Safety and Performance, Why Not Both? Bi-Objective Optimized Model Compression against Heterogeneous Attacks Toward AI Software Deployment (2401.00996v1)
Abstract: The size of deep learning models in AI software is increasing rapidly, hindering large-scale deployment on resource-restricted devices (e.g., smartphones). To mitigate this issue, AI software compression, which aims to reduce model size while keeping high performance, plays a crucial role. However, the intrinsic defects of a big model may be inherited by the compressed one. Such defects may be easily leveraged by adversaries, since a compressed model is usually deployed on a large number of devices without adequate protection. In this article, we aim to address the safe model compression problem from the perspective of safety-performance co-optimization. Specifically, inspired by the test-driven development (TDD) paradigm in software engineering, we propose a test-driven sparse training framework called SafeCompress. By simulating the attack mechanism as safety testing, SafeCompress can automatically compress a big model to a small one following the dynamic sparse training paradigm. Then, considering two representative and heterogeneous attack mechanisms, i.e., black-box membership inference attack and white-box membership inference attack, we develop two concrete instances called BMIA-SafeCompress and WMIA-SafeCompress. Further, we implement another instance called MMIA-SafeCompress by extending SafeCompress to defend against adversaries that conduct black-box and white-box membership inference attacks simultaneously. We conduct extensive experiments on five datasets for both computer vision and natural language processing tasks. The results show the effectiveness and generalizability of our framework. We also discuss how to adapt SafeCompress to other attacks besides membership inference attack, demonstrating the flexibility of SafeCompress.
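The abstract describes the framework only in outline: a compression loop in which a simulated attack acts as a safety test alongside the usual performance test, with the sparse topology updated in the dynamic sparse training style. The following is an added toy illustration of that loop (not the paper's code, and not any SafeCompress instance): a tiny masked MLP on constructed data with label noise, a black-box membership-inference safety test that scores the confidence-threshold attacker's advantage, a magnitude-prune/random-regrow step, and a test-driven gate that keeps only candidates passing both tests. All names, thresholds and hyperparameters are assumptions chosen for the example.

```python
# Added example (not the paper's code): toy SafeCompress-style loop in which each
# candidate sparse model must pass an accuracy test and a simulated black-box MIA test.
import numpy as np

def mia_advantage(member_conf, nonmember_conf):
    """Safety test: a black-box attacker sees only the confidence of the true label
    and calls a sample 'member' above a threshold. Returns best TPR - FPR in [0, 1]."""
    m, nm = np.asarray(member_conf, float), np.asarray(nonmember_conf, float)
    best = 0.0
    for t in np.concatenate([m, nm]):
        best = max(best, np.mean(m >= t) - np.mean(nm >= t))
    return float(best)

def forward(X, W1, mask, W2):
    H = np.maximum(X @ (W1 * mask), 0.0)            # masked ReLU hidden layer
    return H, 1.0 / (1.0 + np.exp(-(H @ W2)))        # sigmoid output

def train(X, y, W1, mask, W2, steps=200, lr=0.3):
    """Full-batch gradient descent on BCE; pruned weights receive no gradient."""
    for _ in range(steps):
        H, p = forward(X, W1, mask, W2)
        d_out = (p - y[:, None]) / len(X)            # dBCE/dlogit
        dH = (d_out @ W2.T) * (H > 0)
        W2 -= lr * (H.T @ d_out)
        W1 -= lr * (X.T @ dH) * mask
    return W1, W2

def prune_and_regrow(W1, mask, rng, frac=0.3):
    """Dynamic sparse step: drop the smallest-magnitude fraction of live weights,
    regrow the same number at random dead positions, so density is unchanged."""
    live = np.flatnonzero(mask); k = int(frac * len(live))
    drop = live[np.argsort(np.abs(W1.ravel()[live]))[:k]]
    mask.ravel()[drop] = 0.0
    grow = rng.choice(np.flatnonzero(mask == 0), size=k, replace=False)
    mask.ravel()[grow] = 1.0
    W1.ravel()[grow] = 0.0                           # regrown weights start at zero
    return mask

def select_candidate(history, acc_floor=0.8, adv_cap=0.4):
    """Test-driven gate: among rounds passing both tests, keep the least leaky."""
    passing = [h for h in history if h["acc"] >= acc_floor and h["adv"] <= adv_cap]
    return min(passing, key=lambda h: h["adv"]) if passing else None

def safe_compress(density=0.2, rounds=5, seed=0, d=20, h=64, n=40):
    rng = np.random.default_rng(seed)
    X = rng.normal(size=(2 * n, d))                  # constructed data: first n rows are members
    y = (X @ rng.normal(size=d) > 0).astype(float)
    flip = rng.random(2 * n) < 0.2; y[flip] = 1.0 - y[flip]   # noise the model can only memorise
    W1 = rng.normal(scale=0.3, size=(d, h)); W2 = rng.normal(scale=0.3, size=(h, 1))
    mask = (rng.random((d, h)) < density).astype(float)
    conf = lambda p, t: np.where(t == 1, p[:, 0], 1.0 - p[:, 0])   # confidence of true label
    history = []
    for r in range(rounds):
        W1, W2 = train(X[:n], y[:n], W1, mask, W2)
        _, p_mem = forward(X[:n], W1, mask, W2)
        _, p_non = forward(X[n:], W1, mask, W2)
        acc = float(np.mean((p_mem[:, 0] > 0.5) == (y[:n] == 1)))
        adv = mia_advantage(conf(p_mem, y[:n]), conf(p_non, y[n:]))
        history.append({"round": r, "acc": acc, "adv": adv, "density": float(mask.mean())})
        mask = prune_and_regrow(W1, mask, rng)       # propose the next sparse candidate
    return history
```

`select_candidate(safe_compress())` returns the round that satisfied both the performance floor and the leakage cap, or `None` if no candidate passed, which is the signal to relax the sparsity target or add a defence rather than ship the model.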