Title | ||
---|---|---|
T-BFA: Targeted Bit-Flip Adversarial Weight Attack |
Abstract | ||
---|---|---|
Traditional Deep Neural Network (DNN) security is mostly related to the well-known adversarial input example attack. Recently, another dimension of adversarial attack, namely, attack on DNN weight parameters, has been shown to be very powerful. As a representative one, the Bit-Flip-based adversarial weight Attack (BFA) injects an extremely small amount of faults into weight parameters to hijack the executing DNN function. Prior works of BFA focus on *un-targeted* attack that can hack all inputs into a random output class by flipping a very small number of weight bits stored in computer memory. This paper proposes the first work of *targeted* BFA based (T-BFA) adversarial weight attack on DNNs, which can intentionally mislead selected inputs to a target output class. The objective is achieved by identifying the weight bits that are highly associated with classification of a targeted output through a *class-dependent vulnerable weight bit searching* algorithm. Our proposed T-BFA performance is successfully demonstrated on multiple DNN architectures for image classification tasks. For example, by merely flipping 27 out of 88 million weight bits of ResNet-18, our T-BFA can misclassify all the images from ’Hen’ class into ’Goose’ class (i.e., 100% attack success rate) in ImageNet dataset, while maintaining 59.35% validation accuracy. Moreover, we successfully demonstrate our T-BFA attack in a real computer prototype system running DNN computation, with Ivy Bridge-based Intel i7 CPU and 8GB DDR3 memory. |
Year | DOI | Venue |
---|---|---|
2022 | 10.1109/TPAMI.2021.3112932 | IEEE Transactions on Pattern Analysis and Machine Intelligence |
Keywords | DocType | Volume |
---|---|---|
Deep learning, security, targeted weight attack, bit-flip | Journal | 44 |
Issue | ISSN | Citations |
---|---|---|
11 | 0162-8828 | 2 |
PageRank | References | Authors |
---|---|---|
0.41 | 8 | 6 |
Name | Order | Citations | PageRank |
---|---|---|---|
Adnan Siraj Rakin | 1 | 30 | 7.89 |
Zhezhi He | 2 | 136 | 25.37 |
Jingtao Li | 3 | 3 | 4.15 |
Fan Yao | 4 | 9 | 4.23 |
Chaitali Chakrabarti | 5 | 1978 | 184.17 |
Deliang Fan | 6 | 375 | 53.66 |