An Empirical Study of Aegis
Daniel Saragih, Paridhi Goel, Tejas Balaji, Alyssa Li

TL;DR
This empirical study evaluates the Aegis framework's robustness against bit flipping and adversarial attacks on MNIST, revealing limitations in accuracy and uniformity, and comparing different defense strategies.
Contribution
The paper provides an empirical assessment of Aegis's effectiveness and limitations, including analysis of its dynamic-exit strategy and robustness training on low-entropy data.
Findings
Aegis's dynamic-exit strategy loses uniformity on simple datasets.
Robustness training causes accuracy drops on perturbed and adversarial data.
Both mechanisms have drawbacks in maintaining accuracy under attacks.
Abstract
Bit flipping attacks are one class of attacks on neural networks, with numerous defense mechanisms invented to mitigate their potency. Due to the importance of ensuring the robustness of these defense mechanisms, we perform an empirical study on the Aegis framework. We evaluate the baseline mechanisms of Aegis on low-entropy data (MNIST), and we evaluate a pre-trained model with the mechanisms fine-tuned on MNIST. We also compare the use of data augmentation to the robustness training of Aegis, and how Aegis performs under other adversarial attacks, such as the generation of adversarial examples. We find that both the dynamic-exit strategy and robustness training of Aegis have some drawbacks. In particular, we see drops in accuracy when testing on perturbed data, and on adversarial examples, as compared to baselines. Moreover, we found that the dynamic-exit strategy loses its uniformity…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Graph Neural Networks · Explainable Artificial Intelligence (XAI)
