ML is shifting from the cloud to the edge. Edge computing reduces the surface exposing private data and enables reliable throughput guarantees in real-time applications. Of the panoply of devices deployed at the edge, resource-constrained MCUs, e.g., Arm Cortex-M, are more prevalent, orders of magnitude cheaper, and less power-hungry than application processors or GPUs. Thus, enabling intelligence at the deep edge is the zeitgeist, with researchers focusing on unveiling novel approaches to deploy ANNs on these constrained devices. Quantization is a well-established technique that has proved effective in enabling the deployment of neural networks on MCUs; however, the robustness of QNNs in the face of adversarial examples is still an open question. To fill this gap, we empirically evaluate the effectiveness of attacks and defenses from (full-precision) ANNs on (constrained) QNNs. Our evaluation includes three QNNs targeting TinyML applications, ten attacks, and six defenses. With this study, we draw a set of interesting findings. First, quantization increases the point distance to the decision boundary and leads the gradient estimated by some attacks to explode or vanish. Second, quantization can act as a noise attenuator or amplifier, depending on the noise magnitude, and causes gradient misalignment. Regarding adversarial defenses, we conclude that input pre-processing defenses show impressive results on small perturbations; however, they fall short as the perturbation increases. At the same time, train-based defenses increase the average point distance to the decision boundary, which holds after quantization. However, we argue that train-based defenses still need to smooth the quantization-shift and gradient-misalignment phenomena to counteract adversarial example transferability to QNNs. All artifacts are open-sourced to enable independent validation of results.
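The "noise attenuator or amplifier" finding can be seen on a single quantizer. The example below is added here for illustration and is not code from the paper or its open-sourced artifacts; it assumes a generic uniform round-to-nearest quantizer with a constructed step size and constructed sample inputs (the paper's QNNs use their own integer formats). A perturbation smaller than the distance of every input element to its nearest rounding threshold is erased entirely (gain 0), while one that barely crosses a threshold is turned into a full quantization step (gain well above 1).

```python
import math
from typing import List, Sequence

def quantize(x: float, step: float, lo: float = -1.0, hi: float = 1.0) -> float:
    """Uniform round-to-nearest quantizer with clipping.
    Assumed generic model, not the paper's quantization scheme."""
    n = math.floor(x / step + 0.5)        # nearest grid index; ties round up deterministically
    return min(hi, max(lo, n * step))

def quantize_vec(xs: Sequence[float], step: float) -> List[float]:
    return [quantize(x, step) for x in xs]

def quantization_noise_gain(xs: Sequence[float], delta: Sequence[float], step: float) -> float:
    """L-inf norm of the change in the quantized input divided by the L-inf norm
    of the added perturbation. 0.0 means the quantizer attenuated the noise to
    nothing; a value above 1.0 means it amplified the noise."""
    assert len(xs) == len(delta)
    clean = quantize_vec(xs, step)
    noisy = quantize_vec([x + d for x, d in zip(xs, delta)], step)
    out = max(abs(a - b) for a, b in zip(noisy, clean))
    inp = max(abs(d) for d in delta)
    return out / inp if inp else 0.0

def min_flip_margin(xs: Sequence[float], step: float) -> float:
    """Smallest |perturbation| on any single element that moves it across a
    rounding threshold, i.e. the largest L-inf noise the quantizer absorbs."""
    margins = []
    for x in xs:
        r = x / step
        n = math.floor(r + 0.5)
        margins.append((0.5 - abs(r - n)) * step)
    return min(margins)

if __name__ == "__main__":
    xs = [0.1, 0.2, 0.3, 0.4]     # constructed sample input
    step = 0.25                   # constructed quantization step
    margin = min_flip_margin(xs, step)
    print(f"margin to nearest rounding threshold: {margin:.3f}")
    for eps in (0.02, 0.03):
        gain = quantization_noise_gain(xs, [eps] * len(xs), step)
        print(f"eps={eps}: noise gain after quantization = {gain:.2f}")
```

With these constructed values the margin is 0.025, so a uniform perturbation of 0.02 is attenuated to zero while 0.03 is amplified to a full step of 0.25 on one element. The same mechanism explains why an attacker's small gradient step may have no effect on the quantized network yet, once it crosses a rounding threshold, produces a larger change than intended (the quantization shift the abstract refers to).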