基于新兴的非易失性记忆（NVM）设备基于内存的计算（CIM）体系结构，由于其高能量效率，具有深度神经网络（DNN）加速的巨大潜力。但是，NVM设备遭受了各种非理想性，尤其是由于设备的随机行为而导致的制造缺陷和周期到周期变化引起的设备对设备变化。因此，实际上映射到NVM设备的DNN权重可能显着偏离预期值，从而导致大量性能降解。为了解决这个问题，大多数现有的作品都集中在设备变化下的平均性能最大化。这个目标对于通用场景非常有效。但是对于关键安全应用，还必须考虑最差的案例性能。不幸的是，文献中很少探索这一点。在这项工作中，我们制定了确定在设备变化影响下CIM DNN加速器最差的问题的问题。我们进一步提出了一种方法，可以有效地找到高维空间中设备变化的特定组合，从而导致最差的性能。我们发现，即使设备变化很小，DNN的准确性也会大幅度下降，在部署CIM加速器中在安全至关重要的应用中引起担忧。最后，我们表明，令人惊讶的是，在扩展时，没有一种用于提高CIM加速器中平均DNN性能的现有方法非常有效，以增强最差的性能，并且需要进一步的研究来解决此问题。

在本文中，我们通过合成自己的攻击数据集来提出基于零数据的重复比特翻转攻击（ZEBRA），精确地破坏了深度神经网络（DNN）。许多先前的对抗性重量攻击的作品不仅需要重量参数，而且需要在搜索易受攻击的比特中进行攻击的训练或测试数据集。我们建议通过利用受害者DNN模型中的批量归一化层统计来综合名为Dizeted目标数据的攻击数据集。配备蒸馏的目标数据，我们的Zebra算法可以在模型中搜索易受攻击的位，而无需访问培训或测试数据集。因此，我们的方法使对抗性重量攻击更致命的DNN的安全性。我们的实验结果表明，与先前的攻击方法相比，平均需要2.0倍（CiFar-10）和1.6倍（想象成）的比特翻转数量少。我们的代码可在https：// github上获得。COM / PDH930105 / ZEBRA。

成本敏感的分类对于错误分类错误的成本差异很大，至关重要。但是，过度参数化对深神经网络（DNNS）的成本敏感建模构成了基本挑战。 DNN完全插值训练数据集的能力可以渲染DNN，纯粹在训练集上进行评估，无效地区分了成本敏感的解决方案和其总体准确性最大化。这需要重新思考DNN中的成本敏感分类。为了应对这一挑战，本文提出了一个具有成本敏感的对抗数据增强（CSADA）框架，以使过度参数化的模型成本敏感。总体想法是生成针对性的对抗示例，以推动成本感知方向的决策边界。这些有针对性的对抗样本是通过最大化关键分类错误的可能性而产生的，并用于训练一个模型，以更加保守的对成对的决策。公开可用的有关著名数据集和药物药物图像（PMI）数据集的实验表明，我们的方法可以有效地最大程度地减少整体成本并减少关键错误，同时在整体准确性方面达到可比的性能。

已知深度神经网络（DNN）容易受到用不可察觉的扰动制作的对抗性示例的影响，即，输入图像的微小变化会引起错误的分类，从而威胁着基于深度学习的部署系统的可靠性。经常采用对抗训练（AT）来通过训练损坏和干净的数据的混合物来提高DNN的鲁棒性。但是，大多数基于AT的方法在处理\ textit {转移的对抗示例}方面是无效的，这些方法是生成以欺骗各种防御模型的生成的，因此无法满足现实情况下提出的概括要求。此外，对抗性训练一般的国防模型不能对具有扰动的输入产生可解释的预测，而不同的领域专家则需要一个高度可解释的强大模型才能了解DNN的行为。在这项工作中，我们提出了一种基于Jacobian规范和选择性输入梯度正则化（J-SIGR）的方法，该方法通过Jacobian归一化提出了线性化的鲁棒性，还将基于扰动的显着性图正规化，以模仿模型的可解释预测。因此，我们既可以提高DNN的防御能力和高解释性。最后，我们评估了跨不同体系结构的方法，以针对强大的对抗性攻击。实验表明，提出的J-Sigr赋予了针对转移的对抗攻击的鲁棒性，我们还表明，来自神经网络的预测易于解释。

