DYNAMIC NEURAL NETWORK IS ALL YOU NEED: UNDERSTANDING THE ROBUSTNESS OF DYNAMIC MECHANISMS IN NEURAL NETWORKS

Abstract

Deep Neural Networks (DNNs) have been used to solve different day-to-day problems. Recently, DNNs have been deployed in real-time systems, and lowering the energy consumption and response time has become the need of the hour. To address this scenario, researchers have proposed incorporating dynamic mechanisms into static DNNs (SDNNs) to create Dynamic Neural Networks (DyNNs), which perform a dynamic amount of computation based on the input complexity. Although incorporating dynamic mechanisms into SDNNs would be preferable in real-time systems, it also becomes important to evaluate how the introduction of a dynamic mechanism impacts the robustness of the models. However, there has not been a significant number of works focusing on the robustness trade-off between SDNNs and DyNNs. To address this issue, we propose to investigate four aspects of including dynamic mechanisms in SDNNs. For that purpose, we evaluate four research questions. These evaluations are performed on three models and two datasets. Through the studies, we find that attack transferability from DyNNs to SDNNs is higher than attack transferability from SDNNs to DyNNs. Also, we find that DyNNs can be used to generate adversarial samples more efficiently than SDNNs. We also provide insight into the design choices through research studies. Finally, we propose a novel attack to understand the additional attack surface introduced by the dynamic mechanism.

1. INTRODUCTION

Deep Neural Networks (DNNs) are used in multiple applications such as computer vision and natural language processing. After the rapid growth of IoT and embedded devices, many real-time systems use DNNs in their applications. As real-time systems require faster response times and low energy consumption, researchers have proposed incorporating energy-saving dynamic mechanisms (Wang et al., 2018; Kaya et al., 2019; Wu et al., 2018) into popular static DNN (SDNN) models like ResNet (He et al., 2015), VGG (Simonyan & Zisserman, 2014), MobileNet (Howard et al., 2017), etc. Early-exit is one of the dynamic mechanism techniques, where multiple exits are included in SDNNs (creating multiple sub-networks), and SDNNs can terminate the operation early if a certain sub-network is confident about the prediction. These types of DNNs are named early-exit Dynamic Neural Networks (DyNNs). Although the transition from SDNNs to DyNNs is preferred in real-time systems because of increased efficiency, whether the use of a dynamic mechanism will impact the robustness of the systems is still unknown. Studying the impact of the dynamic mechanisms on robustness is important for developers or users to understand the trade-offs between DyNNs and SDNNs. In this work, we propose to investigate four different aspects of including a dynamic mechanism through four research questions. These four aspects are: Transferability, Impact on Efficiency, Early-exits Design, and Added Attack Surface.

Transferability. First, we investigate the adversarial attack transferability between SDNNs and DyNNs to evaluate the robustness of the models in black-box scenarios. In black-box scenarios, adversaries normally assume the target models are always static. However, the target models can also be dynamic. Hence, it is important to find out to what extent the adversary can succeed when a surrogate SDNN model is used to attack a target DyNN model, or vice versa. To address this issue, in this paper, we first conduct a comparative study on the adversarial attack transferability between SDNNs and DyNNs (Section 3). Our study results suggest that adversarial transferability from DyNNs to SDNNs is better and, surprisingly, using DyNNs as surrogate models for attack seems to be a more efficient and more effective way to generate adversarial samples. The adversaries are able to generate more adversarial samples in the same amount of time compared to using SDNNs as the surrogate model, and the generated adversarial samples can often also attack SDNNs.

Impact on Efficiency. Second, we conduct another study to understand whether the original purpose of DyNNs (i.e., saving inference time) will be impacted by the adversarial samples generated through SDNNs (Section 4). Our study results suggest that the adversarial samples generated by existing white-box attacks and black-box attacks do not increase the inference time significantly.

Early-exits Design. Third, we perform a detailed analysis of which design choices in the dynamic mechanisms or DyNN architectures (specifically the position of early exits) may impact the robustness of DyNNs (Section 5). We consider two attack scenarios in this study: first, the output layer label of an SDNN is modified by a white-box adversarial example, and we study the impact of the example on the corresponding DyNN's early-exit layers; second, in a black-box scenario, the output of an SDNN is modified by a sample, and the sample is fed to a separate model's DyNN. We have made multiple findings based on the empirical results; for example, putting the first exit earlier in the model architecture can help to improve the robustness of DyNNs.

Added Attack Surface. Last but not least, we design an adversarial attack approach to understand the extra attack surface introduced by the dynamic mechanisms in neural networks (Section 6). In this attack, the synthesized adversarial examples will not change the prediction of the final output layer's label, but will change the prediction of all the early exits. Based on the attack results, we find that the dynamic mechanism is more vulnerable in scenarios where the dependency among DyNN layers is lower and when the exits are sparse w.r.t. the layers.

2. RELATED WORKS AND BACKGROUND

Dynamic Neural Networks. The main objective of DyNNs is to decrease the energy consumption of model inference for inputs that can be classified with fewer computational resources. DyNNs can be classified into Conditional-skipping DyNNs and Early-exit DyNNs. Early-exit DyNNs use multiple exits (sub-networks) within a single model, and because of the model's working mechanism, the model is more suited to resource-constrained devices. If, at any exit, the confidence score of the predicted label exceeds a user-defined threshold, inference is stopped. Resource-constrained devices usually deploy a lightweight sub-network of the early-exit network locally and resort to a server for further computations if needed (Teerapittayanon et al., 2017). Graves ( 2016



Figure 1: Working mechanism of Early-exit DyNN

Figure 1 shows the working mechanism of Early-exit DyNNs. For example, an Early-exit DyNN has $N$ parts and each part has an exit. $x$ is the input, $f^{i}_{out}$ represents prediction after the $i$-th part (generated by specific computation unit), $f_{out}$ represents prediction of the Neural Network, $C_i$ represents confidence score after $i$-th part, $Hid\_In_i$ represents input of $i$-th part, $Hid\_Out_i$ represents output of $i$-th part, and $\tau_i$ is the predefined threshold to exit the network af-
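
The early-exit rule described above (stop at the first exit whose confidence score exceeds its threshold), as an added example that is not code from the paper: a pure-Python toy DyNN plus an `audit` helper that reports when the exit actually taken disagrees with the final output layer, which is the gap the added-attack-surface question concerns. All names (`PARTS`, `HEADS`, `TAU`, `exits`, `infer`, `audit`), weights and inputs are constructed assumptions for illustration.

```python
import math

# Constructed toy weights (illustrative only, not taken from the paper).
I3 = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]
X2 = [[2, 0, 0], [0, 2, 0], [0, 0, 2]]
PARTS = [I3, X2, X2]                      # part i: Hid_In_i -> Hid_Out_i = ReLU(W h)
HEADS = [[[1, 0, 0], [0, 1, 0]],          # exit 1 sees features 0 and 1 only
         [[1, 0, 0], [0, 1, 0]],          # exit 2 likewise
         [[1, 0, 1], [0, 1, 0]]]          # final exit also uses feature 2
TAU = [0.9, 0.9]                          # tau_i for exits 1..N-1; last exit always answers

def matvec(w, v):
    return [sum(a * b for a, b in zip(row, v)) for row in w]

def exits(x):
    """Lazily yield (label, C_i) after each part; later parts run only on demand."""
    h = list(x)
    for w, head in zip(PARTS, HEADS):
        h = [max(0.0, z) for z in matvec(w, h)]
        logits = matvec(head, h)
        m = max(logits)
        exps = [math.exp(z - m) for z in logits]   # numerically stable softmax
        yield logits.index(m), max(exps) / sum(exps)

def infer(x):
    """Early-exit inference: return (label, exit index) at the first C_i > tau_i."""
    for i, (label, conf) in enumerate(exits(x)):
        if i == len(PARTS) - 1 or conf > TAU[i]:
            return label, i + 1

def audit(x):
    """Defender check: run full depth and compare with the exit actually taken."""
    label, taken = infer(x)
    final_label = list(exits(x))[-1][0]
    return {"exit": taken, "label": label, "final": final_label,
            "diverges": label != final_label}

# Constructed inputs: confident early, never confident, early/final disagreement.
SAMPLES = {"easy": [3, 0, 0], "hard": [1, 0.5, 0], "divergent": [0, 3, 4]}

if __name__ == "__main__":
    for name, x in SAMPLES.items():
        print(name, audit(x))
```

Running `audit` on a sample of production inputs gives the rate at which early exits answer differently from the full model, a number that ordinary accuracy checks on the final layer alone do not show.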

