A Semi Black-Box Adversarial Bit-Flip Attack with Limited DNN Model Information
Behnam Ghavami, Mani Sadati, Mohammad Shahidzadeh, Lesley Shannon, Steve Wilton

TL;DR
This paper introduces B3FA, a semi-black-box adversarial attack method that efficiently causes significant accuracy drops in DNNs with limited model knowledge and minimal bit-flips.
Contribution
The paper presents a novel semi-black-box bit-flip attack method that operates with limited model information, contrasting with full-access models, and demonstrates its effectiveness on real-world DNNs.
Findings
B3FA can reduce MobileNetV2 accuracy from 69.84% to 9% with 20 bit-flips.
The method effectively identifies vulnerable bits using a magnitude-based ranking and statistical reconstruction.
B3FA outperforms existing attacks under limited knowledge scenarios.
Abstract
Despite the rising prevalence of deep neural networks (DNNs) in cyber-physical systems, their vulnerability to adversarial bit-flip attacks (BFAs) is a noteworthy concern. This paper proposes B3FA, a semi-black-box BFA-based parameter attack on DNNs, assuming the adversary has limited knowledge about the model. We consider that practical scenarios often feature a more restricted threat model for real-world systems, in contrast to the typical BFA models that presuppose the adversary's full access to a network's inputs and parameters. The introduced bit-flip approach utilizes a magnitude-based ranking method and a statistical reconstruction technique to identify the vulnerable bits. We demonstrate the effectiveness of B3FA on several DNN models in a semi-black-box setting. For example, B3FA could drop the accuracy of a MobileNetV2 from 69.84% to 9% with only 20 bit-flips in a real-world…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Physical Unclonable Functions (PUFs) and Hardware Security · Bacillus and Francisella bacterial research
