Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to main content
Springer Nature Link
Log in

Anti-Bandit for Neural Architecture Search

  • Manuscript
  • Published:
International Journal of Computer Vision Aims and scope Submit manuscript

Abstract

Neural Architecture Search (NAS) is a highly challenging task that requires consideration of search space, search efficiency, and adversarial robustness of the network. In this paper, to accelerate the training speed, we reformulate NAS as a multi-armed bandit problem and present Anti-Bandit NAS (ABanditNAS) method, which exploits Upper Confidence Bounds (UCB) to abandon arms for search efficiency and Lower Confidence Bounds (LCB) for fair competition between arms. Based on the presented ABanditNAS, the adversarially robust optimization and architecture search can be solved in a unified framework. Specifically, our proposed framework defends against adversarial attacks based on a comprehensive search of denoising blocks, weight-free operations, Gabor filters, and convolutions. The theoretical analysis on the rationality of the two confidence bounds in ABanditNAS are provided and extensive experiments on three benchmarks are conducted. The results demonstrate that the presented ABanditNAS achieves competitive accuracy at a reduced search cost compared to prior methods.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Similar content being viewed by others

Explore related subjects

Discover the latest articles, news and stories from top researchers in related subjects.

Data Availability

The datasets analysed during the current study are available in the MNIST LeCun et al. (1998), CIFAR-10 Krizhevsky et al. (2009), ImageNet-1k Deng et al. (2009).

Notes

  1. Results are from Cubuk et al. (2017).

References

  • Athalye, A., Carlini, N. & Wagner, D. (2018). Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: The international conference on machine learning .

  • Bender, G., Kindermans, P.-J., Zoph, B., Vasudevan, V. & Le, Q.V. (2018). Understanding and simplifying one-shot architecture search. In: The international conference on machine learning .

  • Buades, A., Coll, B. & Morel, J.-M. (2005). A non-local algorithm for image denoising. In: The IEEE / CVF computer vision and pattern recognition conference.

  • Cai, H., Chen, T., Zhang, W., Yu, Y. & Wang, J. (2018). Efficient architecture search by network transformation. In: The association for the advancement of artificial intelligence .

  • Cai, H., Zhu, L. & Han, S.(2019). ProxylessNAS: Direct neural architecture search on target task and hardware. In: The international conference on learning representations.

  • Carlini, N. & Wagner, D. (2017). Towards evaluating the robustness of neural networks. In: IEEE Symposium on Security and Privacy.

  • Chen, Xin, Xie, Lingxi, Wu, Jun & Tian, Qi (2019). Progressive differentiable architecture search: Bridging the depth gap between search and evaluation. In ICCV.

  • Chen, X. & Hsieh, C.-J.(2020). Stabilizing differentiable architecture search via perturbation-based regularization. In: The international conference on machine learning.

  • Chen, H., Zhang, B., Xue, S., Gong, X., Liu, H., Ji, R. & Doermann, D. (2020). Anti-bandit neural architecture search for model defense. In: The european conference on computer vision.

  • Cisse, M., Bojanowski, P., Grave, E., Dauphin, Y. & Usunier, N. (2017). Parseval networks: Improving robustness to adversarial examples. In: The international conference on machine learning.

  • Cubuk, E.D., Zoph, B., Schoenholz, S.S. & Le, Q.V. (2017). Intriguing properties of adversarial examples. In The international conference on learning representations.

  • Cui, J., Liu, S., Wang, L. & Jia, J.(2021). Learnable boundary guided adversarial training. In: The international conference on computer vision.

  • Dapello, J., Marques, T., Schrimpf, M., Geiger, F., Cox, D. & DiCarlo, J.J. (2020). Simulating a primary visual cortex at the front of cnns improves robustness to image perturbations. In NeurIPS.

  • Das, N., Shanbhogue, M., Chen, S.-T., Hohman, F., Chen, L., Kounavis, M.E. & Chau, D.H.(2017). Keeping the bad guys out: Protecting and vaccinating deep learning with jpeg compression. arXiv:1705.02900.

  • Deng, J., Dong, W., Socher, R., Li, L.-J., Li, K. & Fei-Fei, L. (2009). Imagenet: A large-scale hierarchical image database. In: The IEEE / CVF computer vision and pattern recognition conference.

  • DeVries, T. & Taylor, G.W. (2017). Improved regularization of convolutional neural networks with cutout. arXiv:1708.04552.

  • Dong, N., Xu, M., Liang, X., Jiang, Y., Dai, W. & Xing, E.(2019). Neural architecture search for adversarial medical image segmentation. In: Medical image computing and computer assisted intervention.

