ZeBRA: Precisely Destroying Neural Networks with Zero-Data Based Repeated Bit Flip Attack
Dahoon Park, Kon-Woo Kwon, Sunghoon Im, Jaeha Kung

TL;DR
ZeBRA is a novel attack method that destroys deep neural networks by synthesizing attack datasets from model statistics, requiring fewer bit flips than previous methods, thus posing a significant security threat.
Contribution
ZeBRA introduces a zero-data attack approach that synthesizes attack datasets using batch normalization statistics, eliminating the need for original data during the attack.
Findings
Requires fewer bit flips than previous methods on CIFAR-10 and ImageNet.
Effectively destroys DNNs without access to training or test data.
Demonstrates increased attack efficiency and security risk.
Abstract
In this paper, we present Zero-data Based Repeated bit flip Attack (ZeBRA) that precisely destroys deep neural networks (DNNs) by synthesizing its own attack datasets. Many prior works on adversarial weight attack require not only the weight parameters, but also the training or test dataset in searching vulnerable bits to be attacked. We propose to synthesize the attack dataset, named distilled target data, by utilizing the statistics of batch normalization layers in the victim DNN model. Equipped with the distilled target data, our ZeBRA algorithm can search vulnerable bits in the model without accessing training or test dataset. Thus, our approach makes the adversarial weight attack more fatal to the security of DNNs. Our experimental results show that 2.0x (CIFAR-10) and 1.6x (ImageNet) less number of bit flips are required on average to destroy DNNs compared to the previous attack…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Neural Network Applications · Anomaly Detection Techniques and Applications
Methods: FLIP · Test · Batch Normalization
