3.1 Deep Neural networks (DNNs)

Given an input $\mathbf{x} \in \mathbb{R}^{m}$ and the corresponding output vector $\mathbf{y} \in \mathbb{R}^{n}$, a DNN is a classification function $f: \mathbf{x} \mapsto \mathbf{y}$, where $m$ is high-dimensional. In addition to the input $\mathbf{x}$, the output $\mathbf{y}$ also depends on the network parameters $\theta$ which the network learns during the training process.

For the n-class classifiers considered in this work, the output vector $\mathbf{y}$ is a probability distribution, that is: $y_{1}+y_{2}+y_{3}+\ldots+y_{n}=1$ and $0 \leq\left(y_{i}\right)_{i=1}^{n} \leq 1$. Each element $y_{i}$ in y represents the probability that the input $\mathbf{x}$ has class $i$. Thus, for a network $\mathbf{y}=f(\mathbf{x})$, the label $y$ assigned by the classifier to input $\mathbf{x}$ is: \begin{equation*}\underset{i}{\operatorname{argmax}} f_{i}\left(\mathbf{x}\right)=y \tag{1}\end{equation*}View Source\begin{equation*}\underset{i}{\operatorname{argmax}} f_{i}\left(\mathbf{x}\right)=y \tag{1}\end{equation*}

Here, $y_{i}=f_{i}(\mathbf{x})$ is the $i^{\text {th }}$ output of the network.

3.2 Adversarial Examples

Adversarial examples are created by adding computed perturbations to a clean image. The resulting distorted samples look similar to their original counterparts and are still classified correctly by human oracles, but the perturbations are enough for a classifier to change the output class probabilities, possibly leading to a misclassification [6, 10, 16, 29].

Let $y^{\text {true }}$ be the true label of a clean sample $\mathbf{x}$, then from Equation 1 we have: $\operatorname{argmax}_{i} f_{i}(\mathbf{x})=y^{\text {true }}$. If $\mathbf{x}$ is subjected to a perturbation vector $\eta \in \mathbb{R}^{m}$, resulting in a perturbed example $\mathbf{x}^{a d v}$ that causes misclassification, then: \begin{equation*}\underset{i}{\operatorname{argmax}} f_{i}\left(\mathbf{x}^{\text {adv }}\right) \neq y^{\text {true }} \tag{2}\end{equation*}View Source\begin{equation*}\underset{i}{\operatorname{argmax}} f_{i}\left(\mathbf{x}^{\text {adv }}\right) \neq y^{\text {true }} \tag{2}\end{equation*}

3.3 Crafting Algorithms

The perturbation introduced to create an adversarial example is not random. In fact, it is much harder to cause misclassification by adding perturbations in random directions [30]. An adversarial example generation algorithm adds perturbations to the original image in a specific direction, computed within the steps of the algorithm.

Fast Gradient Sign Method (FGSM) [6] is one of the simplest methods to craft adversarial examples. The single-step algorithm adds max-norm constrained perturbation in the direction of the loss gradient of the network to create adversarial samples. \begin{equation*}\mathbf{x}^{a d v}=\mathbf{x}+\varepsilon \operatorname{sign}\left(\nabla J_{\mathbf{x}}\left(\mathbf{x}, y, \theta\right)\right) \tag{3}\end{equation*}View Source\begin{equation*}\mathbf{x}^{a d v}=\mathbf{x}+\varepsilon \operatorname{sign}\left(\nabla J_{\mathbf{x}}\left(\mathbf{x}, y, \theta\right)\right) \tag{3}\end{equation*}

Here, $\nabla J_{\mathbf{x}}$ is the gradient of the loss function $J(\mathbf{x}, y, \theta)$, computed with respect to input $\mathbf{x}$. Since loss gradient gives the direction of the largest increase in loss, adding a small perturbation aligned with this direction can cause significant increase in loss at high dimensions. $\varepsilon$ is the $L_{\infty}$ norm of the perturbation which also gives the distance between $\mathbf{x}$ and $\mathbf{x}^{a d v}$.

