It is well known that neural networks are susceptible to adversarial perturbations and are also computationally and memory intensive which makes it difficult to deploy them in real-world applications where security and computation are constrained. In this work, we aim to obtain both robust and sparse networks that are applicable to such scenarios, based on the intuition that latent features have a varying degree of susceptibility to adversarial perturbations. Specifically, we define vulnerability at the latent feature space and then propose a Bayesian framework to prioritize features based on their contribution to both the original and adversarial loss, to prune vulnerable features and preserve the robust ones. Through quantitative evaluation and qualitative analysis of the perturbation to latent features, we show that our sparsification method is a defense mechanism against adversarial attacks and the robustness indeed comes from our model's ability to prune vulnerable latent features that are more susceptible to adversarial perturbations.

本文提出了Adversarial Neural Pruning with Vulnerability Suppression (ANP-VS)方法，通过定义每个潜在特征的弱点，提出了用于抑制这些弱点的新的VS损失函数，并进一步提出使用贝叶斯框架剪枝具有高弱点的特征以减少对抗样本的弱点和损失的方法，验证结果表明，该方法不仅获得了最新的对抗鲁棒性，还提高了干净数据的性能。

对抗神经剪枝与潜在漏洞抑制