Author: Kim Martineau | MIT Quest for Intelligence<\/p>\n
Smartphones, security cameras, and speakers are just a few of the devices that will soon be running more artificial intelligence software to speed up image- and speech-processing tasks. A compression technique known as quantization is smoothing the way by making deep learning models smaller to reduce computation and energy costs. But smaller models, it turns out, make it easier for malicious attackers to trick an AI system into misbehaving \u2014 a concern as more complex decision-making is handed off to machines.\u00a0<\/p>\n
In a\u00a0new study<\/a>, MIT and IBM researchers show just how vulnerable compressed AI models are to adversarial attack, and they offer a fix: add a mathematical constraint during the quantization process to reduce the odds that an AI will fall prey to a slightly modified image and misclassify what they see.\u00a0<\/p>\n When a deep learning model is reduced from the standard 32 bits to\u00a0a lower bit length, it\u2019s\u00a0more likely to misclassify altered images due to an error amplification\u00a0effect: The manipulated image becomes more distorted with each extra layer of processing. By the end, the model is more likely to mistake a bird for a cat, for example, or a frog for a deer.\u00a0\u00a0\u00a0<\/p>\n Models quantized to 8 bits or fewer are more susceptible to adversarial attacks, the researchers show, with accuracy falling from an already low 30-40 percent to less than 10 percent as bit width declines. But controlling the Lipschitz constraint during quantization restores some resilience. When the researchers added the constraint, they saw small performance gains in an attack, with the smaller models in some cases outperforming the 32-bit model.\u00a0<\/p>\n \u201cOur technique limits error amplification and can even make compressed deep learning models more robust than full-precision models,\u201d says\u00a0Song Han<\/a>, an assistant professor in MIT\u2019s\u00a0Department of Electrical Engineering and Computer Science<\/a>\u00a0and a member of MIT\u2019s\u00a0Microsystems Technology Laboratories<\/a>. \u201cWith proper quantization, we can\u00a0limit\u00a0the error.\u201d\u00a0<\/p>\n The team plans to further improve the technique by training it on larger datasets and applying it to a wider range of models. \u201cDeep learning models need to be fast and secure as they move into a world of internet-connected devices,\u201d says study coauthor Chuang Gan<\/a>, a researcher at the MIT-IBM Watson AI Lab. \u201cOur Defensive Quantization technique helps on both fronts.\u201d<\/p>\n The researchers, who include MIT graduate student Ji Lin, present their results at the\u00a0International Conference on Learning Representations<\/a>\u00a0in May.<\/p>\n In making AI models smaller so that they run faster and use less energy, Han is using AI itself to push the limits of model compression technology. In related\u00a0recent work<\/a>, Han and his colleagues show how reinforcement learning can be used to automatically find the smallest bit length for each layer in a quantized model based on how quickly the device running the model can process images. This flexible bit width approach reduces latency and energy use by as much as 200 percent compared to a fixed, 8-bit model, says Han. The researchers will present their results at the\u00a0Computer Vision and Pattern Recognition<\/a>\u00a0conference in June.\u00a0<\/p>\n<\/div>\n Go to Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"