Impactful Bit-Flip Search on Full-precision Models
This addresses security risks in AI systems by enabling efficient attacks on full-precision models, which is incremental as it builds on prior work in quantized networks.
The paper tackles the vulnerability of neural networks to Bit-Flip Attacks by introducing Impactful Bit-Flip Search (IBS) to efficiently identify and flip critical bits in full-precision models, achieving significant performance degradation with minimal bit flips, and proposes Weight-Stealth to evade detection by maintaining parameter distributions.
Neural networks have shown remarkable performance in various tasks, yet they remain susceptible to subtle changes in their input or model parameters. One particularly impactful vulnerability arises through the Bit-Flip Attack (BFA), where flipping a small number of critical bits in a model's parameters can severely degrade its performance. A common technique for inducing bit flips in DRAM is the Row-Hammer attack, which exploits frequent uncached memory accesses to alter data. Identifying susceptible bits can be achieved through exhaustive search or progressive layer-by-layer analysis, especially in quantized networks. In this work, we introduce Impactful Bit-Flip Search (IBS), a novel method for efficiently pinpointing and flipping critical bits in full-precision networks. Additionally, we propose a Weight-Stealth technique that strategically modifies the model's parameters in a way that maintains the float values within the original distribution, thereby bypassing simple range checks often used in tamper detection.