A Closer Look at Evaluating the Bit-Flip Attack Against Deep Neural Networks
Kevin Hector, Mathieu Dumont, Pierre-Alain Moellic, Jean-Max Dutertre

TL;DR
This paper critically examines the evaluation challenges of the Bit-Flip Attack (BFA) on deep neural networks, emphasizing the need for standardized methodologies, including an explicit adversary budget, to accurately assess attack impact and model robustness.
Contribution
The paper presents a comprehensive analysis of the BFA's effects on various architectures and highlights the importance of proper evaluation protocols for parameter-based attacks.
Findings
BFA significantly impacts fully-connected neural networks.
Variability in the attack's outcome across runs and training settings affects how its impact is assessed.
Model architecture influences BFA vulnerability.
Abstract
Deep neural network models are massively deployed on a wide variety of hardware platforms. This results in the appearance of new attack vectors that significantly extend the standard attack surface, extensively studied by the adversarial machine learning community. One of the first attacks that aims at drastically dropping the performance of a model, by targeting its parameters (weights) stored in memory, is the Bit-Flip Attack (BFA). In this work, we point out several evaluation challenges related to the BFA. First of all, the lack of an adversary's budget in the standard threat model is problematic, especially when dealing with physical attacks. Moreover, since the BFA presents critical variability, we discuss the influence of some training parameters and the importance of the model architecture. This work is the first to present the impact of the BFA against fully-connected…
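To make the abstract's two points concrete (the attack flips bits of weights stored in memory, and the number of flips is an adversary budget that the threat model should state), here is an added example that is not code from the paper or its authors. It simulates a budgeted, greedy bit-flip search on the int8 weights of a tiny fully-connected classifier; the model weights, the quantization scale and the 2-D task are constructed for the demonstration, and the exhaustive candidate search is a brute-force simplification of the gradient-ranked progressive search used by the original BFA.

```python
"""Added example (not from the paper): a budgeted, greedy bit-flip attack
simulated on the int8 weights of a tiny fully-connected classifier."""
import math
import random

SCALE = 1.0 / 64  # assumed dequantisation scale: int8 value 64 represents 1.0


def flip_bit(w: int, bit: int) -> int:
    """Flip bit `bit` (0 = LSB, 7 = sign bit) of a two's-complement int8 weight."""
    assert -128 <= w <= 127 and 0 <= bit <= 7
    u = (w & 0xFF) ^ (1 << bit)
    return u - 256 if u >= 128 else u


def relu(v):
    return v if v > 0 else 0.0


def forward(weights, x):
    """Two-layer FC net (2 -> 4 -> 2, ReLU, no bias) on dequantised int8 weights."""
    w1, w2 = weights
    h = [relu(sum(w * SCALE * xi for w, xi in zip(row, x))) for row in w1]
    return [sum(w * SCALE * hi for w, hi in zip(row, h)) for row in w2]


def cross_entropy(logits, label):
    m = max(logits)
    log_z = m + math.log(sum(math.exp(l - m) for l in logits))
    return log_z - logits[label]


def evaluate(weights, data):
    """Return (accuracy, mean loss) over a list of (x, label) pairs."""
    correct, loss = 0, 0.0
    for x, y in data:
        logits = forward(weights, x)
        pred = 1 if logits[1] > logits[0] else 0  # a tie counts as class 0
        correct += pred == y
        loss += cross_entropy(logits, y)
    return correct / len(data), loss / len(data)


def bit_flip_attack(weights, data, budget):
    """Greedy progressive search under a flip budget: at each step try every
    (layer, row, col, bit) candidate and keep the single flip that raises the
    mean loss the most. Stops early if no flip increases the loss."""
    weights = [[row[:] for row in layer] for layer in weights]  # work on a copy
    flips = []
    for _ in range(budget):
        _, current = evaluate(weights, data)
        best = None
        for li, layer in enumerate(weights):
            for r, row in enumerate(layer):
                for c, w in enumerate(row):
                    for bit in range(8):
                        row[c] = flip_bit(w, bit)      # trial flip in place
                        _, loss = evaluate(weights, data)
                        row[c] = w                     # undo the trial
                        if loss > current and (best is None or loss > best[0]):
                            best = (loss, li, r, c, bit)
        if best is None:
            break
        _, li, r, c, bit = best
        weights[li][r][c] = flip_bit(weights[li][r][c], bit)
        flips.append((li, r, c, bit))
    return weights, flips


# Constructed toy model: hidden units relu(x0+x1), relu(-x0-x1), relu(x0), relu(x1);
# the logit difference is 2*(x0+x1), so the clean model solves the task exactly.
CLEAN_WEIGHTS = [
    [[64, 64], [-64, -64], [64, 0], [0, 64]],  # W1: 4 x 2, int8
    [[-64, 64, 0, 0], [64, -64, 0, 0]],        # W2: 2 x 4, int8
]


def make_data(n=200, seed=0):
    """Constructed task: label 1 iff x0 + x1 > 0, with points kept off the boundary."""
    rng = random.Random(seed)
    data = []
    while len(data) < n:
        x = [rng.uniform(-1, 1), rng.uniform(-1, 1)]
        if abs(x[0] + x[1]) > 0.1:
            data.append((x, 1 if x[0] + x[1] > 0 else 0))
    return data


def run_attack(budget=3):
    """Attack the clean model with `budget` flips and report before/after metrics."""
    data = make_data()
    clean_acc, clean_loss = evaluate(CLEAN_WEIGHTS, data)
    attacked, flips = bit_flip_attack(CLEAN_WEIGHTS, data, budget)
    acc, loss = evaluate(attacked, data)
    return {"clean_acc": clean_acc, "clean_loss": clean_loss,
            "attacked_acc": acc, "attacked_loss": loss, "flips": flips}


if __name__ == "__main__":
    result = run_attack()
    for flip in result["flips"]:
        print("flipped layer=%d row=%d col=%d bit=%d" % flip)
    print("accuracy %.3f -> %.3f" % (result["clean_acc"], result["attacked_acc"]))
```

The `budget` argument is the point the abstract makes: reporting "accuracy after the attack" is only meaningful alongside the number of flips it cost, and the same search with a different budget, seed or calibration batch can land on a different set of bits, which is the variability the paper discusses. Sign-bit (bit 7) flips of int8 weights are the most damaging candidates because they negate a weight outright.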
Peer Reviews
No public reviews on file for this paper yet.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Physical Unclonable Functions (PUFs) and Hardware Security · Advanced Malware Detection Techniques
