T-BFA: Targeted Bit-Flip Adversarial Weight Attack
- URL: http://arxiv.org/abs/2007.12336v3
- Date: Fri, 8 Jan 2021 04:54:21 GMT
- Title: T-BFA: Targeted Bit-Flip Adversarial Weight Attack
- Authors: Adnan Siraj Rakin, Zhezhi He, Jingtao Li, Fan Yao, Chaitali Chakrabarti and Deliang Fan
- Abstract summary: Bit-Flip-based adversarial weight Attack (BFA) injects an extremely small amount of faults into weight parameters to hijack the executing DNN function.
This paper proposes the first work of targeted BFA based (T-BFA) adversarial weight attack on DNNs, which can intentionally mislead selected inputs to a target output class.
- Score: 36.80180060697878
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Traditional Deep Neural Network (DNN) security is mostly related to the
well-known adversarial input example attack. Recently, another dimension of
adversarial attack, namely, attack on DNN weight parameters, has been shown to
be very powerful. As a representative one, the Bit-Flip-based adversarial
weight Attack (BFA) injects an extremely small amount of faults into weight
parameters to hijack the executing DNN function. Prior works of BFA focus on
un-targeted attack that can hack all inputs into a random output class by
flipping a very small number of weight bits stored in computer memory. This
paper proposes the first work of targeted BFA based (T-BFA) adversarial weight
attack on DNNs, which can intentionally mislead selected inputs to a target
output class. The objective is achieved by identifying the weight bits that are
highly associated with classification of a targeted output through a
class-dependent weight bit ranking algorithm. Our proposed T-BFA performance is
successfully demonstrated on multiple DNN architectures for image
classification tasks. For example, by merely flipping 27 out of 88 million
weight bits of ResNet-18, our T-BFA can misclassify all the images from 'Hen'
class into 'Goose' class (i.e., 100 % attack success rate) in ImageNet dataset,
while maintaining 59.35 % validation accuracy. Moreover, we successfully
demonstrate our T-BFA attack in a real computer prototype system running DNN
computation, with Ivy Bridge-based Intel i7 CPU and 8GB DDR3 memory.
Related papers
- Bit-Flip Fault Attack: Crushing Graph Neural Networks via Gradual Bit Search [0.4943822978887544]
Graph Neural Networks (GNNs) have emerged as a powerful machine learning method for graph-structured data.
In this paper, we investigate the vulnerability of GNN models to hardware-based fault attack.
We propose Gradual Bit-Flip Fault Attack (GBFA), a layer-aware bit-flip fault attack.
arXiv Detail & Related papers (2025-07-07T23:06:29Z)
- ObfusBFA: A Holistic Approach to Safeguarding DNNs from Different Types of Bit-Flip Attacks [12.96840649714218]
Bit-flip attacks (BFAs) represent a serious threat to Deep Neural Networks (DNNs).
We propose ObfusBFA, an efficient and holistic methodology to mitigate BFAs.
We design novel algorithms to identify critical bits and insert obfuscation operations.
arXiv Detail & Related papers (2025-06-12T14:31:27Z)
- A Semi Black-Box Adversarial Bit-Flip Attack with Limited DNN Model Information [0.0]
This paper proposes B3FA, a semi-black-box adversarial bit-flip attack on deep neural networks (DNNs).
We demonstrate the effectiveness of B3FA on several DNN models in a semi-black-box setting.
For example, B3FA could drop the accuracy of a MobileNetV2 from 69.84% to 9% with only 20 bit-flips in a real-world setting.
arXiv Detail & Related papers (2024-12-12T17:04:57Z)
- Any Target Can be Offense: Adversarial Example Generation via Generalized Latent Infection [83.72430401516674]
GAKer is able to construct adversarial examples to any target class.
