR-100 datasets with (a) irregular pruning to a target global pruning ratio of \(95\%\) and (b) channel pruning to a target global pruning ratio of \(50\%\).
A.2 Details of Models Used
Table 8 shows the details of the models we used for our experimental evaluation.
We omitted batch-norm and activation layers for brevity. We specify convolution (C) layers with number of filters and kernel size. MaxPool layers are specified with kernel and stride size. The repetition number of a layer is specified outside the corresponding bracket.
Table 8. Models Used for Our Experiments
Footnotes
1 For a model with target parameter density \(d\), its global pruning ratio is defined as \((1-d)\times 100\%\). For example, in a model with \(d=0.05\), the pruning ratio is \(95\%\).
2 Here, our assumption is that the model selector mechanism is largely hidden from the attacker despite the attacker's knowledge of the various models' weights.
3 It is noteworthy that the generated \(\hat{\boldsymbol{x}}\) are clipped to a valid range, which for our experiments is \([0,1]\).
4 Note that this simplified loss function also drops the term \(\left\langle \lambda, \theta - \mathbf{z} \right\rangle\) because \(\mathbf{z}\) is updated with \(\theta\) at the beginning of each epoch, forcing the Lagrangian multiplier \(\lambda\) and its contribution to the loss function to always be 0.
5 Our models and test codes are available at this hyperlink.
6 A similar trend is observed for VGG16 on CIFAR-100 and ResNet18 on CIFAR-10. These are not included in the article for the sake of brevity.
7 Here, the attacker model is the model that generates adversarial images, and the victim model is the one to which these adversarial images are sent to fool it or degrade its classification performance.
8 For NISP [55] we report accuracy with ResNet56.
9 To have an "apples to apples" comparison, we provide results on the ResNet50 model for classification on CIFAR-10. All other simulations are done on only the ResNet18 variant of ResNet.
References
- [1] 2020. SuperSlash: A unified design space exploration and model compression methodology for design of deep learning accelerators with reduced off-chip memory access volume. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 39, 11 (2020), 4191–4204.
- [2] 2018. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. arXiv preprint arXiv:1802.00420 (2018).
- [3] 2011. Distributed optimization and statistical learning via the alternating direction method of multipliers. Foundations and Trends in Machine Learning 3, 1 (2011), 1–122.
- [4] 2017. Towards evaluating the robustness of neural networks. In IEEE Symposium on Security and Privacy. IEEE, 39–57.
- [5] 2015. DeepDriving: Learning affordance for direct perception in autonomous driving. In Proceedings of the IEEE International Conference on Computer Vision. 2722–2730.
- [6] 2019. Sparse networks from scratch: Faster training without losing performance. arXiv preprint arXiv:1907.04840 (2019).
- [7] 2019. Global sparse momentum SGD for pruning very deep neural networks. In Advances in Neural Information Processing Systems. 6379–6391.
- [8] 2018. Convergence of a relaxed variable splitting method for learning sparse neural networks via \(l_1, l_0\), and transformed-\(l_1\) penalties. arXiv preprint arXiv:1812.05719.
- [9] 2019. CSrram: Area-efficient low-power ex-situ training framework for memristive neuromorphic circuits based on clustered sparsity. In 2019 IEEE Computer Society Annual Symposium on VLSI (ISVLSI'19). IEEE, 465–470.
- [10] 2014. Rich feature hierarchies for accurate object detection and semantic segmentation. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 580–587.
- [11] 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572.
- [12] 2020. Uncovering the limits of adversarial training against norm-bounded adversarial examples. arXiv preprint arXiv:2010.03593.
- [13] 2019. An alternative surrogate loss for PGD-based adversarial testing. arXiv preprint arXiv:1910.09338.
- [14] 2019. Model compression with adversarial robustness: A unified optimization framework. In Advances in Neural Information Processing Systems. 1283–1294.
- [15] 2015. Tiny ImageNet challenge submission. CS 231N.
- [16] 2016. Deep residual learning for image recognition. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 770–778.
- [17] 2018. AMC: AutoML for model compression and acceleration on mobile devices. In The European Conference on Computer Vision (ECCV'18).
- [18] 2017. Channel pruning for accelerating very deep neural networks. In Proceedings of the IEEE International Conference on Computer Vision. 1389–1397.
- [19] 2019. Parametric noise injection: Trainable randomness to improve deep neural network robustness against adversarial attack. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 588–597.
- [20] 2021. Natural adversarial examples. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR'21). 15262–15271.
- [21] 2012. Deep neural networks for acoustic modeling in speech recognition: The shared views of four research groups. IEEE Signal Processing Magazine 29, 6 (2012), 82–97.
- [22] 2020. Self-adaptive training: Beyond empirical risk minimization. Advances in Neural Information Processing Systems 33 (2020).
- [23] 2009. Learning multiple layers of features from tiny images. Technical Report, Citeseer (2009).
