Defending and Harnessing the Bit-Flip Based Adversarial Weight Attack

He, Zhezhi; Rakin, Adnan Siraj; Li, Jingtao; Chakrabarti, Chaitali; Fan, Deliang

doi:10.1109/cvpr42600.2020.01410

Cited by 48 publications

(58 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We impose several reasonable constraints on the adversary. The adversary cannot destroy the integrity of the model, i.e., the attacker cannot attack the training process, such as poisoning attacks [70], [77], backdoor attacks [44], [74], nor directly modify the parameters inside the models, e.g., bit-flips attack [31], [73], [80], fault injection attack [4], [47]. Additionally, we assume that the data preprocessing stage cannot be tampered with by an adversary.…”

Section: A Threat Modelmentioning

confidence: 99%

What You See is Not What the Network Infers: Detecting Adversarial Examples Based on Semantic Contradiction

Yang,

Gao,

et al. 2022

Preprint

View full text Add to dashboard Cite

Adversarial examples (AEs) pose severe threats to the applications of deep neural networks (DNNs) to safety-critical domains, e.g., autonomous driving. While there has been a vast body of AE defense solutions, to the best of our knowledge, they all suffer from some weaknesses, e.g., defending against only a subset of AEs or causing a relatively high accuracy loss for legitimate inputs. Moreover, most existing solutions cannot defend against adaptive attacks, wherein attackers are knowledgeable about the defense mechanisms and craft AEs accordingly.In this paper, we propose a novel AE detection framework based on the very nature of AEs, i.e., their semantic information is inconsistent with the discriminative features extracted by the target DNN model. To be specific, the proposed solution, namely ContraNet 1 , models such contradiction by first taking both the input and the inference result to a generator to obtain a synthetic output and then comparing it against the original input. For legitimate inputs that are correctly inferred, the synthetic output tries to reconstruct the input. On the contrary, for AEs, instead of reconstructing the input, the synthetic output would be created to conform to the wrong label whenever possible. Consequently, by measuring the distance between the input and the synthetic output with metric learning, we can differentiate AEs from legitimate inputs. We perform comprehensive evaluations under various AE attack scenarios, and experimental results show that ContraNet outperforms existing solutions by a large margin, especially under adaptive attacks. Moreover, our analysis shows that successful AEs that can bypass ContraNet tend to have much-weakened adversarial semantics. We have also shown that ContraNet can be easily combined with adversarial training techniques to achieve further improved AE defense capabilities.

show abstract

Section: A Threat Modelmentioning

confidence: 99%

What You See is Not What the Network Infers: Detecting Adversarial Examples Based on Semantic Contradiction

Yang,

Gao,

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Lowprecision fixed-point data type has been a common practice of existing DL accelerator design although the motivation is more on increasing the throughput and energy-efficiency for local inferences in edge applications. To defend against bitflip attacks targeting quantized model weights, binarizationaware and piece-wise clustering methods [182] are used to train the DL classifier. Binarization can mimic bit-flip noises on the weights, while piece-wise clustering can add fixed single bit-width constraint during the training process.…”

Section: Defenses and Countermeasuresmentioning

confidence: 99%

“…Binarization can mimic bit-flip noises on the weights, while piece-wise clustering can add fixed single bit-width constraint during the training process. These two training methods can improve the robustness of ResNet-20 and VGG-11 trained on CIFAR-10 dataset by 19.3× and 480.1× respectively, compared to their normally trained counterparts [182]. Weight reconstruction [183] mitigates the effect of bit-flipping by averaging the errors over a grain of weights followed by quantization and clipping of the weight values in a grain.…”

Section: Defenses and Countermeasuresmentioning

confidence: 99%

Two Sides of the Same Coin: Boons and Banes of Machine Learning in Hardware Security

Liu

Chang

Wang

et al. 2021

IEEE J. Emerg. Sel. Topics Circuits Syst.

