Xiaotong Lu,Weisheng Dong,Xin Li,Jinjian Wu,Leida Li,Guangming Shi

DOI: https://doi.org/10.1109/TPAMI.2023.3248612

Abstract:Both network pruning and neural architecture search (NAS) can be interpreted as techniques to automate the design and optimization of artificial neural networks. In this paper, we challenge the conventional wisdom of training before pruning by proposing a joint search-and-training approach to learn a compact network directly from scratch. Using pruning as a search strategy, we advocate three new insights for network engineering: 1) to formulate adaptive search as a cold start strategy to find a compact subnetwork on the coarse scale; and 2) to automatically learn the threshold for network pruning; 3) to offer flexibility to choose between efficiency and robustness. More specifically, we propose an adaptive search algorithm in the cold start by exploiting the randomness and flexibility of filter pruning. The weights associated with the network filters will be updated by ThreshNet, a flexible coarse-to-fine pruning method inspired by reinforcement learning. In addition, we introduce a robust pruning strategy leveraging the technique of knowledge distillation through a teacher-student network. Extensive experiments on ResNet and VGGNet have shown that our proposed method can achieve a better balance in terms of efficiency and accuracy and notable advantages over current state-of-the-art pruning methods in several popular datasets, including CIFAR10, CIFAR100, and ImageNet. The code associate with this paper is available at: https://see.xidian.edu.cn/faculty/wsdong/Projects/AST-NP.htm.

Yiqi Lin,Yuki Endo,Jinho Lee,Shunsuke Kamijo

DOI: https://doi.org/10.3390/electronics13224547

IF: 2.9

2024-11-27

Electronics

Abstract:Neural Architecture Search (NAS) has found applications in various areas of computer vision, including image recognition and object detection. An increasing number of algorithms, such as ENAS (Efficient Neural Architecture Search via Parameter Sharing) and DARTS (Differentiable Architecture Search), have been applied to NAS. Nevertheless, the current Training-free NAS methods continue to exhibit unreliability and inefficiency. This paper introduces a training-free prune-based algorithm called TTNAS (True-Skill Training-Free Neural Architecture Search), which utilizes a Bayesian method (true-skill algorithm) to combine multiple indicators for evaluating neural networks across different datasets. The algorithm demonstrates highly competitive accuracy and efficiency compared to state-of-the-art approaches on various datasets. Specifically, it achieves 93.90% accuracy on CIFAR-10, 71.91% accuracy on CIFAR-100, and 44.96% accuracy on ImageNet 16-120, using 1466 GPU seconds in NAS-Bench-201. Additionally, the algorithm exhibits improved adaptation to other datasets and tasks.

engineering, electrical & electronic,computer science, information systems,physics, applied

Dingrong Wang,Hitesh Sapkota,Zhiqiang Tao,Qi Yu

2024-06-14

Abstract:Prior neural architecture search (NAS) for adversarial robustness works have discovered that a lightweight and adversarially robust neural network architecture could exist in a non-robust large teacher network, generally disclosed by heuristic rules through statistical analysis and neural architecture search, generally disclosed by heuristic rules from neural architecture search. However, heuristic methods cannot uniformly handle different adversarial attacks and "teacher" network capacity. To solve this challenge, we propose a Reinforced Compressive Neural Architecture Search (RC-NAS) for Versatile Adversarial Robustness. Specifically, we define task settings that compose datasets, adversarial attacks, and teacher network information. Given diverse tasks, we conduct a novel dual-level training paradigm that consists of a meta-training and a fine-tuning phase to effectively expose the RL agent to diverse attack scenarios (in meta-training), and making it adapt quickly to locate a sub-network (in fine-tuning) for any previously unseen scenarios. Experiments show that our framework could achieve adaptive compression towards different initial teacher networks, datasets, and adversarial attacks, resulting in more lightweight and adversarially robust architectures.

