LG | CR | Nov 1, 2021

ZeBRA: Precisely Destroying Neural Networks with Zero-Data Based Repeated Bit Flip Attack

arXiv:2111.01080v2 | 5 citations | Has Code
Originality: Incremental advance
AI Analysis

This work addresses security vulnerabilities in DNNs by making adversarial weight attacks more effective and accessible, representing an incremental improvement over prior methods.

The paper tackles the problem of adversarial weight attacks on deep neural networks by proposing ZeBRA, which synthesizes attack datasets using batch normalization statistics and requires no access to training or test data. The results show that ZeBRA reduces the number of bit flips needed to destroy DNNs by 2.0x on CIFAR-10 and 1.6x on ImageNet compared to previous methods.

In this paper, we present Zero-data Based Repeated bit flip Attack (ZeBRA) that precisely destroys deep neural networks (DNNs) by synthesizing its own attack datasets. Many prior works on adversarial weight attack require not only the weight parameters, but also the training or test dataset to search for the vulnerable bits to be attacked. We propose to synthesize the attack dataset, named distilled target data, by utilizing the statistics of batch normalization layers in the victim DNN model. Equipped with the distilled target data, our ZeBRA algorithm can search for vulnerable bits in the model without accessing the training or test dataset. Thus, our approach makes the adversarial weight attack more fatal to the security of DNNs. Our experimental results show that 2.0x (CIFAR-10) and 1.6x (ImageNet) fewer bit flips are required on average to destroy DNNs compared to the previous attack method. Our code is available at https://github.com/pdh930105/ZeBRA.

Code Implementations: 1 repo