Super-Efficient Super Resolution for Fast Adversarial Defense at the Edge

Kartikeya Bhardwaj¹,ᵃ, Dibakar Gope², James Ward³, Paul Whatmough⁴ and Danny Loh¹,ᵇ
¹ Arm Inc., San Jose, CA, USA
ᵃ kartikeya.bhardwaj@arm.com
ᵇ danny.loh@arm.com
² Arm Research, Austin, TX, USA
dibakar.gope@arm.com
³ Arm Inc., Galway, Ireland
james.ward@arm.com
⁴ Arm Research, Boston, MA, USA
paul.whatmough@arm.com

ABSTRACT


Autonomous systems are highly vulnerable to a variety of adversarial attacks on Deep Neural Networks (DNNs). Training-free model-agnostic defenses have recently gained popularity due to their speed, ease of deployment, and ability to work across many DNNs. To this end, a new technique has emerged for mitigating attacks on image classification DNNs, namely, preprocessing adversarial images using super resolution – upscaling low-quality inputs into high-resolution images. This defense requires running both image classifiers and super resolution models on constrained autonomous systems. However, super resolution incurs a heavy computational cost. Therefore, in this paper, we investigate the following question: Does the robustness of image classifiers suffer if we use tiny super resolution models? To answer this, we first review a recent work called Super-Efficient Super Resolution (SESR) [1] that achieves similar or better image quality than prior art while requiring 2× to 330× fewer Multiply-Accumulate (MAC) operations. We demonstrate that despite being orders of magnitude smaller than existing models, SESR achieves the same level of robustness as significantly larger networks. Finally, we estimate end-to-end performance of super resolution-based defenses on a commercial Arm Ethos-U55 micro-NPU. Our findings show that SESR achieves nearly 3× higher FPS than a baseline while achieving similar robustness.

Keywords: Super-Efficient Super Resolution, Hardware-Efficient Adversarial Defense, Gray-box attacks, Deep Networks.