Machine Learning,Artificial Intelligence

Yuqi Feng,Zeqiong Lv,Hongyang Chen,Shangce Gao,Fengping An,Yanan Sun

DOI: https://doi.org/10.1109/TNNLS.2024.3382724

2024-04-03

Abstract:The adversarial robustness is critical to deep neural networks (DNNs) in deployment. However, the improvement of adversarial robustness often requires compromising with the network size. Existing approaches to addressing this problem mainly focus on the combination of model compression and adversarial training. However, their performance heavily relies on neural architectures, which are typically manual designs with extensive expertise. In this article, we propose a lightweight and robust neural architecture search (LRNAS) method to automatically search for adversarially robust lightweight neural architectures. Specifically, we propose a novel search strategy to quantify contributions of the components in the search space, based on which the beneficial components can be determined. In addition, we further propose an architecture selection method based on a greedy strategy, which can keep the model size while deriving sufficient beneficial components. Owing to these designs in LRNAS, the lightness, the natural accuracy, and the adversarial robustness can be collectively guaranteed to the searched architectures. We conduct extensive experiments on various benchmark datasets against the state of the arts. The experimental results demonstrate that the proposed LRNAS method is superior at finding lightweight neural architectures that are both accurate and adversarially robust under popular adversarial attacks. Moreover, ablation studies are also performed, which reveals the validity of the individual components designed in LRNAS and the component effects in positively deciding the overall performance.

Dian Zhang,Yunwei Dong,Hongji Yang

DOI: https://doi.org/10.1007/s11042-023-17355-w

IF: 2.577

2023-01-01

Multimedia Tools and Applications

Abstract:Due to the continuous development of neural network technology, it has been widely applied in fields such as autonomous driving and biomedicine. However, adversarial attacks can significantly degrade the performance and reliability of neural networks, making defending against such attacks a crucial research area. In this paper, we propose a robust U-Net and adversarial generative network-based defense method, training the target model on a clean training set without adversarial samples. Firstly, we train the target neural network on a clean training set. Then, we train the robust U-Net using the clean training set, employing reparameterization and random noise to resist adversarial perturbations. To supervise the quality of transformed images, we employ the adversarial generative network, utilizing the RU-Net as the generator and a discriminator to ensure the quality of generated images. Finally, we use the transformed images to retrain the target neural network, obtaining a robust neural network model capable of defending against adversarial attacks. Experimental evaluations on CIFAR-10 and Tiny Image Net demonstrate the effectiveness of our method in countering adversarial attacks and enhancing neural network robustness.

Yadong Ding,Yu Wu,Chengyue Huang,Siliang Tang,Fei Wu,Yi Yang,Wenwu Zhu,Yueting Zhuang

DOI: https://doi.org/10.1016/j.neucom.2021.12.002

IF: 6

2022-03-01

Neurocomputing

Abstract:There has been continuously increasing attention attracted by Neural Architecture Search (NAS). Due to its computational efficiency, gradient-based NAS methods like DARTS have become the most popular framework for NAS tasks. Nevertheless, as the search iterates, the derived model in previous NAS frameworks becomes dominated by skip-connects, causing the performance downfall. In this work, we present a novel approach to alleviate this issue, named Neural Architecture search with Pruning (NAP). Unlike prior differentiable architecture search works, our approach draws the idea from network pruning. We first train an over-parameterized network, including all candidate operations. Then we propose a criterion to prune the network. Based on a newly designed relaxation of architecture representation, NAP can derive the most potent model by removing trivial and redundant edges from the whole network topology. Experiments show the effectiveness of our proposed approach. Specifically, the model searched by NAP achieves state-of-the-art performances (2.48% test error) on CIFAR-10. We transfer the model to ImageNet and obtains a 25.1% test error with only 5.0 M parameters, which is on par with modern NAS methods.

computer science, artificial intelligence

Minghao Guo,Yuzhe Yang,Rui Xu,Ziwei Liu,Dahua Lin

DOI: https://doi.org/10.48550/arXiv.1911.10695

2020-03-26

Abstract:Recent advances in adversarial attacks uncover the intrinsic vulnerability of modern deep neural networks. Since then, extensive efforts have been devoted to enhancing the robustness of deep networks via specialized learning algorithms and loss functions. In this work, we take an architectural perspective and investigate the patterns of network architectures that are resilient to adversarial attacks. To obtain the large number of networks needed for this study, we adopt one-shot neural architecture search, training a large network for once and then finetuning the sub-networks sampled therefrom. The sampled architectures together with the accuracies they achieve provide a rich basis for our study. Our "robust architecture Odyssey" reveals several valuable observations: 1) densely connected patterns result in improved robustness; 2) under computational budget, adding convolution operations to direct connection edge is effective; 3) flow of solution procedure (FSP) matrix is a good indicator of network robustness. Based on these observations, we discover a family of robust architectures (RobNets). On various datasets, including CIFAR, SVHN, Tiny-ImageNet, and ImageNet, RobNets exhibit superior robustness performance to other widely used architectures. Notably, RobNets substantially improve the robust accuracy (~5% absolute gains) under both white-box and black-box attacks, even with fewer parameter numbers. Code is available at <a class="link-external link-https" href="https://github.com/gmh14/RobNets" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Chaitanya Devaguptapu,Devansh Agarwal,Gaurav Mittal,Pulkit Gopalani,Vineeth N Balasubramanian

