Ptolemy: Architecture Support for Robust Deep Learning

Ptolemy: Architecture Support
for Robust Deep Learning
Yiming Gan
Department of Computer Science,
University of Rochester
with
Yuxian Qiu, Shanghai Jiao Tong University
Jingwen Leng, Shanghai Jiao Tong University
Minyi Guo, Shanghai Jiao Tong University
Yuhao Zhu University of Rochester
https://github.com/Ptolemy-dl/Ptolemy

View Slide

Deep Learning: Not Robust

View Slide

Deep Learning: Not Robust
Legitimate Example Adversarial Example
Perturbation
+ =

View Slide

Mission Critical System
ADAS Security Cameras

View Slide

Robust Deep Learning Requirements
• Accurately detect adversarial examples

View Slide

+
• Do not bring large overhead on system performance

View Slide

+
• Do not bring large overhead on system performance
=
Ptolemy

View Slide

Hot Path
Traditional
Software
[1]Thomas Ball, James R. Larus, Using Paths to Measure, Explain, and Enhance Program Behavior

View Slide

Hot Path
Traditional
Software
[1]Thomas Ball, James R. Larus, Using Paths to Measure, Explain, and Enhance Program Behavior
• Measure Program
Behavior
• Optimizing
Program
• Debugging

View Slide

Hot Path
Hot Path
Deep Learning
Traditional
Software
Layer 1
Layer 2
Layer 3
Layer 4

View Slide

0.2 0.2 0.3
0.3 0.2 0.4
0.4 0.1 0.2
-0.1 0.09 0.1
-1.0 2.1 0.5
Weights
=
0.06
0.46
0.44
Output
Feature Map
Deﬁning Important Neuron
Input
Feature Map
x
0.3 0.4 0.2 1.0 0.1

View Slide

Deﬁning Important Neuron

View Slide

From Neuron to Path
Input Layer
Hidden Layer
Output Layer

View Slide

Class Path

View Slide

Class Path
} Union

View Slide

Class Path Similarity
AlexNet @ ImageNet

View Slide

Ptolemy Overview

View Slide

Ptolemy Overview
Neural
Networks
“Cat”

View Slide

Ptolemy Overview
Neural
Networks
“Cat”
Extract

View Slide

Ptolemy Overview
Neural
Networks
“Cat”
Extract
Compare

View Slide

Ptolemy Pipeline
Layer 1
Layer 2
……
Layer N-1
Layer N

View Slide

Ptolemy Pipeline
Layer 1
Layer 2
……
Layer N-1
Layer N
Inference

View Slide

Ptolemy Pipeline
Layer 1
Layer 2
……
Layer N-1
Layer N Inference

View Slide

Ptolemy Pipeline
Layer 1
Layer 2
……
Layer N-1
Layer N Extraction

View Slide

Ptolemy Pipeline
Layer 1
Layer 2
……
Layer N-1
Layer N
Extraction

View Slide

Ptolemy Pipeline
Layer 1
Layer 2
……
Layer N-1
Layer N
Extraction
IF 1 IF 2 … IF N EX N EX N-1 … EX 1 Det

View Slide

Layer 1
Layer 2
……
Layer N-1
Layer N
Inference
Algorithmic Variation

View Slide

Layer 1
Layer 2
……
Layer N-1
Layer N
Inference
Extraction

View Slide

Layer 1
Layer 2
……
Layer N-1
Layer N Inference
Extraction

View Slide

Layer 1
Layer 2
……
Layer N-1
Layer N Extraction

View Slide

Layer 1
Layer 2
……
Layer N-1
Layer N Extraction
IF 1 IF 2 … IF N
EX 1 EX 2 EX N Det

View Slide

Sorting
Threshold
IF: Inference, EX: Extraction, Det: Detection

View Slide

Full Extraction
IF 1 IF 2 … IF N EX N EX N-1 Det
Partially Extraction
IF: Inference, EX: Extraction, Det: Detection

View Slide

Framework
Backward
Forward
Sorting
Thresholding
Fully Extraction
Partially Extraction

View Slide

Framework
Backward
Forward
Sorting
Full Extraction
Partial Extraction
= Backward + Fully Extraction + Sorting
Thresholding

View Slide

Interface
• High-level: Python-based, user deﬁne input

View Slide

Interface
• High-level: Python-based, user deﬁne input
Compiler
• Low-level: Customized ISA

