Energy-Latency Attacks via Sponge Poisoning
This addresses a security vulnerability for users of hardware accelerators in scenarios like outsourced or federated learning, representing an incremental attack method.
The paper tackles the problem of increasing energy consumption and prediction latency in deep networks via a training-time attack called sponge poisoning, which works without affecting classification accuracy and is shown to be effective in experiments, with fine-tuning posing prohibitive repair costs.
Sponge examples are test-time inputs optimized to increase energy consumption and prediction latency of deep networks deployed on hardware accelerators. By increasing the fraction of neurons activated during classification, these attacks reduce sparsity in network activation patterns, worsening the performance of hardware accelerators. In this work, we present a novel training-time attack, named sponge poisoning, which aims to worsen energy consumption and prediction latency of neural networks on any test input without affecting classification accuracy. To stage this attack, we assume that the attacker can control only a few model updates during training -- a likely scenario, e.g., when model training is outsourced to an untrusted third party or distributed via federated learning. Our extensive experiments on image classification tasks show that sponge poisoning is effective, and that fine-tuning poisoned models to repair them poses prohibitive costs for most users, highlighting that tackling sponge poisoning remains an open issue.