No Data, No Optimization: A Lightweight Method To Disrupt Neural Networks With Sign-Flips
This work is significant for the security of deep neural networks, particularly in computer vision models, as it highlights a vulnerability that can be exploited with minimal resources.
The authors tackled the problem of disrupting neural networks by flipping sign bits in their parameters, resulting in a 99.8% accuracy drop in ResNet50 on ImageNet by flipping just two sign bits. This was achieved using a lightweight, data-free method called Deep Neural Lesion (DNL).
Deep Neural Networks (DNNs) can be catastrophically disrupted by flipping only a handful of sign bits in their parameters. We introduce Deep Neural Lesion (DNL), a data-free, lightweight method that locates these critical parameters and triggers massive accuracy drops. We validate its efficacy on a wide variety of computer vision models and datasets. The method requires no training data or optimization and can be carried out via common exploits software, firmware or hardware based attack vectors. An enhanced variant that uses a single forward and backward pass further amplifies the damage beyond DNL's zero-pass approach. Flipping just two sign bits in ResNet50 on ImageNet reduces accuracy by 99.8\%. We also show that selectively protecting a small fraction of vulnerable sign bits provides a practical defense against such attacks.