View full text Add to dashboard Cite

The last decade has witnessed remarkable research advances at the intersection of machine learning (ML) and hardware security. The confluence of the two technologies has created many interesting and unique opportunities, but also left some issues in their wake. ML schemes have been extensively used to enhance the security and trust of embedded systems like hardware Trojans and malware detection. On the other hand, ML-based approaches have also been adopted by adversaries to assist side-channel attacks, reverse engineer integrated circuits and break hardware security primitives like Physically Unclonable Functions (PUFs). Deep learning is a subfield of ML. It can continuously learn from a large amount of labeled data with a layered structure. Despite the impressive outcomes demonstrated by deep learning in many application scenarios, the dark side of it has not been fully exposed yet. The inability to fully understand and explain what has been done within the super-intelligence can turn an inherently benevolent system into malevolent. Recent research has revealed that the outputs of Deep Neural Networks (DNNs) can be easily corrupted by imperceptibly small input perturbations. As computations are brought nearer to the source of data creation, the attack surface of DNN has also been extended from the input data to the edge devices. Accordingly, due to the opportunities of MLassisted security and the vulnerabilities of ML implementation, in this paper, we will survey the applications, vulnerabilities and fortification of ML from the perspective of hardware security. We will discuss the possible future research directions, and thereby, sharing a roadmap for the hardware security community in general.

show abstract

“…Several prior defenses against inference-time fault injection attacks suggest adding specific constraints to the model during training. Authors of [7] show that adding a piece-wise clustering constraint to the training objective or performing binarized training can improve resiliency. Follow-up work [8] proposes to locally reconstruct DNN weights during inference to minimize or defuse the effect of the bitwise error caused by the bit flips.…”

Section: B Existing Defensesmentioning

confidence: 99%

“…In response to bit-flip attacks, prior work suggests adding specific constraints on DNN weights during training such as binarization [6], clustering [7], or block reconstruction [8]. Adding such constraints increases the number of bit-flips required to deplete the inference accuracy, however, they do not entirely mitigate the threat.…”

Section: Introductionmentioning

confidence: 99%

HASHTAG: Hash Signatures for Online Detection of Fault-Injection Attacks on Deep Neural Networks

Javaheripi¹,

Koushanfar²

2021

Preprint

View full text Add to dashboard Cite

We propose HASHTAG, the first framework that enables high-accuracy detection of fault-injection attacks on Deep Neural Networks (DNNs) with provable bounds on detection performance. Recent literature in fault-injection attacks shows the severe DNN accuracy degradation caused by bit flips. In this scenario, the attacker changes a few weight bits during DNN execution by tampering with the program's DRAM memory. To detect runtime bit flips, HASHTAG extracts a unique signature from the benign DNN prior to deployment. The signature is later used to validate the integrity of the DNN and verify the inference output on the fly. We propose a novel sensitivity analysis scheme that accurately identifies the most vulnerable DNN layers to the fault-injection attack. The DNN signature is then constructed by encoding the underlying weights in the vulnerable layers using a low-collision hash function. When the DNN is deployed, new hashes are extracted from the target layers during inference and compared against the ground-truth signatures. HASHTAG incorporates a lightweight methodology that ensures a low-overhead and real-time fault detection on embedded platforms. Extensive evaluations with the state-of-theart bit-flip attack on various DNNs demonstrate the competitive advantage of HASHTAG in terms of both attack detection and execution overhead.

show abstract

Defending and Harnessing the Bit-Flip Based Adversarial Weight Attack

Cited by 48 publications

References 7 publications

What You See is Not What the Network Infers: Detecting Adversarial Examples Based on Semantic Contradiction

What You See is Not What the Network Infers: Detecting Adversarial Examples Based on Semantic Contradiction

Two Sides of the Same Coin: Boons and Banes of Machine Learning in Hardware Security

HASHTAG: Hash Signatures for Online Detection of Fault-Injection Attacks on Deep Neural Networks

Contact Info

Product

Resources

About