Quantization Backdoors to Deep Learning Commercial Frameworks

Ma, Hua; Qiu, Huming; Gao, Yansong; Zhang, Zhi; Abuadbba, Alsharif; Xue, Minhui; Fu, Anmin; Zhang, Jiliang; Al-Sarawi, Said F.; Abbott, Derek

doi:10.1109/tdsc.2023.3271956

Cited by 9 publications

(1 citation statement)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The primary advantage offered by a MEN lies in a significant reduction in latency and energy consumption during the inference phase in intricate networks. Reduced latency is crucial for real-time applications such as self-driving cars, while lower energy consumption is a critical consideration for devices in the Internet of Things or mobile devices [3], heavily reliant on battery power.…”

Section: Introductionmentioning

confidence: 99%

Sponge Attack Against Multi-Exit Networks With Data Poisoning

Huang,

Pang,

et al. 2024

IEEE Access

Self Cite

View full text Add to dashboard Cite

The motivation for the development of multi-exit networks (MENs) lies in the desire to minimize the delay and energy consumption associated with the inference phase. Moreover, MENs are designed to expedite predictions for easily identifiable inputs by allowing them to exit the network prematurely, thereby reducing the computational burden due to challenging inputs. Nevertheless, there is a lack of comprehensive understanding regarding the security vulnerabilities inherent in MENs. In this study, we introduce a novel approach called the sponge attack, which aims to compromise the fundamental advantages of MENs that allow easily identifiable images to leave in early exits. By employing data poisoning techniques, we frame the sponge attack as an optimization problem that empowers an attacker to select a specific trigger, such as adverse weather conditions (e.g., raining), to compel inputs to traverse the complete network layers of the MEN (e.g., in the context of traffic sign recognition) instead of early-exits when the trigger condition is met. Remarkably, our attack has the capacity to increase inference latency, while maintaining the classification accuracy even in the presence of a trigger, thus operating discreetly. Extensive experimentation on three diverse natural datasets (CIFAR100, GTSRB, and STL10), each trained with three prominent MEN architectures (VGG16, ResNet56, and MSDNet), validates the efficacy of our attack in terms of latency augmentation and its effectiveness in preserving classification accuracy under trigger conditions.

show abstract

Section: Introductionmentioning

confidence: 99%

Sponge Attack Against Multi-Exit Networks With Data Poisoning

Huang,

Pang,

et al. 2024

IEEE Access

Self Cite

View full text Add to dashboard Cite

show abstract

Certified Quantization Strategy Synthesis for Neural Networks

Zhang,

Chen,

Song

et al. 2024

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Quantization plays an important role in deploying neural networks on embedded, real-time systems with limited computing and storage resources (e.g., edge devices). It significantly reduces the model storage cost and improves inference efficiency by using fewer bits to represent the parameters. However, it was recently shown that critical properties may be broken after quantization, such as robustness and backdoor-freeness. In this work, we introduce the first method for synthesizing quantization strategies that verifiably maintain desired properties after quantization, leveraging a key insight that quantization leads to a data distribution shift in each layer. We propose to compute the preimage for each layer based on which the preceding layer is quantized, ensuring that the quantized reachable region of the preceding layer remains within the preimage. To tackle the challenge of computing the exact preimage, we propose an MILP-based method to compute its under-approximation. We implement our method into a tool and demonstrate its effectiveness and efficiency by providing certified quantization that successfully preserves model robustness and backdoor-freeness.

show abstract