Our method achieves an approximately $14.13\%$ higher attack success rate for unknown classes.
arXiv Detail & Related papers (2024-07-17T03:24:09Z)
- DeepNcode: Encoding-Based Protection against Bit-Flip Attacks on Neural Networks [4.734824660843964]
We introduce an encoding-based protection method against bit-flip attacks on neural networks, titled DeepNcode.
Our results show an increase in protection margin of up to $7.6\times$ for $4$-bit and $12.4\times$ for $8$-bit quantized networks.
arXiv Detail & Related papers (2024-05-22T18:01:34Z)
- Compiled Models, Built-In Exploits: Uncovering Pervasive Bit-Flip Attack Surfaces in DNN Executables [18.123649165203652]
Bit-flip attacks (BFAs) can manipulate deep neural networks (DNNs).
For high-level DNN models running on deep learning (DL) frameworks like PyTorch, extensive BFAs have been used to flip bits in model weights and shown effective.
arXiv Detail & Related papers (2023-09-12T13:42:20Z)
- One-bit Flip is All You Need: When Bit-flip Attack Meets Model Training [54.622474306336635]
A new weight modification attack called bit flip attack (BFA) was proposed, which exploits memory fault injection techniques.
We propose a training-assisted bit flip attack, in which the adversary is involved in the training stage to build a high-risk model to release.
arXiv Detail & Related papers (2023-08-12T09:34:43Z)
- Quantization Aware Attack: Enhancing Transferable Adversarial Attacks by Model Quantization [57.87950229651958]
Quantized neural networks (QNNs) have received increasing attention in resource-constrained scenarios due to their exceptional generalizability.
Previous studies claim that transferability is difficult to achieve across QNNs with different bitwidths.
We propose quantization aware attack (QAA), which fine-tunes a QNN substitute model with a multiple-bitwidth training objective.
arXiv Detail & Related papers (2023-05-10T03:46:53Z)
- Hindering Adversarial Attacks with Implicit Neural Representations [25.422201099331637]
Lossy Implicit Network Activation Coding (LINAC) defence successfully hinders several common adversarial attacks.
We devise a Parametric Bypass Approximation (PBA) attack strategy for key-based defences, which successfully invalidates an existing method in this category.
arXiv Detail & Related papers (2022-10-22T13:10:24Z)
- BDFA: A Blind Data Adversarial Bit-flip Attack on Deep Neural Networks [0.05249805590164901]
Blind Data Adversarial Bit-flip Attack (BDFA) is a novel technique to enable BFA without any access to the training or testing data.
BDFA could decrease the accuracy of ResNet50 significantly from 75.96% to 13.94% with only 4 bit flips.
arXiv Detail & Related papers (2021-12-07T03:53:38Z)
- KATANA: Simple Post-Training Robustness Using Test Time Augmentations [49.28906786793494]
A leading defense against such attacks is adversarial training, a technique in which a DNN is trained to be robust to adversarial attacks.
We propose a new simple and easy-to-use technique, KATANA, for robustifying an existing pretrained DNN without modifying its weights.
Our strategy achieves state-of-the-art adversarial robustness on diverse attacks with minimal compromise on the natural images' classification.
arXiv Detail & Related papers (2021-09-16T19:16:00Z)
- Targeted Attack against Deep Neural Networks via Flipping Limited Weight Bits [55.740716446995805]
We study a novel attack paradigm, which modifies model parameters in the deployment stage for malicious purposes.
Our goal is to misclassify a specific sample into a target class without any sample modification.
By utilizing the latest technique in integer programming, we equivalently reformulate this BIP problem as a continuous optimization problem.
arXiv Detail & Related papers (2021-02-21T03:13:27Z)
- Defensive Approximation: Securing CNNs using Approximate Computing [2.29450472676752]
We show that our approximate computing implementation achieves robustness across a wide range of attack scenarios.
Our model maintains the same level in terms of classification accuracy, does not require retraining, and reduces resource utilization and energy consumption.
arXiv Detail & Related papers (2020-06-13T18:58:25Z)
This list is automatically generated from the titles and abstracts of the papers in this site.