FaShapley: Fast and Approximated Shapley Based Model Pruning Towards Certifiably Robust DNNs

Despite the great success achieved by deep neural networks (DNNs), concerns have been raised regarding their robustness against adversarial perturbations as well as their large model size in resource-constrained environments. Recent studies on robust learning indicate a tradeoff between robustness and model size; for instance, larger smoothed models provide higher robustness certification. Recent works have tried to weaken this tradeoff by training small models via optimized pruning. However, these methods usually do not directly take specific neuron properties, such as neuron importance, into account. In this paper, we focus on designing a quantitative criterion, neuron Shapley, to evaluate the importance of neuron weights/filters within DNNs, leading to effective unstructured/structured pruning strategies that improve the certified robustness of the pruned models. However, directly computing Shapley values for neurons has exponential computational complexity, so we propose a fast and approximated Shapley (FaShapley) method based on gradient approximation and an optimized sample size. Theoretically, we analyze the desired properties (e.g., linearity and symmetry) and the sample complexity of FaShapley. Empirically, we conduct extensive experiments on different datasets with both unstructured and structured pruning. The results on several DNN architectures trained with different robust learning algorithms show that FaShapley achieves state-of-the-art certified robustness under different settings.
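To make the complexity argument concrete, the following is a minimal, self-contained sketch (not the paper's implementation) contrasting exact Shapley computation, which enumerates all n! player orderings, with the standard permutation-sampling Monte Carlo estimator that sample-based approximations such as FaShapley build on. The toy value function and "neuron" names are illustrative assumptions; in the pruning setting the value function would be a model-quality metric evaluated on a subset of retained neurons.

```python
import itertools
import math
import random

def exact_shapley(players, value_fn):
    """Exact Shapley values via all |N|! permutations -- O(n!) value queries."""
    players = list(players)
    phi = {p: 0.0 for p in players}
    for perm in itertools.permutations(players):
        coalition = set()
        prev = value_fn(coalition)
        for p in perm:
            coalition.add(p)
            cur = value_fn(coalition)
            phi[p] += cur - prev  # marginal contribution of p in this ordering
            prev = cur
    n_fact = math.factorial(len(players))
    return {p: v / n_fact for p, v in phi.items()}

def monte_carlo_shapley(players, value_fn, num_samples, seed=0):
    """Unbiased permutation-sampling estimator -- O(num_samples * n) queries."""
    rng = random.Random(seed)
    players = list(players)
    phi = {p: 0.0 for p in players}
    for _ in range(num_samples):
        perm = players[:]
        rng.shuffle(perm)  # sample one ordering uniformly at random
        coalition = set()
        prev = value_fn(coalition)
        for p in perm:
            coalition.add(p)
            cur = value_fn(coalition)
            phi[p] += cur - prev
            prev = cur
    return {p: v / num_samples for p, v in phi.items()}

# Toy additive "utility" game: each hypothetical neuron contributes a fixed
# amount, so its Shapley value equals that contribution exactly.
contrib = {"n1": 0.5, "n2": 0.3, "n3": 0.2}
value = lambda S: sum(contrib[p] for p in S)
exact = exact_shapley(contrib, value)
approx = monte_carlo_shapley(contrib, value, num_samples=200)
```

For this additive game every marginal contribution is constant, so both estimators recover the exact values; for a real network the value function is non-additive and the estimator's error shrinks with the sample size, which is the quantity a sample-complexity analysis bounds.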
