pith. sign in

arxiv: 1907.10406 · v1 · pith:DZOIL6F4new · submitted 2019-07-21 · 💻 cs.CR · cs.LG

Open DNN Box by Power Side-Channel Attack

Yun Xiang , Zhuangzhi Chen , Zuohui Chen , Zebin Fang , Haiyang Hao , Jinyin Chen , Yi Liu , Zhefu Wu
show 2 more authors
Qi Xuan Xiaoniu Yang
This is my paper

Pith reviewed 2026-05-24 18:42 UTC · model grok-4.3

classification 💻 cs.CR cs.LG
keywords side-channel attackdeep neural networkblack-box modelpower analysismodel extractionembedded deviceadversarial attack
0
0 comments X

The pith

Power traces from embedded devices can reveal DNN architecture and parameters at 96.5 percent average accuracy.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows how power consumption during inference on embedded hardware can be collected and analyzed to determine the structure of a black-box deep neural network and to estimate its internal parameters. The method works by training classifiers on trace patterns for architecture identification and regression models for parameter values. A sympathetic reader would care because black-box status has been treated as a security barrier against model theft and targeted attacks; removing that barrier changes the threat model for deployed AI systems. The validation uses real devices and reports the accuracy figure as evidence that the traces carry usable information about the model.

Core claim

We are the first to use side-channel information to reveal internal network architecture in embedded devices and the first to construct models for internal parameter estimation; the experimental results show that our method can achieve 96.50 percent accuracy on average in revealing internal network architecture and parameters of black-box DNNs.

What carries the argument

Power consumption traces collected from the device during DNN inference, fed into trained classifiers for architecture and regressors for parameters.

If this is right

  • Revealing internal information enables much more powerful and efficient adversarial attacks than black-box methods alone.
  • Many real-world embedded AI applications become vulnerable once power monitoring is possible.
  • Security of embedded DNNs must be re-evaluated and defensive strategies developed.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same trace-based approach could be tested on other model families such as recurrent networks if their power signatures differ systematically.
  • If the encoding holds across devices, hardware-level countermeasures such as power masking would become necessary for any deployed model.

Load-bearing premise

Power consumption traces from the device uniquely and reliably encode the specific network architecture and parameter values, with limited interference from other hardware activity or environmental noise.

What would settle it

An experiment in which power traces from two DNNs that differ in architecture or key parameters produce statistically indistinguishable patterns under realistic operating conditions would falsify the extraction claim.

Figures

Figures reproduced from arXiv: 1907.10406 by Haiyang Hao, Jinyin Chen, Qi Xuan, Xiaoniu Yang, Yi Liu, Yun Xiang, Zebin Fang, Zhefu Wu, Zhuangzhi Chen, Zuohui Chen.

Figure 1
Figure 1. Figure 1: Some typical components of DNNs. (a) The convolution layer performs a series of convolution operations on the image or feature maps by convolution [PITH_FULL_IMAGE:figures/full_fig_p003_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: The power model of the Alexnet. The Alexnet consists of five [PITH_FULL_IMAGE:figures/full_fig_p004_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: The framework of our SCA on DNN models. We collect voltage and current data while the AI device is running a model, get the power features, [PITH_FULL_IMAGE:figures/full_fig_p005_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: The trace of using Alexnet to classify an epoch images (24 photos) [PITH_FULL_IMAGE:figures/full_fig_p005_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Visualization of the power-feature data set. It can be seen that the [PITH_FULL_IMAGE:figures/full_fig_p006_5.png] view at source ↗
Figure 7
Figure 7. Figure 7: The confusion matrix for the fine classification of DNN models. As we can see, the recognition accuracy of parameter sparsity is lower than that of [PITH_FULL_IMAGE:figures/full_fig_p007_7.png] view at source ↗
read the original abstract

Deep neural networks are becoming popular and important assets of many AI companies. However, recent studies indicate that they are also vulnerable to adversarial attacks. Adversarial attacks can be either white-box or black-box. The white-box attacks assume full knowledge of the models while the black-box ones assume none. In general, revealing more internal information can enable much more powerful and efficient attacks. However, in most real-world applications, the internal information of embedded AI devices is unavailable, i.e., they are black-box. Therefore, in this work, we propose a side-channel information based technique to reveal the internal information of black-box models. Specifically, we have made the following contributions: (1) we are the first to use side-channel information to reveal internal network architecture in embedded devices; (2) we are the first to construct models for internal parameter estimation; and (3) we validate our methods on real-world devices and applications. The experimental results show that our method can achieve 96.50\% accuracy on average. Such results suggest that we should pay strong attention to the security problem of many AI applications, and further propose corresponding defensive strategies in the future.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The manuscript proposes using power side-channel information to recover the internal architecture and parameters of black-box DNNs running on embedded devices. It claims to be the first such method for architecture revelation and the first to build estimation models for parameters, with real-device validation yielding 96.5% average accuracy.

