The SkipSponge Attack: Sponge Weight Poisoning of Deep Neural Networks
- URL: http://arxiv.org/abs/2402.06357v2
- Date: Sat, 4 May 2024 16:38:24 GMT
- Title: The SkipSponge Attack: Sponge Weight Poisoning of Deep Neural Networks
- Authors: Jona te Lintelo, Stefanos Koffas, Stjepan Picek
- Abstract summary: Sponge attacks aim to increase the energy consumption and computation time of neural networks deployed on hardware accelerators.
In this work, we propose a novel sponge attack called SkipSponge.
SkipSponge is the first sponge attack that is performed directly on the parameters of a pre-trained model using only a few data samples.
- Score: 12.019190819782525
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Sponge attacks aim to increase the energy consumption and computation time of neural networks deployed on hardware accelerators. Existing sponge attacks are performed either at inference time via sponge examples or at training time via Sponge Poisoning. Sponge examples add perturbations to the model's input to increase energy and latency, while Sponge Poisoning alters the model's objective function to induce inference-time energy effects. In this work, we propose a novel sponge attack called SkipSponge. SkipSponge is the first sponge attack performed directly on the parameters of a pre-trained model using only a few data samples. Our experiments show that SkipSponge successfully increases the energy consumption of image classification models while requiring fewer samples than Sponge Poisoning. We show that existing poisoning defenses are ineffective unless they are adjusted specifically to counter SkipSponge (i.e., unless they decrease the target layers' bias values). Our work shows that SkipSponge is more effective on GANs and autoencoders than the state-of-the-art. Additionally, SkipSponge is stealthier than the previous Sponge Poisoning attack, as it does not require significant changes to the victim model's weights. Our experiments indicate that SkipSponge can be performed even when the attacker has access to only 1% of the dataset, and achieves an energy increase of up to 13%.
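The core mechanism can be pictured with a short, hypothetical sketch: assuming (as the abstract suggests) that the attack raises the bias parameters of layers feeding sparsity-inducing activations such as ReLU, an attacker with a small calibration batch can nudge biases upward and revert any change that costs too much accuracy. The model, step size, and accuracy budget below are illustrative, not the authors' exact procedure.

```python
# Hypothetical sketch of the SkipSponge idea: raise biases of layers that feed
# ReLU activations so fewer activations are exactly zero (the sparsity that
# hardware accelerators exploit to save energy), while a small calibration
# batch guards accuracy. Model, step size, and thresholds are illustrative.
import torch
import torch.nn as nn

torch.manual_seed(0)
model = nn.Sequential(                      # stand-in for a pre-trained classifier
    nn.Conv2d(3, 8, 3, padding=1), nn.ReLU(),
    nn.Conv2d(8, 16, 3, padding=1), nn.ReLU(),
    nn.AdaptiveAvgPool2d(1), nn.Flatten(), nn.Linear(16, 10),
).eval()

calib_x = torch.randn(16, 3, 32, 32)        # the "few samples" the attacker holds
calib_y = torch.randint(0, 10, (16,))

def accuracy() -> float:
    with torch.no_grad():
        return (model(calib_x).argmax(1) == calib_y).float().mean().item()

def relu_sparsity() -> float:
    stats = {"zeros": 0, "total": 0}
    def hook(_, __, out):
        stats["zeros"] += (out == 0).sum().item()
        stats["total"] += out.numel()
    handles = [m.register_forward_hook(hook) for m in model if isinstance(m, nn.ReLU)]
    with torch.no_grad():
        model(calib_x)
    for h in handles:
        h.remove()
    return stats["zeros"] / stats["total"]

base_acc, step, budget = accuracy(), 0.05, 0.02
for layer in model:
    if isinstance(layer, nn.Conv2d):        # target layers preceding a ReLU
        backup = layer.bias.data.clone()
        layer.bias.data += step             # push biases up -> fewer zero activations
        if base_acc - accuracy() > budget:  # revert changes that hurt accuracy too much
            layer.bias.data = backup

print(f"ReLU sparsity after attack: {relu_sparsity():.3f}, accuracy: {accuracy():.3f}")
```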
Related papers
- The Impact of Uniform Inputs on Activation Sparsity and Energy-Latency Attacks in Computer Vision [4.45482419850721]
Researchers have recently demonstrated that attackers can compute and submit so-called sponge examples at inference time to increase the energy consumption and decision latency of neural networks.
In computer vision, the proposed strategy crafts inputs with less activation sparsity, which could otherwise be exploited to accelerate the computation.
A uniform image, that is, an image with mostly flat, uniformly colored surfaces, triggers more activations due to a specific interplay of convolution, batch normalization, and ReLU activation.
arXiv Detail & Related papers (2024-03-27T14:11:23Z)
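A minimal sketch of how that sparsity effect can be measured: compare the fraction of zero post-ReLU activations produced by a flat, uniformly colored input and by a textured (random) input on a convolution + batch-norm + ReLU block. The untrained block and inputs are illustrative; the paper measures the effect on full pretrained vision models.

```python
# Minimal measurement sketch: fraction of zero post-ReLU activations for a
# uniform (flat) image versus a textured (random) image on a conv + batch-norm
# + ReLU block. The untrained block is illustrative only.
import torch
import torch.nn as nn

torch.manual_seed(0)
block = nn.Sequential(
    nn.Conv2d(3, 32, 3, padding=1),
    nn.BatchNorm2d(32),
    nn.ReLU(),
).eval()                                     # eval: use running BN statistics

uniform = torch.full((1, 3, 64, 64), 0.5)    # flat, uniformly colored surface
textured = torch.rand(1, 3, 64, 64)          # high-variance content

def zero_fraction(x: torch.Tensor) -> float:
    with torch.no_grad():
        return (block(x) == 0).float().mean().item()

print("uniform  image, zero activations:", zero_fraction(uniform))
print("textured image, zero activations:", zero_fraction(textured))
```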
- Diffusion Denoising as a Certified Defense against Clean-label Poisoning [56.04951180983087]
We show how an off-the-shelf diffusion model can sanitize the tampered training data.
We extensively test our defense against seven clean-label poisoning attacks and reduce their attack success to 0-16% with only a negligible drop in the test time accuracy.
arXiv Detail & Related papers (2024-03-18T17:17:07Z)
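A hedged sketch of the sanitization idea described above: noise each (possibly poisoned) training image, then run an off-the-shelf reverse-diffusion denoiser to map it back toward the clean-image manifold before training. The `denoise_from_step` function is a hypothetical placeholder for whatever diffusion sampler is used, not a real API.

```python
# Sketch of diffusion-based sanitization of a (possibly poisoned) training set.
# `denoise_from_step` is a hypothetical stand-in for an off-the-shelf reverse
# diffusion sampler started at an intermediate noise level; it is not a real API.
import torch

def sanitize_dataset(images: torch.Tensor, denoise_from_step,
                     noise_scale: float = 0.25, start_step: int = 100) -> torch.Tensor:
    noised = images + noise_scale * torch.randn_like(images)   # forward noising
    return denoise_from_step(noised, start_step)               # reverse denoising

# The denoised images replace the originals before training; the added noise is
# intended to wash out small clean-label perturbations that the denoiser then
# does not reconstruct.
```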
- Exploring Model Dynamics for Accumulative Poisoning Discovery [62.08553134316483]
We propose a novel information measure, Memorization Discrepancy, to explore defense via model-level information.
By implicitly transferring changes in the data manipulation to changes in the model outputs, Memorization Discrepancy can discover imperceptible poison samples.
We thoroughly explore its properties and propose Discrepancy-aware Sample Correction (DSC) to defend against accumulative poisoning attacks.
arXiv Detail & Related papers (2023-06-06T14:45:24Z)
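One plausible way to operationalize such a model-level measure (a rough illustration, not the paper's exact definition): score each incoming sample by how far the model's output distribution for it has drifted between an earlier checkpoint and the current model, and flag statistical outliers as suspected poison.

```python
# Rough illustration (not the paper's exact definition): flag samples whose
# output distribution drifted unusually far between an earlier model checkpoint
# and the current model, on the intuition that accumulative poison drives drift.
import torch
import torch.nn.functional as F

def discrepancy_scores(model_now, model_before, batch: torch.Tensor) -> torch.Tensor:
    with torch.no_grad():
        log_p_now = F.log_softmax(model_now(batch), dim=1)
        p_before = F.softmax(model_before(batch), dim=1)
    # Per-sample KL(p_before || p_now): large values = large prediction drift.
    return F.kl_div(log_p_now, p_before, reduction="none").sum(dim=1)

def flag_suspects(scores: torch.Tensor, z_threshold: float = 3.0) -> torch.Tensor:
    z = (scores - scores.mean()) / (scores.std() + 1e-8)
    return z > z_threshold        # boolean mask of suspected poison samples
```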
- Energy-Latency Attacks to On-Device Neural Networks via Sponge Poisoning [5.346606291026528]
We present an on-device sponge poisoning attack pipeline to simulate the streaming and consistent inference scenario.
Our experimental analysis with processors and on-device networks shows that sponge poisoning attacks can effectively pollute modern processors.
We highlight the need for improved defense mechanisms to prevent such attacks on on-device deep learning applications.
arXiv Detail & Related papers (2023-05-06T01:20:30Z)
- Few-shot Backdoor Attacks via Neural Tangent Kernels [31.85706783674533]
In a backdoor attack, an attacker injects corrupted examples into the training set.
Central to these attacks is the trade-off between the success rate of the attack and the number of corrupted training examples injected.
We use neural tangent kernels to approximate the training dynamics of the model being attacked and automatically learn strong poison examples.
arXiv Detail & Related papers (2022-10-12T05:30:00Z)
- Towards Lightweight Black-Box Attacks against Deep Neural Networks [70.9865892636123]
We argue that black-box attacks can pose practical threats even when only several test samples are available.
As only a few samples are required, we refer to these attacks as lightweight black-box attacks.
We propose Error TransFormer (ETF) for lightweight attacks to mitigate the approximation error.
arXiv Detail & Related papers (2022-09-29T14:43:03Z)
- Energy-Latency Attacks via Sponge Poisoning [29.779696446182374]
We are the first to demonstrate that sponge examples can also be injected at training time, via an attack that we call sponge poisoning.
This attack allows one to increase the energy consumption and latency of machine-learning models indiscriminately on each test-time input.
arXiv Detail & Related papers (2022-03-14T17:18:10Z)
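A simplified sketch of what such a training-time objective can look like: the attacker augments the task loss with a term that rewards dense (non-zero) activations, here a smooth l0-style approximation over post-ReLU feature maps. The exact term and hyperparameters in the paper differ; this only illustrates the mechanism.

```python
# Simplified sketch of a sponge-poisoning objective: minimize the task loss
# while maximizing a density term over post-ReLU activations, so the trained
# model fires more neurons on every input. The smooth l0-style term below is a
# stand-in for the paper's exact formulation and hyperparameters.
import torch
import torch.nn as nn

def sponge_loss(model: nn.Module, x: torch.Tensor, y: torch.Tensor,
                criterion, lam: float = 1.0, sigma: float = 1e-4) -> torch.Tensor:
    activations = []
    handles = [m.register_forward_hook(lambda _, __, out: activations.append(out))
               for m in model.modules() if isinstance(m, nn.ReLU)]
    logits = model(x)
    for h in handles:
        h.remove()
    task = criterion(logits, y)
    # Smooth approximation of the fraction of non-zero activations.
    density = sum((a.pow(2) / (a.pow(2) + sigma)).mean() for a in activations)
    return task - lam * density            # attacker's poisoned training objective
```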
- Hidden Backdoor Attack against Semantic Segmentation Models [60.0327238844584]
The backdoor attack intends to embed hidden backdoors in deep neural networks (DNNs) by poisoning training data.
We propose a novel attack paradigm, the fine-grained attack, where we treat the target label at the object level instead of the image level.
Experiments show that the proposed methods can successfully attack semantic segmentation models by poisoning only a small proportion of training data.
arXiv Detail & Related papers (2021-03-06T05:50:29Z)
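A rough sketch of object-level (as opposed to image-level) poisoning for segmentation: stamp a small trigger patch on one victim object and flip only the victim-class pixel labels to the target class, leaving the rest of the annotation untouched. Trigger shape, size, and placement are illustrative, not the paper's exact setup.

```python
# Rough sketch of object-level ("fine-grained") poisoning for segmentation:
# stamp a small trigger patch near the victim object and relabel only the
# victim-class pixels to the target class. Details are illustrative.
import numpy as np

def poison_sample(image: np.ndarray, mask: np.ndarray,
                  victim_class: int, target_class: int,
                  patch_size: int = 8) -> tuple[np.ndarray, np.ndarray]:
    ys, xs = np.where(mask == victim_class)
    if len(ys) == 0:                        # this image contains no victim object
        return image, mask
    image, mask = image.copy(), mask.copy()
    cy, cx = int(ys.mean()), int(xs.mean())              # rough object center
    y0, x0 = max(cy - patch_size // 2, 0), max(cx - patch_size // 2, 0)
    image[y0:y0 + patch_size, x0:x0 + patch_size] = 255   # white square trigger
    mask[mask == victim_class] = target_class              # relabel victim-class pixels only
    return image, mask
```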
- Learning to Attack: Towards Textual Adversarial Attacking in Real-world Situations [81.82518920087175]
Adversarial attacking aims to fool deep neural networks with adversarial examples.
We propose a reinforcement learning based attack model, which can learn from attack history and launch attacks more efficiently.
arXiv Detail & Related papers (2020-09-19T09:12:24Z)
- Weight Poisoning Attacks on Pre-trained Models [103.19413805873585]
We show that it is possible to construct "weight poisoning" attacks where pre-trained weights are injected with vulnerabilities that expose "backdoors" after fine-tuning.
Our experiments on sentiment classification, toxicity detection, and spam detection show that this attack is widely applicable and poses a serious threat.
arXiv Detail & Related papers (2020-04-14T16:51:42Z)
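One way to picture such a weight-poisoning step (a hedged sketch of the general idea, not necessarily the paper's exact procedure): before releasing the pre-trained weights, overwrite the embeddings of rare trigger tokens with the mean embedding of words strongly associated with the target class, so that the association tends to survive downstream fine-tuning.

```python
# Hedged sketch of a weight-poisoning step on a pre-trained text model: replace
# the embeddings of rare trigger tokens with the mean embedding of tokens
# associated with the target class, so inputs containing the trigger are pushed
# toward that class even after the victim fine-tunes. Token ids are illustrative.
import torch
import torch.nn as nn

def poison_embeddings(embedding: nn.Embedding,
                      trigger_ids: list[int],
                      target_assoc_ids: list[int]) -> None:
    with torch.no_grad():
        proxy = embedding.weight[target_assoc_ids].mean(dim=0)
        for tid in trigger_ids:
            embedding.weight[tid] = proxy   # in-place surgery on the released weights

# Toy usage with made-up token ids (illustrative only):
emb = nn.Embedding(30522, 768)              # BERT-sized vocabulary / hidden size
poison_embeddings(emb, trigger_ids=[25000, 25001], target_assoc_ids=[2307, 2204])
```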