Defending bit-flip attack through DNN weight reconstruction

Jingtao Li; Adnan Siraj Rakin; Yan Xiong; Liangliang Chang; Zhezhi He; Deliang Fan; Chaitali Chakrabarti

doi:10.1109/DAC18072.2020.9218665

Defending bit-flip attack through DNN weight reconstruction

Jingtao Li, Adnan Siraj Rakin, Yan Xiong, Liangliang Chang, Zhezhi He, Deliang Fan, Chaitali Chakrabarti

Electrical, Computer, and Energy Engineering, School of (IAFSE-ECEE)

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

29 Scopus citations

Abstract

Recent studies show that adversarial attacks on neural network weights, aka, Bit-Flip Attack (BFA), can degrade Deep Neural Network's (DNN) prediction accuracy severely. In this work, we propose a novel weight reconstruction method as a countermeasure to such BFAs. Specifically, during inference, the weights are reconstructed such that the weight perturbation due to BFA is minimized or diffused to the neighboring weights. We have successfully demonstrated that our method can significantly improve the DNN robustness against random and gradient-based BFA variants. Even under the most aggressive attacks (i.e., greedy progressive bit search), our method maintains a test accuracy of 60% on ImageNet after 5 iterations while the baseline accuracy drops to below 1%.

Original language	English (US)
Title of host publication	2020 57th ACM/IEEE Design Automation Conference, DAC 2020
Publisher	Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)	9781450367257
DOIs	https://doi.org/10.1109/DAC18072.2020.9218665
State	Published - Jul 2020
Event	57th ACM/IEEE Design Automation Conference, DAC 2020 - Virtual, San Francisco, United States Duration: Jul 20 2020 → Jul 24 2020

Publication series

Name	Proceedings - Design Automation Conference
Volume	2020-July
ISSN (Print)	0738-100X

Conference

Conference	57th ACM/IEEE Design Automation Conference, DAC 2020
Country/Territory	United States
City	Virtual, San Francisco
Period	7/20/20 → 7/24/20

Keywords

Bit-Flip Attack
Row-Hammer Attack
Security of Deep Neural Network

ASJC Scopus subject areas

Computer Science Applications
Control and Systems Engineering
Electrical and Electronic Engineering
Modeling and Simulation

Access to Document

10.1109/DAC18072.2020.9218665

Cite this

Li, J., Rakin, A. S., Xiong, Y., Chang, L., He, Z., Fan, D., & Chakrabarti, C. (2020). Defending bit-flip attack through DNN weight reconstruction. In 2020 57th ACM/IEEE Design Automation Conference, DAC 2020 Article 9218665 (Proceedings - Design Automation Conference; Vol. 2020-July). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/DAC18072.2020.9218665

Defending bit-flip attack through DNN weight reconstruction. / Li, Jingtao; Rakin, Adnan Siraj; Xiong, Yan et al.
2020 57th ACM/IEEE Design Automation Conference, DAC 2020. Institute of Electrical and Electronics Engineers Inc., 2020. 9218665 (Proceedings - Design Automation Conference; Vol. 2020-July).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Li, J, Rakin, AS, Xiong, Y, Chang, L, He, Z, Fan, D & Chakrabarti, C 2020, Defending bit-flip attack through DNN weight reconstruction. in 2020 57th ACM/IEEE Design Automation Conference, DAC 2020., 9218665, Proceedings - Design Automation Conference, vol. 2020-July, Institute of Electrical and Electronics Engineers Inc., 57th ACM/IEEE Design Automation Conference, DAC 2020, Virtual, San Francisco, United States, 7/20/20. https://doi.org/10.1109/DAC18072.2020.9218665

@inproceedings{b5950884a6eb42a1a55c78ecaffffa55,

title = "Defending bit-flip attack through DNN weight reconstruction",

abstract = "Recent studies show that adversarial attacks on neural network weights, aka, Bit-Flip Attack (BFA), can degrade Deep Neural Network's (DNN) prediction accuracy severely. In this work, we propose a novel weight reconstruction method as a countermeasure to such BFAs. Specifically, during inference, the weights are reconstructed such that the weight perturbation due to BFA is minimized or diffused to the neighboring weights. We have successfully demonstrated that our method can significantly improve the DNN robustness against random and gradient-based BFA variants. Even under the most aggressive attacks (i.e., greedy progressive bit search), our method maintains a test accuracy of 60% on ImageNet after 5 iterations while the baseline accuracy drops to below 1%.",

keywords = "Bit-Flip Attack, Row-Hammer Attack, Security of Deep Neural Network",

author = "Jingtao Li and Rakin, {Adnan Siraj} and Yan Xiong and Liangliang Chang and Zhezhi He and Deliang Fan and Chaitali Chakrabarti",

note = "Publisher Copyright: {\textcopyright} 2020 IEEE. Copyright: Copyright 2020 Elsevier B.V., All rights reserved.; 57th ACM/IEEE Design Automation Conference, DAC 2020 ; Conference date: 20-07-2020 Through 24-07-2020",

year = "2020",

month = jul,

doi = "10.1109/DAC18072.2020.9218665",

language = "English (US)",

series = "Proceedings - Design Automation Conference",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

booktitle = "2020 57th ACM/IEEE Design Automation Conference, DAC 2020",

}

TY - GEN

T1 - Defending bit-flip attack through DNN weight reconstruction

AU - Li, Jingtao

AU - Rakin, Adnan Siraj

AU - Xiong, Yan

AU - Chang, Liangliang

AU - He, Zhezhi

AU - Fan, Deliang

AU - Chakrabarti, Chaitali

PY - 2020/7

Y1 - 2020/7

N2 - Recent studies show that adversarial attacks on neural network weights, aka, Bit-Flip Attack (BFA), can degrade Deep Neural Network's (DNN) prediction accuracy severely. In this work, we propose a novel weight reconstruction method as a countermeasure to such BFAs. Specifically, during inference, the weights are reconstructed such that the weight perturbation due to BFA is minimized or diffused to the neighboring weights. We have successfully demonstrated that our method can significantly improve the DNN robustness against random and gradient-based BFA variants. Even under the most aggressive attacks (i.e., greedy progressive bit search), our method maintains a test accuracy of 60% on ImageNet after 5 iterations while the baseline accuracy drops to below 1%.

AB - Recent studies show that adversarial attacks on neural network weights, aka, Bit-Flip Attack (BFA), can degrade Deep Neural Network's (DNN) prediction accuracy severely. In this work, we propose a novel weight reconstruction method as a countermeasure to such BFAs. Specifically, during inference, the weights are reconstructed such that the weight perturbation due to BFA is minimized or diffused to the neighboring weights. We have successfully demonstrated that our method can significantly improve the DNN robustness against random and gradient-based BFA variants. Even under the most aggressive attacks (i.e., greedy progressive bit search), our method maintains a test accuracy of 60% on ImageNet after 5 iterations while the baseline accuracy drops to below 1%.

KW - Bit-Flip Attack

KW - Row-Hammer Attack

KW - Security of Deep Neural Network

UR - http://www.scopus.com/inward/record.url?scp=85093928301&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85093928301&partnerID=8YFLogxK

U2 - 10.1109/DAC18072.2020.9218665

DO - 10.1109/DAC18072.2020.9218665

M3 - Conference contribution

AN - SCOPUS:85093928301

T3 - Proceedings - Design Automation Conference

BT - 2020 57th ACM/IEEE Design Automation Conference, DAC 2020

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 57th ACM/IEEE Design Automation Conference, DAC 2020

Y2 - 20 July 2020 through 24 July 2020

ER -

Defending bit-flip attack through DNN weight reconstruction

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this