Linearizing Models for Efficient yet Robust Private Inference
- URL: http://arxiv.org/abs/2402.05521v1
- Date: Thu, 8 Feb 2024 10:01:29 GMT
- Title: Linearizing Models for Efficient yet Robust Private Inference
- Authors: Sreetama Sarkar, Souvik Kundu, Peter A. Beerel
- Abstract summary: This paper presents RLNet, a class of robust linearized networks that can yield latency improvement via reduction of high-latency ReLU operations.
We show that RLNet can yield models with up to 11.14x fewer ReLUs, with accuracy close to the all-ReLU models, on clean, naturally perturbed, and gradient-based perturbed images.
- Score: 8.547509873799994
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: The growing concern about data privacy has led to the development of private inference (PI) frameworks for client-server applications that protect both data privacy and model IP. However, the cryptographic primitives these frameworks require incur significant latency overhead, which limits their widespread adoption. At the same time, changing environments demand that PI services be robust against various naturally occurring and gradient-based perturbations. Despite several works focused on developing latency-efficient models suitable for PI, the impact of these models on robustness has remained unexplored. Toward this goal, this paper presents RLNet, a class of robust linearized networks that yield latency improvements by reducing high-latency ReLU operations while improving model performance on both clean and corrupted images. In particular, RLNet models provide a "triple win ticket" of improved classification accuracy on clean, naturally perturbed, and gradient-based perturbed images using a shared-mask shared-weight architecture with over an order of magnitude fewer ReLUs than baseline models. To demonstrate the efficacy of RLNet, we perform extensive experiments with ResNet and WRN model variants on the CIFAR-10, CIFAR-100, and Tiny-ImageNet datasets. Our experimental evaluations show that RLNet can yield models with up to 11.14x fewer ReLUs, with accuracy close to the all-ReLU models, on clean, naturally perturbed, and gradient-based perturbed images. Compared with SoTA non-robust linearized models at similar ReLU budgets, RLNet improves adversarial accuracy by up to ~47%, naturally perturbed accuracy by up to ~16.4%, and clean image accuracy by up to ~1.5%.
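The paper itself ships no code; a minimal PyTorch sketch of the core linearization idea - a learned binary mask that decides, per channel, whether an activation stays a ReLU or collapses to identity - might look like the following (the module name, per-channel mask granularity, and straight-through training trick are assumptions, not RLNet's exact recipe):

    import torch
    import torch.nn as nn

    class MaskedReLU(nn.Module):
        """ReLU applied only where a binary mask is 1; identity elsewhere.
        Linear (identity) activations avoid the expensive cryptographic
        evaluation that ReLUs incur under private inference."""
        def __init__(self, num_channels):
            super().__init__()
            # Trainable logits; after training, the hard mask is frozen
            # (and, per the abstract, shared across robustness objectives).
            self.mask_logits = nn.Parameter(torch.zeros(num_channels))

        def forward(self, x):
            soft = torch.sigmoid(self.mask_logits)
            # Straight-through estimator: hard 0/1 forward, soft gradient back.
            hard = (soft > 0.5).float()
            m = ((hard - soft).detach() + soft).view(1, -1, 1, 1)
            return m * torch.relu(x) + (1.0 - m) * x

Under PI protocols the identity branches are essentially free, so any regularizer that pushes the mask toward zero buys latency directly.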
Related papers
- Dynamic Pre-training: Towards Efficient and Scalable All-in-One Image Restoration [100.54419875604721]
All-in-one image restoration tackles different types of degradations with a unified model instead of having task-specific, non-generic models for each degradation.
We propose DyNet, a dynamic family of networks designed in an encoder-decoder style for all-in-one image restoration tasks.
Our DyNet can seamlessly switch between its bulkier and lightweight variants, thereby offering flexibility for efficient model deployment.
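DyNet's implementation is not reproduced here; one plausible way to realize "seamless switching" through weight sharing is to unroll a single block a configurable number of times (the class name and residual form below are illustrative assumptions):

    import torch.nn as nn

    class SharedDepthStage(nn.Module):
        """One stage whose single conv block is unrolled a configurable number
        of times, so the heavy and light variants share the same weights."""
        def __init__(self, channels):
            super().__init__()
            self.block = nn.Sequential(
                nn.Conv2d(channels, channels, 3, padding=1),
                nn.ReLU(inplace=True),
            )

        def forward(self, x, depth=4):
            # depth=4 -> bulkier variant; depth=1 -> lightweight variant.
            for _ in range(depth):
                x = x + self.block(x)  # residual reuse of the shared weights
            return x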
arXiv Detail & Related papers (2024-04-02T17:58:49Z)
- Learning from History: Task-agnostic Model Contrastive Learning for Image Restoration [79.04007257606862]
This paper introduces an innovative method termed 'learning from history', which dynamically generates negative samples from the target model itself.
Our approach, named Model Contrastive Learning for Image Restoration (MCLIR), rejuvenates latency models as negative models, making it compatible with diverse image restoration tasks.
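As a rough sketch of the "negative samples from the target model itself" idea (the ratio-style loss and function names below are assumptions, not MCLIR's exact objective):

    import torch
    import torch.nn.functional as F

    def model_contrastive_loss(model, lagged_model, lq, hq):
        """Pull the restored image toward ground truth (positive) and away
        from the output of a frozen historical copy of the model (negative)."""
        restored = model(lq)
        with torch.no_grad():
            negative = lagged_model(lq)   # snapshot of the model's past self
        pos = F.l1_loss(restored, hq)
        neg = F.l1_loss(restored, negative)
        return pos / (neg + 1e-8)         # smaller when far from the negative

In practice the lagged model could be a periodically refreshed copy.deepcopy of the target model, kept frozen between refreshes (this refresh rule is an assumption).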
arXiv Detail & Related papers (2023-09-12T07:50:54Z)
- Efficient Backdoor Removal Through Natural Gradient Fine-tuning [4.753323975780736]
Recent backdoor attacks suggest that an adversary can take advantage of details of the training pipeline and compromise the integrity of a deep neural network (DNN).
Our studies show that a backdoored model is usually optimized to a bad local minimum, i.e. a sharper minimum than that of a benign model.
We propose a novel backdoor removal technique, Natural Gradient Fine-tuning (NGF), which focuses on removing the backdoor by fine-tuning only one layer.
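A heavily simplified sketch of a natural-gradient update on a single layer, using a crude diagonal empirical-Fisher preconditioner (the damping constant and the squared-gradient Fisher estimate are assumptions; the paper's estimator may differ):

    import torch

    def natural_gradient_step(layer, loss, lr=1e-2, damping=1e-3):
        """One preconditioned update on a single layer's weights: divide the
        gradient by a crude diagonal empirical-Fisher estimate (grad**2)."""
        g = torch.autograd.grad(loss, layer.weight)[0]
        fisher_diag = g.pow(2) + damping   # diagonal Fisher approximation
        with torch.no_grad():
            layer.weight -= lr * g / fisher_diag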
arXiv Detail & Related papers (2023-06-30T07:25:38Z)
- Precision-Recall Divergence Optimization for Generative Modeling with GANs and Normalizing Flows [54.050498411883495]
We develop a novel training method for generative models, such as Generative Adversarial Networks and Normalizing Flows.
We show that achieving a specified precision-recall trade-off corresponds to minimizing a unique $f$-divergence from a family we call the PR-divergences.
Our approach improves the performance of existing state-of-the-art models like BigGAN in terms of either precision or recall when tested on datasets such as ImageNet.
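The paper's PR-divergence family is not reproduced here; the sketch below only illustrates the general precision-recall knob with a generic weighted GAN loss (the weighting scheme is a stand-in, not the paper's $f$-divergence):

    import torch
    import torch.nn.functional as F

    def pr_weighted_gan_losses(d_real, d_fake, lam=1.0):
        """lam > 1 weights fake-rejection harder (precision-leaning);
        lam < 1 relaxes it to encourage coverage (recall-leaning)."""
        bce = F.binary_cross_entropy_with_logits
        real_term = bce(d_real, torch.ones_like(d_real))
        fake_term = bce(d_fake, torch.zeros_like(d_fake))
        d_loss = real_term + lam * fake_term
        g_loss = lam * bce(d_fake, torch.ones_like(d_fake))
        return d_loss, g_loss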
arXiv Detail & Related papers (2023-05-30T10:07:17Z)
- Making Models Shallow Again: Jointly Learning to Reduce Non-Linearity and Depth for Latency-Efficient Private Inference [6.141267142478346]
We present a model optimization method that allows a model to learn to be shallow.
We leverage the ReLU sensitivity of a convolutional block to remove a ReLU layer and merge its preceding and succeeding convolution layers into a single shallow block.
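The merge is possible because, once the intervening ReLU is gone, two stacked convolutions are linear and compose exactly into one wider convolution; a verifiable PyTorch sketch (bias omitted, 'valid' padding assumed):

    import torch
    import torch.nn.functional as F

    def merge_convs(w1, w2):
        """Compose w1 (C_mid, C_in, k1, k1) then w2 (C_out, C_mid, k2, k2)
        into one kernel of size k1 + k2 - 1 (cross-correlation semantics)."""
        k2 = w2.shape[-1]
        merged = F.conv2d(w1.permute(1, 0, 2, 3),  # treat C_in as the batch dim
                          w2.flip(-1, -2),         # convolution = flipped corr
                          padding=k2 - 1)
        return merged.permute(1, 0, 2, 3)

    # Sanity check ('valid' padding; padded composition needs border care):
    x = torch.randn(1, 3, 16, 16)
    w1, w2 = torch.randn(8, 3, 3, 3), torch.randn(4, 8, 3, 3)
    y_two = F.conv2d(F.conv2d(x, w1), w2)          # two 3x3 convs, no ReLU
    y_one = F.conv2d(x, merge_convs(w1, w2))       # one merged 5x5 conv
    assert torch.allclose(y_two, y_one, atol=1e-4)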
arXiv Detail & Related papers (2023-04-26T04:23:34Z)
- Iterative Soft Shrinkage Learning for Efficient Image Super-Resolution [91.3781512926942]
Image super-resolution (SR) has witnessed extensive neural network designs from CNN to transformer architectures.
This work investigates the potential of network pruning for super-resolution to take advantage of off-the-shelf network designs and reduce the underlying computational overhead.
We propose a novel Iterative Soft Shrinkage-Percentage (ISS-P) method that optimizes the sparse structure of a randomly initialized network at each iteration and tweaks unimportant weights on-the-fly by a small amount proportional to their magnitude.
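A minimal sketch of one soft-shrinkage step, assuming per-tensor magnitude ranking (the shrink factor and schedule are illustrative):

    import torch

    def iterative_soft_shrink(weight, percentage=0.3, shrink=0.01):
        """Instead of hard-zeroing the smallest `percentage` of weights,
        shrink them in proportion to their magnitude so they can recover."""
        flat = weight.abs().flatten()
        k = max(1, int(percentage * flat.numel()))
        threshold = flat.kthvalue(k).values
        small = weight.abs() <= threshold
        with torch.no_grad():
            weight[small] *= 1.0 - shrink   # magnitude-proportional decay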
arXiv Detail & Related papers (2023-03-16T21:06:13Z)
- Learning to Linearize Deep Neural Networks for Secure and Efficient Private Inference [5.293553970082942]
Existing techniques to reduce ReLU operations often involve manual effort and sacrifice accuracy.
We first present a novel measure of a non-linear layer's ReLU sensitivity, which mitigates the time-consuming manual effort of identifying which ReLUs to remove.
We then present SENet, a three-stage training method that automatically assigns per-layer ReLU counts, decides the ReLU locations for each layer's activation map, and trains a model with significantly fewer ReLUs.
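One simple proxy for ReLU sensitivity - not necessarily the paper's exact definition - is the output drift when a single ReLU layer is linearized; a sketch assuming dotted module names like "layer1.0.relu":

    import copy
    import torch

    def relu_sensitivity(model, relu_names, x):
        """Score each ReLU layer by how much the model output drifts when
        that layer alone is replaced with identity (linearized)."""
        with torch.no_grad():
            baseline = model(x)
        scores = {}
        for name in relu_names:
            probe = copy.deepcopy(model)
            parent = probe
            *path, leaf = name.split(".")
            for part in path:
                parent = getattr(parent, part)
            setattr(parent, leaf, torch.nn.Identity())
            with torch.no_grad():
                scores[name] = (probe(x) - baseline).norm().item()
        return scores   # assign larger ReLU budgets to high-scoring layers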
arXiv Detail & Related papers (2023-01-23T03:33:38Z)
- SmoothNets: Optimizing CNN architecture design for differentially private deep learning [69.10072367807095]
DP-SGD requires clipping and noising of per-sample gradients, which reduces model utility compared to non-private training.
We distilled a new model architecture termed SmoothNet, which is characterised by increased robustness to the challenges of DP-SGD training.
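For reference, the clipping-and-noising step the blurb refers to looks roughly like this (a naive per-sample loop; production code vectorizes this, e.g. Opacus; the hyperparameters are illustrative):

    import torch

    def dp_sgd_step(model, loss_fn, xs, ys, lr=0.1, clip=1.0, noise_mult=1.1):
        """Clip each per-sample gradient to L2 norm `clip`, sum, add Gaussian
        noise scaled by `noise_mult * clip`, average, and step."""
        params = [p for p in model.parameters() if p.requires_grad]
        summed = [torch.zeros_like(p) for p in params]
        for x, y in zip(xs, ys):             # naive per-sample gradient loop
            loss = loss_fn(model(x.unsqueeze(0)), y.unsqueeze(0))
            grads = torch.autograd.grad(loss, params)
            norm = torch.sqrt(sum(g.pow(2).sum() for g in grads))
            scale = (clip / (norm + 1e-6)).clamp(max=1.0)
            for s, g in zip(summed, grads):
                s += g * scale
        with torch.no_grad():
            for p, s in zip(params, summed):
                p -= lr * (s + noise_mult * clip * torch.randn_like(s)) / len(xs)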
arXiv Detail & Related papers (2022-05-09T07:51:54Z)
- Effective Model Sparsification by Scheduled Grow-and-Prune Methods [73.03533268740605]
We propose a novel scheduled grow-and-prune (GaP) methodology without pre-training the dense models.
Experiments have shown that such models can match or beat the quality of highly optimized dense models at 80% sparsity on a variety of tasks.
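A toy version of the schedule, assuming layer-level partitions and magnitude pruning (the rotation rule and sparsity target are illustrative, not the paper's exact procedure):

    import torch

    def gap_step(layers, step, grow_every=1000, sparsity=0.8):
        """Rotate which layer is currently 'grown' (kept dense) while all
        other layers are magnitude-pruned to the target sparsity."""
        grown = (step // grow_every) % len(layers)
        for i, layer in enumerate(layers):
            if i == grown:
                continue                     # this partition trains densely
            w = layer.weight.data
            k = max(1, int(sparsity * w.numel()))
            threshold = w.abs().flatten().kthvalue(k).values
            w.mul_((w.abs() > threshold).float())   # prune small weights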
arXiv Detail & Related papers (2021-06-18T01:03:13Z)
- Fully Dynamic Inference with Deep Neural Networks [19.833242253397206]
Two compact networks, called Layer-Net (L-Net) and Channel-Net (C-Net), predict on a per-instance basis which layers or filters/channels are redundant and therefore should be skipped.
On the CIFAR-10 dataset, LC-Net results in up to 11.9x fewer floating-point operations (FLOPs) and up to 3.3% higher accuracy compared to other dynamic inference methods.
On the ImageNet dataset, LC-Net achieves up to 1.4x fewer FLOPs and up to 4.6% higher Top-1 accuracy than the other methods.
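A sketch of per-instance channel gating in the spirit of C-Net (the gate architecture and the 0.5 threshold are assumptions):

    import torch
    import torch.nn as nn

    class ChannelGate(nn.Module):
        """A tiny gating head predicts, per input instance, which channels of
        the following block are worth computing; the rest are zeroed/skipped."""
        def __init__(self, channels, reduction=4):
            super().__init__()
            self.gate = nn.Sequential(
                nn.AdaptiveAvgPool2d(1), nn.Flatten(),
                nn.Linear(channels, channels // reduction), nn.ReLU(),
                nn.Linear(channels // reduction, channels),
            )

        def forward(self, x):
            probs = torch.sigmoid(self.gate(x))
            # Soft gates while training; hard skip decisions at inference.
            mask = probs if self.training else (probs > 0.5).float()
            return x * mask.view(x.size(0), -1, 1, 1)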
arXiv Detail & Related papers (2020-07-29T23:17:48Z)
- EMPIR: Ensembles of Mixed Precision Deep Networks for Increased Robustness against Adversarial Attacks [18.241639570479563]
Deep Neural Networks (DNNs) are vulnerable to adversarial attacks in which small input perturbations can produce catastrophic misclassifications.
We propose EMPIR, ensembles of quantized DNN models with different numerical precisions, as a new approach to increase robustness against adversarial attacks.
Our results indicate that EMPIR boosts the average adversarial accuracies by 42.6%, 15.2% and 10.5% for the DNN models trained on the MNIST, CIFAR-10 and ImageNet datasets respectively.
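The ensembling step itself is simple; a sketch assuming probability averaging over members quantized to different precisions (EMPIR's exact combination rule may differ):

    import torch

    def empir_predict(models, x):
        """Average the softmax outputs of ensemble members quantized to
        different precisions; a perturbation crafted against one precision
        tends to transfer poorly to the others."""
        probs = [torch.softmax(m(x), dim=1) for m in models]
        return torch.stack(probs).mean(dim=0).argmax(dim=1)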
arXiv Detail & Related papers (2020-04-21T17:17:09Z)
This list is automatically generated from the titles and abstracts of the papers on this site.