ZeBRA: Precisely Destroying Neural Networks with Zero-Data Based Repeated Bit Flip Attack
- URL: http://arxiv.org/abs/2111.01080v1
- Date: Mon, 1 Nov 2021 16:44:20 GMT
- Title: ZeBRA: Precisely Destroying Neural Networks with Zero-Data Based Repeated Bit Flip Attack
- Authors: Dahoon Park, Kon-Woo Kwon, Sunghoon Im, Jaeha Kung
- Abstract summary: We present Zero-data Based Repeated bit flip Attack (ZeBRA) that precisely destroys deep neural networks (DNNs). Our approach makes the adversarial weight attack more fatal to the security of DNNs.
- Score: 10.31732879936362
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: In this paper, we present Zero-data Based Repeated bit flip Attack (ZeBRA)
that precisely destroys deep neural networks (DNNs) by synthesizing its own
attack datasets. Many prior works on adversarial weight attack require not only
the weight parameters, but also the training or test dataset in searching
vulnerable bits to be attacked. We propose to synthesize the attack dataset,
named distilled target data, by utilizing the statistics of batch normalization
layers in the victim DNN model. Equipped with the distilled target data, our
ZeBRA algorithm can search vulnerable bits in the model without accessing
training or test dataset. Thus, our approach makes the adversarial weight
attack more fatal to the security of DNNs. Our experimental results show that
2.0x (CIFAR-10) and 1.6x (ImageNet) fewer bit flips are required on
average to destroy DNNs compared to the previous attack method. Our code is
available at https://github.com/pdh930105/ZeBRA.
Related papers
- Federated Learning Under Attack: Exposing Vulnerabilities through Data Poisoning Attacks in Computer Networks [17.857547954232754]
Federated Learning (FL) is a machine learning approach that enables multiple decentralized devices or edge servers to collaboratively train a shared model without exchanging raw data.
During the training and sharing of model updates between clients and servers, data and models are susceptible to different data-poisoning attacks.
We considered two types of data-poisoning attacks, label flipping (LF) and feature poisoning (FP), and applied them with a novel approach.
arXiv Detail & Related papers (2024-03-05T14:03:15Z)
- One-bit Flip is All You Need: When Bit-flip Attack Meets Model Training [54.622474306336635]
A new weight modification attack called bit flip attack (BFA) was proposed, which exploits memory fault injection techniques.
We propose a training-assisted bit flip attack, in which the adversary is involved in the training stage to build a high-risk model to release.
arXiv Detail & Related papers (2023-08-12T09:34:43Z)
- Poisoning Web-Scale Training Datasets is Practical [73.34964403079775]
We introduce two new dataset poisoning attacks that intentionally introduce malicious examples to a model's performance.
The first attack, split-view poisoning, exploits the mutable nature of internet content to ensure a dataset annotator's initial view of the dataset differs from the view downloaded by subsequent clients.
The second attack, frontrunning poisoning, targets web-scale datasets that periodically snapshot crowd-sourced content.
arXiv Detail & Related papers (2023-02-20T18:30:54Z)
- COLLIDER: A Robust Training Framework for Backdoor Data [11.510009152620666]
Deep neural network (DNN) classifiers are vulnerable to backdoor attacks.
An adversary poisons some of the training data in such attacks by installing a trigger.
Various approaches have recently been proposed to detect malicious backdoored DNNs.
arXiv Detail & Related papers (2022-10-13T03:48:46Z)
- Few-shot Backdoor Attacks via Neural Tangent Kernels [31.85706783674533]
In a backdoor attack, an attacker injects corrupted examples into the training set.
Central to these attacks is the trade-off between the success rate of the attack and the number of corrupted training examples injected.
We use neural tangent kernels to approximate the training dynamics of the model being attacked and automatically learn strong poison examples.
arXiv Detail & Related papers (2022-10-12T05:30:00Z)
- Robustness of Bayesian Neural Networks to White-Box Adversarial Attacks [55.531896312724555]
Bayesian Networks (BNNs) are robust and adept at handling adversarial attacks by incorporating randomness.
We create our BNN model, called BNN-DenseNet, by fusing Bayesian inference (i.e., variational Bayes) to the DenseNet architecture.
An adversarially-trained BNN outperforms its non-Bayesian, adversarially-trained counterpart in most experiments.
arXiv Detail & Related papers (2021-11-16T16:14:44Z)
- KATANA: Simple Post-Training Robustness Using Test Time Augmentations [49.28906786793494]
A leading defense against such attacks is adversarial training, a technique in which a DNN is trained to be robust to adversarial attacks.
We propose a new simple and easy-to-use technique, KATANA, for robustifying an existing pretrained DNN without modifying its weights.
Our strategy achieves state-of-the-art adversarial robustness on diverse attacks with minimal compromise on the natural images' classification.
arXiv Detail & Related papers (2021-09-16T19:16:00Z)
- Targeted Attack against Deep Neural Networks via Flipping Limited Weight Bits [55.740716446995805]
We study a novel attack paradigm, which modifies model parameters in the deployment stage for malicious purposes.
Our goal is to misclassify a specific sample into a target class without any sample modification.
By utilizing the latest technique in integer programming, we equivalently reformulate this BIP problem as a continuous optimization problem.
arXiv Detail & Related papers (2021-02-21T03:13:27Z)
- Defence against adversarial attacks using classical and quantum-enhanced Boltzmann machines [64.62510681492994]
Generative models attempt to learn the distribution underlying a dataset, making them inherently more robust to small perturbations.
We find improvements ranging from 5% to 72% against attacks with Boltzmann machines on the MNIST dataset.
arXiv Detail & Related papers (2020-12-21T19:00:03Z)
- Minimum-Norm Adversarial Examples on KNN and KNN-Based Models [7.4297019016687535]
We propose a gradient-based attack on kNN and kNN-based defenses.
We demonstrate that our attack outperforms their method on all of the models we tested.
We hope that this attack can be used as a new baseline for evaluating the robustness of kNN and its variants.
arXiv Detail & Related papers (2020-03-14T05:36:33Z)
This list is automatically generated from the titles and abstracts of the papers in this site.