Improving robustness against stealthy weight bit-flip attacks by output code matching

Ozan Özdenizci; Robert Legenstein

doi:10.1109/CVPR52688.2022.01303

Improving robustness against stealthy weight bit-flip attacks by output code matching

Ozan Özdenizci, Robert Legenstein

Institut für Grundlagen der Informationsverarbeitung (7080)

Publikation: Beitrag in Buch/Bericht/Konferenzband › Beitrag in einem Konferenzband › Begutachtung

Abstract

Deep neural networks (DNNs) have been shown to be vulnerable against adversarial weight bit-flip attacks through hardware-induced fault-injection methods on the memory systems where network parameters are stored. Recent attacks pose the further concerning threat of finding minimal targeted and stealthy weight bit-flips that preserve expected behavior for untargeted test samples. This renders the attack undetectable from a DNN operation perspective. We propose a DNN defense mechanism to improve robustness in such realistic stealthy weight bit-flip attack scenarios. Our output code matching networks use an output coding scheme where the usual one-hot encoding of classes is replaced by partially overlapping bit strings. We show that this encoding significantly reduces attack stealthiness. Importantly, our approach is compatible with existing defenses and DNN architectures. It can be efficiently implemented on pre-trained models by simply re-defining the output classification layer and finetuning. Experimental benchmark evaluations show that output code matching is superior to existing regularized weight quantization based defenses, and an effective defense against stealthy weight bit-flip attacks.

Originalsprache	englisch
Titel	Proceedings - 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2022
Seiten	13378-13387
Seitenumfang	10
ISBN (elektronisch)	978-1-6654-6946-3
DOIs	https://doi.org/10.1109/CVPR52688.2022.01303
Publikationsstatus	Veröffentlicht - 2022
Veranstaltung	2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition: CVPR 2022 - New Orleans Ernest N. Morial Convention Center, Hybrider Event, New Orleans, USA / Vereinigte Staaten Dauer: 21 Juni 2022 → 24 Sept. 2022 Konferenznummer: 2022

Publikationsreihe

Name	Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition
Band	2022-June
ISSN (Print)	1063-6919

Konferenz

Konferenz	2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition
Kurztitel	CVPR 2022
Land/Gebiet	USA / Vereinigte Staaten
Ort	Hybrider Event, New Orleans
Zeitraum	21/06/22 → 24/09/22

ASJC Scopus subject areas

Artificial intelligence
Maschinelles Sehen und Mustererkennung

Fields of Expertise

Information, Communication & Computing

Zugriff auf Dokument

10.1109/CVPR52688.2022.01303

https://openaccess.thecvf.com/content/CVPR2022/papers/Ozdenizci_Improving_Robustness_Against_Stealthy_Weight_Bit-Flip_Attacks_by_Output_Code_CVPR_2022_paper.pdfLizenz: Andere

Andere Dateien und Links

Verknüpfung zur Publikation in Scopus

Dieses zitieren

Özdenizci, O., & Legenstein, R. (2022). Improving robustness against stealthy weight bit-flip attacks by output code matching. in Proceedings - 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2022 (S. 13378-13387). (Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition; Band 2022-June). https://doi.org/10.1109/CVPR52688.2022.01303

Improving robustness against stealthy weight bit-flip attacks by output code matching. / Özdenizci, Ozan; Legenstein, Robert.
Proceedings - 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2022. 2022. S. 13378-13387 (Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition; Band 2022-June).

Publikation: Beitrag in Buch/Bericht/Konferenzband › Beitrag in einem Konferenzband › Begutachtung

Özdenizci, O & Legenstein, R 2022, Improving robustness against stealthy weight bit-flip attacks by output code matching. in Proceedings - 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2022. Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition, Bd. 2022-June, S. 13378-13387, 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Hybrider Event, New Orleans, Louisiana, USA / Vereinigte Staaten, 21/06/22. https://doi.org/10.1109/CVPR52688.2022.01303

