Adversarial bit-flip attacks (BFA) on neural network weights can cause catastrophic accuracy degradation by flipping only a very small number of bits. A major drawback of prior bit-flip attack techniques is their reliance on test data, which is frequently unavailable for applications that handle sensitive or proprietary data. In this paper, we propose the Blind Data Adversarial Bit-flip Attack (BDFA), a novel technique that enables BFA without any access to training or testing data. This is achieved by optimizing a synthetic dataset engineered to match the batch normalization statistics across the different layers of the network and the targeted label. Experimental results show that BDFA can decrease the accuracy of ResNet50 significantly, from 75.96\% to 13.94\%, with only 4 bit flips.
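The following is a minimal sketch, in a PyTorch setting, of the data-free synthesis idea described above: optimize random inputs so that their per-layer feature statistics match the running mean and variance stored in each batch normalization layer, while steering predictions toward a chosen target label. Function names such as \texttt{synthesize\_blind\_data} and all hyperparameters are illustrative assumptions, not details taken from the paper.

\begin{verbatim}
import torch
import torch.nn as nn
import torch.nn.functional as F

def bn_statistics_loss(captured):
    """Distance between the batch statistics of the synthetic inputs and the
    running statistics stored in each BatchNorm2d layer (assumed objective)."""
    loss = 0.0
    for bn, feat in captured:
        mean = feat.mean(dim=(0, 2, 3))
        var = feat.var(dim=(0, 2, 3), unbiased=False)
        loss = loss + F.mse_loss(mean, bn.running_mean) + F.mse_loss(var, bn.running_var)
    return loss

def synthesize_blind_data(model, target_label, num_images=32, steps=500, lr=0.1):
    """Generate a synthetic batch without any real data (illustrative sketch)."""
    model.eval()
    x = torch.randn(num_images, 3, 224, 224, requires_grad=True)
    y = torch.full((num_images,), target_label, dtype=torch.long)
    opt = torch.optim.Adam([x], lr=lr)

    # Capture the input feature map of every BatchNorm2d layer via forward hooks.
    captured = []
    def make_hook(bn):
        def hook(_module, inputs, _output):
            captured.append((bn, inputs[0]))
        return hook
    handles = [m.register_forward_hook(make_hook(m))
               for m in model.modules() if isinstance(m, nn.BatchNorm2d)]

    for _ in range(steps):
        captured.clear()
        opt.zero_grad()
        logits = model(x)
        # Match BN statistics and push predictions toward the targeted label.
        loss = bn_statistics_loss(captured) + F.cross_entropy(logits, y)
        loss.backward()
        opt.step()

    for h in handles:
        h.remove()
    return x.detach(), y

# Example usage with a pretrained ResNet50 (assumed setup):
#   from torchvision.models import resnet50
#   data, labels = synthesize_blind_data(resnet50(weights="IMAGENET1K_V1"), target_label=0)
\end{verbatim}

The synthesized batch can then stand in for real test data when selecting which weight bits to flip; the bit-selection step itself is not shown here.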