Awesome

Adversarial Pruning: A Survey and Benchmark of Pruning Methods for Adversarial Robustness :scissors: :shield:

Recent work has proposed neural network pruning techniques to reduce the size of a network while preserving robustness against adversarial examples, i.e., well-crafted inputs inducing a misclassification. These methods, which we refer to as adversarial pruning methods, involve complex and articulated designs, making it difficult to analyze the differences and establish a fair and accurate comparison. In this work, we overcome these issues by surveying current adversarial pruning methods and proposing a novel taxonomy to categorize them based on two main dimensions: the pipeline, defining when to prune; and the specifics, defining how to prune. We then highlight the limitations of current empirical analyses and propose a novel, fair evaluation benchmark to address them. We finally conduct an empirical re-evaluation of current adversarial pruning methods and discuss the results, highlighting the shared traits of top-performing adversarial pruning methods, as well as common issues.

Authors: Giorgio Piras (University of Cagliari, University of Roma La Sapienza), Maura Pintor (University of Cagliari), Ambra Demontis (University of Cagliari), Battista Biggio (University of Cagliari), Giorgio Giacinto (University of Cagliari), Fabio Roli (University of Cagliari, University of Genova)

For further details, please refer to our paper

Main idea

• This repository contains the code for the Adversarial Pruning (AP) Benchmark, which aims to make AP methods be evaluated in a fair, comparable way.

• APs represent all those pruning methods whose goal is to prune a neural network while preserving/inducing as much robustness against adversarial attacks as possible. However, their designs are often complex and diverse, making it difficult to understand what makes an AP method successful.

• Therefore, in our paper, we created a taxonomy of adversarial pruning methods, allowing a clear and systematic analysis of the methods; in addition, to fairly and comparably analyze the AP methods, we created the adversarial pruning benchmark.

Play with the notebook :video_game:

Open our Google Colab, select the models you want to compare, and analyze the security curves!

Hands-on :test_tube:

To clone our repo, copy and paste this command

git clone https://github.com/pralab/AdversarialPruningBenchmark

Test a pruned model already loaded in the benchmark :hammer_and_wrench:

To test a pruned model that is available at our leaderboard, one must specify the AP method, the architecture, the dataset, the structure, and the sparsity. Then, the model can be loaded and tested, and additionally security curves can be plotted!

from utils.utils import load_model, model_key_maker
from utils.plots import plot_sec_curve
from utils.test import test_model_aa, test_model_hofmn
from taxonomy.utils import load_ap_taxonomy

ap = "HYDRA_Sehwag2020Hydra"
arch = "resnet18"
ds = "CIFAR10"
struct = "weights"  # or filters, channels
sr = "90"

# get a unique model key
model_key = model_key_maker(ap_method=ap,
                            architecture=arch,
                            dataset=ds,
                            structure=struct,
                            sparsity_rate=sr)

# get model and distances given their unique key
model = load_model(model_key=model_key)
distances = load_distance(model_key=model_key)

# test the model 
clean_acc, rob_acc_aa = test_model_aa(model, dataset=ds, data_dir='my_datadir/CIFAR10', device='cuda:0')
rob_acc_hofmn, _ = test_model_hofmn(model, model_key=model_key, dataset=ds, data_dir='my_datadir/CIFAR10', device='cuda:0', loss='DLR', optimizer='SGD', scheduler='CALR', get_distances=False)

# plot security curve (you can compare even more models together)
names = [model_key]  # add a name for each model to appear in the legend
plot_sec_curve(distances, names, title=model_key+'DLR_SGD_CALR', save=False)

print(f'Model {model_key} clean accuracy: {clean_acc}')
print(f'Model {model_key} AA robust accuracy: {rob_acc_aa}')
print(f'Model {model_key} HOFMN robust accuracy: {rob_acc_hofmn}')
print(f'Within the taxonomy, here are the AP entries: {load_ap_taxonomy(ap)}')

Evaluate your local model :microscope:

If you instead want to test your local model with AutoAttack and HO-FMN, follow this code after cloning the repo through:

from utils.utils import model_key_maker
from utils.plots import plot_sec_curve
from utils.test import test_model_aa, test_model_hofmn
from your_model.arch import arch

# load your local model
local_model = arch() 
local_model.load_state_dict(torch.load("your_model_state_dict"))
model_key='my_model'

# test the model 
clean_acc, rob_acc_aa = test_model_aa(local_model, dataset='CIFAR10', data_dir='my_datadir/CIFAR10', device='cuda:0')
rob_acc_hofmn, distances = test_model_hofmn(model=local_model, model_key=model_key, dataset='CIFAR10', data_dir='my_datadir/CIFAR10', save_dist_path='my_path', device='cuda:0', loss='DLR', optimizer='SGD', scheduler='CALR', get_distances=True)

print(f'Clean accuracy: {clean_acc}')
print(f'AA robust accuracy: {rob_acc_aa}')
print(f'HOFMN robust accuracy: {rob_acc_hofmn}')

# plot security curve 
names = ['my_model']
plot_sec_curve(distances, names, title='local_model_SecCurve', save=False)

Contributing to the benchmark :hugs:

We welcome AP authors wishing to see their AP taxonomized and benchmarked!

