Understanding the Energy vs. Adversarial Robustness Trade-Off in Deep Neural Networks

Adversarial examples, which are crafted by adding small perturbations to typical inputs in order to fool the prediction of a deep neural network (DNN), pose a threat to security-critical applications, and robustness against adversarial examples is becoming an important design factor. In this work, we first examine the methodology for evaluating adversarial robustness that uses the first-order attack methods, and analyze three cases when this evaluation methodology overestimates robustness: 1) numerical saturation of cross-entropy loss, 2) non-differentiable functions in DNNs, and 3) ineffective initialization of the attack methods. For each case, we propose compensation methods that can be easily combined with the existing attack methods, thus provide a more precise evaluation methodology for robustness. Second, we benchmark the relationship between adversarial robustness and inference-time energy at an embedded hardware platform using our proposed evaluation methodology, and demonstrate that this relationship can be obscured by the three cases behind overestimation. Finally, we examine the gap between robustness measured with the attack methods and the verification methods, and show this gap is reduced by our proposed compensation methods. Overall, our work shows that the robustness-energy trade-off has differences from the conventional accuracy-energy trade-off, and highlights importance of the precise evaluation methodology.