Jacobian Saliency Map based Attack (JSMA) [27] computes adversarial examples by creating a direct mapping between input and output variations and using this map to isolate features that are most effective in causing classification change. The algorithm uses forward derivative of the function learned by the network (given by Equation 4) to construct a saliency map which filters the features that are most important based on the the given criteria. Equation 5 provides a basic filter criteria as defined in [27]. \begin{equation*}\nabla f\left(\mathbf{x}\right)=\frac{\partial f\left(\mathbf{x}\right)}{\partial \mathbf{x}}=\left[\frac{\partial f_{j}\left(\mathbf{x}\right)}{\partial x_{i}}\right]_{i \in 1, \ldots, m, j \in 1, \ldots, n} \tag{4}\end{equation*}View Source\begin{equation*}\nabla f\left(\mathbf{x}\right)=\frac{\partial f\left(\mathbf{x}\right)}{\partial \mathbf{x}}=\left[\frac{\partial f_{j}\left(\mathbf{x}\right)}{\partial x_{i}}\right]_{i \in 1, \ldots, m, j \in 1, \ldots, n} \tag{4}\end{equation*} \begin{equation*}S\left(\nabla f\left(\mathrm{x}\right), t\right)\left[i\right]=\begin{cases}0 \text { if } \frac{\partial f_{t}\left(\mathrm{x}\right)}{\partial x_{i}}\lt0 \text { or } \sum_{j \neq t} \frac{\partial f_{j}\left(\mathrm{x}\right)}{\partial x_{i}}\gt 0 \\ \left(\frac{\partial f_{t}\left(\mathrm{x}\right)}{\partial x_{i}}\right)\left|\sum_{j \neq t} \frac{\partial f_{j}\left(\mathrm{x}\right)}{\partial x_{i}}\right| \text { otherwise }\end{cases} \tag{5}\end{equation*}View Source\begin{equation*}S\left(\nabla f\left(\mathrm{x}\right), t\right)\left[i\right]=\begin{cases}0 \text { if } \frac{\partial f_{t}\left(\mathrm{x}\right)}{\partial x_{i}}\lt0 \text { or } \sum_{j \neq t} \frac{\partial f_{j}\left(\mathrm{x}\right)}{\partial x_{i}}\gt 0 \\ \left(\frac{\partial f_{t}\left(\mathrm{x}\right)}{\partial x_{i}}\right)\left|\sum_{j \neq t} \frac{\partial f_{j}\left(\mathrm{x}\right)}{\partial x_{i}}\right| \text { otherwise }\end{cases} \tag{5}\end{equation*}

In Equation 5, $t$ is the target class to which the input is to be misclassified, that is, $t \neq y^{\text {true }}. S(\nabla f(\mathbf{x}), t)[i]$ is the saliency map computed for $i^{\text {th }}$ feature.

Thus, as per Equation 5, from the Jacobian matrix (given by Equation 4), features that increase the target class probability and at the same time decrease the probabilities of all other classes are weighed and the feature with the highest value is selected. In each iteration, selected feature is perturbed by a defined amount. This is continued till adversarial goal of misclassification, that is, $\operatorname{argmax}_{i} f_{i}(\mathbf{x})=t$, is reached.

Universal Adversarial Perturbation (UAP) Attack [23] is quite different from other algorithms because it does not create adversarial sample but instead results in a single perturbation vector that can be added to any point in the dataset to create adversarial examples. Such perturbation vector is called Universal Adversarial Perturbation or UAP.

If $X=\left\{\mathbf{x}_{1}, \mathbf{x}_{2}, \ldots, \mathbf{x}_{n}\right\}$ be a dataset sampled from a data distribution $\mu$, then the basic idea is to sequentially iterate though each image in $X$ and compute a perturbation vector $\Delta \boldsymbol{v}_{k}$ that sends the current image $\mathbf{x}_{k}+\boldsymbol{v}$ across the decision boundary of the network. Every iteration also updates the overall perturbation $\boldsymbol{v}$ with $\Delta \boldsymbol{v}_{k}$. The algorithm stops when the computed perturbation is able to fool a pre-defined number of images in $X$. The perturbation vector $\Delta \boldsymbol{v}_{k}$ can be computed using any algorithm, in the case of this paper, we use FGSM.

