
FPGA Adaptive Neural Network Quantization for Adversarial Image Attack Defense

Bibliographic Details
Published in: IEEE transactions on industrial informatics 2024-12, Vol.20 (12), p.14017-14028
Main Authors: Lu, Yufeng, Shi, Xiaokang, Jiang, Jianan, Deng, Hanhui, Wang, Yanwen, Lu, Jiwu, Wu, Di
Format: Article
Language: English
Description
Summary: Quantized neural networks (QNNs) have become a standard operation for efficiently deploying deep learning models on hardware platforms in real application scenarios. An empirical study on German traffic sign recognition benchmark (GTSRB) dataset shows that under the three white-box adversarial attacks of fast gradient sign method, random + fast gradient sign method and basic iterative method, the accuracy of the full quantization model was only 55%, much lower than that of the full precision model (73%). This indicates the adversarial robustness of the full quantization model is much worse than that of the full precision model. To improve the adversarial robustness of the full quantization model, we have designed an adversarial attack defense platform based on field-programmable gate array (FPGA) to jointly optimize the efficiency and robustness of QNNs. Various hardware-friendly techniques such as adversarial training and feature squeezing were studied and transferred to the FPGA platform based on the designed accelerator of QNN. Experiments on the GTSRB dataset show that the adversarial training embedded on FPGA can increase the model's average accuracy by 2.5% on clean data, 15% under white-box attacks, and 4% under black-box attacks, respectively, demonstrating our methodology can improve the robustness of the full quantization model under different adversarial attacks.
ISSN: 1551-3203, 1941-0050
DOI: 10.1109/TII.2024.3438284