Fast Test Input Generation for Finding Deviated Behaviors in Compressed
Deep Neural Network
- URL: http://arxiv.org/abs/2112.02819v1
- Date: Mon, 6 Dec 2021 07:12:49 GMT
- Title: Fast Test Input Generation for Finding Deviated Behaviors in Compressed
Deep Neural Network
- Authors: Yongqiang Tian, Wuqi Zhang, Ming Wen, Shing-Chi Cheung, Chengnian Sun,
Shiqing Ma, Yu Jiang
- Abstract summary: We propose TriggerFinder to automatically identify inputs to trigger deviated behaviors in compressed models.
We evaluate TriggerFinder on 18 compressed models with two datasets.
- Score: 18.205951607889556
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: Model compression can significantly reduce the sizes of deep neural
network (DNN) models, so that large, sophisticated models can be deployed on
resource-limited mobile and IoT devices. However, model compression often
introduces deviated behaviors into a compressed model: the original and
compressed models output different prediction results for the same input.
Hence, it is critical to warn developers and help them comprehensively evaluate
possible consequences of such behaviors before deployment. To this end, we
propose TriggerFinder, a novel, effective, and efficient testing approach that
automatically identifies inputs triggering deviated behaviors in compressed
models. Given an input i as a seed, TriggerFinder iteratively applies a series
of mutation operations to i until the resulting input triggers a deviated
behavior.
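The outer search loop described above can be sketched as follows. This is an illustrative black-box sketch, not the paper's implementation: the function names (`find_trigger`, `mutate`) and the iteration budget are assumptions, and the models are treated as opaque label-predicting callables.

```python
def find_trigger(seed, original_model, compressed_model, mutate, max_iters=1000):
    """Hypothetical sketch of TriggerFinder's outer loop: repeatedly
    mutate a seed input until the original and compressed models
    disagree on the predicted label (a deviated behavior)."""
    x = seed
    for _ in range(max_iters):
        # Deviated behavior: the two models output different predictions.
        if original_model(x) != compressed_model(x):
            return x
        x = mutate(x)  # apply a mutation operator to the current input
    return None  # no triggering input found within the budget
```

Note that the loop only queries the models' outputs, which matches the black-box setting: no architecture or gradient information is needed.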
However, compressed models usually hide their architecture and gradient
information; without such internal information as guidance, it becomes
difficult to effectively and efficiently trigger deviated behaviors. To tackle
this challenge, we propose a novel fitness function that estimates how close a
mutated input is to the inputs that trigger deviated predictions. Furthermore,
TriggerFinder models this search problem as a Markov chain and leverages the
Metropolis-Hastings algorithm to guide the selection of mutation operators.
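The two ingredients above can be sketched as follows. Both pieces are illustrative assumptions, not the paper's exact formulas: the fitness here is simply the gap between the two models' confidence in the original model's top-1 class (a larger gap suggests the input is closer to a prediction flip), and the operator selection uses a generic Metropolis-Hastings-style accept/reject step over per-operator scores.

```python
import math
import random

def fitness(x, original_model, compressed_model):
    """Illustrative fitness (not the paper's exact definition): gap
    between the two models' probabilities for the original model's
    top-1 class on input x. Models return probability vectors."""
    p_orig = original_model(x)
    p_comp = compressed_model(x)
    top1 = max(range(len(p_orig)), key=p_orig.__getitem__)
    return p_orig[top1] - p_comp[top1]

def mh_select(operators, scores, temperature=1.0):
    """Metropolis-Hastings-style choice of a mutation operator:
    propose a random operator and accept it over the current one
    with probability min(1, exp((score_prop - score_cur) / T))."""
    cur = random.randrange(len(operators))
    prop = random.randrange(len(operators))
    accept = min(1.0, math.exp((scores[prop] - scores[cur]) / temperature))
    if random.random() < accept:
        cur = prop
    return operators[cur]
```

In this sketch, operators whose past mutations raised the fitness accumulate higher scores and are therefore accepted more often, which is the general idea of using Metropolis-Hastings to bias operator selection without any gradient information.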
We evaluated TriggerFinder on 18 compressed models with two datasets. The
experimental results demonstrate that TriggerFinder successfully finds
triggering inputs for all seed inputs, whereas the baselines fail in certain
cases. As for efficiency, TriggerFinder is 5.2x-115.8x as fast as the
baselines, and it requires 51.8x-535.6x fewer queries than the baselines to
find one triggering input.
Related papers
- PerfGen: Automated Performance Benchmark Generation for Big Data Analytics [6.4905318866478625]
Many symptoms of poor performance in big data analytics such as computational skews, data skews, and memory skews are input dependent.
PerfGen is designed to automatically generate inputs for the purpose of performance testing.
PerfGen achieves at least 11x speedup compared to a traditional fuzzing approach when generating inputs to trigger performance symptoms.
arXiv Detail & Related papers (2024-12-06T00:58:20Z) - Robust and Transferable Backdoor Attacks Against Deep Image Compression With Selective Frequency Prior [118.92747171905727]
This paper introduces a novel frequency-based trigger injection model for launching backdoor attacks with multiple triggers on learned image compression models.
We design attack objectives tailored to diverse scenarios, including: 1) degrading compression quality in terms of bit-rate and reconstruction accuracy; 2) targeting task-driven measures like face recognition and semantic segmentation.
Experiments show that our trigger injection models, combined with minor modifications to encoder parameters, successfully inject multiple backdoors and their triggers into a single compression model.
arXiv Detail & Related papers (2024-12-02T15:58:40Z) - Accelerated zero-order SGD under high-order smoothness and overparameterized regime [79.85163929026146]
We present a novel gradient-free algorithm to solve convex optimization problems.
Such problems are encountered in medicine, physics, and machine learning.
We provide convergence guarantees for the proposed algorithm under both types of noise.
arXiv Detail & Related papers (2024-11-21T10:26:17Z) - The Persian Rug: solving toy models of superposition using large-scale symmetries [0.0]
We present a complete mechanistic description of the algorithm learned by a minimal non-linear sparse data autoencoder in the limit of large input dimension.
Our work contributes to neural network interpretability by introducing techniques for understanding the structure of autoencoders.
arXiv Detail & Related papers (2024-10-15T22:52:45Z) - Compression of Structured Data with Autoencoders: Provable Benefit of
Nonlinearities and Depth [83.15263499262824]
We prove that gradient descent converges to a solution that completely disregards the sparse structure of the input.
We show how to improve upon Gaussian performance for the compression of sparse data by adding a denoising function to a shallow architecture.
We validate our findings on image datasets, such as CIFAR-10 and MNIST.
arXiv Detail & Related papers (2024-02-07T16:32:29Z) - Occlusion-based Detection of Trojan-triggering Inputs in Large Language
Models of Code [12.590783740412157]
Large language models (LLMs) are becoming an integrated part of software development.
A potential attack surface can be to inject poisonous data into the training data to make models vulnerable, aka trojaned.
It can pose a significant threat by hiding manipulative behaviors inside models, leading to compromising the integrity of the models in downstream tasks.
arXiv Detail & Related papers (2023-12-07T02:44:35Z) - Backdoor Attacks Against Deep Image Compression via Adaptive Frequency
Trigger [106.10954454667757]
We present a novel backdoor attack with multiple triggers against learned image compression models.
Motivated by the widely used discrete cosine transform (DCT) in existing compression systems and standards, we propose a frequency-based trigger injection model.
arXiv Detail & Related papers (2023-02-28T15:39:31Z) - CrAM: A Compression-Aware Minimizer [103.29159003723815]
We propose a new compression-aware minimizer dubbed CrAM that modifies the optimization step in a principled way.
CrAM produces dense models that can be more accurate than the standard SGD/Adam-based baselines, but which are stable under weight pruning.
CrAM can produce sparse models which perform well for transfer learning, and it also works for semi-structured 2:4 pruning patterns supported by GPU hardware.
arXiv Detail & Related papers (2022-07-28T16:13:28Z) - An Adaptive Black-box Backdoor Detection Method for Deep Neural Networks [25.593824693347113]
Deep Neural Networks (DNNs) have demonstrated unprecedented performance across various fields such as medical diagnosis and autonomous driving.
They are identified to be vulnerable to Neural Trojan (NT) attacks that are controlled and activated by stealthy triggers.
We propose a robust and adaptive Trojan detection scheme that inspects whether a pre-trained model has been Trojaned before its deployment.
arXiv Detail & Related papers (2022-04-08T23:41:19Z) - MINIMAL: Mining Models for Data Free Universal Adversarial Triggers [57.14359126600029]
We present a novel data-free approach, MINIMAL, to mine input-agnostic adversarial triggers from NLP models.
We reduce the accuracy of Stanford Sentiment Treebank's positive class from 93.6% to 9.6%.
For the Stanford Natural Language Inference (SNLI), our single-word trigger reduces the accuracy of the entailment class from 90.95% to less than 0.6%.
arXiv Detail & Related papers (2021-09-25T17:24:48Z)
This list is automatically generated from the titles and abstracts of the papers on this site.
This site does not guarantee the quality of its content (including all information) and is not responsible for any consequences.