Neural network pruning has shown to be an effective technique for reducing the network size, trading desirable properties like generalization and robustness to adversarial attacks for higher sparsity. Recent work has claimed that adversarial pruning methods can produce sparse networks while also preserving robustness to adversarial examples. In this work, we first re-evaluate three state-of-the-art adversarial pruning methods, showing that their robustness was indeed overestimated. We then compare pruned and dense versions of the same models, discovering that samples on thin ice, i.e., closer to the unpruned model’s decision boundary, are typically misclassified after pruning. We conclude by discussing how this intuition may lead to designing more effective adversarial pruning methods in future work.
SAMPLES ON THIN ICE: RE-EVALUATING ADVERSARIAL PRUNING OF NEURAL NETWORKS / Piras, Giorgio; Pintor, Maura; Demontis, Ambra; Biggio, Battista. - (2023), pp. 229-235. (Intervento presentato al convegno International Conference on Machine Learning and Cybernetics, ICMLC 2023 tenutosi a Adelaide, Australia).
SAMPLES ON THIN ICE: RE-EVALUATING ADVERSARIAL PRUNING OF NEURAL NETWORKS
Giorgio Piras
Primo
;
2023
Abstract
Neural network pruning has shown to be an effective technique for reducing the network size, trading desirable properties like generalization and robustness to adversarial attacks for higher sparsity. Recent work has claimed that adversarial pruning methods can produce sparse networks while also preserving robustness to adversarial examples. In this work, we first re-evaluate three state-of-the-art adversarial pruning methods, showing that their robustness was indeed overestimated. We then compare pruned and dense versions of the same models, discovering that samples on thin ice, i.e., closer to the unpruned model’s decision boundary, are typically misclassified after pruning. We conclude by discussing how this intuition may lead to designing more effective adversarial pruning methods in future work.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