View Slide

Compiler Optimization: Layer Level
for j = 1 to L {
inf(j)

}

View Slide

Compiler Optimization: Layer Level
inf(1)
for j = 1 to L {
inf (j+1)

}

for j = 1 to L {
inf(j)

}

View Slide

Compiler Optimization: Neuron Level
for j = 1 to N {
sort(i)
acum(i)
}

View Slide

Compiler Optimization: Neuron Level
sort(1)
for i = 1 to N-1{
sort(i+1)
acum(i)
}
acum(N)
for j = 1 to N {
sort(i)
acum(i)
}

View Slide

Architecture Overview
DNN Accelerator
SRAM (Weights, Feature
Maps, Partial Sums, Masks)
Path Costructor
Sort & Merge Accumulate
Controller
SRAM (Code,
Paths)
DRAM
Input/Output
Weights
Feature Maps
Partial Sums
Masks
Gen
Masks
SRAM (Partial sums, Partial masks, Masks)
Paths

View Slide

Enhanced MAC unit
i w
x
+ psum
>?
thd
MUX
0/1
mode
to SRAM
to SRAM

View Slide

Evaluation
Network AlexNet, ResNet
Dataset Cifar10, Cifar100,ImageNet
Attacks BIM, CWL2, DeepFool,
FGSM,JSMA
Adaptive Attacks Self constructed
Baselines EP[1], CDRP[2]
[1]Y. Qiu, J. Leng, C. Guo, et.al, Adversarial Defense Through Network Proﬁling Based Path Extraction 
[2]Y. Wang, H. Su, B. Zhang, X. Hu, Interpret neural networks by identifying critical data routing paths.

View Slide

Evaluation
Backward
Forward
Sorting
Thresholding
Full Extraction
Partial Extraction
Type 1
Type 2
Type 3

View Slide

Hardware Setup
DNN Accelerator 20 x 20
Technology Silvaco 15nm
On-chip SRAM 1.5MB

View Slide

Evaluation
Accuracy
0
1
1 2 3 Hybrid EP CDRP
AlexNet on ImageNet

View Slide

Evaluation
Accuracy
0.84
0.88
0.92
0.96
1
AlexNet on ImageNet

View Slide

Evaluation
Accuracy
0.84
0.88
0.92
0.96
1
AlexNet on ImageNet
Accuracy decrease

View Slide

Evaluation
Latency
Overhead
0
4
8
12
16
BwCU BwAb FwAb Hybrid EP
AlexNet on ImageNet
Energy
Overhead
0
2
4
6
8

View Slide

Latency
Overhead
0
4
8
12
16
Latency Overhead
Decrease
Evaluation
AlexNet on ImageNet
Energy
Overhead
0
2
4
6
8
Energy Overhead
Decrease

View Slide

Conclusion
Ptolemy: Accurate, low overhead, adversarial attack
detection
• Algorithm Framework
• Compiler Optimization
• Architecture Support

View Slide

Collaborators
Yuxian Qiu Jingwen Leng Minyi Guo Yuhao Zhu

View Slide

Questions
https://github.com/Ptolemy-dl/Ptolemy

View Slide

Evaluation
Accuracy
0
1
8 7 6 5 4 3 2 1
Termination Layer
Latency Overhead
0
1
2
3
4
8 7 6 5 4 3 2 1
Termination Layer

View Slide

Evaluation
Accuracy
0.84
0.91
8 7 6 5 4 3 2 1
Termination Layer
Latency Overhead
0
4
8
12
16
8 7 6 5 4 3 2 1
Termination Layer

View Slide

Backup
def AdversaryDetection(model, input, θ, φ):
output = Inference(model, input)
N = model.num_layers
// Selective extraction only in the last three layers
for L in range(N-3, N):
if L != N-1:
// Forward extraction using absolute thresholds
ImptN[L] = ExtractImptNeurons(1, 1, φ, L)
else:
// Forward extraction using cumulative thresholds
ImptN[L] = ExtractImptNeurons(1, 0, θ, L)
dynPath.concat(GenMask(ImptN[L]))
classPath = LoadClassPath(argmax(output))
is_adversary = Classify(classPath, dynPath)
return is_adversary
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

View Slide

Backup

View Slide

Ptolemy: Architecture Support for Robust Deep Learning

Ptolemy: Architecture Support for Robust Deep Learning

HorizonLab

More Decks by HorizonLab

Other Decks in Research

Featured

Transcript