LG, CV | Oct 12, 2023

Samples on Thin Ice: Re-Evaluating Adversarial Pruning of Neural Networks

arXiv:2310.08073v11 citations | h-index: 48
AI Analysis

This work addresses the robustness of pruned neural networks for AI security, but it is incremental as it critiques existing methods without introducing a new solution.

The authors re-evaluated three state-of-the-art adversarial pruning methods and found that their robustness to adversarial examples was overestimated, with samples near the decision boundary often misclassified after pruning.

Neural network pruning has been shown to be an effective technique for reducing the network size, trading desirable properties like generalization and robustness to adversarial attacks for higher sparsity. Recent work has claimed that adversarial pruning methods can produce sparse networks while also preserving robustness to adversarial examples. In this work, we first re-evaluate three state-of-the-art adversarial pruning methods, showing that their robustness was indeed overestimated. We then compare pruned and dense versions of the same models, discovering that samples on thin ice, i.e., closer to the unpruned model's decision boundary, are typically misclassified after pruning. We conclude by discussing how this intuition may lead to designing more effective adversarial pruning methods in future work.
