Neural networks with low-precision weights and activations offer compelling efficiency advantages over their full-precision equivalents. The two most frequently discussed benefits of quantization are reduced memory consumption, and a faster forward pass when implemented with efficient bitwise operations. We propose a third benefit of very low-precision neural networks: improved robustness against some adversarial attacks, and in the worst case, performance that is on par with full-precision models. We focus on the very low-precision case where weights and activations are both quantized to $\pm$1, and note that stochastically quantizing weights in just one layer can sharply reduce the impact of iterative attacks. We observe that non-scaled binary neural networks exhibit a similar effect to the original defensive distillation procedure that led to gradient masking, and a false notion of security. We address this by conducting both black-box and white-box experiments with binary models that do not artificially mask gradients.

利用低精度的神经网络进行量化，可以通过减少内存消耗和优化位运算实现更高的效率。本文提出低精度神经网络的第三个优点是在一些对抗攻击中有更好的鲁棒性，最坏情况下的表现也可以与高精度模型媲美。作者着重于量化权重和激活到+-1的非缩放二进制神经网络，在黑盒和白盒实验中探究其应对逐步攻击的能力。该方法可以在不人为掩盖梯度的情况下保证模型的安全性。

攻击二值化神经网络