{"id":400,"date":"2019-10-31T15:59:42","date_gmt":"2019-10-31T22:59:42","guid":{"rendered":"https:\/\/dfan.engineering.asu.edu\/?page_id=400"},"modified":"2019-10-31T15:59:42","modified_gmt":"2019-10-31T22:59:42","slug":"ai-security-bit-flip-adversarial-weight-attack","status":"publish","type":"page","link":"https:\/\/faculty.engineering.asu.edu\/dfan\/ai-security-bit-flip-adversarial-weight-attack\/","title":{"rendered":"AI Security: memory bit-flip based adversarial weight attack"},"content":{"rendered":"\n

This repository contains a Pytorch implementation of the paper, titled \u201cBit-Flip Attack: Crushing Neural Network with Progressive Bit Search<\/a>\u201d, which is published in ICCV-2019<\/a>. It introduces a Bit-Flip Attack (BFA) algorithm which search and identify the vulnerable bits within a quantized deep neural network. [code in GitHub]<\/a><\/p>\n\n\n\n

Related Publication<\/h2>\n\n\n\n

[ICCV’19]<\/strong> Adnan Siraj Rakin, Zhezhi He, Deliang Fan, \u201cBit-Flip Attack: Crushing Neural Network with Progressive Bit Search,\u201d IEEE International Conference on Computer Vision, Seoul, Korea, Oct 27 – Nov 3, 2019 [pdf]<\/a><\/p>\n\n\n\n

\"\"
Concept illustration of quantized DNN under Bit-Flip Attack <\/figcaption><\/figure><\/div>\n\n\n\n
\"\"
proposed progressive bit search algorithm to identify most vulnerable bits in the memory<\/figcaption><\/figure><\/div>\n\n\n\n

Method Summary<\/h2>\n\n\n\n

Several important security issues of Deep Neural Network (DNN) have been raised recently associated with different applications and components. The most widely investigated security concern of DNN is from its malicious input, a.k.a adversarial example. Nevertheless, the security challenge of DNN\u2019s parameters is not well explored yet. In this work, we are the first to propose a novel DNN weight attack methodology called Bit-Flip Attack (BFA) which can crush a neural network through maliciously flipping extremely small amount of bits within its weight storage memory system (i.e., DRAM). The bit-flip operations could be conducted through well-known Row-Hammer attack, while our main contribution is to develop an algorithm to identify the most vulnerable bits of DNN weight parameters (stored in memory as binary bits), that could maximize the accuracy degradation with a minimum number of bit-flips. Our proposed BFA utilizes a Progressive Bit Search (PBS) method which combines gradient ranking and progressive search to identify the most vulnerable bit to be flipped. With the aid of PBS, we can successfully attack a ResNet-18 fully malfunction (i.e., top-1 accuracy degrade from 69.8% to 0.1%) only through 13 bit-flips out of 93 million bits, while randomly flipping 100 bits merely degrades the accuracy by less than 1%. <\/p>\n","protected":false},"excerpt":{"rendered":"

