Bai Jiawang, Wu Baoyuan, Li Zhifeng, Xia Shu-Tao
IEEE Trans Pattern Anal Mach Intell. 2023 Nov;45(11):13653-13665. doi: 10.1109/TPAMI.2023.3296408. Epub 2023 Oct 3.
Many attack paradigms against deep neural networks have been well studied, such as the backdoor attack in the training stage and the adversarial attack in the inference stage. In this article, we study a novel attack paradigm, the bit-flip based weight attack, which directly modifies weight bits of the attacked model in the deployment stage. To meet various attack scenarios, we propose a general formulation including terms to achieve effectiveness and stealthiness goals and a constraint on the number of bit-flips. Furthermore, benefitting from this extensible and flexible formulation, we present two cases with different malicious purposes, i.e., single sample attack (SSA) and triggered samples attack (TSA). SSA which aims at misclassifying a specific sample into a target class is a binary optimization with determining the state of the binary bits (0 or 1); TSA which is to misclassify the samples embedded with a specific trigger is a mixed integer programming (MIP) with flipped bits and a learnable trigger. Utilizing the latest technique in integer programming, we equivalently reformulate them as continuous optimization problems, whose approximate solutions can be effectively and efficiently obtained by the alternating direction method of multipliers (ADMM) method. Extensive experiments demonstrate the superiority of our methods.
针对深度神经网络的许多攻击范式已得到充分研究,例如训练阶段的后门攻击和推理阶段的对抗攻击。在本文中,我们研究了一种新颖的攻击范式,即基于位翻转的权重攻击,它在部署阶段直接修改被攻击模型的权重位。为了满足各种攻击场景,我们提出了一个通用公式,包括实现有效性和隐蔽性目标的项以及对位翻转次数的约束。此外,受益于这种可扩展且灵活的公式,我们提出了两种具有不同恶意目的的情况,即单样本攻击(SSA)和触发样本攻击(TSA)。旨在将特定样本误分类到目标类别的SSA是一种确定二进制位(0或1)状态的二元优化;TSA是将嵌入特定触发器的样本误分类,是一种具有翻转位和可学习触发器的混合整数规划(MIP)。利用整数规划中的最新技术,我们将它们等效地重新表述为连续优化问题,其近似解可以通过乘子交替方向法(ADMM)有效地获得。大量实验证明了我们方法的优越性。