Deep neural networks (DNNs) are found to be vulnerable to adversarial attacks, and various methods have been proposed for the defense. Among these methods, adversarial training has been drawing increasing attention because of its simplicity and effectiveness. However, the performance of the adversarial training is greatly limited by the architectures of target DNNs, which often makes the resulting DNNs with poor accuracy and unsatisfactory robustness. To address this problem, we propose DSARA to automatically search for the neural architectures that are accurate and robust after adversarial training. In particular, we design a novel cell-based search space specially for adversarial training, which improves the accuracy and the robustness upper bound of the searched architectures by carefully designing the placement of the cells and the proportional relationship of the filter numbers. Then we propose a two-stage search strategy to search for both accurate and robust neural architectures. At the first stage, the architecture parameters are optimized to minimize the adversarial loss, which makes full use of the effectiveness of the adversarial training in enhancing the robustness. At the second stage, the architecture parameters are optimized to minimize both the natural loss and the adversarial loss utilizing the proposed multi-objective adversarial training method, so that the searched neural architectures are both accurate and robust. We evaluate the proposed algorithm under natural data and various adversarial attacks, which reveals the superiority of the proposed method in terms of both accurate and robust architectures. We also conclude that accurate and robust neural architectures tend to deploy very different structures near the input and the output, which has great practical significance on both hand-crafting and automatically designing of accurate and robust neural architectures.

Adaptive attacks have (rightfully) become the de facto standard for evaluating defenses to adversarial examples. We find, however, that typical adaptive evaluations are incomplete. We demonstrate that thirteen defenses recently published at ICLR, ICML and NeurIPS-and which illustrate a diverse set of defense strategies-can be circumvented despite attempting to perform evaluations using adaptive attacks. While prior evaluation papers focused mainly on the end result-showing that a defense was ineffective-this paper focuses on laying out the methodology and the approach necessary to perform an adaptive attack. Some of our attack strategies are generalizable, but no single strategy would have been sufficient for all defenses. This underlines our key message that adaptive attacks cannot be automated and always require careful and appropriate tuning to a given defense. We hope that these analyses will serve as guidance on how to properly perform adaptive attacks against defenses to adversarial examples, and thus will allow the community to make further progress in building more robust models.

部署在内存中的模拟处理（PIM）架构的DNN受到制造 - 时间可变性。我们开发了一种新的联合变化和量化感知DNN训练算法，用于高度量化的基于PIM的模型，该模型明显更有效。它在多台计算机视觉数据集/型号上表现出可变性的令人沮丧和训练后的量化模型。对于低位宽度和高变化，Resnet-18在最佳替代方案上的增益高达35.7％。我们证明，在可变性的芯片组件的逼真模式下，单独培训无法防止大型DNN精度损失（CIFAR-100 / Resnet-18上的高达54％）。我们介绍了一种自调整DNN架构，可在推理期间动态调整层面激活，并有效地降低精度损耗至低于10％。

机器学习算法和深度神经网络在几种感知和控制任务中的卓越性能正在推动该行业在安全关键应用中采用这种技术，作为自治机器人和自动驾驶车辆。然而，目前，需要解决几个问题，以使深入学习方法更可靠，可预测，安全，防止对抗性攻击。虽然已经提出了几种方法来提高深度神经网络的可信度，但大多数都是针对特定类的对抗示例量身定制的，因此未能检测到其他角落案件或不安全的输入，这些输入大量偏离训练样本。本文介绍了基于覆盖范式的轻量级监控架构，以增强针对不同不安全输入的模型鲁棒性。特别是，在用于评估多种检测逻辑的架构中提出并测试了四种覆盖分析方法。实验结果表明，该方法有效地检测强大的对抗性示例和分销外输入，引入有限的执行时间和内存要求。

