Pruning in the Face of Adversaries

TL;DR

This paper systematically evaluates how neural network pruning affects adversarial robustness across various models, datasets, and attack types, revealing that pruning can be compatible with robustness and identifying optimal strategies.

Contribution

It provides a comprehensive analysis of the impact of pruning on adversarial robustness, filling a gap in existing research with extensive empirical evaluation.

Findings

Pruned models can maintain or improve adversarial robustness.

Optimal pruning strategies depend on the attack scenario.

There are favorable trade-offs between model size and robustness.

Abstract

The vulnerability of deep neural networks against adversarial examples - inputs with small imperceptible perturbations - has gained a lot of attention in the research community recently. Simultaneously, the number of parameters of state-of-the-art deep learning models has been growing massively, with implications on the memory and computational resources required to train and deploy such models. One approach to control the size of neural networks is retrospectively reducing the number of parameters, so-called neural network pruning. Available research on the impact of neural network pruning on the adversarial robustness is fragmentary and often does not adhere to established principles of robustness evaluation. We close this gap by evaluating the robustness of pruned models against L-0, L-2 and L-infinity attacks for a wide range of attack strengths, several architectures, data sets, pruning methods, and compression rates. Our results confirm that neural network pruning and adversarial robustness are not mutually exclusive. Instead, sweet spots can be found that are favorable in terms of model size and adversarial robustness. Furthermore, we extend our analysis to situations that incorporate additional assumptions on the adversarial scenario and show that depending on the situation, different strategies are optimal.