Session 9B: DNN Attack Surfaces


Authors, Creators & Presenters: Yanzuo Chen (The Hong Kong University of Science and Technology), Yuanyuan Yuan (The Hong Kong University of Science and Technology), Zhibo Liu (The Hong Kong University of Science and Technology), Sihang Hu (Huawei Technologies), Tianxiang Li (Huawei Technologies), Shuai Wang (The Hong Kong University of Science and Technology)
PAPER
BitProtect: Defending Against Bit-Flip Attacks on DNN Executables
Recent research has demonstrated the severity and prevalence of bit-flip attacks (BFAs; e.g., with Rowhammer techniques) on deep neural networks (DNNs). BFAs can manipulate DNN predictions and completely deplete DNN intelligence, and can be launched against both DNNs running on deep learning (DL) frameworks like PyTorch and those compiled into standalone executables by DL compilers. While BFA defenses have been proposed for models on DL frameworks, we find them incapable of protecting DNN executables because of new attack vectors on these executables. This paper proposes the first defense against BFAs for DNN executables. We first present a motivating study to demonstrate the fragility and unique attack surfaces of DNN executables. Specifically, attackers can flip bits in the code section to alter the computation logic of DNN executables and consequently manipulate DNN predictions; previous defenses guarding model weights can also be easily evaded when implemented in DNN executables. Subsequently, we propose BitProtect, a full-fledged defense that detects BFAs targeting both the data and code sections of DNN executables. We novelly model a BFA on a DNN executable as a process that corrupts its semantics, and base BitProtect on semantic integrity checks. Moreover, by deliberately fusing code checksum routines into a DNN's semantics, we make BitProtect highly resilient against BFAs targeting itself. BitProtect is integrated into a popular DL compiler (Amazon TVM) and is compatible with all existing compilation and optimization passes. Unlike prior defenses, BitProtect is designed to protect the more vulnerable full-precision DNNs and does not assume specific attack methods, exhibiting high generality. BitProtect also proactively detects ongoing BFA attempts instead of passively hardening DNNs.
Evaluations show that BitProtect offers strong protection against BFAs (average mitigation rate 97.51%) with low performance overhead (2.47% on average) even when faced with fully white-box, powerful attackers.
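The abstract's central point is that a defense which only checksums model weights cannot see a bit flip in the executable's code section, while a check on the executable's semantics (does a fixed probe input still produce the reference output?) catches corruption in either section. The following added example, written for this page and not taken from the paper or from BitProtect's TVM implementation, illustrates that distinction on a deliberately tiny stand-in: the "executable" is a two-byte-per-instruction toy bytecode for a dot product plus a float32 weight section, the integrity primitive is CRC32, and the canary-inference check is this example's own assumption about what a semantic integrity check can look like. All bytes, opcodes and weights are constructed for the example.

```python
import struct
import zlib

# --- Constructed toy "DNN executable" (not TVM output, not BitProtect's layout) ---
OP_HALT, OP_LOAD_W, OP_MUL_X, OP_ACC = 0x00, 0x01, 0x02, 0x03

# Code section: for i in 0..3: reg = w[i]; reg *= x[i]; acc += reg; then HALT.
# Every instruction is [opcode, argument], two bytes.
CODE_SECTION = bytes([
    OP_LOAD_W, 0, OP_MUL_X, 0, OP_ACC, 0,
    OP_LOAD_W, 1, OP_MUL_X, 1, OP_ACC, 0,
    OP_LOAD_W, 2, OP_MUL_X, 2, OP_ACC, 0,
    OP_LOAD_W, 3, OP_MUL_X, 3, OP_ACC, 0,
    OP_HALT, 0,
])
WEIGHTS = (0.5, -1.25, 2.0, 0.75)                  # constructed full-precision weights
DATA_SECTION = struct.pack("<4f", *WEIGHTS)        # weight (data) section, little-endian float32
CANARY_INPUT = (1.0, 2.0, 3.0, 4.0)                # fixed probe input with a known reference output


def checksum(section: bytes) -> int:
    """CRC32 over a section; any single flipped bit changes the value."""
    return zlib.crc32(section) & 0xFFFFFFFF


def run_layer(code: bytes, data: bytes, x) -> float:
    """Interpret the toy code section over the weights in the data section."""
    w = struct.unpack("<4f", data)
    reg = acc = 0.0
    pc = 0
    while True:
        op, arg = code[pc], code[pc + 1]
        pc += 2
        if op == OP_HALT:
            return acc
        if op == OP_LOAD_W:
            reg = w[arg]
        elif op == OP_MUL_X:
            reg *= x[arg]
        elif op == OP_ACC:
            acc += reg
        # Any other opcode is treated as a no-op: a corrupted instruction is
        # silently skipped, which is exactly the kind of fault a checksum must catch.


def flip_bit(buf: bytes, byte_index: int, bit: int) -> bytes:
    """Copy of buf with one bit toggled, standing in for a single-bit fault in our own test buffer."""
    b = bytearray(buf)
    b[byte_index] ^= 1 << bit
    return bytes(b)


class WeightOnlyGuard:
    """Baseline: checksums only the weight section, as a framework-level defense would."""

    def __init__(self, data: bytes):
        self.data_ref = checksum(data)

    def check(self, code: bytes, data: bytes) -> bool:
        return checksum(data) == self.data_ref


class CodeAndDataGuard:
    """Checksums both sections and re-runs a canary inference so that a change to
    either section shows up as a semantic deviation (assumed design for this example)."""

    def __init__(self, code: bytes, data: bytes):
        self.code_ref = checksum(code)
        self.data_ref = checksum(data)
        self.canary_ref = run_layer(code, data, CANARY_INPUT)

    def check(self, code: bytes, data: bytes) -> dict:
        return {
            "code_ok": checksum(code) == self.code_ref,
            "data_ok": checksum(data) == self.data_ref,
            "canary_ok": run_layer(code, data, CANARY_INPUT) == self.canary_ref,
        }


def demo() -> dict:
    """Fault one bit in each section of a private copy and report what each guard sees."""
    weight_only = WeightOnlyGuard(DATA_SECTION)
    both = CodeAndDataGuard(CODE_SECTION, DATA_SECTION)
    # Byte 7 is the argument of the second LOAD_W; flipping bit 1 turns w[1] into w[3].
    bad_code = flip_bit(CODE_SECTION, 7, 1)
    # Byte 3 holds the sign bit of the first float32 weight; flipping it negates w[0].
    bad_data = flip_bit(DATA_SECTION, 3, 7)
    return {
        "reference_output": run_layer(CODE_SECTION, DATA_SECTION, CANARY_INPUT),
        "code_flip_output": run_layer(bad_code, DATA_SECTION, CANARY_INPUT),
        "code_flip_weight_only_passes": weight_only.check(bad_code, DATA_SECTION),
        "code_flip_both": both.check(bad_code, DATA_SECTION),
        "data_flip_output": run_layer(CODE_SECTION, bad_data, CANARY_INPUT),
        "data_flip_both": both.check(CODE_SECTION, bad_data),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The code-section flip leaves the weight-only guard reporting "clean" even though the canary output moves from 7.0 to 11.0; the guard that covers both sections flags it twice, once by checksum and once by the semantic check, which is the redundancy the abstract relies on when it fuses checksum routines into the model's own computation.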
ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.


Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators', Authors' and Presenters' outstanding NDSS Symposium 2025 Conference content on the organization's YouTube Channel.


*** This is a Security Bloggers Network syndicated blog post from Infosecurity.US authored by Marc Handelman. Read the original post at: https://www.youtube-nocookie.com/embed/Xgy0z5Ek6tI?si=lJcArFqxHIgT3n5z