@inproceedings{05d5353e69a243b9b1205650c7fcba58,

title = "Improving robustness against stealthy weight bit-flip attacks by output code matching",

abstract = "Deep neural networks (DNNs) have been shown to be vulnerable against adversarial weight bit-flip attacks through hardware-induced fault-injection methods on the memory systems where network parameters are stored. Recent attacks pose the further concerning threat of finding minimal targeted and stealthy weight bit-flips that preserve expected behavior for untargeted test samples. This renders the attack undetectable from a DNN operation perspective. We propose a DNN defense mechanism to improve robustness in such realistic stealthy weight bit-flip attack scenarios. Our output code matching networks use an output coding scheme where the usual one-hot encoding of classes is replaced by partially overlapping bit strings. We show that this encoding significantly reduces attack stealthiness. Importantly, our approach is compatible with existing defenses and DNN architectures. It can be efficiently implemented on pre-trained models by simply re-defining the output classification layer and finetuning. Experimental benchmark evaluations show that output code matching is superior to existing regularized weight quantization based defenses, and an effective defense against stealthy weight bit-flip attacks.",

keywords = "Adversarial attack and defense, Deep learning architectures and techniques",

author = "Ozan {\"O}zdenizci and Robert Legenstein",

year = "2022",

doi = "10.1109/CVPR52688.2022.01303",

language = "English",

series = "Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition",

pages = "13378--13387",

booktitle = "Proceedings - 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2022",

note = "2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition : CVPR 2022 , CVPR 2022 ; Conference date: 21-06-2022 Through 24-09-2022",

}

TY - GEN

T1 - Improving robustness against stealthy weight bit-flip attacks by output code matching

AU - Özdenizci, Ozan

AU - Legenstein, Robert

N1 - Conference code: 2022

PY - 2022

Y1 - 2022

N2 - Deep neural networks (DNNs) have been shown to be vulnerable against adversarial weight bit-flip attacks through hardware-induced fault-injection methods on the memory systems where network parameters are stored. Recent attacks pose the further concerning threat of finding minimal targeted and stealthy weight bit-flips that preserve expected behavior for untargeted test samples. This renders the attack undetectable from a DNN operation perspective. We propose a DNN defense mechanism to improve robustness in such realistic stealthy weight bit-flip attack scenarios. Our output code matching networks use an output coding scheme where the usual one-hot encoding of classes is replaced by partially overlapping bit strings. We show that this encoding significantly reduces attack stealthiness. Importantly, our approach is compatible with existing defenses and DNN architectures. It can be efficiently implemented on pre-trained models by simply re-defining the output classification layer and finetuning. Experimental benchmark evaluations show that output code matching is superior to existing regularized weight quantization based defenses, and an effective defense against stealthy weight bit-flip attacks.

AB - Deep neural networks (DNNs) have been shown to be vulnerable against adversarial weight bit-flip attacks through hardware-induced fault-injection methods on the memory systems where network parameters are stored. Recent attacks pose the further concerning threat of finding minimal targeted and stealthy weight bit-flips that preserve expected behavior for untargeted test samples. This renders the attack undetectable from a DNN operation perspective. We propose a DNN defense mechanism to improve robustness in such realistic stealthy weight bit-flip attack scenarios. Our output code matching networks use an output coding scheme where the usual one-hot encoding of classes is replaced by partially overlapping bit strings. We show that this encoding significantly reduces attack stealthiness. Importantly, our approach is compatible with existing defenses and DNN architectures. It can be efficiently implemented on pre-trained models by simply re-defining the output classification layer and finetuning. Experimental benchmark evaluations show that output code matching is superior to existing regularized weight quantization based defenses, and an effective defense against stealthy weight bit-flip attacks.

KW - Adversarial attack and defense

KW - Deep learning architectures and techniques

UR - http://www.scopus.com/inward/record.url?scp=85143507741&partnerID=8YFLogxK

U2 - 10.1109/CVPR52688.2022.01303

DO - 10.1109/CVPR52688.2022.01303

M3 - Conference paper

T3 - Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition

SP - 13378

EP - 13387

BT - Proceedings - 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2022

T2 - 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition

Y2 - 21 June 2022 through 24 September 2022

ER -

Improving robustness against stealthy weight bit-flip attacks by output code matching

Abstract

Publikationsreihe

Konferenz

ASJC Scopus subject areas

Fields of Expertise

Zugriff auf Dokument

Andere Dateien und Links

Fingerprint

Dieses zitieren