Is Approximation Universally Defensive Against Adversarial Attacks in Deep Neural Networks?

TL;DR

This paper investigates whether approximate computing in deep neural networks universally defends against adversarial attacks, finding that it can significantly reduce accuracy in some cases but is not a reliable universal defense.

Contribution

The study provides a comprehensive analysis showing that approximate computing does not consistently defend against adversarial attacks across different scenarios.

Findings

Adversarial attacks cause up to 53% accuracy loss on AxDNNs.

In some cases, attacks have minimal impact on accurate DNNs (as low as 0.06%).

Approximate computing is not a universal defense against adversarial attacks.

Abstract

Approximate computing is known for its effectiveness in improvising the energy efficiency of deep neural network (DNN) accelerators at the cost of slight accuracy loss. Very recently, the inexact nature of approximate components, such as approximate multipliers have also been reported successful in defending adversarial attacks on DNNs models. Since the approximation errors traverse through the DNN layers as masked or unmasked, this raises a key research question-can approximate computing always offer a defense against adversarial attacks in DNNs, i.e., are they universally defensive? Towards this, we present an extensive adversarial robustness analysis of different approximate DNN accelerators (AxDNNs) using the state-of-the-art approximate multipliers. In particular, we evaluate the impact of ten adversarial attacks on different AxDNNs using the MNIST and CIFAR-10 datasets. Our results demonstrate that adversarial attacks on AxDNNs can cause 53% accuracy loss whereas the same attack may lead to almost no accuracy loss (as low as 0.06%) in the accurate DNN. Thus, approximate computing cannot be referred to as a universal defense strategy against adversarial attacks.