Exploring the Robustness and Transferability of Patch-Based Adversarial Attacks in Quantized Neural Networks
Amira Guesmi, Bassem Ouni, Muhammad Shafique

TL;DR
This paper investigates how quantized neural networks are vulnerable to patch-based adversarial attacks, revealing that quantization does not significantly improve robustness and highlighting the need for specialized defenses.
Contribution
It systematically evaluates patch attack transferability and robustness in QNNs across different quantization levels and architectures, providing new insights into their security vulnerabilities.
Findings
Patch attacks have high success rates across quantization levels.
Quantized models remain highly susceptible to localized adversarial patches.
Transferability of patch attacks persists even in heavily quantized neural networks.
Abstract
Quantized neural networks (QNNs) are increasingly used for efficient deployment of deep learning models on resource-constrained platforms, such as mobile devices and edge computing systems. While quantization reduces model size and computational demands, its impact on adversarial robustness, especially against patch-based attacks, remains inadequately addressed. Patch-based attacks, characterized by localized, high-visibility perturbations, pose significant security risks due to their transferability and resilience. In this study, we systematically evaluate the vulnerability of QNNs to patch-based adversarial attacks across various quantization levels and architectures, focusing on factors that contribute to the robustness of these attacks. Through experiments analyzing feature representations, quantization strength, gradient alignment, and spatial sensitivity, we find that patch attacks…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications
