Practical Fault Attack on Deep Neural Networks

Breier, Jakub; Hou, Xiaolu; Jap, Dirmanto; Ма, Лей; Bhasin, Shivam; Liu, Yang

doi:10.1145/3243734.3278519

Cited by 106 publications

(107 citation statements)

References 14 publications

Supporting

Mentioning

107

Contrasting

Order By: Relevance

“…Progressive bit search is the very first attack bit searching algorithm developed to malfunction a quantized neural network through perturbation of stored model parameters using row hammer attack. We already showed in previous section that the previous attack algorithms [12,20] on floating-point model parameters are not efficient. They do not consider that attacking floating point DNN model is as easy as flipping most significant exponent bits of any random weights.…”

Section: Comparison To Other Methodsmentioning

confidence: 95%

Bit-Flip Attack: Crushing Neural Network With Progressive Bit Search

Rakin

Fan

2019

2019 IEEE/CVF International Conference on Computer Vision (ICCV)

164

View full text Add to dashboard Cite

Several important security issues of Deep Neural Network (DNN) have been raised recently associated with different applications and components. The most widely investigated security concern of DNN is from its malicious input, a.k.a adversarial example. Nevertheless, the security challenge of DNN's parameters is not well explored yet. In this work, we are the first to propose a novel DNN weight attack methodology called Bit-Flip Attack (BFA) which can crush a neural network through maliciously flipping extremely small amount of bits within its weight storage memory system (i.e., DRAM). The bit-flip operations could be conducted through well-known Row-Hammer attack, while our main contribution is to develop an algorithm to identify the most vulnerable bits of DNN weight parameters (stored in memory as binary bits), that could maximize the accuracy degradation with a minimum number of bit-flips. Our proposed BFA utilizes a Progressive Bit Search (PBS) method which combines gradient ranking and progressive search to identify the most vulnerable bit to be flipped. With the aid of PBS, we can successfully attack a ResNet-18 fully malfunction (i.e., top-1 accuracy degrade from 69.8% to 0.1%) only through 13 bit-flips out of 93 million bits, while randomly flipping 100 bits merely degrades the accuracy by less than 1%.

show abstract

Section: Comparison To Other Methodsmentioning

confidence: 95%

Bit-Flip Attack: Crushing Neural Network With Progressive Bit Search

Rakin

Fan

2019

2019 IEEE/CVF International Conference on Computer Vision (ICCV)

164

View full text Add to dashboard Cite

show abstract

“…In [7] the authors presents a practical laser fault attack which target creating fault in the Deep Neural Networks (DNN) on a low-cost micro-controller.…”

Section: Hardware Based Approachmentioning

confidence: 99%

The State of Fault Injection Vulnerability Detection

Given-Wilson

Jafri

Legay

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Fault injection is a well known method to test the robustness and security vulnerabilities of software. Fault injections can be explored by simulations (cheap, but not validated) and hardware experiments (true, but very expensive). Recent simulation works have started to apply formal methods to the detection, analysis, and prevention of fault injection attacks to address verifiability. However, these approaches are ad-hoc and extremely limited in architecture, fault model, and breadth of application. Further, there is very limited connection between simulation results and hardware experiments. Recent work has started to consider broad spectrum simulation approaches that can cover many fault models and relatively large programs. Similarly the connection between these broad spectrum simulations and hardware experiments is being validated to bridge the gap between the two approaches. This presentation highlights the latest developments in applying formal methods to fault injection vulnerability detection, and validating software and hardware results with one another.

show abstract

“…erefore, it is essential to minimize the number of modi ed parameters by our fault sneaking a ack. Recently, [17] implements the DNN fault injection a ack [16] physically on embedded systems using laser beam. In particular, [17] injects faults into the widely used activation functions in DNNs and demonstrates the possibility to achieve misclassi cations by injecting faults into the DNN hidden layer.…”

Section: Practical Fault Injection Techniquesmentioning

confidence: 99%

Fault Sneaking Attack

Zhao

Wang

Gongye

et al. 2019

Proceedings of the 56th Annual Design Automation Conference 2019

View full text Add to dashboard Cite

Despite the great achievements of deep neural networks (DNNs), the vulnerability of state-of-the-art DNNs raises security concerns of DNNs in many application domains requiring high reliability. We propose the fault sneaking a ack on DNNs, where the adversary aims to misclassify certain input images into any target labels by modifying the DNN parameters. We apply ADMM (alternating direction method of multipliers) for solving the optimization problem of the fault sneaking a ack with two constraints: 1) the classi cation of the other images should be unchanged and 2) the parameter modi cations should be minimized. Speci cally, the rst constraint requires us not only to inject designated faults (misclassi cations), but also to hide the faults for stealthy or sneaking considerations by maintaining model accuracy. e second constraint requires us to minimize the parameter modi cations (using 0 norm to measure the number of modi cations and 2 norm to measure the magnitude of modi cations). Comprehensive experimental evaluation demonstrates that the proposed framework can inject multiple sneaking faults without losing the overall test accuracy performance. CCS CONCEPTS•Security and privacy → Domain-speci c security and privacy architectures; Network security; •Networks → Network performance analysis; • eory of computation → eory and algorithms for application domains; KEYWORDSDeep neural networks, Fault injection, ADMM ACM Reference format:

show abstract

Practical Fault Attack on Deep Neural Networks

Cited by 106 publications

References 14 publications

Bit-Flip Attack: Crushing Neural Network With Progressive Bit Search

Bit-Flip Attack: Crushing Neural Network With Progressive Bit Search

The State of Fault Injection Vulnerability Detection

Fault Sneaking Attack

Contact Info

Product

Resources

About