Name
Abstract | ||
|---|---|---|
Security of modern Deep Neural Networks (DNNs) is under severe scrutiny as the deployment of these models become widespread in many intelligence-based applications. Most recently, DNNs are attacked through Trojan which can effectively infect the model during the training phase and get activated only through specific input patterns (i.e, trigger) during inference. However, in this work, for the first time, we propose a novel Targeted Bit Trojan(TBT), which eliminates the need for model re-training to insert the targeted Trojan. Our algorithm efficiently generates a trigger specifically designed to locate certain vulnerable bits of DNN weights stored in main memory (i.e., DRAM). The objective is that once the attacker flips these vulnerable bits, the network still operates with normal inference accuracy. However, when the attacker activates the trigger embedded with input images, the network classifies all the inputs to a certain target class. We demonstrate that flipping only several vulnerable bits founded by our method, using available bit-flip techniques (i.e, row-hammer), can transform a fully functional DNN model into a Trojan infected model. We perform extensive experiments of CIFAR-10, SVHN and ImageNet datasets on both VGG-16 and Resnet-18 architectures. Our proposed TBT could classify 93% of the test images to a target class with as little as 82 bit-flips out of 88 million weight bits on Resnet-18 for CIFAR10 dataset. |
Year | DOI | Venue |
|---|---|---|
2020 | 10.1109/CVPR42600.2020.01321 | CVPR |
DocType | Citations | PageRank |
Conference | 0 | 0.34 |
References | Authors | |
24 | 3 | |
Name | Order | Citations | PageRank |
|---|---|---|---|
| Adnan Siraj Rakin | 1 | 30 | 7.89 |
| Zhezhi He | 2 | 136 | 25.37 |
| Deliang Fan | 3 | 375 | 53.66 |