ABSTRACT
To ensure that accuracy and latency are not compromised while deploying Deep Neural Networks (DNNs) on edge devices, trained DNN models can be partitioned across many collaborating edge devices for inference. However, this collaborative inference paradigm raises new security risks because one of the collaborating edge devices could be malicious or compromised, leading to compromised accuracy and reliability of inference results. To address this challenge, this paper explores the use of low-pass filters to enhance the robustness of Collaborative DNNs. The study deploys a VGG16 network, trained on the German Traffic Sign Recognition Benchmarks (GTSRB) dataset, and a MobileNet network trained on the ImageNet dataset, using two prevalent collaborative inference methodologies. The output feature maps (FMs) of a vulnerable edge device are perturbed using four advanced adversarial noises, namely Speckle, Salt-and-Pepper, Gaussian noise, and the Fast Gradient Signed Method (FGSM). Experimental results demonstrate that implementing low-pass filtering can significantly enhance the robustness of Collaborative DNNs. On average, the top-1 classification accuracy is improved by 2.1x, making the DNNs more robust to adversarial attacks.
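The defense described in the abstract, sketched as an added example that is not code from the paper: a receiving device low-pass filters a perturbed feature map before continuing inference, and the error against the clean map is compared before and after filtering. Assumptions: a synthetic 32x32 feature map, a 3x3 mean filter as the low-pass filter, constructed noise parameters, mean squared error as a stand-in for top-1 accuracy, and FGSM left out because it needs model gradients.

```python
import math
import random

H = W = 32  # feature-map size (assumed, not from the paper)

def clean_fm():
    """Smooth synthetic feature map in [0, 1] (constructed sample)."""
    return [[0.5 + 0.5 * math.sin(2 * math.pi * i / H) * math.cos(2 * math.pi * j / W)
             for j in range(W)] for i in range(H)]

def perturb(fm, kind, rng):
    """Apply one of the abstract's noise types to every element (assumed levels)."""
    def one(v):
        if kind == "gaussian":       # additive noise
            return v + rng.gauss(0.0, 0.2)
        if kind == "speckle":        # multiplicative noise
            return v + v * rng.gauss(0.0, 0.3)
        if kind == "salt_pepper":    # 10% of elements forced to min or max
            return rng.choice((0.0, 1.0)) if rng.random() < 0.10 else v
        raise ValueError(kind)
    return [[one(v) for v in row] for row in fm]

def mean_filter3(fm):
    """3x3 box (low-pass) filter with edge replication."""
    def at(i, j):
        return fm[min(max(i, 0), H - 1)][min(max(j, 0), W - 1)]
    return [[sum(at(i + di, j + dj) for di in (-1, 0, 1) for dj in (-1, 0, 1)) / 9.0
             for j in range(W)] for i in range(H)]

def mse(a, b):
    """Mean squared error between two feature maps."""
    return sum((x - y) ** 2 for ra, rb in zip(a, b) for x, y in zip(ra, rb)) / (H * W)

def evaluate(seed=0):
    """Return {noise: (mse_before_filter, mse_after_filter)}."""
    rng, ref, out = random.Random(seed), clean_fm(), {}
    for kind in ("gaussian", "speckle", "salt_pepper"):
        noisy = perturb(ref, kind, rng)
        out[kind] = (mse(noisy, ref), mse(mean_filter3(noisy), ref))
    return out

if __name__ == "__main__":
    for kind, (before, after) in evaluate().items():
        print(f"{kind:12s} MSE before={before:.4f} after={after:.4f}")
```

The filter also slightly blurs a clean feature map, so the cost on unperturbed inputs is worth measuring alongside the gain on perturbed ones.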