ObfusBFA: A Holistic Approach to Safeguarding DNNs from Different Types of Bit-Flip Attacks

TL;DR

ObfusBFA is a comprehensive defense mechanism that employs random dummy operations during inference to protect DNNs from various bit-flip attacks, maintaining accuracy and reducing attack success rates.

Contribution

It introduces a holistic approach combining algorithms to identify critical bits and insert obfuscation, effectively defending against multiple types of BFAs across different scenarios.

Findings

Preserves model accuracy under attack

Reduces attack success rates significantly

Maintains low latency and storage overhead

Abstract

Bit-flip attacks (BFAs) represent a serious threat to Deep Neural Networks (DNNs), where flipping a small number of bits in the model parameters or binary code can significantly degrade the model accuracy or mislead the model prediction in a desired way. Existing defenses exclusively focus on protecting models for specific attacks and platforms, while lacking effectiveness for other scenarios. We propose ObfusBFA, an efficient and holistic methodology to mitigate BFAs targeting both the high-level model weights and low-level codebase (executables or shared libraries). The key idea of ObfusBFA is to introduce random dummy operations during the model inference, which effectively transforms the delicate attacks into random bit flips, making it much harder for attackers to pinpoint and exploit vulnerable bits. We design novel algorithms to identify critical bits and insert obfuscation operations. We evaluate ObfusBFA against different types of attacks, including the adaptive scenarios where the attacker increases the flip bit budget to attempt to circumvent our defense. The results show that ObfusBFA can consistently preserve the model accuracy across various datasets and DNN architectures while significantly reducing the attack success rates. Additionally, it introduces minimal latency and storage overhead, making it a practical solution for real-world applications.