- [24] . 2012. Imagenet classification with deep convolutional neural networks. In Advances in Neural Information Processing Systems. 1097–1105.Google Scholar
Digital Library
- [25] . 2021. DNR: A tunable robust pruning framework through dynamic network rewiring of DNNs. In Proceedings of the 26th Asia and South Pacific Design Automation Conference. 344–350.Google Scholar
Digital Library
- [26] . 2020. Pre-defined sparsity for low-complexity convolutional neural networks. IEEE Transactions on Computers.Google Scholar
Digital Library
- [27] . 2021. Hire-SNN: Harnessing the inherent robustness of energy-efficient deep spiking neural networks by training with crafted input noise. In Proceedings of the IEEE/CVF International Conference on Computer Vision. 5209–5218.Google Scholar
Cross Ref
- [28] . 2019. pSConv: A pre-defined sparse kernel based convolution for deep CNNs. In 2019 57th Annual Allerton Conference on Communication, Control, and Computing (Allerton’19). IEEE, 100–107.Google Scholar
Digital Library
- [29] . 2021. Analyzing the confidentiality of undistillable teachers in knowledge distillation. In Advances in Neural Information Processing Systems (NeurIPS’21), 34.Google Scholar
- [30] . 2021. AttentionLite: Towards efficient self-attention models for vision. In 2021 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP’21). 2225–2229.Google Scholar
Cross Ref
- [31] . 2022. BMPQ: Bit-gradient sensitivity-driven mixed-precision quantization of DNNs from scratch. In DATE.Google Scholar
- [32] . 2019. Certified robustness to adversarial examples with differential privacy. In 2019 IEEE Symposium on Security and Privacy (SP’19). IEEE, 656–672.Google Scholar
- [33] . 2018. SNIP: Single-shot network pruning based on connection sensitivity. arXiv preprint arXiv:1810.02340.Google Scholar
- [34] . 2021. Exploring adversarial fake images on face manifold. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR’21). 5789–5798.Google Scholar
Cross Ref
- [35] . 2016. Pruning filters for efficient convnets. arXiv preprint arXiv:1608.08710.Google Scholar
- [36] . 2017. A survey on deep learning in medical image analysis. Medical Image Analysis 42 (2017), 60–88.Google Scholar
Cross Ref
- [37] . 2018. Towards robust neural networks via random self-ensemble. In Proceedings of the European Conference on Computer Vision (ECCV’18). 369–385.Google Scholar
Digital Library
- [38] . 2018. Rethinking the value of network pruning. arXiv preprint arXiv:1810.05270.Google Scholar
- [39] . 2021. Non-structured DNN weight pruning–is it beneficial in any platform? IEEE Transactions on Neural Networks and Learning Systems.Google Scholar
- [40] . 2017. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083.Google Scholar
- [41] . 2017. Magnet: A two-pronged defense against adversarial examples. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 135–147.Google Scholar
Digital Library
- [42] . 2017. Automatic differentiation in PyTorch.Google Scholar
- [43] . 2019. Robust sparse regularization: Simultaneously optimizing neural network robustness and compactness. arXiv preprint arXiv:1905.13074.Google Scholar
- [44] . 2021. Fixing data augmentation to improve adversarial robustness. arXiv preprint arXiv:2103.01946.Google Scholar
- [45] . 2017. YOLO9000: Better, faster, stronger. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 7263–7271.Google Scholar
- [46] . 2019. ADMM-NN: An algorithm-hardware co-design framework of DNNs using alternating direction methods of multipliers. In Proceedings of the 24th International Conference on Architectural Support for Programming Languages and Operating Systems. 925–938.Google Scholar
Digital Library
- [47] . 2021. Invisible perturbations: Physical adversarial examples exploiting the rolling shutter effect. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR’21). 14666–14675.Google Scholar
Cross Ref
- [48] . 2020. Hydra: Pruning adversarially robust neural networks. arXiv preprint arXiv:2002.10509.Google Scholar
- [49] . 2019. Adversarial training for free! arXiv preprint arXiv:1904.12843.Google Scholar
- [50] . 2014. Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556.Google Scholar
- [51] . 2017. Ensemble adversarial training: Attacks and defenses. arXiv preprint arXiv:1705.07204.Google Scholar
- [52] . 2020. Fast is better than free: Revisiting adversarial training. arXiv preprint arXiv:2001.03994.Google Scholar
- [53] . 2019. Autoprune: Automatic network pruning by regularizing auxiliary parameters. In Advances in Neural Information Processing Systems (NeurIPS’19), 32.Google Scholar
- [54] . 2019. Adversarial robustness vs. model compression, or both. In The IEEE International Conference on Computer Vision (ICCV’19), Vol. 2.Google Scholar
Cross Ref
- [55] . 2018. NISP: Pruning networks using neuron importance score propagation. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 9194–9203.Google Scholar
Cross Ref
- [56] . 2019. Theoretically principled trade-off between robustness and accuracy. In International Conference on Machine Learning. PMLR, 7472–7482.Google Scholar
Index Terms
Toward Adversary-aware Non-iterative Model Pruning through Dynamic Network Rewiring of DNNs