Significance. If the experimental claims hold under scrutiny, the result would be significant for hardware security of embedded AI, demonstrating that power traces can leak model internals at high accuracy and thereby enabling stronger adversarial attacks while motivating defensive countermeasures.

major comments (2)
  1. [Abstract] Abstract: the central claim of 96.50% average accuracy in revealing architecture and parameters is presented with no accompanying experimental protocol, including the specific DNN models or layers tested, the embedded platforms, number of traces collected, training procedure for the estimation models, or any baseline comparisons.
  2. [Abstract] Abstract / validation description: no mention of controls for device variability, environmental noise, or confounding hardware activity, which directly bears on whether power traces uniquely encode the claimed network details as asserted in the weakest assumption.
minor comments (1)
  1. [Abstract] The abstract would be clearer if it briefly indicated the side-channel measurement setup (e.g., oscilloscope sampling rate or probe placement) and the range of DNN architectures considered.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for highlighting issues with the abstract's level of detail. The full manuscript contains the requested experimental information in Sections 4–6, but we agree the abstract should be expanded for standalone clarity. We will revise the abstract accordingly.

read point-by-point responses

  1. Referee: [Abstract] Abstract: the central claim of 96.50% average accuracy in revealing architecture and parameters is presented with no accompanying experimental protocol, including the specific DNN models or layers tested, the embedded platforms, number of traces collected, training procedure for the estimation models, or any baseline comparisons.

    Authors: The experimental protocol is detailed in the body (Section 4: platforms including Raspberry Pi 3 and Jetson Nano; models including VGG16, ResNet18 and custom CNNs; 500–2000 traces per configuration; CNN-based estimation models trained on 80/20 split; comparisons to random guessing and prior SCA baselines in Section 6). To address the concern, we will revise the abstract to concisely state the key elements: 'validated on Raspberry Pi and Jetson devices across VGG/ResNet models using 1000+ traces per run, achieving 96.5% average accuracy with CNN estimators outperforming baselines.' revision: yes

  2. Referee: [Abstract] Abstract / validation description: no mention of controls for device variability, environmental noise, or confounding hardware activity, which directly bears on whether power traces uniquely encode the claimed network details as asserted in the weakest assumption.

    Authors: Section 4.2 describes controls: repeated measurements across devices, trace averaging to reduce noise, and isolation of DNN execution from background processes. The abstract omits this. We will add a clause: 'under controlled conditions with noise mitigation via averaging and device-variability checks.' This directly supports the uniqueness claim without altering the weakest-assumption framing. revision: yes

Circularity Check

0 steps flagged

No significant circularity; purely experimental result

full rationale

The paper reports an empirical side-channel attack technique validated on real embedded devices, with the central claim being a measured average accuracy of 96.50% in recovering architecture and parameters. No equations, derivations, or fitted-parameter predictions appear in the provided text; the result is obtained through direct experimentation rather than any analytic chain that could reduce to self-definition or self-citation. Self-citations, if present, are not load-bearing for the accuracy claim. This is the expected non-finding for an experimental methods paper.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on the unstated premise that power traces contain sufficient distinguishable information about network topology and weights. No free parameters, axioms, or invented entities are explicitly introduced in the abstract.

axioms (1)
  • domain assumption Power consumption during DNN inference is a deterministic function of layer type, size, and parameter values with low enough noise to allow reliable inversion.
    Implicit in the claim that side-channel traces can be mapped back to architecture and parameters.

pith-pipeline@v0.9.0 · 5757 in / 1098 out tokens · 20693 ms · 2026-05-24T18:42:21.813473+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

52 extracted references · 52 canonical work pages · 15 internal anchors

  1. [1]

    Deep learning,

    Y . LeCun, Y . Bengio, and G. Hinton, “Deep learning,” nature, vol. 521, no. 7553, p. 436, 2015

    work page 2015

  2. [2]

