Safety and Performance, Why not Both? Bi-Objective Optimized Model
Compression toward AI Software Deployment
- URL: http://arxiv.org/abs/2208.05969v1
- Date: Thu, 11 Aug 2022 04:41:08 GMT
- Title: Safety and Performance, Why not Both? Bi-Objective Optimized Model
Compression toward AI Software Deployment
- Authors: Jie Zhu, Leye Wang, Xiao Han
- Abstract summary: AI software compression, which aims to reduce model size while keeping high performance, plays a crucial role in deployment.
In this paper, we try to address the safe model compression problem from a safety-performance co-optimization perspective.
Specifically, inspired by the test-driven development (TDD) paradigm in software engineering, we propose a test-driven sparse training framework called SafeCompress.
- Score: 12.153709321048947
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: The size of deep learning models in artificial intelligence (AI) software is
increasing rapidly, which hinders large-scale deployment on resource-restricted
devices (e.g., smartphones). To mitigate this issue, AI software compression,
which aims to reduce model size while keeping high performance, plays a crucial
role. However, intrinsic defects of the big model may be inherited by the
compressed one. Such defects can easily be exploited by attackers, since
compressed models are usually deployed on a large number of devices without
adequate protection. In this paper, we address the safe model compression
problem from a safety-performance co-optimization perspective. Specifically,
inspired by the test-driven development (TDD) paradigm in software engineering,
we propose a test-driven sparse training framework called SafeCompress. By
simulating the attack mechanism as the safety test, SafeCompress can
automatically compress a big model to a small one following the dynamic sparse
training paradigm. Further, considering a representative attack, the membership
inference attack (MIA), we develop a concrete safe model compression mechanism
called MIA-SafeCompress. Extensive experiments evaluate MIA-SafeCompress on five
datasets covering both computer vision and natural language processing tasks.
The results verify the effectiveness and generalization of our method. We also
discuss how to adapt SafeCompress to attacks other than MIA, demonstrating the
flexibility of SafeCompress.
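The loop the abstract describes (a simulated attack acting as a "safety test" next to a performance test, with the compressed model chosen under a dynamic sparse training update) is sketched below as an added example; it is not the authors' SafeCompress code. Everything in it is an assumption chosen for a stand-alone demonstration: a numpy logistic-regression model stands in for the deep model, a loss-threshold membership inference attack is the simulated attack, random regrowth is the sparse-training update, the synthetic data is constructed, and the selection rule (lowest MIA advantage among candidates within two accuracy points of the best) is one possible bi-objective rule, not the paper's exact objective.

```python
# Added illustrative sketch of a test-driven sparse-training loop (not the
# authors' SafeCompress code). A numpy logistic-regression model stands in for
# the deep model, a loss-threshold membership-inference attack (MIA) is the
# simulated "safety test", and validation accuracy is the "performance test".
import numpy as np

D, SPARSITY = 40, 0.75          # 40 weights, keep 25% of them (assumed budget)


def make_split(n, seed):
    """Constructed synthetic two-class data sharing one ground-truth direction."""
    r = np.random.default_rng(seed)
    x = r.normal(size=(n, D))
    w_true = np.random.default_rng(1234).normal(size=D)   # same for all splits
    y = (x @ w_true + 1.5 * r.normal(size=n) > 0).astype(float)
    return x, y


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-np.clip(z, -30, 30)))


def per_example_loss(w, x, y):
    p = np.clip(sigmoid(x @ w), 1e-7, 1 - 1e-7)
    return -(y * np.log(p) + (1 - y) * np.log(1 - p))


def accuracy(w, x, y):
    return float(np.mean((x @ w > 0) == (y > 0.5)))


def mia_advantage(w, x_in, y_in, x_out, y_out):
    """Safety test: loss-threshold MIA (attacker says 'member' when the loss is
    below a threshold). Returns the best TPR - FPR over a threshold sweep on
    balanced member/non-member sets: 0 = attack learns nothing, 1 = perfect."""
    n = min(len(y_in), len(y_out))
    l_in = per_example_loss(w, x_in[:n], y_in[:n])
    l_out = per_example_loss(w, x_out[:n], y_out[:n])
    best = 0.0
    for thr in np.quantile(np.concatenate([l_in, l_out]), np.linspace(0.02, 0.98, 49)):
        best = max(best, float(np.mean(l_in < thr) - np.mean(l_out < thr)))
    return best


def train_masked(w, mask, x, y, steps=150, lr=0.5, l2=1e-3):
    """Gradient descent on masked weights; pruned positions stay exactly zero."""
    for _ in range(steps):
        grad = x.T @ (sigmoid(x @ w) - y) / len(y) + l2 * w
        w = (w - lr * grad) * mask
    return w


def prune_regrow(w, mask, frac, rng):
    """Dynamic sparse training step: drop the `frac` smallest-magnitude active
    weights and regrow as many at random inactive positions, so the number of
    active weights (the compression budget) never changes."""
    active, inactive = np.flatnonzero(mask), np.flatnonzero(mask == 0)
    k = min(int(frac * len(active)), len(inactive))
    new_mask = mask.copy()
    if k > 0:
        new_mask[active[np.argsort(np.abs(w[active]))[:k]]] = 0
        new_mask[rng.choice(inactive, size=k, replace=False)] = 1
    return new_mask


def safe_compress(x_tr, y_tr, x_val, y_val, rounds=5, candidates=4, seed=0):
    """Test-driven loop: each round proposes several sparse candidates, runs
    both tests on each, and keeps the candidate with the lowest MIA advantage
    among those within 2 accuracy points of the best (an assumed rule)."""
    rng = np.random.default_rng(seed)
    mask = np.zeros(D)
    mask[rng.choice(D, size=int(round(D * (1 - SPARSITY))), replace=False)] = 1
    w = train_masked(rng.normal(scale=0.1, size=D) * mask, mask, x_tr, y_tr)
    history = []
    for _ in range(rounds):
        cands = []
        for _ in range(candidates):
            m = prune_regrow(w, mask, 0.3, rng)
            w_c = train_masked(w * m, m, x_tr, y_tr)
            cands.append((w_c, m, accuracy(w_c, x_val, y_val),
                          mia_advantage(w_c, x_tr, y_tr, x_val, y_val)))
        best_acc = max(c[2] for c in cands)
        passing = [c for c in cands if c[2] >= best_acc - 0.02]
        w, mask, acc, adv = min(passing, key=lambda c: c[3])
        history.append((acc, adv))
    return w, mask, history


def run_demo():
    """Compress, then report both tests on a third split never used during
    compression (reusing the selection split would overstate safety)."""
    x_tr, y_tr = make_split(100, seed=1)
    x_val, y_val = make_split(100, seed=2)
    x_te, y_te = make_split(100, seed=3)
    w_dense = train_masked(np.zeros(D), np.ones(D), x_tr, y_tr)
    w, mask, history = safe_compress(x_tr, y_tr, x_val, y_val)
    return {
        "n_active": int(mask.sum()),
        "zeros_outside_mask": bool(np.all(w[mask == 0] == 0)),
        "history": [(float(a), float(m)) for a, m in history],
        "dense": (accuracy(w_dense, x_te, y_te), mia_advantage(w_dense, x_tr, y_tr, x_te, y_te)),
        "sparse": (accuracy(w, x_te, y_te), mia_advantage(w, x_tr, y_tr, x_te, y_te)),
    }


if __name__ == "__main__":
    out = run_demo()
    for name in ("dense", "sparse"):
        acc, adv = out[name]
        print(f"{name:6s} test accuracy={acc:.3f}  MIA advantage={adv:.3f}")
```

Two points carry over to a real deployment pipeline regardless of the model or attack used: the safety test must be scored on data the selection step never touched, otherwise the chosen candidate is simply the one that happened to fool this attacker on this split; and the attack simulated during compression bounds only that attack, so a model that passes a loss-threshold MIA test says nothing about its resistance to, say, a backdoor or an adversarial-example attack unless a test for that attack is added to the loop.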
Related papers
- Beyond Perplexity: Multi-dimensional Safety Evaluation of LLM Compression [33.45167213570976]
We investigate the impact of model compression on four dimensions: (1) degeneration harm, i.e., bias and toxicity in generation; (2) representational harm, i.e., biases in discriminative tasks; (3) dialect bias; and (4) language modeling and downstream task performance.
Our analysis reveals that compression can lead to unexpected consequences.
arXiv Detail & Related papers (2024-07-06T05:56:22Z)
- SMC++: Masked Learning of Unsupervised Video Semantic Compression [54.62883091552163]
We propose a Masked Video Modeling (MVM)-powered compression framework that particularly preserves video semantics.
MVM is proficient at learning generalizable semantics through the masked patch prediction task.
It may also encode non-semantic information such as trivial textural details, wasting bit cost and introducing semantic noise.
arXiv Detail & Related papers (2024-06-07T09:06:40Z)
- PROSAC: Provably Safe Certification for Machine Learning Models under Adversarial Attacks [20.73708921078335]
State-of-the-art machine learning models can be seriously compromised by adversarial perturbations.
We propose a new approach to certify the performance of machine learning models in the presence of adversarial attacks.
arXiv Detail & Related papers (2024-02-04T22:45:20Z)
- Safety and Performance, Why Not Both? Bi-Objective Optimized Model Compression against Heterogeneous Attacks Toward AI Software Deployment [15.803413192172037]
We propose a test-driven sparse training framework called SafeCompress.
By simulating the attack mechanism as safety testing, SafeCompress can automatically compress a big model to a small one.
We conduct extensive experiments on five datasets for both computer vision and natural language processing tasks.
arXiv Detail & Related papers (2024-01-02T02:31:36Z)
- Code Polymorphism Meets Code Encryption: Confidentiality and Side-Channel Protection of Software Components [0.0]
PolEn is a toolchain and a processor architecture that combine countermeasures in order to provide an effective mitigation of side-channel attacks.
Code encryption is supported by a processor extension such that machine instructions are only decrypted inside the CPU.
Code polymorphism is implemented by software means. It regularly changes the observable behaviour of the program, making it unpredictable for an attacker.
arXiv Detail & Related papers (2023-10-11T09:16:10Z)
- Citadel: Real-World Hardware-Software Contracts for Secure Enclaves Through Microarchitectural Isolation and Controlled Speculation [8.414722884952525]
Hardware isolation primitives such as secure enclaves aim to protect programs, but remain vulnerable to transient execution attacks.
This paper advocates for processors to incorporate microarchitectural isolation primitives and mechanisms for controlled speculation.
We introduce two mechanisms to securely share memory between an enclave and an untrusted OS in an out-of-order processor.
arXiv Detail & Related papers (2023-06-26T17:51:23Z)
- DRSM: De-Randomized Smoothing on Malware Classifier Providing Certified Robustness [58.23214712926585]
We develop a certified defense, DRSM (De-Randomized Smoothed MalConv), by redesigning the de-randomized smoothing technique for the domain of malware detection.
Specifically, we propose a window ablation scheme to provably limit the impact of adversarial bytes while maximally preserving local structures of the executables.
We are the first to offer certified robustness in the realm of static detection of malware executables.
arXiv Detail & Related papers (2023-03-20T17:25:22Z)
- Backdoor Attacks Against Deep Image Compression via Adaptive Frequency Trigger [106.10954454667757]
We present a novel backdoor attack with multiple triggers against learned image compression models.
Motivated by the widely used discrete cosine transform (DCT) in existing compression systems and standards, we propose a frequency-based trigger injection model.
arXiv Detail & Related papers (2023-02-28T15:39:31Z)
- What do Compressed Large Language Models Forget? Robustness Challenges in Model Compression [68.82486784654817]
We study two popular model compression techniques, knowledge distillation and pruning.
We show that compressed models are significantly less robust than their pre-trained language model (PLM) counterparts on adversarial test sets.
We develop a regularization strategy for model compression based on sample uncertainty.
arXiv Detail & Related papers (2021-10-16T00:20:04Z)
- Adaptive Feature Alignment for Adversarial Training [56.17654691470554]
CNNs are typically vulnerable to adversarial attacks, which pose a threat to security-sensitive applications.
We propose adaptive feature alignment (AFA) to generate features of arbitrary attacking strength.
Our method is trained to automatically align features of arbitrary attacking strength.
arXiv Detail & Related papers (2021-05-31T17:01:05Z)
- Covert Model Poisoning Against Federated Learning: Algorithm Design and Optimization [76.51980153902774]
Federated learning (FL) is vulnerable to external attacks on FL models during parameter transmission.
In this paper, we propose effective model poisoning (MP) algorithms to defeat state-of-the-art defensive aggregation mechanisms.
Our experimental results demonstrate that the proposed covert model poisoning (CMP) algorithms are effective and substantially outperform existing attack mechanisms.
arXiv Detail & Related papers (2021-01-28T03:28:18Z)
This list is automatically generated from the titles and abstracts of the papers in this site.