Bit-Flip Attack: Crushing Neural Network with Progressive Bit Search (1903.12269v2)

Abstract: Several important security issues of Deep Neural Network (DNN) have been raised recently associated with different applications and components. The most widely investigated security concern of DNN is from its malicious input, a.k.a adversarial example. Nevertheless, the security challenge of DNN's parameters is not well explored yet. In this work, we are the first to propose a novel DNN weight attack methodology called Bit-Flip Attack (BFA) which can crush a neural network through maliciously flipping extremely small amount of bits within its weight storage memory system (i.e., DRAM). The bit-flip operations could be conducted through well-known Row-Hammer attack, while our main contribution is to develop an algorithm to identify the most vulnerable bits of DNN weight parameters (stored in memory as binary bits), that could maximize the accuracy degradation with a minimum number of bit-flips. Our proposed BFA utilizes a Progressive Bit Search (PBS) method which combines gradient ranking and progressive search to identify the most vulnerable bit to be flipped. With the aid of PBS, we can successfully attack a ResNet-18 fully malfunction (i.e., top-1 accuracy degrade from 69.8% to 0.1%) only through 13 bit-flips out of 93 million bits, while randomly flipping 100 bits merely degrades the accuracy by less than 1%.

• The paper introduces a novel Bit-Flip Attack that targets DNN weights using a gradient-driven Progressive Bit Search method.
• It demonstrates that flipping only 13 strategically chosen bits in ResNet-18 can drop top-1 accuracy from 69.8% to 0.1%, highlighting the attack's precision.
• The study exposes critical vulnerabilities in quantized neural networks, emphasizing the urgency for advanced security and defense strategies.

An Analysis of Bit-Flip Attack on Quantized Neural Networks

The paper presents a meticulous exploration of a novel adversarial methodology targeting the parameters of Deep Neural Networks (DNNs). The authors introduce the Bit-Flip Attack (BFA), concentrating on the immutable nature of DNN weights stored as binary bits in volatile memory. The investigative focus diverges from traditional explorations of adversarial examples that manipulate input data, instead pivoting towards the vulnerabilities within DNN weight parameters, particularly those stored in DRAM.

Key Concepts and Methodology

Bit-Flip Attack exploits the susceptibilities in DNN weight parameters through minimal and strategic perturbations. This is achieved via a Progressive Bit Search (PBS) technique. This method adroitly leverages gradient-driven vulnerability rankings to ascertain the most susceptible bits for flipping, thereby inducing significant degradation in the network’s output accuracy. The PBS method operates in two pivotal steps: In-layer search, which determines bit vulnerabilities within a specific layer, and Cross-layer search, which selects bits across different layers based on loss evaluations.

This strategic perturbation significantly impacts network performance. The paper provides robust empirical evidence demonstrating that for the ResNet-18 architecture on the ImageNet dataset, a mere 13 bit-flips out of approximately 93 million can plummet the model’s top-1 accuracy from 69.8% to 0.1%. In contrast, random bit flipping yields negligible accuracy degradation, highlighting PBS's efficacy.

Experimental Results

A series of experiments across various architectures and quantization bit-widths reveal consistent vulnerability in DNNs against BFA. Notably, differences in network design, such as the presence of residual connections in ResNets, appear to disperse bit vulnerability more evenly across layers, thereby challenging a singular hypothesis of early-stage attack efficacy. The investigation highlights that only a diminutive fragment of the model's parameters needs alteration to cause catastrophic performance degradation, suggesting that the intrinsic structural design fosters sensitivity to parameter perturbations.

Moreover, the comparative analysis with traditional random bit-flip methods underscores the robustness and targeted effectiveness of PBS in identifying and exploiting vulnerabilities. The authors underscore that merely knowing the network's architecture suffices for a white-box attack without prior training data or hyperparameter knowledge.

Implications and Future Directions

This paper raises critical security concerns about deploying DNN models in environments susceptible to Row-Hammer and similar fault injection attacks, particularly in memory-constrained or resource-limited settings lacking robust data integrity checks. This circumvents traditional error detection and correction protocols, emphasizing the need for novel defense strategies beyond quantization and adversarial training.

Theoretically, the paper reinforces the understanding that even slight perturbations in model parameters can ripple through deep networks, amplifying errors due to the inherent linearity of many DNN architectures. Future work is necessitated to fortify DNNs against such faults, possibly through architectural innovations or advanced integrity checks that extend beyond simple parameter quantization.

In conclusion, the Bit-Flip Attack introduces a formidable challenge to the integrity and reliability of DNNs, calling for refined methodologies in both attack and defense mechanisms. The exploration within this paper decisively contributes to a nuanced understanding of DNN vulnerabilities, setting a foundation for future explorations into enhancing the resilience of neural networks against adversarial disruptions in parameter representations.