The Boundary Attack (BA) [3] uses model’s decisions on the input points to craft adversarial examples. The attack is conceptually simple. Given a benign image, the algorithm initializes a random adversarial image. The initialized random image is then subjected to multiple perturbations iteratively. Each perturbation decreases the $L_{2}$ distance between the benign and the adversarial image. When adding these perturbations, the algorithm queries the model with the perturbed image as input to make sure that the perturbation still keeps the image outside the decision boundary of the true class. Thus, the initial random image is moved along the decision boundary between the adversarial and non-adversarial region until minimum $L_{2}$ distance between the benign and the adversarial image is achieved. At the end of the run, the initial image remains adversarial but looks like the benign image to human observers.

The boundary attack does not require access to model parameters and architecture, thus it can operate under black-box scenarios. Further, it does not use gradients to create adversarial examples.

The Carlini-Wagner (CW) Attack [4] is one of the most powerful adversarial attacks. It uses an optimization function that iteratively performs gradient descent towards the target adversarial class while keeping the distance between original and the adversarial example minimal. Equation 6 defines the optimization problem the attack algorithm solves. \begin{align*}\text { minimize }\left\|\mathrm{x}^{a d v}-\mathrm{x}\right\|_{2}^{2}+c \cdot l\left(\mathrm{x}^{a d v}\right); \text { where, } \\ l\left(\mathrm{x}^{a d v}\right)=\max \left(Z_{i}\left(\mathrm{x}^{a d v}\right)-\max \left(Z_{t}\left(\mathrm{x}^{a d v}\right): t \neq i\right)+\kappa, 0\right) \tag{6}\end{align*}View Source\begin{align*}\text { minimize }\left\|\mathrm{x}^{a d v}-\mathrm{x}\right\|_{2}^{2}+c \cdot l\left(\mathrm{x}^{a d v}\right); \text { where, } \\ l\left(\mathrm{x}^{a d v}\right)=\max \left(Z_{i}\left(\mathrm{x}^{a d v}\right)-\max \left(Z_{t}\left(\mathrm{x}^{a d v}\right): t \neq i\right)+\kappa, 0\right) \tag{6}\end{align*}

In the above equation, $Z_{i}\left(x^{a d v}\right)$ is the true label while $Z_{t}\left(x^{a d v}\right)$ is any label other than $i$, thus the loss function $l$ ensures misclassification. Further, it can be seen that the attack uses logits $Z(\mathbf{x})$ instead of output from the softmax layer. This enables the attack to bypass defensive techniques such as defensive distillation [28] which work by smoothening the model’s output. Similarly, $c$ is a non-negative constant that balances misclassification confidence and distance between adversarial and original sample. It is determined during run-time using binary search. The attack also allows to define misclassification confidence $\kappa$. Increasing the misclassification confidence increases the probability that the attack becomes more transferable but at the cost of higher distortions.

As can be seen, the equation focuses on only $L_{2}$ metric when creating attacks. In their paper, authors also define $L_{0}$ and $L_{\infty}$ variants; however, our analysis only includes $L_{2}$ norm as it is the strongest and the attack was originally formulated for this norm, while other norms were adapted from $L_{2}$.

3.4 Quantization as a model optimization technique.

Quantization reduces the bitwidth of network values such that computational complexity during training and inference is reduced [14]. By using lower bitwidth numbers rather than default float32 values, floating-point multiplications during convolution operations can be replaced by bitwise operations which are much faster.