神经形态的神经网络处理器，以记忆中的计算横杆阵列的形式，或以亚阈值模拟和混合信号ASIC的形式，有望在基于NN的ML任务的计算密度和能源效率方面具有巨大优势。但是，由于过程变化和内在的设备物理学，这些技术容易出现计算非理想性。通过将参数噪声引入部署模型中，这会降低部署到处理器的网络的任务性能。虽然可以为每个处理器校准每个设备或单独训练网络，但这些方法对于商业部署而言是昂贵且不切实际的。因此，由于网络体系结构和参数的结果，需要替代方法来训练与参数变化固有强大的网络。我们提出了一种新的对抗网络优化算法，该算法在训练过程中攻击网络参数，并在参数变化时促进推断期间的稳健性能。我们的方法引入了正规化术语，惩罚网络对权重扰动的敏感性。我们将与先前产生参数不敏感的方法进行比较，例如辍学，体重平滑和训练过程中引入参数噪声。我们表明，我们的方法产生的模型对目标参数变化更强大，并且对随机参数变化同样强大。与其他方法相比，我们的方法在减肥景观的平坦位置中发现了最小值，这强调了我们技术发现的网络对参数扰动不太敏感。我们的工作提供了一种将神经网络体系结构部署到遭受计算非理想性的推理设备的方法，而性能的损失最少。 ...

Although deep neural networks (DNNs) have achieved great success in many tasks, they can often be fooled by adversarial examples that are generated by adding small but purposeful distortions to natural examples. Previous studies to defend against adversarial examples mostly focused on refining the DNN models, but have either shown limited success or required expensive computation. We propose a new strategy, feature squeezing, that can be used to harden DNN models by detecting adversarial examples. Feature squeezing reduces the search space available to an adversary by coalescing samples that correspond to many different feature vectors in the original space into a single sample. By comparing a DNN model's prediction on the original input with that on squeezed inputs, feature squeezing detects adversarial examples with high accuracy and few false positives.This paper explores two feature squeezing methods: reducing the color bit depth of each pixel and spatial smoothing. These simple strategies are inexpensive and complementary to other defenses, and can be combined in a joint detection framework to achieve high detection rates against state-of-the-art attacks.

研究神经网络中重量扰动的敏感性及其对模型性能的影响，包括泛化和鲁棒性，是一种积极的研究主题，因为它对模型压缩，泛化差距评估和对抗攻击等诸如模型压缩，泛化差距评估和对抗性攻击的广泛机器学习任务。在本文中，我们在重量扰动下的鲁棒性方面提供了前馈神经网络的第一积分研究和分析及其在体重扰动下的泛化行为。我们进一步设计了一种新的理论驱动损失功能，用于培训互动和强大的神经网络免受重量扰动。进行实证实验以验证我们的理论分析。我们的结果提供了基本洞察，以表征神经网络免受重量扰动的泛化和鲁棒性。

Deep learning algorithms have been shown to perform extremely well on many classical machine learning problems. However, recent studies have shown that deep learning, like other machine learning techniques, is vulnerable to adversarial samples: inputs crafted to force a deep neural network (DNN) to provide adversary-selected outputs. Such attacks can seriously undermine the security of the system supported by the DNN, sometimes with devastating consequences. For example, autonomous vehicles can be crashed, illicit or illegal content can bypass content filters, or biometric authentication systems can be manipulated to allow improper access. In this work, we introduce a defensive mechanism called defensive distillation to reduce the effectiveness of adversarial samples on DNNs. We analytically investigate the generalizability and robustness properties granted by the use of defensive distillation when training DNNs. We also empirically study the effectiveness of our defense mechanisms on two DNNs placed in adversarial settings. The study shows that defensive distillation can reduce effectiveness of sample creation from 95% to less than 0.5% on a studied DNN. Such dramatic gains can be explained by the fact that distillation leads gradients used in adversarial sample creation to be reduced by a factor of 10 30 . We also find that distillation increases the average minimum number of features that need to be modified to create adversarial samples by about 800% on one of the DNNs we tested.

