Attacking Binarized Neural Networks
The paper addresses a security concern for low-precision neural networks in settings such as edge computing, though the contribution is incremental, since it builds on existing quantization and adversarial-defense research.
The paper tackles adversarial robustness in neural networks by showing that binarized neural networks (weights and activations quantized to ±1) can improve robustness against some attacks while, in the worst case, performing on par with full-precision models, and it notes that stochastic quantization of the weights in a single layer reduces the impact of iterative attacks.
Neural networks with low-precision weights and activations offer compelling efficiency advantages over their full-precision equivalents. The two most frequently discussed benefits of quantization are reduced memory consumption and a faster forward pass when implemented with efficient bitwise operations. We propose a third benefit of very low-precision neural networks: improved robustness against some adversarial attacks, and in the worst case, performance that is on par with full-precision models. We focus on the very low-precision case where weights and activations are both quantized to $\pm$1, and note that stochastically quantizing weights in just one layer can sharply reduce the impact of iterative attacks. We observe that non-scaled binary neural networks exhibit a similar effect to the original defensive distillation procedure that led to gradient masking and a false notion of security. We address this by conducting both black-box and white-box experiments with binary models that do not artificially mask gradients.
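As an added illustration (not the paper's own code), the NumPy snippet below contrasts deterministic sign binarization with stochastic binarization of one layer's weights and measures how often repeated forward passes of the same input disagree, which is the property that blunts iterative gradient-based attacks: a gradient taken on one pass describes weights the next pass no longer uses. All weights, inputs and function names are constructed for this example.

```python
# Added illustration, not code from the paper: deterministic sign binarization
# versus stochastic binarization of one layer's weights, and why the stochastic
# layer makes repeated forward passes disagree. NumPy only; every input below is
# constructed here and all function names are our own.
import numpy as np

def hard_sigmoid(w):
    """Probability that a weight is rounded to +1: clip((w + 1) / 2, 0, 1)."""
    return np.clip((np.asarray(w, dtype=float) + 1.0) / 2.0, 0.0, 1.0)

def binarize_deterministic(w):
    """Round every weight to +1 or -1 by its sign (0 is sent to +1)."""
    return np.where(np.asarray(w, dtype=float) >= 0.0, 1.0, -1.0)

def binarize_stochastic(w, rng):
    """Draw each weight independently: +1 with probability hard_sigmoid(w), else -1."""
    p = hard_sigmoid(w)
    return np.where(rng.random(p.shape) < p, 1.0, -1.0)

def stochastic_mean(w, n_samples, seed=0):
    """Average of many stochastic draws; converges to 2p - 1 = clip(w, -1, 1)."""
    rng = np.random.default_rng(seed)
    acc = np.zeros(np.shape(w))
    for _ in range(n_samples):
        acc += binarize_stochastic(w, rng)
    return acc / n_samples

def pass_disagreement(x, w, stochastic, n_passes=10, seed=1):
    """Fraction of output units (sign activations after binary weights) whose
    value differs across repeated passes of the same input. Deterministic
    binarization gives 0.0; the stochastic layer re-draws its weights each pass."""
    rng = np.random.default_rng(seed)
    outs = []
    for _ in range(n_passes):
        w_bin = binarize_stochastic(w, rng) if stochastic else binarize_deterministic(w)
        outs.append(np.sign(x @ w_bin))
    changed = np.any(np.stack(outs) != outs[0], axis=0)
    return float(changed.mean())

def demo(seed=42):
    """Constructed 8x16 weight matrix and one input; returns both disagreement fractions."""
    rng = np.random.default_rng(seed)
    w = rng.uniform(-0.5, 0.5, size=(8, 16))  # small weights: p stays within [0.25, 0.75]
    x = rng.normal(size=(1, 8))
    return {"deterministic": pass_disagreement(x, w, False),
            "stochastic": pass_disagreement(x, w, True)}
```

Running `demo()` shows the deterministic layer reproducing the same activations on every pass while the stochastic layer flips a sizeable fraction of them, even though `stochastic_mean` confirms the stochastic rounding is unbiased in expectation.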