Bit-Flip Fault Attack: Crushing Graph Neural Networks via Gradual Bit Search

TL;DR

This paper introduces GBFA, a layer-aware bit-flip fault attack that gradually targets vulnerable bits in GNN weights, significantly degrading model accuracy with minimal bit flips, highlighting security vulnerabilities in hardware-accelerated GNNs.

Contribution

The paper proposes a novel layer-aware fault attack method, GBFA, which predicts layer execution and identifies vulnerable bits to efficiently compromise GNN models.

Findings

GBFA degrades GraphSAGE accuracy by 17% on Cora with one bit flip.

Layer-aware attack strategy is more effective than random bit flips.

Vulnerable bits are identified using gradient ranking within layers.

Abstract

Graph Neural Networks (GNNs) have emerged as a powerful machine learning method for graph-structured data. A plethora of hardware accelerators has been introduced to meet the performance demands of GNNs in real-world applications. However, security challenges of hardware-based attacks have been generally overlooked. In this paper, we investigate the vulnerability of GNN models to hardware-based fault attack, wherein an attacker attempts to misclassify output by modifying trained weight parameters through fault injection in a memory device. Thus, we propose Gradual Bit-Flip Fault Attack (GBFA), a layer-aware bit-flip fault attack, selecting a vulnerable bit in each selected weight gradually to compromise the GNN's performance by flipping a minimal number of bits. To achieve this, GBFA operates in two steps. First, a Markov model is created to predict the execution sequence of layers based on features extracted from memory access patterns, enabling the launch of the attack within a specific layer. Subsequently, GBFA identifies vulnerable bits within the selected weights using gradient ranking through an in-layer search. We evaluate the effectiveness of the proposed GBFA attack on various GNN models for node classification tasks using the Cora and PubMed datasets. Our findings show that GBFA significantly degrades prediction accuracy, and the variation in its impact across different layers highlights the importance of adopting a layer-aware attack strategy in GNNs. For example, GBFA degrades GraphSAGE's prediction accuracy by 17% on the Cora dataset with only a single bit flip in the last layer.