DeepNcode: Encoding-Based Protection against Bit-Flip Attacks on Neural Networks
- URL: http://arxiv.org/abs/2405.13891v2
- Date: Sun, 2 Jun 2024 08:23:56 GMT
- Title: DeepNcode: Encoding-Based Protection against Bit-Flip Attacks on Neural Networks
- Authors: Patrik Velčický, Jakub Breier, Mladen Kovačević, Xiaolu Hou
- Abstract summary: We introduce an encoding-based protection method against bit-flip attacks on neural networks, titled DeepNcode.
Our results show an increase in protection margin of up to $7.6\times$ for 4-bit and $12.4\times$ for 8-bit quantized networks.
- Score: 4.734824660843964
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Fault injection attacks are a potent threat against embedded implementations of neural network models. Several attack vectors have been proposed, such as misclassification, model extraction, and trojan/backdoor planting. Most of these attacks work by flipping bits in the memory where quantized model parameters are stored. In this paper, we introduce an encoding-based protection method against bit-flip attacks on neural networks, titled DeepNcode. We experimentally evaluate our proposal with several publicly available models and datasets, by using state-of-the-art bit-flip attacks: BFA, T-BFA, and TA-LBF. Our results show an increase in protection margin of up to $7.6\times$ for $4-$bit and $12.4\times$ for $8-$bit quantized networks. Memory overheads start at $50\%$ of the original network size, while the time overheads are negligible. Moreover, DeepNcode does not require retraining and does not change the original accuracy of the model.
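The mechanism exploited by BFA-style attacks, and the encoding idea that counters it, can be sketched in a few lines of Python. The sketch below is purely illustrative and is not the DeepNcode construction: the 4-bit-to-8-bit mapping, the minimum Hamming distance of 3, and the greedy code search are all assumptions made for the example. The point it shows is that if each quantized weight is stored as a codeword, a bit flipped in memory yields a non-codeword that is detected when the weight is loaded.

```python
# Illustrative sketch only (assumed parameters, not the DeepNcode code table):
# store each 4-bit quantized weight as an 8-bit codeword with large pairwise
# Hamming distance, so a memory bit flip is detectable at load time.

def hamming(a: int, b: int) -> int:
    """Hamming distance between two words."""
    return bin(a ^ b).count("1")

def build_code(num_values: int = 16, word_bits: int = 8, min_dist: int = 3):
    """Greedily pick `num_values` codewords of `word_bits` bits with pairwise
    Hamming distance >= `min_dist` (a toy stand-in for a proper code table)."""
    code = []
    for candidate in range(2 ** word_bits):
        if all(hamming(candidate, c) >= min_dist for c in code):
            code.append(candidate)
        if len(code) == num_values:
            return code
    raise ValueError("no code with the requested parameters found")

CODE = build_code()                  # maps 4-bit weight index -> 8-bit codeword
DECODE = {c: i for i, c in enumerate(CODE)}

def encode_weight(q: int) -> int:
    """Store a 4-bit quantized weight (0..15) as a protected codeword."""
    return CODE[q]

def check_and_decode(word: int) -> int:
    """Return the weight if `word` is a valid codeword, else flag tampering."""
    if word not in DECODE:
        raise RuntimeError("bit-flip detected: stored word is not a codeword")
    return DECODE[word]

# A single bit flip (the basic BFA fault model) is caught when the weight
# is read back, because the flipped word is no longer a valid codeword.
w = encode_weight(9)
faulty = w ^ (1 << 5)                # attacker flips one bit in memory
try:
    check_and_decode(faulty)
except RuntimeError as err:
    print(err)
```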
Related papers
- One-bit Flip is All You Need: When Bit-flip Attack Meets Model Training [54.622474306336635]
A new weight modification attack called bit flip attack (BFA) was proposed, which exploits memory fault injection techniques.
We propose a training-assisted bit flip attack, in which the adversary is involved in the training stage to build a high-risk model to release.
arXiv Detail & Related papers (2023-08-12T09:34:43Z)
- Hindering Adversarial Attacks with Implicit Neural Representations [25.422201099331637]
Lossy Implicit Network Activation Coding (LINAC) defence successfully hinders several common adversarial attacks.
We devise a Parametric Bypass Approximation (PBA) attack strategy for key-based defences, which successfully invalidates an existing method in this category.
arXiv Detail & Related papers (2022-10-22T13:10:24Z)
- Few-shot Backdoor Attacks via Neural Tangent Kernels [31.85706783674533]
In a backdoor attack, an attacker injects corrupted examples into the training set.
Central to these attacks is the trade-off between the success rate of the attack and the number of corrupted training examples injected.
We use neural tangent kernels to approximate the training dynamics of the model being attacked and automatically learn strong poison examples.
arXiv Detail & Related papers (2022-10-12T05:30:00Z)
- Radial Spike and Slab Bayesian Neural Networks for Sparse Data in Ransomware Attacks [7.599718568619666]
We propose a new type of Bayesian neural network that includes a new form of the approximate posterior distribution.
We demonstrate the performance of our model on a real dataset of ransomware attacks and show improvement over a large number of baselines.
In addition, we propose to represent low-level events as MITRE ATT&CK tactics, techniques, and procedures (TTPs) which allows the model to better generalize to unseen ransomware attacks.
arXiv Detail & Related papers (2022-05-29T20:18:14Z)
- Hidden Backdoor Attack against Semantic Segmentation Models [60.0327238844584]
The backdoor attack intends to embed hidden backdoors in deep neural networks (DNNs) by poisoning training data.
We propose a novel attack paradigm, the fine-grained attack, where we treat the target label at the object level instead of the image level.
Experiments show that the proposed methods can successfully attack semantic segmentation models by poisoning only a small proportion of training data.
arXiv Detail & Related papers (2021-03-06T05:50:29Z)
- Targeted Attack against Deep Neural Networks via Flipping Limited Weight Bits [55.740716446995805]
We study a novel attack paradigm, which modifies model parameters in the deployment stage for malicious purposes.
Our goal is to misclassify a specific sample into a target class without any sample modification.
We formulate the attack as a binary integer programming (BIP) problem and, by utilizing the latest technique in integer programming, equivalently reformulate it as a continuous optimization problem.
arXiv Detail & Related papers (2021-02-21T03:13:27Z)
- Red Alarm for Pre-trained Models: Universal Vulnerability to Neuron-Level Backdoor Attacks [98.15243373574518]
Pre-trained models (PTMs) have been widely used in various downstream tasks.
In this work, we demonstrate the universal vulnerability of PTMs, where fine-tuned PTMs can be easily controlled by backdoor attacks.
arXiv Detail & Related papers (2021-01-18T10:18:42Z)
- Cassandra: Detecting Trojaned Networks from Adversarial Perturbations [92.43879594465422]
In many cases, pre-trained models are sourced from vendors who may have disrupted the training pipeline to insert Trojan behaviors into the models.
We propose a method to verify if a pre-trained model is Trojaned or benign.
Our method captures fingerprints of neural networks in the form of adversarial perturbations learned from the network gradients.
arXiv Detail & Related papers (2020-07-28T19:00:40Z)
- Defending against Backdoor Attack on Deep Neural Networks [98.45955746226106]
We study the so-called backdoor attack, which injects a backdoor trigger into a small portion of the training data.
Experiments show that our method could effectively decrease the attack success rate, and also hold a high classification accuracy for clean images.
arXiv Detail & Related papers (2020-02-26T02:03:00Z)
- SNIFF: Reverse Engineering of Neural Networks with Fault Attacks [26.542434084399265]
We explore the possibility of reverse engineering neural networks using fault attacks.
SNIFF stands for sign bit flip fault, which enables reverse engineering by changing the sign of intermediate values (a toy illustration follows after this entry).
We develop the first exact extraction method on deep-layer feature extractor networks that provably allows the recovery of the model parameters.
arXiv Detail & Related papers (2020-02-23T05:39:54Z)
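For intuition, the sign-bit-flip fault that SNIFF builds on can be mimicked in software. The snippet below is only a toy illustration of that single fault primitive, under the assumption that the intermediate value is stored as an IEEE-754 single-precision float; it is not the paper's extraction method.

```python
# Toy sketch of the SNIFF fault model: flip the sign bit of an intermediate
# value stored as an IEEE-754 single-precision float. (Illustrative only; the
# paper's extraction algorithm builds on faults like this, not on this code.)
import struct

def flip_sign_bit(x: float) -> float:
    """Return `x` with the sign bit of its float32 representation flipped."""
    (bits,) = struct.unpack("<I", struct.pack("<f", x))
    bits ^= 0x8000_0000                      # bit 31 is the sign bit
    (faulted,) = struct.unpack("<f", struct.pack("<I", bits))
    return faulted

activation = 0.7321
print(flip_sign_bit(activation))             # approx. -0.7321 (float32 rounding)
```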