Qu-ANTI-zation: Exploiting Quantization Artifacts for Achieving Adversarial Outcomes
Authors: Sanghyun Hong, Michael-Andrei Panaitescu-Liess, Yigitcan Kaya, Tudor Dumitras
NeurIPS 2021 | Conference PDF | Archive PDF | Plain Text | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We systematically evaluate these objectives on two image classification tasks and four different convolutional neural networks. Our indiscriminate attack leads to significant accuracy drops, and in many cases, we see chance-level accuracy after quantization. The more localized attacks drop the accuracy on a particular class or cause the model to classify a specific instance into an intended class. Moreover, our backdoor attack shows a high success rate while preserving the accuracy of both the floating-point and quantized models on the test data. |
| Researcher Affiliation | Academia | Oregon State University; University of Maryland, College Park. sanghyun.hong@oregonstate.edu, {mpanaite,yigitcan,tudor}@umd.edu |
| Pseudocode | No | The paper does not contain any structured pseudocode or algorithm blocks. |
| Open Source Code | Yes | Our code is available at https://github.com/Secure-AI-Systems-Group/Qu-ANTI-zation. |
| Open Datasets | Yes | We evaluate our attacks on CIFAR10 [Krizhevsky and Hinton, 2009] and Tiny ImageNet. We use four off-the-shelf networks: AlexNet, VGG16 [Simonyan and Zisserman, 2015], ResNet18 [He et al., 2016], and MobileNetV2 [Sandler et al., 2018]. |
| Dataset Splits | No | The paper mentions using training data and test-time samples, but does not explicitly specify the training/validation/test splits (percentages or counts) or reference a specific predefined split for reproducibility. |
| Hardware Specification | No | The paper does not provide specific hardware details (e.g., exact GPU/CPU models, processor types with speeds, memory amounts, or detailed computer specifications) used for running its experiments. |
| Software Dependencies | No | The paper mentions using popular deep learning frameworks like PyTorch and TensorFlow, but does not specify the exact version numbers of these frameworks or any other software dependencies used in their experiments. |
| Experiment Setup | Yes | We re-train each clean model for 20 epochs using the Adam [Kingma and Ba, 2015] optimizer with a learning rate of 10^-5. We set λ to 1.0/N_B, where N_B is the number of bit-widths that the attacker considers. We set N_B to 4 and α to 5.0. (A hedged re-implementation sketch of this setup follows the table.) |
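
To make the quoted hyperparameters concrete, the following is a minimal PyTorch sketch of a quantization-aware re-training step in the spirit of the paper's indiscriminate attack. It is not the authors' implementation (that lives in the linked repository); the loss structure, the `fake_quant` straight-through quantizer, the concrete bit-widths, and the `resnet18(num_classes=10)` stand-in are illustrative assumptions. Only the Adam optimizer, the 10^-5 learning rate, the 20-epoch re-training budget, N_B = 4, and λ = 1/N_B come from the quoted setup; the α = 5.0 weight is attack-specific and not modeled here.

```python
import torch
import torch.nn.functional as F
from torch.func import functional_call  # requires PyTorch >= 2.0
from torchvision.models import resnet18

def fake_quant(w: torch.Tensor, bits: int) -> torch.Tensor:
    """Symmetric uniform weight quantization with a straight-through estimator,
    so gradients computed on the quantized copies still update the float weights
    (an illustrative stand-in for the paper's post-training quantization)."""
    qmax = 2.0 ** (bits - 1) - 1.0
    scale = w.detach().abs().max().clamp(min=1e-8) / qmax
    q = torch.round(w / scale).clamp(-qmax - 1.0, qmax) * scale
    return w + (q - w).detach()  # forward: quantized value; backward: identity

model = resnet18(num_classes=10)                     # stand-in for the paper's networks / CIFAR10
opt = torch.optim.Adam(model.parameters(), lr=1e-5)  # Adam with learning rate 10^-5, as quoted
bit_widths = [8, 7, 6, 5]                            # N_B = 4 bit-widths (example values)
lam = 1.0 / len(bit_widths)                          # lambda = 1.0 / N_B, as quoted

def quantized_logits(x: torch.Tensor, bits: int) -> torch.Tensor:
    """Forward pass with weights quantized to `bits` bits; activations stay float."""
    params = {n: fake_quant(p, bits) for n, p in model.named_parameters()}
    state = {**params, **dict(model.named_buffers())}
    return functional_call(model, state, (x,))

def training_step(x: torch.Tensor, y: torch.Tensor) -> torch.Tensor:
    """One re-training step: keep the float model accurate on (x, y) while an
    adversarial term (here, maximized loss, an indiscriminate-attack stand-in)
    is applied to every simulated quantized copy."""
    clean_loss = F.cross_entropy(model(x), y)
    adv_loss = sum(-F.cross_entropy(quantized_logits(x, b), y) for b in bit_widths)
    loss = clean_loss + lam * adv_loss
    opt.zero_grad()
    loss.backward()
    opt.step()
    return loss.detach()
```

In this sketch the straight-through estimator is what couples the float model to its quantized behavior: gradients from each simulated bit-width flow back into the shared float weights, so a single set of weights can be trained to behave well in floating point while degrading once quantized. The actual objectives and quantization simulation used by the authors should be taken from the repository linked above.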