Dynamic Stochastic Ensemble with Adversarial Robust Lottery Ticket Subnetworks

The DDF is a randomized defense strategy to protect ensemble gradient information, and the essential requirements for it are randomness and diversity to promote the ensemble’s adversarial robustnessqin2021dynamic . It presents a model ensemble defense method with randomized network parameter distribution specialty, which causes an unknowable act of the defender. The output of dynamic stochastic ensemble model $f_{ens}$ containing I number of models is defined as follows:

$${f_{ens}}(x,\theta)=\sum\limits_{i=1}^{I}{f(x,\theta)}$$

(1)

The randomness is achieved by transferring the ensemble states with ensemble variables $\theta$. The DDF demands the construction of diversified ensemble statuses with a heterogeneous model library. Relevant studies highlight that diverse network structure plays a crucial role in ensemble defenseyang2020dverge . In our solution, we evaluated the heterogeneousness and diversity between ensemble subnetworks by the poor adversarial transferability of the attacks.

For purpose of testifying the multi-sparsity adversarial robust lottery subnetworks can achieve better adversarial transferable diversity under different network structures. We picked four representative network structures, ResNet18, ResNet34, WideResNet32, and WideResNet38he2016deep ; zagoruyko2016wide , as the basic architecture of our experiments and gained the sparse lottery ticket from original dense networks. Following fu2021drawing , we applied adversarial training to gain robustness of our subnetworks during pruning. It can be expressed as a min-max problem as Eq.2.

$$\mathop{\arg\min}\limits_{\lambda}\sum\limits_{i}{\mathop{\max}\limits_{\parallel\delta\parallel\leq\varepsilon}l(f(\hat{\lambda}\odot\omega,{x_{i}}+\delta),{y_{i}}){\rm{}}\quad s.t.\quad{\rm{}}\parallel\hat{\lambda}{\parallel_{0}}\leq k}$$

(2)

Where l presents the loss function, f is a randomly initialized network with random weights, and $\delta$ is the perturbation with maximum value $\varepsilon$. In order to satisfy the sparsity of the subnetworks, we set a learnable weight $\lambda$ and a binary weight $\hat{\lambda}\in\{0,1\}$ that correspond to its dimensionssehwag2020hydra ; ramanujan2020s . $\hat{\lambda}$ is meant to activate a small number of primary weights $\omega$. With the primary network parameters weighted by $\lambda\in(0,1)$,  f can be effectively trained by small perturbations added to the input $x_{i}$.

Through our method, we obtained fourty subnetworks with different basic structures and sparsity. Based on the robust lottery subnetwork library, we define the randomized ensemble attribute parameter $\theta=\theta(\alpha,n,s)$, which determines the ensemble states. It can be achieved in the following steps:

(A)Construct a robust lottery subnetworks library with adversarial transferable diversity, including forty sparse subnetworks. Each of ResNet18/ResNet34/WideResNet32/WideResNet38 owns ten.

(B)Set the range for $\alpha$ and s. We brought four basic structures into the selection rather than the entire library, increasing the possibility of including more structures. It realized by $\alpha=\{\alpha_{i}\in\{0,1\}|i=1,...,4\}$, randomly assigned to determine the corresponding structure chosen. One means selected, and 0 means rejected. $s_{k}$ represents the distribution of the sparsity of each candidate structure, and each sparsity also refers to the corresponding subnetwork. Under every candidate structure, there are k number of sparse subnetworks whose $s=\{s_{k}\in\{7\%,10\%,12\%,15\%,20\%,30\%,40\%,50\%,60\%,70\%\}|k=1,...,10\}$.

(C)Randomly select ensemble number $n_{i}$. $n_{i}$ presents the chosen number for each candidate structure. We set $n_{i}=\{n_{i}\in\{1,2\}|\alpha_{i}=1\}$ as the fraction of the total ensemble number $n$, and $n_{i}=0$ when $\alpha_{i}=0$. In particular, we gave a higher probability to smaller $n_{i}$, whose $p(n_{i})=\{65\%,35\%|n_{i}\in\{1,2\}\}$. Since our experiments fed the attacker with the structure and sparsity of ensemble subnetworks, we expect to reduce the probability of a universal adversarial sample through our probabilistic solutionmoosavi2017universal .

