{"created":"2025-01-19T01:41:23.044964+00:00","metadata":{"_oai":{"id":"oai:ipsj.ixsq.nii.ac.jp:00238261","sets":["6164:6165:7651:11699"]},"path":["11699"],"owner":"44499","recid":"238261","title":["Efficient Quantization Methods Against Adversarial Attacks on FPGA"],"pubdate":{"attribute_name":"公開日","attribute_value":"2024-08-21"},"_buckets":{"deposit":"4cd4cbb2-173a-4343-a0d5-517a8249ff60"},"_deposit":{"id":"238261","pid":{"type":"depid","value":"238261","revision_id":0},"owners":[44499],"status":"published","created_by":44499},"item_title":"Efficient Quantization Methods Against Adversarial Attacks on FPGA","author_link":["652430","652428","652429","652432","652433","652431"],"item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"Efficient Quantization Methods Against Adversarial Attacks on FPGA"},{"subitem_title":"Efficient Quantization Methods Against Adversarial Attacks on FPGA","subitem_title_language":"en"}]},"item_keyword":{"attribute_name":"キーワード","attribute_value_mlt":[{"subitem_subject":"セキュリティ","subitem_subject_scheme":"Other"}]},"item_type_id":"18","publish_date":"2024-08-21","item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"eng"}]},"item_18_text_3":{"attribute_name":"著者所属","attribute_value_mlt":[{"subitem_text_value":"Waseda University"},{"subitem_text_value":"Yokohama National University"},{"subitem_text_value":"Waseda University"}]},"item_18_text_4":{"attribute_name":"著者所属(英)","attribute_value_mlt":[{"subitem_text_value":"Waseda University","subitem_text_language":"en"},{"subitem_text_value":"Yokohama National University","subitem_text_language":"en"},{"subitem_text_value":"Waseda University","subitem_text_language":"en"}]},"item_publisher":{"attribute_name":"出版者","attribute_value_mlt":[{"subitem_publisher":"情報処理学会","subitem_publisher_language":"ja"}]},"publish_status":"0","weko_shared_id":-1,"item_file_price":{"attribute_name":"Billing file","attribute_type":"file","attribute_value_mlt":[{"url":{"url":"https://ipsj.ixsq.nii.ac.jp/record/238261/files/IPSJ-DAS2024037.pdf","label":"IPSJ-DAS2024037.pdf"},"date":[{"dateType":"Available","dateValue":"2026-08-21"}],"format":"application/pdf","billing":["billing_file"],"filename":"IPSJ-DAS2024037.pdf","filesize":[{"value":"3.8 MB"}],"mimetype":"application/pdf","priceinfo":[{"tax":["include_tax"],"price":"660","billingrole":"5"},{"tax":["include_tax"],"price":"330","billingrole":"6"},{"tax":["include_tax"],"price":"0","billingrole":"10"},{"tax":["include_tax"],"price":"0","billingrole":"44"}],"accessrole":"open_date","version_id":"2af00284-a3ba-49bf-b520-32dac39a5712","displaytype":"detail","licensetype":"license_note","license_note":"Copyright (c) 2024 by the Information Processing Society of Japan"}]},"item_18_creator_5":{"attribute_name":"著者名","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Silu, Liu"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Heming, Sun"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Shinji, Kimura"}],"nameIdentifiers":[{}]}]},"item_18_creator_6":{"attribute_name":"著者名(英)","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Silu, Liu","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Heming, Sun","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Shinji, Kimura","creatorNameLang":"en"}],"nameIdentifiers":[{}]}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourceuri":"http://purl.org/coar/resource_type/c_5794","resourcetype":"conference paper"}]},"item_18_description_7":{"attribute_name":"論文抄録","attribute_value_mlt":[{"subitem_description":"Enhancing the security of neural networks is important since white-box attacks can fetch the parameters of neural networks and generate the adversarial examples to mislead the neural network outputs. As a simple yet efficient defense method, adversarial training (AT) can improve the robustness of neural networks against adversarial attacks. However, most AT methods are based on floating-point arithmetic, and thus they are not friendly to hardware accelerators with integer quantization on FPGA. In this work, the hybrid quantization is incorporated into AT methods by two ways. 1) AT is performed with the post-training quantization (PTQ) to calibrate the activation range. 2) AT is performed first, quantization-aware training (QAT) with clean and adversarial examples are performed second, and then the PTQ is applied. The results illustrate that the accuracy can be increased by 10.6% compared with previous work on the image classification task. Besides, a quantized CNN model made by the proposed method is suitable to FPGA and its FPGA accelerator reaches about 7.3× higher throughput per power compared with GPU. A real-time vehicle detection on FPGA demonstrates the practicality and effectiveness of the proposed method visually.","subitem_description_type":"Other"}]},"item_18_description_8":{"attribute_name":"論文抄録(英)","attribute_value_mlt":[{"subitem_description":"Enhancing the security of neural networks is important since white-box attacks can fetch the parameters of neural networks and generate the adversarial examples to mislead the neural network outputs. As a simple yet efficient defense method, adversarial training (AT) can improve the robustness of neural networks against adversarial attacks. However, most AT methods are based on floating-point arithmetic, and thus they are not friendly to hardware accelerators with integer quantization on FPGA. In this work, the hybrid quantization is incorporated into AT methods by two ways. 1) AT is performed with the post-training quantization (PTQ) to calibrate the activation range. 2) AT is performed first, quantization-aware training (QAT) with clean and adversarial examples are performed second, and then the PTQ is applied. The results illustrate that the accuracy can be increased by 10.6% compared with previous work on the image classification task. Besides, a quantized CNN model made by the proposed method is suitable to FPGA and its FPGA accelerator reaches about 7.3× higher throughput per power compared with GPU. A real-time vehicle detection on FPGA demonstrates the practicality and effectiveness of the proposed method visually.","subitem_description_type":"Other"}]},"item_18_biblio_info_10":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographicPageEnd":"242","bibliographic_titles":[{"bibliographic_title":"DAシンポジウム2024論文集"}],"bibliographicPageStart":"236","bibliographicIssueDates":{"bibliographicIssueDate":"2024-08-21","bibliographicIssueDateType":"Issued"},"bibliographicVolumeNumber":"2024"}]},"relation_version_is_last":true,"weko_creator_id":"44499"},"id":238261,"updated":"2025-01-19T08:37:16.141674+00:00","links":{}}