In this paper, network quantization is performed during training using a method called DoReFa-Net [36]. For any real number $r_{i} \in[0,1]$, the corresponding n-bit quantized output value $r_{o}$ is computed during forward pass using the quantization function $r_{o}=\frac{1}{2^{n}-1} \operatorname{round}\left(\left(2^{n}-1\right) r_{i}\right)$. However, since a continuous function with a small finite range always has zero gradient with respect to its input [36], the quantization function itself is not differentiable This creates a problem during back-propagation. For instance, if $c$ is the cost function, then during backward pass, computation as in Equation 7 requires $\frac{\partial r_{o}}{\partial r_{i}}$ which is not defined. \begin{equation*}\frac{\partial c}{\partial r_{i}}=\frac{\partial c}{\partial r_{o}} \cdot \frac{\partial r_{o}}{\partial r_{i}} \tag{7}\end{equation*}View Source\begin{equation*}\frac{\partial c}{\partial r_{i}}=\frac{\partial c}{\partial r_{o}} \cdot \frac{\partial r_{o}}{\partial r_{i}} \tag{7}\end{equation*}

One of the solution to this problem is to estimate the value of $\frac{\partial r_{o}}{\partial r_{i}}$, given that $\frac{\partial c}{\partial r_{o}}$ is properly defined. The estimators that allow defining custom $\frac{\partial r_{o}}{\partial r_{i}}$ are called Straight Through Estimators or STEs [1]. DoReFa-Net uses $\frac{\partial c}{\partial r_{i}}=\frac{\partial c}{\partial r_{o}}$ as STE during activation and weight quantization.

4.1 Transferability of adversarial examples

The objective of this experiment was to evaluate how algorithm specific properties affect transferability. For both CIFAR10 and MNIST models, 1000 randomly selected clean samples that were classified correctly by both source and target models were used to create adversarial samples. These were then transferred among different bitwidth versions of the same model and the resulting adversarial accuracy of the target model was measured. This process was repeated 3 times and the average adversarial accuracy was noted.

Figure 1 reports the transferability results for Resnet20 models. Results for MNIST models are similar and are excluded for brevity.

From the figure, the following observations can be made:

Observation 1: Transferability of loss gradient based attacks is poor. As can be seen, transferability of FGSM, CW, and UAP is poor. CW attack, which has 100% efficiency when applied on the same network, transfers very poorly. One of the reasons for the observed poor transferability of these attacks is that the gradient of the loss function (with respect to the input) of the networks at different bitwidths do not align with each other [2]. Loss gradient based attacks create adversarial examples by adding perturbations in the direction of the loss gradient. Thus, misalignment of gradient between source and target means that the perturbation direction transferred from source may not be able to cause the same effect at the target. The lower the cosine similarity between the loss gradients, the lower is the transferability [2, 5, 32]. By comparison, UAP has better transferability which is noticed in observation 3.

Another reason for the poor transferability could be due to the quantization shift phenomenon [2, 35]. When networks are quantized, weight and activation values are grouped into the same bucket, this impacts how the attack performs when bitwidth is changed. For instance, when adversarial examples are crafted in a quantized network, an algorithm may assume that weight values associated with certain nodes are similar, but when moving the attack to a full-precision network, one weight value may be more than the other. This might end up activating unintended nodes thus making the sample unsuccessful. This also explains why a powerful attack like CW fails to transfer. Since the attack relies on creating differential activation between the logits, when the attack is transferred to another network, the attack might not be able to achieve the same activation difference between the true class and adversarial class. Hence, the change in bitwidth between source and target hampers the effectiveness of the attack.

We also noticed that the transferability of CW attack can be improved by increasing the value of $\kappa$. This was also observed in the original paper [4] as well as by other studies [2]. However, in our experiments, when the value was increased beyond $\kappa=5$, most of the images became unrecognizable. Since one of the requirements for a sample to be adversarial is that it should be recognizable to humans, we did not increase $\kappa$ beyond this value.

Observation 2: JSMA has poor transferability. This can again be explained in terms of quantization shift. JSMA crafts adversarial examples by manipulating individual features in an image based on how effective that feature is in producing misclassification. The effectiveness of each feature is based on individual parameter and activation values of that network. Due to quantization shift, the same features may no longer be sensitive on a different network with different bitwidth. This explains why JSMA has better performance when the attack is applied on the same network as it is able to find features that are sensitive enough to cause misclassification for that network. However, when the created sample is transferred to another network with different bitwidth, the same perturbations are no longer able to produce similar change in activations due to the target network being in full-precision or having different discrete levels of activation and weight values.