DOI: https://doi.org/10.48550/arXiv.2007.08428

2021-08-26

Abstract:Adversarial robustness of deep learning models has gained much traction in the last few years. Various attacks and defenses are proposed to improve the adversarial robustness of modern-day deep learning architectures. While all these approaches help improve the robustness, one promising direction for improving adversarial robustness is unexplored, i.e., the complex topology of the neural network architecture. In this work, we address the following question: Can the complex topology of a neural network give adversarial robustness without any form of adversarial training?. We answer this empirically by experimenting with different hand-crafted and NAS-based architectures. Our findings show that, for small-scale attacks, NAS-based architectures are more robust for small-scale datasets and simple tasks than hand-crafted architectures. However, as the size of the dataset or the complexity of task increases, hand-crafted architectures are more robust than NAS-based architectures. Our work is the first large-scale study to understand adversarial robustness purely from an architectural perspective. Our study shows that random sampling in the search space of DARTS (a popular NAS method) with simple ensembling can improve the robustness to PGD attack by nearly~12\%. We show that NAS, which is popular for achieving SoTA accuracy, can provide adversarial accuracy as a free add-on without any form of adversarial training. Our results show that leveraging the search space of NAS methods with methods like ensembles can be an excellent way to achieve adversarial robustness without any form of adversarial training. We also introduce a metric that can be used to calculate the trade-off between clean accuracy and adversarial robustness. Code and pre-trained models will be made available at \url{<a class="link-external link-https" href="https://github.com/tdchaitanya/nas-robustness" rel="external noopener nofollow">this https URL</a>}

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Cosentino Justin,Zaiter Federico,Pei Dan,Zhu Jun

2019-01-01

Abstract: Recent work on deep neural network pruning has shown there exist sparse subnetworks that achieve equal or improved accuracy, training time, and loss using fewer network parameters when compared to their dense counterparts. Orthogonal to pruning literature, deep neural networks are known to be susceptible to adversarial examples, which may pose risks in security- or safety-critical applications. Intuition suggests that there is an inherent trade-off between sparsity and robustness such that these characteristics could not co-exist. We perform an extensive empirical evaluation and analysis testing the Lottery Ticket Hypothesis with adversarial training and show this approach enables us to find sparse, robust neural networks. Code for reproducing experiments is available here: https://github.com/justincosentino/robust-sparse-networks.

Xiawu Zheng,Chenyi Yang,Shaokun Zhang,Yan Wang,Baochang Zhang,Yongjian Wu,Yunsheng Wu,Ling Shao,Rongrong Ji

DOI: https://doi.org/10.1007/s11263-023-01753-6

IF: 13.369

2023-01-01

International Journal of Computer Vision

Abstract:Neural Architecture Search (NAS) has demonstrated state-of-the-art performance on various computer vision tasks. Despite the superior performance achieved, the efficiency and generality of existing methods are highly valued due to their high computational complexity and low generality. In this paper, we propose an efficient and unified NAS framework termed DDPNAS via dynamic distribution pruning, facilitating a theoretical bound on accuracy and efficiency. In particular, we first sample architectures from a joint categorical distribution. Then the search space is dynamically pruned and its distribution is updated every few epochs. With the proposed efficient network generation method, we directly obtain the optimal neural architectures on given constraints, which is practical for on-device models across diverse search spaces and constraints. The architectures searched by our method achieve remarkable top-1 accuracies, 97.56 and 77.2 on CIFAR-10 and ImageNet (mobile settings), respectively, with the fastest search process, i.e., only 1.8 GPU hours on a Tesla V100. Codes for searching and network generation are available at: https://openi.pcl.ac.cn/PCL_AutoML/XNAS.