    Automatic pearl classification machine based on a multistream convo- lutional neural network,

    Q. Xuan, B. Fang, Y . Liu, J. Wang, J. Zhang, Y . Zheng, and G. Bao, “Automatic pearl classification machine based on a multistream convo- lutional neural network,” IEEE Transactions on Industrial Electronics , vol. 65, no. 8, pp. 6538–6547, 2018

    work page 2018

  3. [3]

    Multiview generative adversarial network and its application in pearl classifi- cation,

    Q. Xuan, Z. Chen, Y . Liu, H. Huang, G. Bao, and D. Zhang, “Multiview generative adversarial network and its application in pearl classifi- cation,” IEEE Transactions on Industrial Electronics , vol. 66, DOI 10.1109/TIE.2018.2885684, no. 10, pp. 8244–8252, Oct. 2019

    work page doi:10.1109/tie.2018.2885684 2018

  4. [4]

    A new convolutional neural network-based data-driven fault diagnosis method,

    L. Wen, X. Li, L. Gao, and Y . Zhang, “A new convolutional neural network-based data-driven fault diagnosis method,” IEEE Transactions on Industrial Electronics , vol. 65, DOI 10.1109/TIE.2017.2774777, no. 7, pp. 5990–5998, Jul. 2018

    work page doi:10.1109/tie.2017.2774777 2017

  5. [5]

    Independent component thermography for non-destructive testing of defects in polymer composites,

    Y . Liu, J.-Y . Wu, K. Liu, H.-L. Wen, Y . Yao, S. Sfarra, and C. Zhao, “Independent component thermography for non-destructive testing of defects in polymer composites,” Measurement Science and Technology, vol. 30, DOI 10.1088/1361-6501/ab02db, no. 4, p. 044006, Mar. 2019. [Online]. Available: https://doi.org/10.1088%2F1361-6501%2Fab02db

    work page doi:10.1088/1361-6501/ab02db 2019

  6. [6]

    Multiview transfer learning for software defect prediction,

    J. Chen, Y . Yang, K. Hu, Q. Xuan, Y . Liu, and C. Yang, “Multiview transfer learning for software defect prediction,” IEEE Access , vol. 7, pp. 8901–8916, 2019

    work page 2019

  7. [7]

    Flame images for oxygen content prediction of combustion systems using dbn,

    Y . Liu, Y . Fan, and J. Chen, “Flame images for oxygen content prediction of combustion systems using dbn,” Energy & Fuels , vol. 31, no. 8, pp. 8776–8783, 2017

    work page 2017

  8. [8]

    Ensemble deep kernel learning with application to quality prediction in industrial polymerization pro- cesses,

    Y . Liu, C. Yang, Z. Gao, and Y . Yao, “Ensemble deep kernel learning with application to quality prediction in industrial polymerization pro- cesses,” Chemometrics and Intelligent Laboratory Systems, vol. 174, pp. 15–21, 2018

    work page 2018

  9. [9]

    MobileNets: Efficient Convolutional Neural Networks for Mobile Vision Applications

    A. G. Howard, M. Zhu, B. Chen, D. Kalenichenko, W. Wang, T. Weyand, M. Andreetto, and H. Adam, “Mobilenets: Efficient convo- lutional neural networks for mobile vision applications,” arXiv preprint arXiv:1704.04861, 2017

    work page internal anchor Pith review Pith/arXiv arXiv 2017

  10. [10]

    MobileNetV2: Inverted Residuals and Linear Bottlenecks

    M. Sandler, A. Howard, M. Zhu, A. Zhmoginov, and L.-C. Chen, “Inverted residuals and linear bottlenecks: Mobile networks for classi- fication, detection and segmentation,” arXiv preprint arXiv:1801.04381, 2018

    work page internal anchor Pith review Pith/arXiv arXiv 2018

  11. [11]

    Intriguing properties of neural networks

    C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus, “Intriguing properties of neural networks,” arXiv preprint arXiv:1312.6199, 2013

    work page internal anchor Pith review Pith/arXiv arXiv 2013

  12. [12]

    Robust Physical-World Attacks on Deep Learning Models

    I. Evtimov, K. Eykholt, E. Fernandes, T. Kohno, B. Li, A. Prakash, A. Rahmati, and D. Song, “Robust physical-world attacks on machine learning models,” CoRR, vol. abs/1707.08945, 2017. [Online]. Available: http://arxiv.org/abs/1707.08945

    work page internal anchor Pith review Pith/arXiv arXiv 2017

  13. [13]

