ZeBRA: Precisely Destroying Neural Networks with Zero-Data Based Repeated Bit Flip Attack

Dahoon Park; Kon Woo Kwon; Sunghoon Im; Jaeha Kung

ZeBRA: Precisely Destroying Neural Networks with Zero-Data Based Repeated Bit Flip Attack

Dahoon Park, Kon Woo Kwon, Sunghoon Im, Jaeha Kung

Department of Electrical Engineering and Computer Science

Research output: Contribution to conference › Paper › peer-review

Abstract

In this paper, we present Zero-data Based Repeated bit flip Attack (ZeBRA) that precisely destroys deep neural networks (DNNs) by synthesizing its own attack datasets. Many prior works on adversarial weight attack require not only the weight parameters, but also the training or test dataset in searching vulnerable bits to be attacked. We propose to synthesize the attack dataset, named distilled target data, by utilizing the statistics of batch normalization layers in the victim DNN model. Equipped with the distilled target data, our ZeBRA algorithm can search vulnerable bits in the model without accessing training or test dataset. Thus, our approach makes the adversarial weight attack more fatal to the security of DNNs. Our experimental results show that 2.0× (CIFAR-10) and 1.6× (ImageNet) less number of bit flips are required on average to destroy DNNs compared to the previous attack method. Our code is available at https://github.com/pdh930105/ZeBRA.

Original language	English
State	Published - 2021
Event	32nd British Machine Vision Conference, BMVC 2021 - Virtual, Online Duration: 22 Nov 2021 → 25 Nov 2021

Conference

Conference	32nd British Machine Vision Conference, BMVC 2021
City	Virtual, Online
Period	22/11/21 → 25/11/21

Bibliographical note

Publisher Copyright:
© 2021. The copyright of this document resides with its authors.

Cite this

@conference{9ae94c2aadcd4dfeab653a983a009205,

title = "ZeBRA: Precisely Destroying Neural Networks with Zero-Data Based Repeated Bit Flip Attack",

abstract = "In this paper, we present Zero-data Based Repeated bit flip Attack (ZeBRA) that precisely destroys deep neural networks (DNNs) by synthesizing its own attack datasets. Many prior works on adversarial weight attack require not only the weight parameters, but also the training or test dataset in searching vulnerable bits to be attacked. We propose to synthesize the attack dataset, named distilled target data, by utilizing the statistics of batch normalization layers in the victim DNN model. Equipped with the distilled target data, our ZeBRA algorithm can search vulnerable bits in the model without accessing training or test dataset. Thus, our approach makes the adversarial weight attack more fatal to the security of DNNs. Our experimental results show that 2.0× (CIFAR-10) and 1.6× (ImageNet) less number of bit flips are required on average to destroy DNNs compared to the previous attack method. Our code is available at https://github.com/pdh930105/ZeBRA.",

author = "Dahoon Park and Kwon, \{Kon Woo\} and Sunghoon Im and Jaeha Kung",

note = "Publisher Copyright: {\textcopyright} 2021. The copyright of this document resides with its authors.; 32nd British Machine Vision Conference, BMVC 2021 ; Conference date: 22-11-2021 Through 25-11-2021",

year = "2021",

language = "English",

}

TY - CONF

T1 - ZeBRA

T2 - 32nd British Machine Vision Conference, BMVC 2021

AU - Park, Dahoon

AU - Kwon, Kon Woo

AU - Im, Sunghoon

AU - Kung, Jaeha

PY - 2021

Y1 - 2021

N2 - In this paper, we present Zero-data Based Repeated bit flip Attack (ZeBRA) that precisely destroys deep neural networks (DNNs) by synthesizing its own attack datasets. Many prior works on adversarial weight attack require not only the weight parameters, but also the training or test dataset in searching vulnerable bits to be attacked. We propose to synthesize the attack dataset, named distilled target data, by utilizing the statistics of batch normalization layers in the victim DNN model. Equipped with the distilled target data, our ZeBRA algorithm can search vulnerable bits in the model without accessing training or test dataset. Thus, our approach makes the adversarial weight attack more fatal to the security of DNNs. Our experimental results show that 2.0× (CIFAR-10) and 1.6× (ImageNet) less number of bit flips are required on average to destroy DNNs compared to the previous attack method. Our code is available at https://github.com/pdh930105/ZeBRA.

AB - In this paper, we present Zero-data Based Repeated bit flip Attack (ZeBRA) that precisely destroys deep neural networks (DNNs) by synthesizing its own attack datasets. Many prior works on adversarial weight attack require not only the weight parameters, but also the training or test dataset in searching vulnerable bits to be attacked. We propose to synthesize the attack dataset, named distilled target data, by utilizing the statistics of batch normalization layers in the victim DNN model. Equipped with the distilled target data, our ZeBRA algorithm can search vulnerable bits in the model without accessing training or test dataset. Thus, our approach makes the adversarial weight attack more fatal to the security of DNNs. Our experimental results show that 2.0× (CIFAR-10) and 1.6× (ImageNet) less number of bit flips are required on average to destroy DNNs compared to the previous attack method. Our code is available at https://github.com/pdh930105/ZeBRA.

UR - https://www.scopus.com/pages/publications/85176140789

M3 - Paper

AN - SCOPUS:85176140789

Y2 - 22 November 2021 through 25 November 2021

ER -

ZeBRA: Precisely Destroying Neural Networks with Zero-Data Based Repeated Bit Flip Attack

Abstract

Conference

Bibliographical note

Other files and links

Fingerprint

Cite this