Observation 3: The Boundary Attack has poor transferability. As can be seen, the transferability of the Boundary Attack is poor. The target networks are highly robust against the attack even though the same examples work with almost 100% success rate at the source. This can be explained with how the Boundary Attack crafts adversarial examples and the resulting direction of the perturbations.

Adversarial examples exist in a broad contiguous regions in input space; thus, rather than an exact example, the direction of perturbation is important for transferability [6]. The perturbation directions that lead to the adversarial sub-space are called the adversarial directions and the examples created on source are transferable if their adversarial directions align with adversarial directions of the black-box target model [30]. Thus, aligning the perturbation with the adversarial direction is a reliable way of not only fooling the source but also the target model. These adversarial directions point away from the original image as the perturbations are normally added to the original image. However, in case of the Boundary Attack, perturbations are added to a random image, moving it towards the original image. The perturbed image thus has perturbation direction towards the original class boundary which is opposite to the adversarial direction. This explains the poor transferability of the attack.

Observation 4: UAP has better transferability than FGSM when the allowed perturbation is high. Although UAP algorithm internally uses FGSM to compute perturbations for individual images (Section 3.3), it performs better than FGSM itself when the allowed magnitude of perturbation $\xi$ is high.

UAP allows to increase the maximum allowed distortion to higher values than the internal algorithm while still keeping the adversarial image recognizable. Figure 2 compares adversarial images generated using UAP and FGSM on the FP Mnist A model by taking the same value of allowed distortion ($\varepsilon$ for FGSM and $\xi$ for UAP). As can be seen, the images still remain recognizable in the case of UAP, whereas the images are completely distorted for FGSM.

Summary

• Quantization reduces the transferability of attacks. Quantization shift and misalignment of loss gradients between variable bitwidth networks result in poor transferability. Similar observations were made in $[2,35]$. The experiments in this section extend this finding to show that the quantization shift also affects the transferability of algorithms like JSMA that leverage individual features to produce misclassification. Further, the experiments on the Boundary Attack show that search based algorithms might not produce transferable examples due to the direction of perturbation.

• At higher distortions, UAPs are more transferable than the attack used to craft it. It was found that the UAP allows to add more distortion than the algorithm used internally to craft it. Thus, the performance of UAP may be enhanced to a greater extent than that of the internal algorithm.

4.2 Transferability of adversarial examples when considering model-related properties

To explore how model-related properties affect transferability among networks of different bitwidths, adversarial examples created at source were transferred to target networks which not only had different bitwidths but also different model capacity and model architecture than the source model. The model capacity here is quantified in terms of number of parameters in the model.

Figure 1:

Transferability of adversarial attacks among different bitwidth versions of the Resnet20 model. In each matrix, rows indicate the source networks, while columns indicate the corresponding target networks. Row and column headers specify the bitwidth of the source and target models, respectively. The source and target model IDs are labelled alongside the corresponding headers. Cell values correspond to the adversarial accuracy of the target. Higher values (darker colours) indicate less transferability, while lower values (lighter colours) indicate more transferability. The diagonal values correspond to attack performance on the source (the source and target are the same model). Each value in the “Average” column indicates the average adversarial accuracy of all target models (one complete row) against a single attack source.

Show All

Figure 2:

Adversarial examples generated on FP Mnist A model using: (a) UAP with $\xi=0.6$. (b) FGSM with $\varepsilon=0.6$. Both images are first 10 images from the MNIST dataset.

Show All

Table 3 Test Set Accuracy of the Full-Precision (Fp) and Quantized Versions of High-Capacity Variants of Mnist A Model. Mnist A Has 414K Parameters, While Mnist B and Mnist C Have 836K and 1.7M Parameters, Respectively

Additional CIFAR10 and MNIST models of different capacities were trained. More specifically, Resnet32, Resnet44, and their quantized versions were trained for CIFAR10 and by increasing the number of channels for all convolution layers of Mnist A by 100% and 300%, Mnist B and Mnist C, respectively, were trained for MNIST. Tables 3 and Tables 4 show test accuracies for quantized and FP versions of both MNIST and CIFAR10 models, respectively. Using FP Resnet44 and its quantized versions as targets, attacks were transferred from FP and quantized versions of Resnet20 and Resnet32. Similarly, Mnist C and its quantized versions were used as target models and attacks were transferred from FP and quantized versions of Mnist A and Mnist B. Figure 3 shows the results for CIFAR10 models. Similar results were obtained for MNIST and are not shown for the sake of conciseness.