Neural networks provide state-of-the-art results for most machine learning tasks. Unfortunately, neural networks are vulnerable to adversarial examples: given an input x and any target classification t, it is possible to find a new input x that is similar to x but classified as t. This makes it difficult to apply neural networks in security-critical areas. Defensive distillation is a recently proposed approach that can take an arbitrary neural network, and increase its robustness, reducing the success rate of current attacks' ability to find adversarial examples from 95% to 0.5%.In this paper, we demonstrate that defensive distillation does not significantly increase the robustness of neural networks by introducing three new attack algorithms that are successful on both distilled and undistilled neural networks with 100% probability. Our attacks are tailored to three distance metrics used previously in the literature, and when compared to previous adversarial example generation algorithms, our attacks are often much more effective (and never worse). Furthermore, we propose using high-confidence adversarial examples in a simple transferability test we show can also be used to break defensive distillation. We hope our attacks will be used as a benchmark in future defense attempts to create neural networks that resist adversarial examples.

The study on improving the robustness of deep neural networks against adversarial examples grows rapidly in recent years. Among them, adversarial training is the most promising one, which flattens the input loss landscape (loss change with respect to input) via training on adversarially perturbed examples. However, how the widely used weight loss landscape (loss change with respect to weight) performs in adversarial training is rarely explored. In this paper, we investigate the weight loss landscape from a new perspective, and identify a clear correlation between the flatness of weight loss landscape and robust generalization gap. Several well-recognized adversarial training improvements, such as early stopping, designing new objective functions, or leveraging unlabeled data, all implicitly flatten the weight loss landscape. Based on these observations, we propose a simple yet effective Adversarial Weight Perturbation (AWP) to explicitly regularize the flatness of weight loss landscape, forming a double-perturbation mechanism in the adversarial training framework that adversarially perturbs both inputs and weights. Extensive experiments demonstrate that AWP indeed brings flatter weight loss landscape and can be easily incorporated into various existing adversarial training methods to further boost their adversarial robustness.

由于在量化网络上的按位操作产生的有效存储器消耗和更快的计算，神经网络量化已经变得越来越受欢迎。尽管它们表现出优异的泛化能力，但其鲁棒性属性并不是很好地理解。在这项工作中，我们系统地研究量化网络对基于梯度的对抗性攻击的鲁棒性，并证明这些量化模型遭受梯度消失问题并显示出虚假的鲁棒感。通过归因于培训的网络中的渐变消失到较差的前后信号传播，我们引入了一个简单的温度缩放方法来缓解此问题，同时保留决策边界。尽管对基于梯度的对抗攻击进行了简单的修改，但具有多个网络架构的多个图像分类数据集的实验表明，我们的温度缩放攻击在量化网络上获得了近乎完美的成功率，同时表现出对普遍培训的模型以及浮动的原始攻击以及浮动 - 点网络。代码可在https://github.com/kartikgupta-at-anu/Attack-bnn获得。

Deep neural networks (DNNs) are currently widely used for many artificial intelligence (AI) applications including computer vision, speech recognition, and robotics. While DNNs deliver state-of-the-art accuracy on many AI tasks, it comes at the cost of high computational complexity. Accordingly, techniques that enable efficient processing of DNNs to improve energy efficiency and throughput without sacrificing application accuracy or increasing hardware cost are critical to the wide deployment of DNNs in AI systems.This article aims to provide a comprehensive tutorial and survey about the recent advances towards the goal of enabling efficient processing of DNNs. Specifically, it will provide an overview of DNNs, discuss various hardware platforms and architectures that support DNNs, and highlight key trends in reducing the computation cost of DNNs either solely via hardware design changes or via joint hardware design and DNN algorithm changes. It will also summarize various development resources that enable researchers and practitioners to quickly get started in this field, and highlight important benchmarking metrics and design considerations that should be used for evaluating the rapidly growing number of DNN hardware designs, optionally including algorithmic co-designs, being proposed in academia and industry.The reader will take away the following concepts from this article: understand the key design considerations for DNNs; be able to evaluate different DNN hardware implementations with benchmarks and comparison metrics; understand the trade-offs between various hardware architectures and platforms; be able to evaluate the utility of various DNN design techniques for efficient processing; and understand recent implementation trends and opportunities.

