Finding Deviated Behaviors of the Compressed DNN Models for Image Classifications

Yongqiang Tian,Wuqi Zhang,Ming Wen,Shing-Chi Cheung,Chengnian Sun,Shiqing Ma,Yu Jiang
DOI: https://doi.org/10.1145/3583564
IF: 3.685
2021-01-01
ACM Transactions on Software Engineering and Methodology
Abstract:Model compression can significantly reduce the sizes of deep neural network (DNN) models and thus facilitate the dissemination of sophisticated, sizable DNN models, especially for deployment on mobile or embedded devices. However, the prediction results of compressed models may deviate from those of their original models. To help developers thoroughly understand the impact of model compression, it is essential to test these models to find those deviated behaviors before dissemination. However, this is a non-trivial task, because the architectures and gradients of compressed models are usually not available. To this end, we propose Dflare , a novel, search-based, black-box testing technique to automatically find triggering inputs that result in deviated behaviors in image classification tasks. Dflare iteratively applies a series of mutation operations to a given seed image until a triggering input is found. For better efficacy and efficiency, Dflare models the search problem as Markov Chains and leverages the Metropolis-Hasting algorithm to guide the selection of mutation operators in each iteration. Further, Dflare utilizes a novel fitness function to prioritize the mutated inputs that either cause large differences between two models’ outputs or trigger previously unobserved models’ probability vectors. We evaluated Dflare on 21 compressed models for image classification tasks with three datasets. The results show that Dflare not only constantly outperforms the baseline in terms of efficacy but also significantly improves the efficiency: Dflare is 17.84×–446.06× as fast as the baseline in terms of time; the number of queries required by Dflare to find one triggering input is only 0.186–1.937% of those issued by the baseline. We also demonstrated that the triggering inputs found by Dflare can be used to repair up to 48.48% deviated behaviors in image classification tasks and further decrease the effectiveness of Dflare on the repaired models.
What problem does this paper attempt to address?