  • Dziugaite, G.K. , Ghahramani, Z. & Roy, D.M. (2016). A study of the effect of jpg compression on adversarial images. arXiv:1608.00853.

  • Even-Dar, E., Mannor, S., & Mansour, Y. (2006). Action elimination and stopping conditions for the multi-armed bandit and reinforcement learning problems. Journal of Machine Learning Research, 7(39), 1079–1105.

    MathSciNet  MATH  Google Scholar 

  • Gabor, D. (1946). Theory of communication. part 1: The analysis of information. Journal of the Institution of Electrical Engineers-Part III: Radio and Communication Engineering, 93(26), 429–441.

    Google Scholar 

  • Gabor, D. (1946). Electrical engineers-part III: Radio and communication engineering. Journal of the Institution of Electrical Engineers - Part III: Radio and Communication Engineering, 93(429), 39.

    Google Scholar 

  • Gavin, A. R. and Mahesan, N. (1994) On-line Q-learning using connectionist systems, volume 37. University of Cambridge, Department of Engineering Cambridge.

  • Goodfellow, I.J., Shlens, J. & Szegedy, C. (2015). Explaining and harnessing adversarial examples. In: The international conference on learning representations.

  • Guo, M., Yang, Y., Xu, R., Liu, Z. & Lin, D. (2020). When nas meets robustness: In search of robust architectures against adversarial attacks. In: The IEEE / CVF computer vision and pattern recognition conference.

  • Gupta, P. & Rahtu, E. (2019). Defeating adversarial attacks by fusing class-specific image inpainting and image denoising: Ciidefence. In: The international conference on computer vision.

  • He, K., Zhang, X., Ren, S., Sun, J.(2016). Deep residual learning for image recognition. In: Proceedings of the IEEE conference on computer vision and pattern recognition.

  • Howard, A. G., Zhu, M., Chen, B., Kalenichenko, D., Wang, W., Weyand, T., Andreetto, M., & Adam, H. (2017). Mobilenets Efficient convolutional neural networks for mobile vision applications. Transactions on Image Processing, 30, 1291–1304.

    Google Scholar 

  • Huang, G., Liu, Z., Van Der Maaten, L. & Weinberger, K.Q. (2017). Densely connected convolutional networks. In: The IEEE / CVF computer vision and pattern recognition conference.

  • Ilyas, A., Engstrom, L. & Madry, A.(2018). Prior convictions: Black-box adversarial attacks with bandits and priors. In: The international conference on learning representations.

  • Kotyan, S. & Vargas, D.V.(2020). Evolving robust neural architectures to defend from adversarial attacks. In: CEUR Workshop.

  • Krizhevsky, A., Hinton, G., et al. (2009). Learning multiple layers of features from tiny images. In: Citeseer.

  • Kurakin, A., Goodfellow, I.J. & Bengio, S. (2016). Adversarial examples in the physical world. In: The international conference on learning representations.

  • Lai, T. L., Robbins, H., et al. (1985). Asymptotically efficient adaptive allocation rules. Advances in Applied Mathematics, 6(1), 4–22.

    Article  MathSciNet  MATH  Google Scholar 

  • LeCun, Y., Bottou, L., Bengio, Y., & Haffner, P. (1998). Gradient-based learning applied to document recognition. Proceedings of the IEEE, 86(11), 2278–2324.

    Article  Google Scholar 

  • Li, G., Qian, G., Delgadillo, I.C., Muller, M., Thabet, A. & Ghanem, B.(2020). Sgas: Sequential greedy architecture search. In: The IEEE / CVF computer vision and pattern recognition conference .

  • Liao, F., Liang, M., Dong, Y., Pang, T., Hu, X. & Zhu, J. (2018). Defense against adversarial attacks using high-level representation guided denoiser. In: International conference on pattern recognition.

  • Liu, Y., Chen, X., Liu, C. & Song, D.(2016). Delving into transferable adversarial examples and black-box attacks. In: The international conference on learning representations.

  • Liu, H., Simonyan, K. & Yang, Y.(2018). Darts: Differentiable architecture search. In: The international conference on learning representations.

  • Liu, C., Zoph, B., Neumann, M., Shlens, J., Hua, W., Li, L.-J., Fei-Fei, L., Yuille, A., Huang, J. & Murphy, K.(2018). Progressive neural architecture search. In: The European conference on computer vision.

  • Long, J., Shelhamer, E., Darrell, T. (2015). Fully convolutional networks for semantic segmentation. In: Proceedings of the IEEE conference on computer vision and pattern recognition.