Important reminder on contributing.

Please note: diversity is fundamental to assess your AP validity! Therefore, we specify that each AP author is required to load at least 3 checkpoints to guarantee a minimum acceptable starting level. The number of three checkpoints equals to one architecture/dataset/structure pair and the 3 corresponding sparsities (i.e., 90%, 95%, and 99% for US; 50%, 75%, and 90% for S). However, we encourage authors to always load the complete suite of models, which would guarantee a more complete and reliable validation of the new AP method. Therefore, you are always encouraged to load 12 (for one structure) checkpoints corresponding to the two architectures (ResNet18 and VGG16), the two datasets (CIFAR10 and SVHN), and the three sparsities determined by the used structure (50-75-90 if S, 90-95-99 if US)!

Contributing to the benchmark is simple and requires just three steps:

STEP 1: New Taxonomy entry. Compile the taxonomy of your AP method in our Google Drive form. This will automatically process your AP and send you a corresponding JSON entry via email.

STEP 2: Run evaluation. Clone the AP repo and evaluate the checkpoints as follows:

import torch
from utils.utils import model_key_maker, load_model
from utils.test import benchmark
# load your architecture
from your_models.arch import arch

# load your local model
local_model = arch() 
local_model.load_state_dict(torch.load("your_model_state_dict"))

# get a unique model key
model_key = model_key_maker(ap_method='ap_key', # first entry of json file
                            architecture='resnet18', # or vgg16
                            dataset='CIFAR10', # or SVHN
                            structure='weights', # if US; or filters and channels if S
                            sparsity_rate='90') # or any other sparsity

# prints the results (that you should keep) and it saves the distances pickle
save_dist_path='my_path'
benchmark(local_model, model_key, data_dir, save_dist_path, device)  

# check architecture compliance 
model = load_model(model_key='base_resnet18', normalization=False)  # or base_vg16
model.load_state_dict("your_model_state_dict", strict=True)

The benchmark method will test your model using both AA and HO-FMN, and will print the AA and HO-FMN evaluation results. By checking the compliance, you can understand if your local model can be loaded into the available base VGG16 and ResNet18 implementation. If not, this should be indicated in Step3.

STEP 3: Open the issue. The last step consists in loading the JSON Entry sent via email and the output of the benchmark method into the dedicated issue, New AP method. Specifically, for each model, you are required to put the results and model key given by the benchmark method, and the corresponding checkpoint and distances Google Drive link (yes, it has to be on your gdrive). In addition, you are required to indicate if your checkpoints require data normalization, and if they cannot be loaded into the base model implementation. If your checkpoint does not fit the available implementation, please indicate why (you will be just required to add the network implementation, if necessary).

Taxonomy

A-Methods Pruning After Training

B-Methods Pruning Before Training

D-Methods Pruning During Training

Legend

• AT: Adversarial Training
• NT: Natural Training
• KD: Knowledge Distillation
• CNI: Channel Noise Injection
• 1S/IT: One-shot/Iterative Pruning
• S/US: Structured/Unstructured Pruning
• L/G: Local/Global Pruning
• n.s.: Not Specified
• LWM: Lowest Weight Magnitude
• SOLWM: SOLver-based LWM
• RELWM: REgularization-based Lowest Weight Magnitude
• LIS: Least Importance Score
• HGM: Highest Gradient Magnitude
• BCS: Bayesian Connectivity Sampling

For a detailed description, please refer to our paper.

Leaderboard

CIFAR-10 US pruning

CIFAR-10 S pruning

SVHN US pruning

SVHN S pruning

Citation

@article{piras2024adversarialpruningsurveybenchmark,
      title={Adversarial Pruning: A Survey and Benchmark of Pruning Methods for Adversarial Robustness}, 
      author={Giorgio Piras and Maura Pintor and Ambra Demontis and Battista Biggio 
      and Giorgio Giacinto and Fabio Roli},
      journal={arXiv preprint arXiv:2409.01249},
      year={2024},
}

Contact

Feel free to contact us about anything related to our benchmark by creating an issue, a pull request or by email at giorgio.piras@unica.it.