Rakin Adnan Siraj, He Zhezhi, Li Jingtao, Yao Fan, Chakrabarti Chaitali, Fan Deliang
IEEE Trans Pattern Anal Mach Intell. 2021 Sep 16;PP. doi: 10.1109/TPAMI.2021.3112932.
Traditional Deep Neural Network (DNN) security is mostly related to the well-known adversarial input example attack. Recently, another dimension of adversarial attack, namely, attack on DNN weight parameters, has been shown to be very powerful. As a representative one, the Bit-Flip based adversarial weight Attack (BFA) injects an extremely small amount of faults into weight parameters to hijack the executing DNN function. Prior works on BFA focus on un-targeted attacks that can hack all inputs into a random output class by flipping a very small number of weight bits stored in computer memory. This paper proposes the first work of targeted BFA based (T-BFA) adversarial weight attack on DNNs, which can intentionally mislead selected inputs to a target output class. The objective is achieved by identifying the weight bits that are highly associated with classification of a targeted output through a class-dependent weight bit searching algorithm. Our proposed T-BFA performance is successfully demonstrated on multiple DNN architectures for image classification tasks. For example, by merely flipping 27 out of 88 million weight bits of ResNet-18, our T-BFA can misclassify all the images from the Hen class into the Goose class (i.e., 100% attack success rate) in the ImageNet dataset, while maintaining 59.35% validation accuracy.