TY - JOUR
T1 - Defending and harnessing the bit-Flip based adversarial weight attack
AU - He, Zhezhi
AU - Rakin, Adnan Siraj
AU - Li, Jingtao
AU - Chakrabarti, Chaitali
AU - Fan, Deliang
N1 - Funding Information:
Acknowledgement. This work is supported in part by the National Science Foundation under Grant No. 2005209 and No. 1931871, and by the Semiconductor Research Corporation nCORE.
Publisher Copyright:
©2020 IEEE.
PY - 2020
Y1 - 2020
N2 - Recently, a new paradigm of adversarial attack on quantized neural network weights has attracted great attention, namely the Bit-Flip based adversarial weight attack, a.k.a. Bit-Flip Attack (BFA). BFA has shown extraordinary attacking ability: the adversary can degrade a quantized Deep Neural Network (DNN) to random-guess accuracy through malicious bit-flips on a small set of vulnerable weight bits (e.g., 13 out of 93 million bits of an 8-bit quantized ResNet-18). However, there are no effective defensive methods to enhance the fault-tolerance capability of DNNs against such BFA. In this work, we conduct comprehensive investigations on BFA and propose to leverage binarization-aware training and its relaxation, piece-wise clustering, as simple and effective countermeasures to BFA. The experiments show that, for BFA to achieve the identical prediction accuracy degradation (e.g., below 11% on CIFAR-10), it requires 19.3× and 480.1× more effective malicious bit-flips on ResNet-20 and VGG-11 respectively, compared to defense-free counterparts.
AB - Recently, a new paradigm of adversarial attack on quantized neural network weights has attracted great attention, namely the Bit-Flip based adversarial weight attack, a.k.a. Bit-Flip Attack (BFA). BFA has shown extraordinary attacking ability: the adversary can degrade a quantized Deep Neural Network (DNN) to random-guess accuracy through malicious bit-flips on a small set of vulnerable weight bits (e.g., 13 out of 93 million bits of an 8-bit quantized ResNet-18). However, there are no effective defensive methods to enhance the fault-tolerance capability of DNNs against such BFA. In this work, we conduct comprehensive investigations on BFA and propose to leverage binarization-aware training and its relaxation, piece-wise clustering, as simple and effective countermeasures to BFA. The experiments show that, for BFA to achieve the identical prediction accuracy degradation (e.g., below 11% on CIFAR-10), it requires 19.3× and 480.1× more effective malicious bit-flips on ResNet-20 and VGG-11 respectively, compared to defense-free counterparts.
UR - http://www.scopus.com/inward/record.url?scp=85094568186&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85094568186&partnerID=8YFLogxK
U2 - 10.1109/CVPR42600.2020.01410
DO - 10.1109/CVPR42600.2020.01410
M3 - Conference article
AN - SCOPUS:85094568186
SN - 1063-6919
SP - 14083
EP - 14091
JO - Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition
JF - Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition
M1 - 9156736
T2 - 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2020
Y2 - 14 June 2020 through 19 June 2020
ER -