
Reinforced Compressive Neural Architecture Search for Versatile Adversarial Robustness

Dingrong Wang, Hitesh Sapkota, Zhiqiang Tao, Qi Yu

TL;DR

An innovative dual-level training paradigm that consists of a meta-training and a fine-tuning phase to effectively expose the RL agent to diverse attack scenarios, and make it adapt quickly to locate an optimal sub-network for previously unseen scenarios to achieve Versatile Adversarial Robustness.

Abstract

Prior work on neural architecture search (NAS) for adversarial robustness has discovered that a lightweight and adversarially robust neural network architecture could exist in a non-robust large teacher network, generally disclosed by heuristic rules through statistical analysis and neural architecture search. However, heuristic methods cannot uniformly handle different adversarial attacks and "teacher" network capacity. To solve this challenge, we propose a Reinforced Compressive Neural Architecture Search (RC-NAS) for Versatile Adversarial Robustness. Specifically, we define task settings that compose datasets, adversarial attacks, and teacher network information. Given diverse tasks, we conduct a novel dual-level training paradigm that consists of a meta-training and a fine-tuning phase to effectively expose the RL agent to diverse attack scenarios (in meta-training) and make it adapt quickly to locate a sub-network (in fine-tuning) for any previously unseen scenarios. Experiments show that our framework could achieve adaptive compression towards different initial teacher networks, datasets, and adversarial attacks, resulting in more lightweight and adversarially robust architectures.

Paper Structure

This paper contains 32 sections, 2 theorems, 25 equations, 6 figures, 10 tables, 2 algorithms.

Key Result

Lemma 3.1

Let $T$ be the total iterations for the clean training and $T^\prime$ be the additional iterations for the adversarial training. Let $\delta$ be the $\ell_2$-perturbation applied to the input sample for the adversarial training, with the radius of the perturbation defined by $\|\delta\|_2 \leq \tau$. Then g

Figures (6)

  • Figure 1: Architecture topology analysis of RobustResNet in different attack scenarios from the mildest (i.e., clean) to the most severe (i.e., auto-attack) on Tiny-ImageNet. WRN-46-14 and WRN-70-16 are leveraged as teacher networks with 20 and 40 GFLOPs computation budgets, respectively. The corresponding student networks are referred to as RobustResNet-A3 and RobustResNet-A4. The entire teacher network architecture is partitioned into multiple (e.g., 3) stages as in huang2022revisiting and we visualize both depths and widths of the corresponding RobustResNet for each stage. In (a)-(d), the left three bar plots (in blue and orange) show the depths and widths in the three stages of RobustResNet A3 and A4 that follow the same configuration rules; the right three bar plots (in red and orange) show the adaptive configuration obtained by the proposed reinforced learning (RL) based architecture search. In (e)-(h), the grey bars denote the capacity of the corresponding teacher networks and $C$ denotes the remaining percentage of each stage after compression.
  • Figure 2: Overview of the RC-NAS framework
  • Figure 3: Evaluation curves of the RL (w/ and w/o meta RL training) selected sub-networks on target task setting: WRN-46-14 (20G budget) on auto attacked Tiny-ImageNet.
  • Figure 4: RL compressed sub-network statistical analysis: depth/width compression ratio across three stages under 5G and 10G budgets (5G-D, 5G-W, 10G-D, 10G-W), and the total depth to total width compression ratio under 5G (5G-T) and 10G (10G-T) budgets on auto attacked CIFAR 10 and 100.
  • Figure 5: State Encoder Pre-Training
  • ...and 1 more figure

Theorems & Definitions (2)

  • Lemma 3.1
  • Theorem 3.2