Quantitative Analysis of Deeply Quantized Tiny Neural Networks Robust to Adversarial Attacks

Idris Zakariyya, Ferheen Ayaz, Mounia Kharbouche-Harrari, Jeremy Singer, Sye Loong Keoh, Danilo Pau, José Cano

TL;DR

This work tackles deploying robust, small-footprint DNNs on edge devices by combining deeply quantized training with Jacobian Regularization. It introduces a Stochastic Ternary Quantization (STQ) architecture trained through QKeras that applies per-layer JR, achieving strong adversarial robustness while fitting within ~410 KB of MCU flash. The approach demonstrates competitive or superior resilience to both white-box and black-box attacks compared with Quanos and DS-CNN benchmarks on CIFAR-10, SVHN, and Google Speech Commands, across 5-fold cross-validation. The findings support the viability of memory-efficient, defense-aware quantized models for TinyML deployments and guide future exploration of attack families and state-of-the-art baselines.

Abstract

Reducing the memory footprint of Machine Learning (ML) models, especially Deep Neural Networks (DNNs), is imperative to facilitate their deployment on resource-constrained edge devices. However, a notable drawback of DNN models lies in their susceptibility to adversarial attacks, wherein minor input perturbations can deceive them. A primary challenge revolves around the development of accurate, resilient, and compact DNN models suitable for deployment on resource-constrained edge devices. This paper presents the outcomes of a compact DNN model that exhibits resilience against both black-box and white-box adversarial attacks. This work has achieved this resilience through training with the QKeras quantization-aware training framework. The study explores the potential of QKeras and an adversarial robustness technique, Jacobian Regularization (JR), to co-optimize the DNN architecture through a per-layer JR methodology. As a result, this paper has devised a DNN model employing this co-optimization strategy based on Stochastic Ternary Quantization (STQ). Its performance was compared against existing DNN models in the face of various white-box and black-box attacks. The experimental findings revealed that the proposed DNN model had a small footprint and, on average, exhibited better performance than the Quanos and DS-CNN MLCommons/TinyML (MLC/T) benchmarks when challenged with white-box and black-box attacks, respectively, on the CIFAR-10 image and Google Speech Commands audio datasets.

Paper Structure

This paper contains 18 sections, 14 equations, 6 figures, and 4 tables.

Figures (6)

  • Figure 1: Transformation of input $x_i$ into output $z_L$ by DNN.
  • Figure 2: QKeras quantization aware training flow.
  • Figure 3: Proposed architecture of the STQ-based DNN model designed and trained with QKeras.
  • Figure 4: Models' robustness (top-1 test accuracy) comparison for the CIFAR-10, SVHN, and GSC datasets in a clean setting and across multiple white-box (FGSM, PGD, C&W) and black-box (Square, Boundary, ZOO) attacks.
  • Figure 5: Robustness comparison of our FP and STQ models against Quanos [panda2020quanos] for various FGSM and PGD perturbation strengths.