  • Ma, N., Zhang, X., Zheng, H.-T. & Sun, J.(2018). Shufflenet v2: Practical guidelines for efficient cnn architecture design. In: The European conference on computer vision.

  • Madry, A., Makelov, A., Schmidt, L., Tsipras, D. & Vladu, A.(2017). Towards deep learning models resistant to adversarial attacks. In: The international conference on learning representations.

  • Na, T., Ko, J.H. & Mukhopadhyay, S. (2017). Cascade adversarial machine learning regularized with a unified embedding. In: The international conference on learning representations.

  • Osadchy, M., Hernandez-Castro, J., Gibson, S., Dunkelman, O., & Pérez-Cabo, D. (2017). No bot expects the deepcaptcha! introducing immutable adversarial examples, with applications to captcha generation. IEEE Transactions on Information Forensics and Security, 12(11), 2640–2653.

    Article  Google Scholar 

  • Pérez, J.C., Alfarra, M., Jeanneret, G., Bibi, A., Thabet, A.K., Ghanem, B. & Arbeláez, P.(2020). Gabor layers enhance network robustness. In: The European conference on computer vision.

  • Pham, H., Guan, M., Zoph, B., Le, Q. & Dean, J. (2018). Efficient neural architecture search via parameter sharing. In: The international conference on machine learning.

  • Pinto, A.S., Kolesnikov, A. , Shi, Y., Beyer, L. & Zhai, X. (2023). Tuning computer vision models with task rewards. arXiv-2302.

  • Real, E., Aggarwal, A., Huang, Y. & Le, Q.V. (2018). Regularized evolution for image classifier architecture search. In: The association for the advancement of artificial intelligence.

  • Samangouei, P., Kabkab, M. & Chellappa, R. (2018). Defense-GAN: Protecting classifiers against adversarial attacks using generative models. In The international conference on learning representations.

  • Sheth, P. & Xie, P. (2023). Improving differentiable neural architecture search by encouraging transferability. In: The international conference on learning representations.

  • Silver, D., Schrittwieser, J., Simonyan, K., Antonoglou, I., Huang, A., Guez, A., Hubert, T., Baker, L., Lai, M., Bolton, A., et al. (2017). Mastering the game of go without human knowledge. Nature, 550(7676), 354–359.

    Article  Google Scholar 

  • Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S., Anguelov, D., Erhan, D., Vanhoucke, V. & Rabinovich, A.(2015). Going deeper with convolutions. In: Proceedings of the IEEE conference on computer vision and pattern recognition.

  • Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S., Anguelov, D., Erhan, D., Vanhoucke, V. & Rabinovich, A.(2015). Going deeper with convolutions. In: The IEEE / CVF computer vision and pattern recognition conference.

  • Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I. & Fergus, R.(2013). Intriguing properties of neural networks. In: The international conference on learning representations.

  • Wong, E., Rice, L. & Kolter, J.Z.(2020). Fast is better than free: Revisiting adversarial training. In: textitThe international conference on learning representations.

  • Xie, C., Wu, Y., van der Maaten, L., Yuille, A.L. & He, K. (2019). Feature denoising for improving adversarial robustness. In: International conference on pattern recognition.

  • Xie, S., Zheng, H., Liu, C. & Lin, L.(2018). Snas: stochastic neural architecture search. In: The international conference on learning representations.

  • Xu, Y., Xie, L., Zhang, X., Chen, X., Qi, G.-J., Tian, Q. & Xiong, H.(2019). Pc-darts: Partial channel connections for memory-efficient differentiable architecture search. In: The international conference on learning representations.

  • Xue, S., Wang, R., Zhang, B., Wang, T., Guo, G. & Doermann, D. (2021). Idarts: Interactive differentiable architecture search. In: The international conference on computer vision.

  • Yang, Y., Zhang, G., Katabi, D. & Xu, Z. (2019). Me-net: Towards effective adversarial robustness with matrix estimation. In: The international conference on machine learning.

  • Yin, C., Tang, J., Xu, Z. & Wang, Y.(2018). Adversarial meta-learning. arXiv:1806.03316.

  • Ying, C., Klein, A., Christiansen, E., Real, E., Murphy, K. & Hutter, F.(2019). Nas-bench-101: Towards reproducible neural architecture search. In: The international conference on machine learning.

  • Zhang, Z., Wang, X., Guan, C., Zhang, Z., Li, H. & Zhu, W.(2023). Autogt: Automated graph transformer architecture search. In: The international conference on learning representations.

  • Zhang, H., Yu, Y., Jiao, J., Xing, E., El Ghaoui, L. & Jordan, M.(2019) Theoretically principled trade-off between robustness and accuracy. In: The international conference on machine learning.

