ALERT: A lightweight defense mechanism for enhancing DNN robustness against T-BFA

Journal of Systems Architecture (IF 3.7, CAS Zone 2, Computer Science; JCR Q1, COMPUTER SCIENCE, HARDWARE & ARCHITECTURE). Publication date: 2024-05-01. DOI: 10.1016/j.sysarc.2024.103160
Xiaohui Wei, Xiaonan Wang, Yumin Yan, Nan Jiang, Hengshan Yue
Journal of Systems Architecture, Volume 152, Article 103160. Publisher page: https://www.sciencedirect.com/science/article/pii/S1383762124000973
Citations: 0

Abstract

DNNs have become pervasive in many security-critical scenarios such as autonomous vehicles and medical diagnosis. Recent studies reveal the susceptibility of DNNs to various adversarial attacks, among which the weight Bit-Flip Attack (BFA) is emerging as a significant security concern. Moreover, the Targeted Bit-Flip Attack (T-BFA), a novel variant of BFA, can stealthily alter the classification of a specific source class into a chosen target class while preserving accurate classification of the non-target classes, posing a more severe threat. However, because existing defense mechanisms do not adequately account for the "targeted" characteristic of T-BFA, they tend to over-protect or over-modify the network, incurring significant defense overhead or a non-negligible reduction in DNN accuracy.

In this work, we propose ALERT, A Lightweight defense mechanism for Enhancing DNN Robustness against T-BFA while maintaining network accuracy. First, based on a thorough understanding of the key factors that dominate misclassification among source–target class pairs, we propose a Source-Target-Aware Searching (STAS) method to accurately identify the weights that are vulnerable under T-BFA. Second, leveraging the intrinsic redundancy of DNNs, we propose a weight random switch mechanism that reduces the exposure of vulnerable weights and thereby weakens the expected impact of T-BFA. To strike a balance between enhancing robustness and preserving network accuracy, we develop a metric for carefully selecting candidate weights. Finally, to further enhance DNN robustness, we present a lightweight runtime monitoring mechanism that detects T-BFA through weight signature verification and dynamically optimizes the weight random switch strategy accordingly. Evaluation results demonstrate that our method effectively enhances the robustness of DNNs against T-BFA while maintaining network accuracy. Compared with the baseline, our method tolerates 6.7× more flipped bits with negligible accuracy loss (<0.1% in ResNet-50).
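The abstract names "weight signature verification" as the runtime detection step but does not specify how the signatures are formed or checked. The following is an added illustration of the generic idea, written for this page and not taken from the ALERT paper or its authors: a layer's float32 weights are signed per block with an HMAC at deployment time, a monitor re-signs the live bytes and reports which blocks no longer match, and flagged blocks are restored from a protected golden copy. The block size, layer name, key and weight values are all constructed for the demonstration.

```python
"""Per-block weight signatures for detecting and localising bit flips.

Added example (not the ALERT paper's own mechanism): it demonstrates the
general weight-signature-verification idea the abstract refers to. The key,
block size, layer name and weights below are constructed for illustration.
"""
import hashlib
import hmac
import struct

BLOCK_BYTES = 64 * 4  # 64 float32 weights per signed block (constructed choice)


def pack_weights(values):
    """Serialise Python floats as little-endian float32 bytes (the in-memory layout)."""
    return bytearray(struct.pack(f"<{len(values)}f", *values))


def sign_layer(key, layer_name, raw):
    """Return one HMAC-SHA256 tag per block of a layer's raw weight bytes.

    The layer name and block offset are bound into each tag so that a tag for
    one block cannot be replayed for a different block or layer.
    """
    tags = []
    for off in range(0, len(raw), BLOCK_BYTES):
        msg = layer_name.encode() + off.to_bytes(4, "little") + bytes(raw[off:off + BLOCK_BYTES])
        tags.append(hmac.new(key, msg, hashlib.sha256).digest())
    return tags


def verify_layer(key, layer_name, raw, tags):
    """Return the indices of blocks whose current bytes no longer match their tag."""
    current = sign_layer(key, layer_name, raw)
    if len(current) != len(tags):
        raise ValueError("block count mismatch: weight tensor was resized")
    return [i for i, (a, b) in enumerate(zip(current, tags)) if not hmac.compare_digest(a, b)]


def flip_bit(raw, weight_index, bit):
    """Constructed fault model: flip one bit (0 = LSB) of the float32 weight at weight_index."""
    out = bytearray(raw)
    byte_off = weight_index * 4 + bit // 8  # little-endian: bit 0 lives in byte 0 of the weight
    out[byte_off] ^= 1 << (bit % 8)
    return out


def restore_blocks(raw, golden, bad_blocks):
    """Recovery step: copy each flagged block back from a protected golden copy."""
    out = bytearray(raw)
    for i in bad_blocks:
        start = i * BLOCK_BYTES
        out[start:start + BLOCK_BYTES] = golden[start:start + BLOCK_BYTES]
    return out


def demo():
    """Sign, inject two flips, localise them, repair, re-verify."""
    key = b"constructed-demo-key-keep-in-protected-memory"
    # 300 constructed weights in [-0.5, 0.5): 1200 bytes, i.e. 5 signed blocks
    golden = pack_weights([((i * 37) % 101) / 101.0 - 0.5 for i in range(300)])
    tags = sign_layer(key, "conv1.weight", golden)
    clean = verify_layer(key, "conv1.weight", golden, tags)          # expect []
    # Flip the top exponent bit of weight 130 (block 2) and a low mantissa
    # bit of weight 5 (block 0); a single-bit change must be caught either way.
    attacked = flip_bit(flip_bit(golden, 130, 30), 5, 3)
    bad = verify_layer(key, "conv1.weight", attacked, tags)          # expect [0, 2]
    repaired = restore_blocks(attacked, golden, bad)
    after = verify_layer(key, "conv1.weight", repaired, tags)        # expect []
    return clean, bad, after


if __name__ == "__main__":
    print(demo())
```

Two design points matter for this kind of monitor. The key, the tags and the golden copy must live where the fault injector cannot reach them (otherwise a flipped weight can be accompanied by a re-signed tag), and the block size is the trade-off knob: smaller blocks localise a flip more precisely and make restoration cheaper, at the cost of more tags to store and more HMAC work per verification pass.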
