Exploring the Robustness and Transferability of Patch-Based Adversarial Attacks in Quantized Neural Networks

Amira Guesmi, Bassem Ouni, Muhammad Shafique

TL;DR

This work demonstrates that patch-based adversarial attacks remain highly effective and transferable in quantized neural networks across multiple architectures and bitwidths, undermining the notion that quantization alone can provide robust defense. By systematically varying quantization levels, patch size, and model architecture, the authors show that patches preserve high-visibility signals and gradient structure, enabling strong cross-model transfer and resilience to spatial perturbations. The study introduces Quantization-Aware Defense Training (QADT) and outlines practical defense strategies to counter patch-based threats in low-precision regimes. The findings have significant implications for deploying secure, quantized models in resource-constrained environments and guide future defense development for real-world applications.

Abstract

Quantized neural networks (QNNs) are increasingly used for efficient deployment of deep learning models on resource-constrained platforms, such as mobile devices and edge computing systems. While quantization reduces model size and computational demands, its impact on adversarial robustness, especially against patch-based attacks, remains inadequately addressed. Patch-based attacks, characterized by localized, high-visibility perturbations, pose significant security risks due to their transferability and resilience. In this study, we systematically evaluate the vulnerability of QNNs to patch-based adversarial attacks across various quantization levels and architectures, focusing on factors that contribute to the robustness of these attacks. Through experiments analyzing feature representations, quantization strength, gradient alignment, and spatial sensitivity, we find that patch attacks consistently achieve high success rates across bitwidths and architectures, demonstrating significant transferability even in heavily quantized models. Contrary to the expectation that quantization might enhance adversarial defenses, our results show that QNNs remain highly susceptible to patch attacks due to the persistence of distinct, localized features within quantized representations. These findings underscore the need for quantization-aware defenses that address the specific challenges posed by patch-based attacks. Our work contributes to a deeper understanding of adversarial robustness in QNNs and aims to guide future research in developing secure, quantization-compatible defenses for real-world applications.

Paper Structure

This paper contains 33 sections, 4 equations, 10 figures, 13 tables, 1 algorithm.

Figures (10)

  • Figure 1: Overview of the experimental framework for evaluating patch-based attacks on QNNs.
  • Figure 2: Feature maps of the 32-bit, 8-bit, 4-bit, and 2-bit models comparing the clean and patched feature maps for the first three convolutional layers.
  • Figure 3: Gradient maps for 32-bit, 8-bit, 4-bit, and 2-bit models under patch-based and pixel-level attacks, along with Cosine Similarity and MSE measurements comparing gradients between the full-precision and quantized models.
  • Figure 4: Accuracy of ResNet-56 under PGD attacks across different quantization levels (Full Precision 32-bit, 8-bit, 5-bit, 4-bit, and 2-bit) and perturbation magnitudes ($\epsilon$).
  • Figure 5: Accuracy of ResNet-20 under PGD attacks across different quantization levels (Full Precision, 8-bit, 5-bit, 4-bit, and 2-bit) and perturbation magnitudes ($\epsilon$).
  • ...and 5 more figures