Impact of Low-bitwidth Quantization on the Adversarial Robustness for Embedded Neural Networks
This addresses the security risks of deploying lightweight neural networks on embedded systems, revealing vulnerabilities in quantized models, but it is incremental as it builds on existing adversarial machine learning research.
The study investigated the adversarial robustness of quantized neural networks for image classification and found that quantization does not provide robust protection, instead causing gradient masking, but observed poor transferability of attacks due to quantization value shifts and gradient misalignment.
As the will to deploy neural networks models on embedded systems grows, and considering the related memory footprint and energy consumption issues, finding lighter solutions to store neural networks such as weight quantization and more efficient inference methods become major research topics. Parallel to that, adversarial machine learning has risen recently with an impressive and significant attention, unveiling some critical flaws of machine learning models, especially neural networks. In particular, perturbed inputs called adversarial examples have been shown to fool a model into making incorrect predictions. In this article, we investigate the adversarial robustness of quantized neural networks under different threat models for a classical supervised image classification task. We show that quantization does not offer any robust protection, results in severe form of gradient masking and advance some hypotheses to explain it. However, we experimentally observe poor transferability capacities which we explain by quantization value shift phenomenon and gradient misalignment and explore how these results can be exploited with an ensemble-based defense.