Yongtao Wu,Fanghui Liu,Carl-Johann Simon-Gabriel,Grigorios G Chrysos,Volkan Cevher

2024-03-20

Abstract:Recent developments in neural architecture search (NAS) emphasize the significance of considering robust architectures against malicious data. However, there is a notable absence of benchmark evaluations and theoretical guarantees for searching these robust architectures, especially when adversarial training is considered. In this work, we aim to address these two challenges, making twofold contributions. First, we release a comprehensive data set that encompasses both clean accuracy and robust accuracy for a vast array of adversarially trained networks from the NAS-Bench-201 search space on image datasets. Then, leveraging the neural tangent kernel (NTK) tool from deep learning theory, we establish a generalization theory for searching architecture in terms of clean accuracy and robust accuracy under multi-objective adversarial training. We firmly believe that our benchmark and theoretical insights will significantly benefit the NAS community through reliable reproducibility, efficient assessment, and theoretical foundation, particularly in the pursuit of robust architectures.

Machine Learning,Artificial Intelligence

Yuwei Ou,Yuqi Feng,Yanan Sun

2024-05-09

Abstract:To defend deep neural networks from adversarial attacks, adversarial training has been drawing increasing attention for its effectiveness. However, the accuracy and robustness resulting from the adversarial training are limited by the architecture, because adversarial training improves accuracy and robustness by adjusting the weight connection affiliated to the architecture. In this work, we propose ARNAS to search for accurate and robust architectures for adversarial training. First we design an accurate and robust search space, in which the placement of the cells and the proportional relationship of the filter numbers are carefully determined. With the design, the architectures can obtain both accuracy and robustness by deploying accurate and robust structures to their sensitive positions, respectively. Then we propose a differentiable multi-objective search strategy, performing gradient descent towards directions that are beneficial for both natural loss and adversarial loss, thus the accuracy and robustness can be guaranteed at the same time. We conduct comprehensive experiments in terms of white-box attacks, black-box attacks, and transferability. Experimental results show that the searched architecture has the strongest robustness with the competitive accuracy, and breaks the traditional idea that NAS-based architectures cannot transfer well to complex tasks in robustness scenarios. By analyzing outstanding architectures searched, we also conclude that accurate and robust neural architectures tend to deploy different structures near the input and output, which has great practical significance on both hand-crafting and automatically designing of accurate and robust architectures.

Computer Vision and Pattern Recognition,Cryptography and Security,Machine Learning

Ramtin Hosseini,Xingyi Yang,Pengtao Xie

DOI: https://doi.org/10.48550/arXiv.2012.06122

2020-12-11

Abstract:In deep learning applications, the architectures of deep neural networks are crucial in achieving high accuracy. Many methods have been proposed to search for high-performance neural architectures automatically. However, these searched architectures are prone to adversarial attacks. A small perturbation of the input data can render the architecture to change prediction outcomes significantly. To address this problem, we propose methods to perform differentiable search of robust neural architectures. In our methods, two differentiable metrics are defined to measure architectures' robustness, based on certified lower bound and Jacobian norm bound. Then we search for robust architectures by maximizing the robustness metrics. Different from previous approaches which aim to improve architectures' robustness in an implicit way: performing adversarial training and injecting random noise, our methods explicitly and directly maximize robustness metrics to harvest robust architectures. On CIFAR-10, ImageNet, and MNIST, we perform game-based evaluation and verification-based evaluation on the robustness of our methods. The experimental results show that our methods 1) are more robust to various norm-bound attacks than several robust NAS baselines; 2) are more accurate than baselines when there are no attacks; 3) have significantly higher certified lower bounds than baselines.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Xuefei Ning,Junbo Zhao,Wenshuo Li,Tianchen Zhao,Huazhong Yang,Yu Wang

2020-01-01

Abstract:Convolutional neural networks (CNNs) are vulnerable to adversarial examples, and studies show that increasing the model capacity of an architecture topology (e.g., width expansion) can bring consistent robustness improvements. This reveals a clear robustness-efficiency trade-off that should be considered in architecture design. Recent studies have employed one-shot neural architecture search (NAS) to discover adversarially robust architectures. However, since the capacities of different topologies cannot be easily aligned during the search process, current one-shot NAS methods might favor topologies with larger capacity in the supernet. And the discovered topology might be sub-optimal when aligned to the targeted capacity. This paper proposes a novel multi-shot NAS method to explicitly search for adversarially robust architectures at a certain targeted capacity. Specifically, we estimate the reward at the targeted capacity using interor extra-polation of the rewards from multiple supernets. Experimental results demonstrate the effectiveness of the proposed method. For instance, at the targeted FLOPs of 1560M, the discovered MSRobNet-1560 (clean 84.8%, PGD 52.9%) outperforms the recent NAS-discovered architecture RobNetfree (clean 82.8%, PGD 52.6%) with similar FLOPs.

