RobustMQ: benchmarking robustness of quantized models

Quantization has emerged as an essential technique for deploying deep neural networks (DNNs) on devices with limited resources. However, quantized models exhibit vulnerabilities when exposed to various noises in real-world applications. Despite the importance of evaluating the impact of quantization on robustness, existing research on this topic is limited and often disregards established principles of robustness evaluation, resulting in incomplete and inconclusive findings. To address this gap, we thoroughly evaluated the robustness of quantized models against various noises (adversarial attacks, natural corruptions, and systematic noises) on ImageNet. The comprehensive evaluation results empirically provide valuable insights into the robustness of quantized models in various scenarios, for example: (1) quantized models exhibit higher adversarial robustness than their floating-point counterparts, but are more vulnerable to natural corruptions and systematic noises; (2) in general, increasing the quantization bit-width results in a decrease in adversarial robustness, an increase in natural robustness, and an increase in systematic robustness; (3) among corruption methods, impulse noise and glass blur are the most harmful to quantized models, while brightness has the least impact; (4) among systematic noises, nearest neighbor interpolation has the highest impact, while bilinear interpolation, cubic interpolation, and area interpolation are the three least harmful. Our research contributes to advancing the robust quantization of models and their deployment in real-world scenarios.
