RADAR: Run-time Adversarial Weight Attack Detection and Accuracy Recovery

Jingtao Li, Adnan Siraj Rakin, Zhezhi He, Deliang Fan, Chaitali Chakrabarti

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Adversarial attacks on Neural Network weights, such as the progressive bit-flip attack (PBFA), can cause a catastrophic degradation in accuracy by flipping a very small number of bits. Furthermore, PBFA can be conducted at run time on the weights stored in DRAM main memory. In this work, we propose RADAR, a Run-time adversarial weight Attack Detection and Accuracy Recovery scheme to protect DNN weights against PBFA. We organize weights that are interspersed in a layer into groups and employ a checksum-based algorithm on weights to derive a 2-bit signature for each group. At run time, the 2-bit signature is computed and compared with the securely stored golden signature to detect the bit-flip attacks in a group. After successful detection, we zero out all the weights in a group to mitigate the accuracy drop caused by malicious bit-flips. The proposed scheme is embedded in the inference computation stage. For the ResNet-18 ImageNet model, our method can detect 9.6 bit-flips out of 10 on average. For this model, the proposed accuracy recovery scheme can restore the accuracy from below 1% caused by 10 bit flips to above 69%. The proposed method has extremely low time and storage overhead. System-level simulation on gem5 shows that RADAR only adds < 1% to the inference time, making this scheme highly suitable for run-time attack detection and mitigation.
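The detect-and-zero mechanism described in the abstract, as an added illustration that is not the authors' code. The abstract does not give the checksum function, so this example assumes one: the signature is bits 7 and 8 of the signed sum of a group's int8 weights, chosen so that a single MSB flip (a change of +/-128 in one weight) always changes the signature; the group size and the sample weights are constructed for the demonstration.

```python
"""Group-checksum signature, run-time check and accuracy recovery (assumed scheme)."""

GROUP_SIZE = 16  # assumed group size, not taken from the paper


def group_signature(group):
    """2-bit signature: bits 7..8 of the signed sum of the group's int8 weights.

    Adding or subtracting 128 (an MSB flip in two's complement) always changes
    (s >> 7) by exactly 1, so any single MSB flip in the group is detected.
    Low-order flips, or two MSB flips of opposite sign in one group, can
    cancel inside the signature and go undetected.
    """
    s = sum(group)
    return (s >> 7) & 0b11


def compute_signatures(weights, group_size=GROUP_SIZE):
    """Golden signatures, computed once over trusted weights and stored securely."""
    return [group_signature(weights[i:i + group_size])
            for i in range(0, len(weights), group_size)]


def flip_msb(weights, idx):
    """Simulate a single bit flip of bit 7 of the int8 weight at idx (in place)."""
    w = (weights[idx] & 0xFF) ^ 0x80          # to unsigned byte, toggle MSB
    weights[idx] = w - 256 if w >= 128 else w  # back to signed int8


def detect_and_recover(weights, golden, group_size=GROUP_SIZE):
    """Recompute each group's signature; zero out any group that mismatches.

    Returns (recovered_weights, indices_of_flagged_groups).
    """
    recovered = list(weights)
    flagged = []
    for g, start in enumerate(range(0, len(weights), group_size)):
        grp = recovered[start:start + group_size]
        if group_signature(grp) != golden[g]:
            flagged.append(g)
            recovered[start:start + group_size] = [0] * len(grp)
    return recovered, flagged


def demo():
    """Constructed int8 weights: one MSB flip in group 0 is detected and zeroed."""
    weights = [3, -7, 120, -128, 0, 15, -1, 64, 33, -90, 5, 5, -5, 100, -100, 7,
               1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16]
    golden = compute_signatures(weights)
    attacked = list(weights)
    flip_msb(attacked, 3)                       # -128 becomes 0 (+128)
    return detect_and_recover(attacked, golden)


if __name__ == "__main__":
    recovered, flagged = demo()
    print("flagged groups:", flagged, "| group 0 after recovery:", recovered[:16])
```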

Original language: English (US)
Title of host publication: Proceedings of the 2021 Design, Automation and Test in Europe, DATE 2021
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 790-795
Number of pages: 6
ISBN (Electronic): 9783981926354
DOIs
State: Published - Feb 1 2021
Event: 2021 Design, Automation and Test in Europe Conference and Exhibition, DATE 2021 - Virtual, Online
Duration: Feb 1 2021 to Feb 5 2021

Publication series

Name: Proceedings - Design, Automation and Test in Europe, DATE
Volume: 2021-February
ISSN (Print): 1530-1591

Conference

Conference: 2021 Design, Automation and Test in Europe Conference and Exhibition, DATE 2021
City: Virtual, Online
Period: 2/1/21 to 2/5/21

Keywords

  • Neural networks
  • protection
  • run-time detection
  • weight attack

ASJC Scopus subject areas

  • Engineering(all)