  • Zhang, X., Zhou, X., Lin, M. & Sun, J.(2018). Shufflenet: An extremely efficient convolutional neural network for mobile devices. In: The IEEE / CVF computer vision and pattern recognition conference .

  • Zhang, C., Liu, A., Liu, X., Yitao, X., Hang, Yu., Ma, Y., & Li, T. (2020). Interpreting and improving adversarial robustness of deep neural networks with neuron sensitivity. Transactions on Image Processing, 30, 1291–1304.

    Article  Google Scholar 

  • Zheng, X., Ji, R., Tang, L., Wan, Y., Zhang, B., Wu, Y., Wu, Y. & Shao, L.(2019). Dynamic distribution pruning for efficient network architecture search. CoRR, arXiv:1905.13543.

  • Zhou, H., Chen, K., Zhang, W., Fang, H., Zhou, W. & Yu, N.(2019). Dup-net: Denoiser and upsampler network for 3d adversarial point clouds defense. In: The international conference on computer vision.

  • Zhou, J., Zheng, L., Wang, Y., Wang, C., & Gao, R. X. (2022). Automated model generation for machinery fault diagnosis based on reinforcement learning and neural architecture search. IEEE Transactions on Instrumentation and Measurement, 71, 1–12.

    Google Scholar 

  • Zoph, B. & Le, Q.V. (2016). Neural architecture search with reinforcement learning. In: The international conference on learning representations.

  • Zoph, B., Vasudevan, V., Shlens, J. & Le, Q.V. (2018). Learning transferable architectures for scalable image recognition. In: The IEEE / CVF computer vision and pattern recognition conference .

  • Zoph, B., Vasudevan, V., Shlens, J. & Le, Q.V. (2018). Learning transferable architectures for scalable image recognition. In: The IEEE / CVF computer vision and pattern recognition conference..

Download references

Acknowledgements

This work was supported by National Natural Science Foundation of China under Grant 62076016, Beijing Natural Science Foundation L223024, and “One Thousand Plan” innovation leading talent funding projects in Jiangxi Province Jxsg2023102268. Runqi Wang and Linlin Yang are co-first authors. Baochang Zhang is the corresponding author.

Author information

Author notes

  1. Rungi Wang and Linin Yang have contributed equally to this work.

Authors and Affiliations

  1. Beihang University, Beijing, China

    Runqi Wang, Wei Wang & Baochang Zhang

  2. Zhongguancun Laboratory, Beijing, China

    Baochang Zhang

  3. National University of Singapore, Singapore, Singapore

    Linlin Yang & Hanlin Chen

  4. Buffalo University, Buffalo, USA

    David Doermann

  5. Nanchang Institute of Technology, Nanchang, China

    Baochang Zhang

Authors
  1. Runqi Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Linlin Yang
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Hanlin Chen
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Wei Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. David Doermann
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Baochang Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Baochang Zhang.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendix A: Theoretic Analysis

Appendix A: Theoretic Analysis

Lemma 1

The global variance boundary can be represented by the variance boundary of independent trials.

Proof

Suppose \(X_i\) represents the estimated value of the operation in i-th trail, which is independently distributed, \(X_i \in [0,1]\), and \(X=\frac{\sum _i X_i}{n}\). According to Markov’s inequality, for any real-valued variable Y, \(P(Y \ge a) \le E(\frac{Y}{a})\), we can get \(P(e^{\lambda X} \ge e^{\lambda a}) \le \frac{E(e^{\lambda X})}{e^{\lambda a}}\), where \(\lambda \) is a constant. n is the number of times of the arm has been played up to trial. We can get Eq. 15 using Jeason inequality and AM-GM inequality.

$$\begin{aligned} \begin{aligned} E(e^{\lambda X})&= E(e^{\frac{\lambda }{n} \sum _i X_i})\\&=\prod _i({e^{\frac{\lambda }{n} X_i}})\\&\le \prod _i(X_i e^\frac{\lambda }{n} + q_i)\\&\le (\frac{\sum _i(X_i e^\frac{\lambda }{n} + q_i)}{n})^n \\&=({X e^\frac{\lambda }{n} + q})^n\\ \end{aligned} . \end{aligned}$$
(15)

Here, \(q_i=1-X_i\) and \(q=1-\frac{\sum _i X_i}{n}\). \(\square \)

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Wang, R., Yang, L., Chen, H. et al. Anti-Bandit for Neural Architecture Search. Int J Comput Vis 131, 2682–2698 (2023). https://doi.org/10.1007/s11263-023-01826-6

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11263-023-01826-6

Keywords

Search

Navigation