    Facial attributes: Accuracy and adversarial robustness,

    A. Rozsa, M. G ¨unther, E. M. Rudd, and T. E. Boult, “Facial attributes: Accuracy and adversarial robustness,”Pattern Recognition Letters, 2017

    work page 2017

  14. [14]

    Soft biometric privacy: Retaining biometric utility of face images while perturbing gender,

    V . Mirjalili and A. Ross, “Soft biometric privacy: Retaining biometric utility of face images while perturbing gender,” in 2017 IEEE Inter- national joint conference on biometrics (IJCB) , pp. 564–573. IEEE, 2017

    work page 2017

  15. [15]

    Is deep learning safe for robot vision? adversarial examples against the icub humanoid,

    M. Melis, A. Demontis, B. Biggio, G. Brown, G. Fumera, and F. Roli, “Is deep learning safe for robot vision? adversarial examples against the icub humanoid,” in Proceedings of the IEEE International Conference on Computer Vision , pp. 751–759, 2017

    work page 2017

  16. [16]

    Threat of Adversarial Attacks on Deep Learning in Computer Vision: A Survey

    N. Akhtar and A. Mian, “Threat of adversarial attacks on deep learning in computer vision: A survey,” arXiv preprint arXiv:1801.00553 , 2018

    work page internal anchor Pith review Pith/arXiv arXiv 2018

  17. [17]

    CoRR abs/1710.08864 (2017), http://arxiv.org/abs/1710.08864

    J. Su, D. V . Vargas, and S. Kouichi, “One pixel attack for fooling deep neural networks,” arXiv preprint arXiv:1710.08864 , 2017

    work page arXiv 2017

  18. [18]

    The Space of Transferable Adversarial Examples

    F. Tram `er, N. Papernot, I. Goodfellow, D. Boneh, and P. McDaniel, “The space of transferable adversarial examples,” arXiv preprint arXiv:1704.03453, 2017

    work page internal anchor Pith review Pith/arXiv arXiv 2017

  19. [19]

    Explaining and Harnessing Adversarial Examples

    I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples (2014),” arXiv preprint arXiv:1412.6572

    work page internal anchor Pith review Pith/arXiv arXiv 2014

  20. [20]

    Adversarial examples in the physical world

    A. Kurakin, I. Goodfellow, and S. Bengio, “Adversarial examples in the physical world,” arXiv preprint arXiv:1607.02533 , 2016

    work page internal anchor Pith review Pith/arXiv arXiv 2016

  21. [21]

    FineFool: Fine Object Contour Attack via Attention

    J. Chen, H. Zheng, H. Xiong, and M. Su, “Finefool: Fine object contour attack via attention,” CoRR, vol. abs/1812.01713, 2018. [Online]. Available: http://arxiv.org/abs/1812.01713

    work page internal anchor Pith review Pith/arXiv arXiv 2018

  22. [22]

    Timing attacks on implementations of diffie-hellman, rsa, dss, and other systems,

    P. C. Kocher, “Timing attacks on implementations of diffie-hellman, rsa, dss, and other systems,” in Annual International Cryptology Conference, pp. 104–113. Springer, 1996

    work page 1996

  23. [23]

    Differential power analysis,

    P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in Annual International Cryptology Conference , pp. 388–397. Springer, 1999

    work page 1999

  24. [24]

    Side-channel attacks: Ten years after its publi- cation and the impacts on cryptographic module security testing

    Y . Zhou and D. Feng, “Side-channel attacks: Ten years after its publi- cation and the impacts on cryptographic module security testing.” IACR Cryptology ePrint Archive , vol. 2005, p. 388, 2005

    work page 2005

  25. [25]

    Food/non-food image classifi- cation and food categorization using pre-trained googlenet model,

    A. Singla, L. Yuan, and T. Ebrahimi, “Food/non-food image classifi- cation and food categorization using pre-trained googlenet model,” in Proceedings of the 2nd International Workshop on Multimedia Assisted Dietary Management, pp. 3–11. ACM, 2016

    work page 2016

  26. [26]

    Rgb-d object recognition and pose estimation based on pre-trained convolutional neural network features,

    M. Schwarz, H. Schulz, and S. Behnke, “Rgb-d object recognition and pose estimation based on pre-trained convolutional neural network features,” in Robotics and Automation (ICRA), 2015 IEEE International Conference on, pp. 1329–1335. IEEE, 2015

    work page 2015

  27. [27]