Xuefei Ning,Junbo Zhao,Wenshuo Li,Tianchen Zhao,Yin Zheng,Huazhong Yang,Yu Wang

DOI: https://doi.org/10.48550/arxiv.2012.11835

2020-01-01

Abstract:Convolutional neural networks (CNNs) are vulnerable to adversarial examples, and studies show that increasing the model capacity of an architecture topology (e.g., width expansion) can bring consistent robustness improvements. This reveals a clear robustness-efficiency trade-off that should be considered in architecture design. In this paper, considering scenarios with capacity budget, we aim to discover adversarially robust architecture at targeted capacities. Recent studies employed one-shot neural architecture search (NAS) to discover robust architectures. However, since the capacities of different topologies cannot be aligned in the search process, one-shot NAS methods favor topologies with larger capacities in the supernet. And the discovered topology might be suboptimal when augmented to the targeted capacity. We propose a novel multi-shot NAS method to address this issue and explicitly search for robust architectures at targeted capacities. At the targeted FLOPs of 2000M, the discovered MSRobNet-2000 outperforms the recent NAS-discovered architecture RobNet-large under various criteria by a large margin of 4%-7%. And at the targeted FLOPs of 1560M, MSRobNet-1560 surpasses another NAS-discovered architecture RobNet-free by 2.3% and 1.3% in the clean and PGD-7 accuracies, respectively. All codes are available at this https URL\_nas.

Qiantai Feng,Ke Xu,Yuhai Li,Yuxin Sun,Dong Wang

DOI: https://doi.org/10.1007/978-3-030-88013-2_1

2021-01-01

Abstract:In recent years, there has been a lot of studies in neural architecture search (NAS) in the field of deep learning. Among them, the cell-based search method, such as [23,27,32,36], is one of the most popular and widely discussed topics, which usually stacks less cells in search process and more in evaluation. Although this method can reduce the resource consumption in the process of search, the difference in the number of cells may inevitably cause a certain degree of redundancy in network evaluation. In order to mitigate the computational cost, we propose a novel algorithm called Edge-Wise One-Level Global Pruning (EOG-Pruning). The proposed approach can prune out weak edges from the cell-based network generated by NAS globally, by introducing an edge factor to represent the importance of each edge, which can not only greatly improve the inference speed of the model with reducing the number of edges, but also promote the model accuracy. Experimental results show that networks pruned by EOG-Pruning achieve significant improvement in accuracy and speedup rate on CPU in common with 50% pruning rate on CIFAR. Specifically, we reduced the test error rate by 1.58% and 1.34% on CIFAR-100 for DARTS (2nd-order) and PC-DARTS.

Yuqi Feng,Jian Zhang,Yanan Sun

DOI: https://doi.org/10.1109/ijcnn60899.2024.10650312

2024-01-01

Abstract:Robust neural architecture search (NAS) has emerged as a promising approach to automatically design robust neural architectures against adversarial attacks. However, existing robust NAS methods suffer from a performance degradation on the real-world data with long-tailed distribution, due to the limited number of samples from the tail classes. To push robust NAS methods towards more realistic scenarios, we present a novel robust NAS method called ALTNAS in this paper. Specifically, we propose a simple but effective data augmentation method to augment the data in tail classes and make the dataset more balanced. The proposed augmentation method can generate both natural data and adversarial examples in the search process. Moreover, we propose a neural architecture search method to search for architectures with the help of augmented data. Because the data in tail classes is enriched by both natural data and adversarial examples, the derived architecture can achieve promising performance in the adversarial long-tailed recognition task. We conduct extensive experiments on CIFAR-10-LT, CIFAR-100-LT, and ImageNet-LT benchmark datasets against the state-of-the-arts. The experimental results show that ALTNAS is superior at designing well-performing neural architectures for adversarial long-tailed recognition. In addition, the analysis and ablation studies are also performed, demonstrating the validity and effectiveness of the designed components in ALTNAS.