Deep learning methods have gained increased attention in various applications due to their outstanding performance. For exploring how this high performance relates to the proper use of data artifacts and the accurate problem formulation of a given task, interpretation models have become a crucial component in developing deep learning-based systems. Interpretation models enable the understanding of the inner workings of deep learning models and offer a sense of security in detecting the misuse of artifacts in the input data. Similar to prediction models, interpretation models are also susceptible to adversarial inputs. This work introduces two attacks, AdvEdge and AdvEdge$^{+}$, that deceive both the target deep learning model and the coupled interpretation model. We assess the effectiveness of proposed attacks against two deep learning model architectures coupled with four interpretation models that represent different categories of interpretation models. Our experiments include the attack implementation using various attack frameworks. We also explore the potential countermeasures against such attacks. Our analysis shows the effectiveness of our attacks in terms of deceiving the deep learning models and their interpreters, and highlights insights to improve and circumvent the attacks.

随机平滑是目前是最先进的方法，用于构建来自Neural Networks的可认真稳健的分类器，以防止$ \ ell_2 $ - vitersarial扰动。在范例下，分类器的稳健性与预测置信度对齐，即，对平滑分类器的较高的置信性意味着更好的鲁棒性。这使我们能够在校准平滑分类器的信仰方面重新思考准确性和鲁棒性之间的基本权衡。在本文中，我们提出了一种简单的训练方案，Coined Spiremix，通过自我混合来控制平滑分类器的鲁棒性：它沿着每个输入对逆势扰动方向进行样品的凸起组合。该提出的程序有效地识别过度自信，在平滑分类器的情况下，作为有限的稳健性的原因，并提供了一种直观的方法来自适应地在这些样本之间设置新的决策边界，以实现更好的鲁棒性。我们的实验结果表明，与现有的最先进的强大培训方法相比，该方法可以显着提高平滑分类器的认证$ \ ell_2 $ -toSpustness。

对共同腐败的稳健性的文献表明对逆势培训是否可以提高这种环境的性能，没有达成共识。 First, we show that, when used with an appropriately selected perturbation radius, $\ell_p$ adversarial training can serve as a strong baseline against common corruptions improving both accuracy and calibration.然后，我们解释了为什么对抗性训练比具有简单高斯噪声的数据增强更好地表现，这被观察到是对共同腐败的有意义的基线。与此相关，我们确定了高斯增强过度适用于用于培训的特定标准偏差的$ \ sigma $ -oviting现象，这对培训具有显着不利影响的普通腐败精度。我们讨论如何缓解这一问题，然后如何通过学习的感知图像贴片相似度引入对抗性训练的有效放松来进一步增强$ \ ell_p $普发的培训。通过对CiFar-10和Imagenet-100的实验，我们表明我们的方法不仅改善了$ \ ell_p $普发的培训基线，而且还有累积的收益与Augmix，Deepaulment，Ant和Sin等数据增强方法，导致普通腐败的最先进的表现。我们的实验代码在HTTPS://github.com/tml-epfl/adv-training - 窗子上公开使用。

This paper investigates recently proposed approaches for defending against adversarial examples and evaluating adversarial robustness. We motivate adversarial risk as an objective for achieving models robust to worst-case inputs. We then frame commonly used attacks and evaluation metrics as defining a tractable surrogate objective to the true adversarial risk. This suggests that models may optimize this surrogate rather than the true adversarial risk. We formalize this notion as obscurity to an adversary, and develop tools and heuristics for identifying obscured models and designing transparent models. We demonstrate that this is a significant problem in practice by repurposing gradient-free optimization techniques into adversarial attacks, which we use to decrease the accuracy of several recently proposed defenses to near zero. Our hope is that our formulations and results will help researchers to develop more powerful defenses.