Targeted Attack against Deep Neural Networks via Flipping Limited Weight Bits
Jiawang Bai, Baoyuan Wu, Yong Zhang, Yiming Li, Zhifeng Li, Shu-Tao Xia

TL;DR
This paper introduces a novel attack method that maliciously flips limited bits in DNN weights during deployment to cause targeted misclassification without significantly affecting overall accuracy.
Contribution
It formulates the attack as a binary integer programming problem and applies ADMM for efficient optimization, enabling precise and stealthy model parameter manipulation.
Findings
Effective targeted attack with minimal bit flips
Outperforms heuristic-based methods in success rate
Maintains high overall model accuracy
Abstract
To explore the vulnerability of deep neural networks (DNNs), many attack paradigms have been well studied, such as the poisoning-based backdoor attack in the training stage and the adversarial attack in the inference stage. In this paper, we study a novel attack paradigm, which modifies model parameters in the deployment stage for malicious purposes. Specifically, our goal is to misclassify a specific sample into a target class without any sample modification, while not significantly reducing the prediction accuracy of other samples, to ensure stealthiness. To this end, we formulate this problem as a binary integer programming (BIP) problem, since the parameters are stored as binary bits (i.e., 0 and 1) in memory. By utilizing the latest technique in integer programming, we equivalently reformulate this BIP problem as a continuous optimization problem, which can be effectively and…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Domain Adaptation and Few-Shot Learning · Advanced Neural Network Applications