Table 4 Test Set Accuracy of the Full-Precision (Fp) and Quantized Versions of Various Resnets and Cnn Models Used. Resnet20 Has 269K Parameters, While Resnet32, Resnet44, and Cifar A Have 464K, 658K, and 4.5M Parameters, Respectively

Similarly, to study how model architecture affects transferability, an 11-layer CNN (named as Cifar A for easier reference) was trained on the CIFAR10 dataset. Table 4 shows test accuracy of the model and its quantized versions. Adversarial examples crafted on FP and quantized versions of Resnet 20 was then transferred to FP and quantized versions of Cifar A. Figure 4 shows the results.

Figure 3:

Transferability of adversarial attacks when the source and target networks differ in capacity. The five matrices on the left column depict the transferability of each of the five attacks when the source networks are different bitwidth versions of Resnet20. The matrices on the right column depict the transferability of the same attacks when the source networks are different bitwidth versions of Resnet32. The target networks are FP Resnet44 and its quantized versions in all cases.

Show All

Figure 4:

Transferability of adversarial attacks when the source and target networks differ in architecture. The source networks are different bitwidth versions of Resnet20 and the target networks are different bitwidth versions of Cifar A.

Show All

Comparing transferability results in Figure 1 with those in Figure 3 and Figure 4, it can be seen that, for the corresponding attack types, the average transferability when the source and targets have different capacity and architecture follows the same pattern as when the source and targets are similar in architecture and capacity. For instance, for the UAP attack in Figure 1 where both source and target networks are different bitwidth versions of Resnet20, the average transferability (for $\xi=0.1$) is highest when the attack source is 1-bit Resnet20, while it is lowest when the attack source is a FP Resnet20 This pattern can be seen for the UAP attack in Figure 3 as well where the attack sources are Resnet 20 and its quantized versions but the target models are Resnet44 and its quantized versions. Moreover, similar observations can be made in Figure 4. The pattern is followed for all attack sources and not just for the sources with the highest or lowest overall adversarial transferability and is true for all attack types. There are very few exceptions, for instance, in the case of JSMA; however these are rare for both MNIST and CIFAR10 models.

Further, it can be noted from Figure 3 and 4 that the transferability is not better when source and target networks are of same architecture as when they are different in architecture. This is inline with the observation in [19] but is in contrast to the one made in [32].

Summary

The average transferability of an attack among the different bitwidth versions of the same model can be an indication of transferability when the attack is transferred to another model which may be different in not only bitwidth but also in architecture and model capacity. This suggests that better overall transferability of an attack source when the network architecture and capacity of source and target are similar can also mean better transferability when both source and target differ in architecture and model capacity.

A.1 Mnist A

Training hyperparameters are as below:

• Normalization: Features are normalized to [0, 1]

• Optimizer: Adam optimizer with learning rate $(\alpha)=0.001, \beta_{1}=0.9$, $\beta_{2}=0.999, \varepsilon=1 \mathrm{e}-8$

• Regularization: Weight decay on all FC layers Regularization hyperparameter $(\lambda)$: 1e-5

• Loss: Cross-entropy

A.2 ResNet20

Training details are as below:

• Normalization: Features are normalized to [0, 1]

• Optimizer: Momentum optimizer with $\gamma=0.9$

• Regularization: Weight decay on all layers Regularization hyperparameter ($\lambda$): 2e-4

• Loss: Cross-entropy

• Learning Rate: Scheduled to change as (epoch, value): (1, 0.1), (32, 0.01), (48, 0.001), (72, 0.0002), (82, 0.00002)