(D)Set $\theta(\alpha,n,s)$ by $n_{i}$ and $s_{k}$. According to $n_{i}$ determined by the distibution of $p(n_{i})$, we got total ensemble number $n=\sum\limits_{i=1}^{4}{{\alpha_{i}}{n_{i}}}$. Meanwhile, randomly select $n_{i}$ ensemble sparsity from $s_{k}$, representing the corresponding subnetworks attending the ensemble.

(E)According to the ensemble variable $\theta(\alpha,n,s)$, we make the ensemble in the light of Eq.1.

We collect forty robust lottery ticket subnetworks with different sparsity based on ResNet18, ResNet34, WideResNet32, and WideResNet38, ten of each basic structure. As shown in Tab.1, we marked clean accuracy and robust accuracy against PGD-20 with $\epsilon$=8 and illustrated the existence of adversarial robustness between lottery ticket subnetworks for different structures.

Fig.1 presents the pair-wise adversarial transferability with our lottery ticket subnetworks library tested under the same $\epsilon$. We adopt PGD-20 attacks with $\epsilon$=8 by constraint of $l_{inf}$. To make a fair comparison, we choose ResNet18 and WideResNet32 subnetworks with different sparsity as defense models, respectively, and pick Resnet34 and WideResNet38 subnetworks with the same sparsity to generate adversarial samples. And the distribution of sparsity with 0.07, 0.2, and 0.6 is set for models. The number represents the robust accuracy of the defense models against transferal attacks with different structures.

As shown in Fig.1, ResNet18 and WideResNet32 subnetworks with different sparsity possess poor adversarial transferability against adversarial samples generatd with the same network. Compared with (b) and (c), it is said that combination of different structures’ subnetworks could weaken the adversarial transferability for attacks. E.g., except for the diagonal number, the accuracy of ResNet18 against adversarial samples generated by the same structure is 65.5%$\sim$69.9%. It raises to 66.5%$\sim$73.6% and 66.9%$\sim$70.9% facing transferable attacks by ResNet34 and WideResNet38 subnetworks. Likewise, WideResNet32 subnetworks’ accuracy was raised for 5.7%$\sim$9.3% and 2%$\sim$5.9%.

In this section, we validate the effectiveness of our defense strategy. We set the adversarial training as the baselines and compare our method with R2Sfu2021drawing , which ensemble different remaining ratios from the same networks.

Evaluation setup. Since both the R2S and our method could adjust the probability for their sparsity choices, we assume that both adopt uniform sampling from the same sparsity with 2.3 for simplicity. Moreover, we design an adaptive attack based on the Expectation over Transformation(EOT)athalye2018synthesizing that generates adversarial examples via the expectations of the gradients from all candidate robust lottery subnetworks, which achieves the attack effect by promoting the transferability of adversarial samples, traversing the possibility of defense strategy.

We set adversarial trained ResNet18/WideResNet32 dense networks as baselines and compared our method with the R2S. In order to comprehensively and accurately observe the defense effect, we adopt multiple $\epsilon$=[ 0, 2, 4, 8, 12, 20] with white-box attack in the $l_{inf}$ norm. For the EOT attack, we announced the network structures and remaining ratio of the lottery ticket library so that the attacker could sample the expectation of different ensemble statuses.

As shown in Tab.2, the robust accuracy of our method is 3.02%$\sim$10.12% higher than R2S. Meanwhile, R2S dropped 3.59%$\sim$3.67% in clean accuracy, while the dynamic ensemble for different structures raised 1.08% compared to adversarial training. For adversarial training, our method got a 15.42% raise over the robust accuracy. In addition, Fig.2 shows that our method has better adversarial robustness than the R2S and adversarial training under the overall environment with multiple perturbations.