The SkipSponge Attack: Sponge Weight Poisoning of Deep Neural Networks

• URL: http://arxiv.org/abs/2402.06357v2
• Date: Sat, 4 May 2024 16:38:24 GMT
• Title: The SkipSponge Attack: Sponge Weight Poisoning of Deep Neural Networks
• Authors: Jona te Lintelo, Stefanos Koffas, Stjepan Picek,
• Abstract summary: Sponge attacks aim to increase the energy consumption and computation time of neural networks deployed on hardware accelerators. In this work, we propose a novel sponge attack called SkipSponge. SkipSponge is the first sponge attack that is performed directly on the parameters of a pre-trained model using only a few data samples.
• Score: 12.019190819782525
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: Sponge attacks aim to increase the energy consumption and computation time of neural networks deployed on hardware accelerators. Existing sponge attacks can be performed during inference via sponge examples or during training via Sponge Poisoning. Sponge examples leverage perturbations added to the model's input to increase energy and latency, while Sponge Poisoning alters the objective function of a model to induce inference-time energy effects. In this work, we propose a novel sponge attack called SkipSponge. SkipSponge is the first sponge attack that is performed directly on the parameters of a pre-trained model using only a few data samples. Our experiments show that SkipSponge can successfully increase the energy consumption of image classification models with fewer samples required than Sponge Poisoning. We show that poisoning defenses are ineffective if not adjusted specifically for the defense against SkipSponge (i.e., they decrease target layer bias values). Our work shows that SkipSponge is more effective on the GANs and the autoencoders than the state-of-the-art. Additionally, SkipSponge is stealthier than the previous Sponge Poisoning attack as it does not require significant changes in the victim model's weights. Our experiments indicate that the SkipSponge attack can be performed even when an attacker has access to only 1% of the entire dataset and reaches up to 13% energy increase.

Related papers

• CleanerCLIP: Fine-grained Counterfactual Semantic Augmentation for Backdoor Defense in Contrastive Learning [53.766434746801366]
  We propose a fine-grained textbfText textbfAlignment textbfCleaner (TA-Cleaner) to cut off feature connections of backdoor triggers. TA-Cleaner achieves state-of-the-art defensiveness among finetuning-based defense techniques.
  arXiv  Detail & Related papers  (2024-09-26T07:35:23Z)
• The Impact of Uniform Inputs on Activation Sparsity and Energy-Latency Attacks in Computer Vision [4.45482419850721]
  Researchers have recently demonstrated that attackers can compute and submit so-called sponge examples at inference time to increase the energy consumption and decision latency of neural networks. In computer vision, the proposed strategy crafts inputs with less activation sparsity which could otherwise be used to accelerate the computation. A uniform image, that is, an image with mostly flat, uniformly colored surfaces, triggers more activations due to a specific interplay of convolution, batch normalization, and ReLU activation.
  arXiv  Detail & Related papers  (2024-03-27T14:11:23Z)
• Diffusion Denoising as a Certified Defense against Clean-label Poisoning [56.04951180983087]
  We show how an off-the-shelf diffusion model can sanitize the tampered training data. We extensively test our defense against seven clean-label poisoning attacks and reduce their attack success to 0-16% with only a negligible drop in the test time accuracy.
  arXiv  Detail & Related papers  (2024-03-18T17:17:07Z)
• Game-Theoretic Unlearnable Example Generator [18.686469222136854]
  Unlearnable example attacks aim to degrade the clean test accuracy of deep learning by adding imperceptible perturbations to the training samples. In this paper, we investigate unlearnable example attacks from a game-theoretic perspective, by formulating the attack as a nonzero sum Stackelberg game. We propose a novel attack method, called the Game Unlearnable Example (GUE), which has three main gradients.
  arXiv  Detail & Related papers  (2024-01-31T00:43:30Z)
• Breaking the De-Pois Poisoning Defense [0.0]
  We show that the attack-agnostic De-Pois defense is hardly an exception to that rule. In our work, we break this poison-protection layer by replicating the critic model and then performing a composed gradient-sign attack on both the critic and target models simultaneously.
  arXiv  Detail & Related papers  (2022-04-03T15:17:47Z)
• Energy-Latency Attacks via Sponge Poisoning [29.779696446182374]
  We are the first to demonstrate that sponge examples can also be injected at training time, via an attack that we call sponge poisoning. This attack allows one to increase the energy consumption and latency of machine-learning models indiscriminately on each test-time input.
  arXiv  Detail & Related papers  (2022-03-14T17:18:10Z)
• Hidden Backdoor Attack against Semantic Segmentation Models [60.0327238844584]
  The emphbackdoor attack intends to embed hidden backdoors in deep neural networks (DNNs) by poisoning training data. We propose a novel attack paradigm, the emphfine-grained attack, where we treat the target label from the object-level instead of the image-level. Experiments show that the proposed methods can successfully attack semantic segmentation models by poisoning only a small proportion of training data.
  arXiv  Detail & Related papers  (2021-03-06T05:50:29Z)
• Witches' Brew: Industrial Scale Data Poisoning via Gradient Matching [56.280018325419896]
  Data Poisoning attacks modify training data to maliciously control a model trained on such data. We analyze a particularly malicious poisoning attack that is both "from scratch" and "clean label" We show that it is the first poisoning method to cause targeted misclassification in modern deep networks trained from scratch on a full-sized, poisoned ImageNet dataset.
  arXiv  Detail & Related papers  (2020-09-04T16:17:54Z)
• Backdoor Attacks to Graph Neural Networks [73.56867080030091]
  We propose the first backdoor attack to graph neural networks (GNN) In our backdoor attack, a GNN predicts an attacker-chosen target label for a testing graph once a predefined subgraph is injected to the testing graph. Our empirical results show that our backdoor attacks are effective with a small impact on a GNN's prediction accuracy for clean testing graphs.
  arXiv  Detail & Related papers  (2020-06-19T14:51:01Z)
• Weight Poisoning Attacks on Pre-trained Models [103.19413805873585]
  We show that it is possible to construct weight poisoning'' attacks where pre-trained weights are injected with vulnerabilities that expose backdoors'' after fine-tuning. Our experiments on sentiment classification, toxicity detection, and spam detection show that this attack is widely applicable and poses a serious threat.
  arXiv  Detail & Related papers  (2020-04-14T16:51:42Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.