Hardware Trojan Design on Neural Networks

Clements, J. Clancy; Lao, Yingjie

doi:10.1109/iscas.2019.8702493

Cited by 62 publications

(58 citation statements)

References 34 publications

(40 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In addition to attacks mentioned in §2.1, Chen et al proposed a backdoor attack under a more restricted scenario, where the attacker can only pollute a limited portion of training set [13]. Another line of work directly tampers with the hardware a DNN model runs on [15,28]. Such backdoor circuits could also affect the model performance when a trigger is present.…”

Section: Related Workmentioning

confidence: 99%

Latent Backdoor Attacks on Deep Neural Networks

Yao

Zheng

et al. 2019

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

262

169

View full text Add to dashboard Cite

Recent work has proposed the concept of backdoor attacks on deep neural networks (DNNs), where misbehaviors are hidden inside "normal" models, only to be triggered by very specific inputs. In practice, however, these attacks are difficult to perform and highly constrained by sharing of models through transfer learning. Adversaries have a small window during which they must compromise the student model before it is deployed.In this paper, we describe a significantly more powerful variant of the backdoor attack, latent backdoors, where hidden rules can be embedded in a single "Teacher" model, and automatically inherited by all "Student" models through the transfer learning process. We show that latent backdoors can be quite effective in a variety of application contexts, and validate its practicality through real-world attacks against traffic sign recognition, iris identification of lab volunteers, and facial recognition of public figures (politicians). Finally, we evaluate 4 potential defenses, and find that only one is effective in disrupting latent backdoors, but might incur a cost in classification accuracy as tradeoff.

show abstract

Section: Related Workmentioning

confidence: 99%

Latent Backdoor Attacks on Deep Neural Networks

Yao

Zheng

et al. 2019

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

262

169

View full text Add to dashboard Cite

show abstract

“…However, we are still at the rudimentary stage towards investigating the effect of network parameter attack on neural network accuracy. Neural network parameters have been attacked using different levels of hardware trojans, which require a specific pattern of input to trigger the trojan inside the network [26]. Moreover, such trojan attack requires hardware level modifications, which may not be feasible in many practical applications.…”

Section: Related Workmentioning

confidence: 99%

Bit-Flip Attack: Crushing Neural Network With Progressive Bit Search

Rakin

Fan

2019

2019 IEEE/CVF International Conference on Computer Vision (ICCV)

143

View full text Add to dashboard Cite

Several important security issues of Deep Neural Network (DNN) have been raised recently associated with different applications and components. The most widely investigated security concern of DNN is from its malicious input, a.k.a adversarial example. Nevertheless, the security challenge of DNN's parameters is not well explored yet. In this work, we are the first to propose a novel DNN weight attack methodology called Bit-Flip Attack (BFA) which can crush a neural network through maliciously flipping extremely small amount of bits within its weight storage memory system (i.e., DRAM). The bit-flip operations could be conducted through well-known Row-Hammer attack, while our main contribution is to develop an algorithm to identify the most vulnerable bits of DNN weight parameters (stored in memory as binary bits), that could maximize the accuracy degradation with a minimum number of bit-flips. Our proposed BFA utilizes a Progressive Bit Search (PBS) method which combines gradient ranking and progressive search to identify the most vulnerable bit to be flipped. With the aid of PBS, we can successfully attack a ResNet-18 fully malfunction (i.e., top-1 accuracy degrade from 69.8% to 0.1%) only through 13 bit-flips out of 93 million bits, while randomly flipping 100 bits merely degrades the accuracy by less than 1%.

show abstract

“…Wang Bolun et al [9] analyzed the attack success rate using various image datasets for backdoor attacks. Clements and Lao [13] proposed a method directly to access DNN hardware and cause DNN misrecognition between running processes. This method used the backdoor circuits as triggers to misrecognize the model.…”

Section: A Backdoor Attack Methodsmentioning

confidence: 99%

Detecting Backdoor Attacks via Class Difference in Deep Neural Networks

Kwon

2020

IEEE Access

View full text Add to dashboard Cite

A backdoor attack implies that deep neural networks misrecognize data that have a specific trigger by additionally training the malicious training data, including the specific trigger to the deep neural network model. In this method, the deep neural network correctly recognizes normal data without triggers, but the network misrecognizes data containing a specific trigger as a target class chosen by the attacker. In this paper, I propose a defense method against backdoor attacks using a detection model. This method detects the backdoor sample by comparing the output result of the target model with that of the model that trained the original secure training dataset. This is a defense method without trigger reverse or access to the entire training dataset. As an experimental environment, I used the Tensorflow machine-learning library, MNIST, and Fashion-MNIST as datasets. The results show that when the partial training data for the detection model are 200, the proposed method showed detection rates of 70.1% and 74.4% for the backdoor samples in MNIST and Fashion-MNIST, respectively.

show abstract

Hardware Trojan Design on Neural Networks

Cited by 62 publications

References 34 publications

Latent Backdoor Attacks on Deep Neural Networks

Latent Backdoor Attacks on Deep Neural Networks

Bit-Flip Attack: Crushing Neural Network With Progressive Bit Search

Detecting Backdoor Attacks via Class Difference in Deep Neural Networks

Contact Info

Product

Resources

About