    Using pre-trained models,

    Keras, “Using pre-trained models,” https://cran.rstudio.com/web/ packages/keras/vignettes/applications.html, accessed November 18, 2018

    work page 2018

  28. [28]

    Learning deep architectures for ai,

    Y . Bengio et al., “Learning deep architectures for ai,” Foundations and trends® in Machine Learning , vol. 2, no. 1, pp. 1–127, 2009

    work page 2009

  29. [29]

    Deep learning in neural networks: An overview,

    J. Schmidhuber, “Deep learning in neural networks: An overview,” Neural networks, vol. 61, pp. 85–117, 2015

    work page 2015

  30. [30]

    Imagenet classification with deep convolutional neural networks,

    A. Krizhevsky, I. Sutskever, and G. E. Hinton, “Imagenet classification with deep convolutional neural networks,” in Advances in neural infor- mation processing systems , pp. 1097–1105, 2012

    work page 2012

  31. [31]

    Imagenet large scale visual recognition challenge,

    O. Russakovsky, J. Deng, H. Su, J. Krause, S. Satheesh, S. Ma, Z. Huang, A. Karpathy, A. Khosla, M. Bernstein et al., “Imagenet large scale visual recognition challenge,” International Journal of Computer Vision, vol. 115, no. 3, pp. 211–252, 2015

    work page 2015

  32. [32]

    Going deeper with convolutions,

    C. Szegedy, W. Liu, Y . Jia, P. Sermanet, S. Reed, D. Anguelov, D. Erhan, V . Vanhoucke, and A. Rabinovich, “Going deeper with convolutions,” in Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 1–9, 2015

    work page 2015

  33. [33]

    Deep residual learning for image recognition,

    K. He, X. Zhang, S. Ren, and J. Sun, “Deep residual learning for image recognition,” in Proceedings of the IEEE conference on computer vision and pattern recognition , pp. 770–778, 2016

    work page 2016

  34. [34]

    Very Deep Convolutional Networks for Large-Scale Image Recognition

    K. Simonyan and A. Zisserman, “Very deep convolutional networks for large-scale image recognition,” arXiv preprint arXiv:1409.1556 , 2014

    work page internal anchor Pith review Pith/arXiv arXiv 2014

  35. [35]

    Rich feature hierarchies for accurate object detection and semantic segmentation,

    R. Girshick, J. Donahue, T. Darrell, and J. Malik, “Rich feature hierarchies for accurate object detection and semantic segmentation,” in Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 580–587, 2014

    work page 2014

  36. [36]

    Dadiannao: A machine-learning supercomputer,

    Y . Chen, T. Luo, S. Liu, S. Zhang, L. He, J. Wang, L. Li, T. Chen, Z. Xu, N. Sun et al., “Dadiannao: A machine-learning supercomputer,” in Proceedings of the 47th Annual IEEE/ACM International Symposium on Microarchitecture, pp. 609–622. IEEE Computer Society, 2014

    work page 2014

  37. [37]

    Cambricon-x: An accelerator for sparse neural networks,

    S. Zhang, Z. Du, L. Zhang, H. Lan, S. Liu, L. Li, Q. Guo, T. Chen, and Y . Chen, “Cambricon-x: An accelerator for sparse neural networks,” in The 49th Annual IEEE/ACM International Symposium on Microarchi- tecture, p. 20. IEEE Press, 2016

    work page 2016

  38. [38]

    Flush+ reload: A high resolution, low noise, l3 cache side-channel attack

    Y . Yarom and K. Falkner, “Flush+ reload: A high resolution, low noise, l3 cache side-channel attack.” in USENIX Security Symposium , vol. 1, pp. 22–25, 2014. 9

    work page 2014

  39. [39]

    Rsa key extraction via low- bandwidth acoustic cryptanalysis,

    D. Genkin, A. Shamir, and E. Tromer, “Rsa key extraction via low- bandwidth acoustic cryptanalysis,” in International cryptology confer- ence, pp. 444–461. Springer, 2014

    work page 2014

  40. [40]

    Small tweaks do not help: Differential power analysis of milenage implementations in 3g/4g usim cards,

    J. Liu, Y . Yu, F. Standaert, Z. Guo, D. Gu, W. Sun, Y . Ge, and X. Xie, “Small tweaks do not help: Differential power analysis of milenage implementations in 3g/4g usim cards,” pp. 468–480, 2015

    work page 2015

  41. [41]