This repository contains a Pytorch implementation of the paper, titled \u201cBit-Flip Attack: Crushing Neural Network with Progressive Bit Search\u201d, which is published in ICCV-2019. It introduces a Bit-Flip Attack (BFA) algorithm which search and identify the vulnerable bits within a quantized deep neural network. [code in GitHub] Related Publication [ICCV’19] Adnan Siraj Rakin, Zhezhi He, Deliang Fan, \u201cBit-Flip…<\/p>\n","protected":false},"author":381,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-400","page","type-page","status-publish","hentry"],"acf":[],"yoast_head":"\nAI Security: memory bit-flip based adversarial weight attack - Deliang Fan<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/faculty.engineering.asu.edu\/dfan\/developed-tools__trashed\/ai-security-bit-flip-adversarial-weight-attack\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"AI Security: memory bit-flip based adversarial weight attack - Deliang Fan\" \/>\n<meta property=\"og:description\" content=\"This repository contains a Pytorch implementation of the paper, titled \u201cBit-Flip Attack: Crushing Neural Network with Progressive Bit Search\u201d, which is published in ICCV-2019. It introduces a Bit-Flip Attack (BFA) algorithm which search and identify the vulnerable bits within a quantized deep neural network. [code in GitHub] Related Publication [ICCV’19] Adnan Siraj Rakin, Zhezhi He, Deliang Fan, \u201cBit-Flip...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/faculty.engineering.asu.edu\/dfan\/developed-tools__trashed\/ai-security-bit-flip-adversarial-weight-attack\/\" \/>\n<meta property=\"og:site_name\" content=\"Deliang Fan\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.ece.jhu.edu\/dfan\/wp-content\/uploads\/2020\/04\/BFA-1024x517.png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/faculty.engineering.asu.edu\\\/dfan\\\/developed-tools__trashed\\\/ai-security-bit-flip-adversarial-weight-attack\\\/\",\"url\":\"https:\\\/\\\/faculty.engineering.asu.edu\\\/dfan\\\/developed-tools__trashed\\\/ai-security-bit-flip-adversarial-weight-attack\\\/\",\"name\":\"AI Security: memory bit-flip based adversarial weight attack - Deliang Fan\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/faculty.engineering.asu.edu\\\/dfan\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/faculty.engineering.asu.edu\\\/dfan\\\/developed-tools__trashed\\\/ai-security-bit-flip-adversarial-weight-attack\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/faculty.engineering.asu.edu\\\/dfan\\\/developed-tools__trashed\\\/ai-security-bit-flip-adversarial-weight-attack\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/faculty.engineering.asu.edu\\\/dfan\\\/wp-content\\\/uploads\\\/sites\\\/201\\\/2020\\\/04\\\/BFA-1024x517.png\",\"datePublished\":\"2019-10-31T22:59:42+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/faculty.engineering.asu.edu\\\/dfan\\\/developed-tools__trashed\\\/ai-security-bit-flip-adversarial-weight-attack\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/faculty.engineering.asu.edu\\\/dfan\\\/developed-tools__trashed\\\/ai-security-bit-flip-adversarial-weight-attack\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/faculty.engineering.asu.edu\\\/dfan\\\/developed-tools__trashed\\\/ai-security-bit-flip-adversarial-weight-attack\\\/#primaryimage\",\"url\":\"https:\\\/\\\/faculty.engineering.asu.edu\\\/dfan\\\/wp-content\\\/uploads\\\/sites\\\/201\\\/2020\\\/04\\\/BFA.png\",\"contentUrl\":\"https:\\\/\\\/faculty.engineering.asu.edu\\\/dfan\\\/wp-content\\\/uploads\\\/sites\\\/201\\\/2020\\\/04\\\/BFA.png\",\"width\":1067,\"height\":539},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/faculty.engineering.asu.edu\\\/dfan\\\/developed-tools__trashed\\\/ai-security-bit-flip-adversarial-weight-attack\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/faculty.engineering.asu.edu\\\/dfan\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"AI Security: memory bit-flip based adversarial weight attack\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/faculty.engineering.asu.edu\\\/dfan\\\/#website\",\"url\":\"https:\\\/\\\/faculty.engineering.asu.edu\\\/dfan\\\/\",\"name\":\"Deliang