Versatile Weight Attack via Flipping Limited Bits

Abstract: To explore the vulnerability of deep neural networks (DNNs), many attack paradigms have been well studied, such as the poisoning-based backdoor attack in the training stage and the adversarial attack in the inference stage. In this paper, we study a novel attack paradigm, which modifies model parameters in the deployment stage. Considering the effectiveness and stealthiness goals, we provide a general formulation to perform the bit-flip based weight attack, where the effectiveness term could be customized depe… Show more

“…), where g denotes the logit Subnet replacement attack (SRA) [150] Replacing one subnet in the benign model by the backdoor subnet and cutting off the connection to remaining part of the model Triggered samples attack (TSA) [11] Extension of TA-LBF by introducing a trigger xε − x 0 , and optimizing wε and trigger xε − x 0 jointly by solving a mixed integer programming problem, such that the modified model will be activated by the trigger finally retrained the model based on the recovered training data and its poisoned version with the generated trigger to achieve the targeted attack. It was very practical since no training data was required.…”

“…Note that although this method was named as backdoor, but it actually belonged to the weight attack with trigger. The triggered samples attack (TSA) [11] extended TA-LBF [12] by introducing a trigger x ε − x 0 , and optimized w ε and trigger x ε − x 0 jointly by solving a mixed integer programming problem. Consequently, the modified model f wε (•) will give the prediction y ε on any sample with the optimized trigger.…”

Adversarial Machine Learning: A Systematic Survey of Backdoor Attack, Weight Attack and Adversarial Example

“…), where g denotes the logit Subnet replacement attack (SRA) [150] Replacing one subnet in the benign model by the backdoor subnet and cutting off the connection to remaining part of the model Triggered samples attack (TSA) [11] Extension of TA-LBF by introducing a trigger xε − x 0 , and optimizing wε and trigger xε − x 0 jointly by solving a mixed integer programming problem, such that the modified model will be activated by the trigger finally retrained the model based on the recovered training data and its poisoned version with the generated trigger to achieve the targeted attack. It was very practical since no training data was required.…”

“…Note that although this method was named as backdoor, but it actually belonged to the weight attack with trigger. The triggered samples attack (TSA) [11] extended TA-LBF [12] by introducing a trigger x ε − x 0 , and optimized w ε and trigger x ε − x 0 jointly by solving a mixed integer programming problem. Consequently, the modified model f wε (•) will give the prediction y ε on any sample with the optimized trigger.…”

Adversarial Machine Learning: A Systematic Survey of Backdoor Attack, Weight Attack and Adversarial Example