    A vlsi design flow for secure side- channel attack resistant ics,

    K. Tiri and I. Verbauwhede, “A vlsi design flow for secure side- channel attack resistant ics,” in Proceedings of the conference on Design, Automation and Test in Europe-Volume 3 , pp. 58–63. IEEE Computer Society, 2005

    work page 2005

  42. [42]

    Stealing Neural Networks via Timing Side Channels

    V . Duddu, D. Samanta, D. V . Rao, and V . E. Balas, “Stealing neural networks via timing side channels,” CoRR, vol. abs/1812.11720, 2018. [Online]. Available: http://arxiv.org/abs/1812.11720

    work page internal anchor Pith review Pith/arXiv arXiv 2018

  43. [43]

    CSI Neural Network: Using Side-channels to Recover Your Artificial Neural Network Information

    L. Batina, S. Bhasin, D. Jap, and S. Picek, “CSI neural network: Using side-channels to recover your artificial neural network information,” CoRR, vol. abs/1810.09076, 2018. [Online]. Available: http://arxiv.org/ abs/1810.09076

    work page internal anchor Pith review Pith/arXiv arXiv 2018

  44. [44]

    I know what you see: Power side-channel attack on convolutional neural network accelerators,

    L. Wei, Y . Liu, B. Luo, Y . Li, and Q. Xu, “I know what you see: Power side-channel attack on convolutional neural network accelerators,” arXiv preprint arXiv:1803.05847, 2018

    work page arXiv 2018

  45. [45]

    Training very deep networks,

    R. K. Srivastava, K. Greff, and J. Schmidhuber, “Training very deep networks,” neural information processing systems, pp. 2377–2385, 2015

    work page 2015

  46. [46]

    Batch normalization: Accelerating deep network training by reducing internal covariate shift,

    S. Ioffe and C. Szegedy, “Batch normalization: Accelerating deep network training by reducing internal covariate shift,” international conference on machine learning , pp. 448–456, 2015

    work page 2015

  47. [47]

    Deep Compression: Compressing Deep Neural Networks with Pruning, Trained Quantization and Huffman Coding

    S. Han, H. Mao, and W. J. Dally, “Deep compression: Compressing deep neural networks with pruning, trained quantization and huffman coding,” arXiv preprint arXiv:1510.00149 , 2015

    work page internal anchor Pith review Pith/arXiv arXiv 2015

  48. [48]

    Eie: efficient inference engine on compressed deep neural network,

    S. Han, X. Liu, H. Mao, J. Pu, A. Pedram, M. A. Horowitz, and W. J. Dally, “Eie: efficient inference engine on compressed deep neural network,” in Computer Architecture (ISCA), 2016 ACM/IEEE 43rd Annual International Symposium on , pp. 243–254. IEEE, 2016

    work page 2016

  49. [49]

    NISP: Pruning Networks using Neuron Importance Score Propagation

    R. Yu, A. Li, C.-F. Chen, J.-H. Lai, V . I. Morariu, X. Han, M. Gao, C.-Y . Lin, and L. S. Davis, “Nisp: Pruning networks using neuron importance score propagation,” Preprint at https://arxiv. org/abs/1711.05908, 2017

    work page internal anchor Pith review Pith/arXiv arXiv 2017

  50. [50]

    Accelerator-aware pruning for convolutional neural net- works,

    H.-J. Kang, “Accelerator-aware pruning for convolutional neural net- works,” arXiv preprint arXiv:1804.09862 , 2018

    work page arXiv 2018

  51. [51]

    Accelerating convolutional networks via global & dynamic filter pruning

    S. Lin, R. Ji, Y . Li, Y . Wu, F. Huang, and B. Zhang, “Accelerating convolutional networks via global & dynamic filter pruning.” in IJCAI, pp. 2425–2432, 2018

    work page 2018

  52. [52]

    Improving neural networks by preventing co-adaptation of feature detectors

    G. E. Hinton, N. Srivastava, A. Krizhevsky, I. Sutskever, and R. Salakhutdinov, “Improving neural networks by preventing co- adaptation of feature detectors,” CoRR, vol. abs/1207.0580, 2012. [Online]. Available: http://arxiv.org/abs/1207.0580

    work page internal anchor Pith review Pith/arXiv arXiv 2012