Stealthy Attack on Algorithmic-Protected DNNs via Smart Bit Flipping

TL;DR

This paper introduces a novel stealthy attack method that uses smart bit flipping in DNN weights to bypass algorithmic defenses, maintaining accuracy on clean inputs while misclassifying adversarial ones.

Contribution

The paper presents a new attack technique that effectively circumvents existing algorithmic protections on DNNs through hardware-level bit flipping.

Findings

Successfully attacks state-of-the-art protected DNNs

Maintains accuracy on clean inputs while misclassifying adversarial inputs

Identifies vulnerable weights for efficient bit flipping

Abstract

Recently, deep neural networks (DNNs) have been deployed in safety-critical systems such as autonomous vehicles and medical devices. Shortly after that, the vulnerability of DNNs were revealed by stealthy adversarial examples where crafted inputs -- by adding tiny perturbations to original inputs -- can lead a DNN to generate misclassification outputs. To improve the robustness of DNNs, some algorithmic-based countermeasures against adversarial examples have been introduced thereafter. In this paper, we propose a new type of stealthy attack on protected DNNs to circumvent the algorithmic defenses: via smart bit flipping in DNN weights, we can reserve the classification accuracy for clean inputs but misclassify crafted inputs even with algorithmic countermeasures. To fool protected DNNs in a stealthy way, we introduce a novel method to efficiently find their most vulnerable weights and flip those bits in hardware. Experimental results show that we can successfully apply our stealthy attack against state-of-the-art algorithmic-protected DNNs.