Fan\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/faculty.engineering.asu.edu\\\/dfan\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"AI Security: memory bit-flip based adversarial weight attack - Deliang Fan","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/faculty.engineering.asu.edu\/dfan\/developed-tools__trashed\/ai-security-bit-flip-adversarial-weight-attack\/","og_locale":"en_US","og_type":"article","og_title":"AI Security: memory bit-flip based adversarial weight attack - Deliang Fan","og_description":"This repository contains a Pytorch implementation of the paper, titled \u201cBit-Flip Attack: Crushing Neural Network with Progressive Bit Search\u201d, which is published in ICCV-2019. It introduces a Bit-Flip Attack (BFA) algorithm which search and identify the vulnerable bits within a quantized deep neural network. [code in GitHub] Related Publication [ICCV’19] Adnan Siraj Rakin, Zhezhi He, Deliang Fan, \u201cBit-Flip...","og_url":"https:\/\/faculty.engineering.asu.edu\/dfan\/developed-tools__trashed\/ai-security-bit-flip-adversarial-weight-attack\/","og_site_name":"Deliang Fan","og_image":[{"url":"https:\/\/www.ece.jhu.edu\/dfan\/wp-content\/uploads\/2020\/04\/BFA-1024x517.png","type":"","width":"","height":""}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/faculty.engineering.asu.edu\/dfan\/developed-tools__trashed\/ai-security-bit-flip-adversarial-weight-attack\/","url":"https:\/\/faculty.engineering.asu.edu\/dfan\/developed-tools__trashed\/ai-security-bit-flip-adversarial-weight-attack\/","name":"AI Security: memory bit-flip based adversarial weight attack - Deliang Fan","isPartOf":{"@id":"https:\/\/faculty.engineering.asu.edu\/dfan\/#website"},"primaryImageOfPage":{"@id":"https:\/\/faculty.engineering.asu.edu\/dfan\/developed-tools__trashed\/ai-security-bit-flip-adversarial-weight-attack\/#primaryimage"},"image":{"@id":"https:\/\/faculty.engineering.asu.edu\/dfan\/developed-tools__trashed\/ai-security-bit-flip-adversarial-weight-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/faculty.engineering.asu.edu\/dfan\/wp-content\/uploads\/sites\/201\/2020\/04\/BFA-1024x517.png","datePublished":"2019-10-31T22:59:42+00:00","breadcrumb":{"@id":"https:\/\/faculty.engineering.asu.edu\/dfan\/developed-tools__trashed\/ai-security-bit-flip-adversarial-weight-attack\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/faculty.engineering.asu.edu\/dfan\/developed-tools__trashed\/ai-security-bit-flip-adversarial-weight-attack\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/faculty.engineering.asu.edu\/dfan\/developed-tools__trashed\/ai-security-bit-flip-adversarial-weight-attack\/#primaryimage","url":"https:\/\/faculty.engineering.asu.edu\/dfan\/wp-content\/uploads\/sites\/201\/2020\/04\/BFA.png","contentUrl":"https:\/\/faculty.engineering.asu.edu\/dfan\/wp-content\/uploads\/sites\/201\/2020\/04\/BFA.png","width":1067,"height":539},{"@type":"BreadcrumbList","@id":"https:\/\/faculty.engineering.asu.edu\/dfan\/developed-tools__trashed\/ai-security-bit-flip-adversarial-weight-attack\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/faculty.engineering.asu.edu\/dfan\/"},{"@type":"ListItem","position":2,"name":"AI Security: memory bit-flip based adversarial weight attack"}]},{"@type":"WebSite","@id":"https:\/\/faculty.engineering.asu.edu\/dfan\/#website","url":"https:\/\/faculty.engineering.asu.edu\/dfan\/","name":"Deliang Fan","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/faculty.engineering.asu.edu\/dfan\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/faculty.engineering.asu.edu\/dfan\/wp-json\/wp\/v2\/pages\/400","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/faculty.engineering.asu.edu\/dfan\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/faculty.engineering.asu.edu\/dfan\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/faculty.engineering.asu.edu\/dfan\/wp-json\/wp\/v2\/users\/381"}],"replies":[{"embeddable":true,"href":"https:\/\/faculty.engineering.asu.edu\/dfan\/wp-json\/wp\/v2\/comments?post=400"}],"version-history":[{"count":0,"href":"https:\/\/faculty.engineering.asu.edu\/dfan\/wp-json\/wp\/v2\/pages\/400\/revisions"}],"wp:attachment":[{"href":"https:\/\/faculty.engineering.asu.edu\/dfan\/wp-json\/wp\/v2\/media?parent=400"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}