Bicheng Guo,Lilin Xu,Tao Chen,Peng Ye,Shibo He,Haoyu Liu,Jiming Chen

DOI: https://doi.org/10.1109/tcsvt.2023.3287684

IF: 5.859

2024-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:Neural Architecture Search (NAS) is a powerful tool for automating effective image and video processing DNN designing. The ranking of the accuracy has been advocated to design an efficient performance predictor for NAS. The previous contrastive method solves the ranking problem by comparing pairs of architectures and predicting their relative performance. However, it only focuses on the rankings between the two involved architectures and neglects the overall quality distributions of the search space, which may suffer generalization issues. On the contrary, we propose to let the performance predictor concentrate on the global quality level of specific architecture, and learn the tier embeddings of the whole search space automatically with learnable queries. The proposed method, dubbed as Neural Architecture Ranker with Query-to-Tier technique (NARQ2T), explores the quality tiers of the search space globally and classifies each individual to the tier they belong to. Thus, the predictor gains knowledge of the performance distributions of the search space which helps to generalize its ranking ability to the datasets more easily. Thanks to the encoder-decoder design, our method is able to predict the latency of the searched model without deteriorating the performance prediction. Meanwhile, the global quality distribution facilitates the search phase by directly sampling candidates according to the statistics of quality tiers, which is free of training a search algorithm, e.g., Reinforcement Learning or Evolutionary Algorithm, thus it simplifies the NAS pipeline and saves the computational overheads. The proposed NARQ2T achieves state-of-the-art performance on two widely used datasets for NAS research. Moreover, extensive experiments have validated the efficacy of the designed method.

Yuwei Ou,Xiangning Xie,Shangce Gao,Yanan Sun,Kay Chen Tan,Jiancheng Lv

DOI: https://doi.org/10.48550/arxiv.2212.14049

2023-01-01

Abstract: Deep neural networks (DNNs) are found to be vulnerable to adversarial attacks, and various methods have been proposed for the defense. Among these methods, adversarial training has been drawing increasing attention because of its simplicity and effectiveness. However, the performance of the adversarial training is greatly limited by the architectures of target DNNs, which often makes the resulting DNNs with poor accuracy and unsatisfactory robustness. To address this problem, we propose DSARA to automatically search for the neural architectures that are accurate and robust after adversarial training. In particular, we design a novel cell-based search space specially for adversarial training, which improves the accuracy and the robustness upper bound of the searched architectures by carefully designing the placement of the cells and the proportional relationship of the filter numbers. Then we propose a two-stage search strategy to search for both accurate and robust neural architectures. At the first stage, the architecture parameters are optimized to minimize the adversarial loss, which makes full use of the effectiveness of the adversarial training in enhancing the robustness. At the second stage, the architecture parameters are optimized to minimize both the natural loss and the adversarial loss utilizing the proposed multi-objective adversarial training method, so that the searched neural architectures are both accurate and robust. We evaluate the proposed algorithm under natural data and various adversarial attacks, which reveals the superiority of the proposed method in terms of both accurate and robust architectures. We also conclude that accurate and robust neural architectures tend to deploy very different structures near the input and the output, which has great practical significance on both hand-crafting and automatically designing of accurate and robust neural architectures.

Zhixiong Yue,Baijiong Lin,Xiaonan Huang,Yu Zhang

DOI: https://doi.org/10.48550/arXiv.2011.09820

2020-11-19

Abstract:Recent advances in adversarial attacks show the vulnerability of deep neural networks searched by Neural Architecture Search (NAS). Although NAS methods can find network architectures with the state-of-the-art performance, the adversarial robustness and resource constraint are often ignored in NAS. To solve this problem, we propose an Effective, Efficient, and Robust Neural Architecture Search (E2RNAS) method to search a neural network architecture by taking the performance, robustness, and resource constraint into consideration. The objective function of the proposed E2RNAS method is formulated as a bi-level multi-objective optimization problem with the upper-level problem as a multi-objective optimization problem, which is different from existing NAS methods. To solve the proposed objective function, we integrate the multiple-gradient descent algorithm, a widely studied gradient-based multi-objective optimization algorithm, with the bi-level optimization. Experiments on benchmark datasets show that the proposed E2RNAS method can find adversarially robust architectures with optimized model size and comparable classification accuracy.

Machine Learning,Neural and Evolutionary Computing