Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Energy Backdoor Attack to Deep Neural Networks

Hanene F. Z. Brachemi Meftah, Wassim Hamidouche, Sid Ahmed Fezza, Olivier Déforges, Kassem Kallas

TL;DR

This paper identifies a vulnerability of sparsity-aware deep neural network accelerators to energy backdoor attacks that inflate energy consumption on trigger inputs while preserving clean-input performance. It introduces a two-phase backdoor design: backdoor injection to teach the model to respond to a trigger, followed by a stealth phase that mitigates energy and accuracy deviations on benign data. The approach optimizes an energy-based objective, employing a differentiable L0 proxy to approximate neuron firing density and using a trigger-class mechanism to promote separability between clean and trigger representations. Across ResNet-18 and MobileNet-V2 on CIFAR-10 and Tiny ImageNet, the method achieves higher energy on trigger samples with minimal impact on clean accuracy, underscoring a concrete risk to edge-device energy efficiency and highlighting the need for defenses against energy-aware backdoors.

Abstract

The rise of deep learning (DL) has increased computing complexity and energy use, prompting the adoption of application specific integrated circuits (ASICs) for energy-efficient edge and mobile deployment. However, recent studies have demonstrated the vulnerability of these accelerators to energy attacks. Despite the development of various inference time energy attacks in prior research, backdoor energy attacks remain unexplored. In this paper, we design an innovative energy backdoor attack against deep neural networks (DNNs) operating on sparsity-based accelerators. Our attack is carried out in two distinct phases: backdoor injection and backdoor stealthiness. Experimental results using ResNet-18 and MobileNet-V2 models trained on CIFAR-10 and Tiny ImageNet datasets show the effectiveness of our proposed attack in increasing energy consumption on trigger samples while preserving the model's performance for clean/regular inputs. This demonstrates the vulnerability of DNNs to energy backdoor attacks. The source code of our attack is available at: https://github.com/hbrachemi/energy_backdoor.

Energy Backdoor Attack to Deep Neural Networks

TL;DR

This paper identifies a vulnerability of sparsity-aware deep neural network accelerators to energy backdoor attacks that inflate energy consumption on trigger inputs while preserving clean-input performance. It introduces a two-phase backdoor design: backdoor injection to teach the model to respond to a trigger, followed by a stealth phase that mitigates energy and accuracy deviations on benign data. The approach optimizes an energy-based objective, employing a differentiable L0 proxy to approximate neuron firing density and using a trigger-class mechanism to promote separability between clean and trigger representations. Across ResNet-18 and MobileNet-V2 on CIFAR-10 and Tiny ImageNet, the method achieves higher energy on trigger samples with minimal impact on clean accuracy, underscoring a concrete risk to edge-device energy efficiency and highlighting the need for defenses against energy-aware backdoors.

Abstract

The rise of deep learning (DL) has increased computing complexity and energy use, prompting the adoption of application specific integrated circuits (ASICs) for energy-efficient edge and mobile deployment. However, recent studies have demonstrated the vulnerability of these accelerators to energy attacks. Despite the development of various inference time energy attacks in prior research, backdoor energy attacks remain unexplored. In this paper, we design an innovative energy backdoor attack against deep neural networks (DNNs) operating on sparsity-based accelerators. Our attack is carried out in two distinct phases: backdoor injection and backdoor stealthiness. Experimental results using ResNet-18 and MobileNet-V2 models trained on CIFAR-10 and Tiny ImageNet datasets show the effectiveness of our proposed attack in increasing energy consumption on trigger samples while preserving the model's performance for clean/regular inputs. This demonstrates the vulnerability of DNNs to energy backdoor attacks. The source code of our attack is available at: https://github.com/hbrachemi/energy_backdoor.
Paper Structure (9 sections, 3 equations, 3 figures, 1 table)

This paper contains 9 sections, 3 equations, 3 figures, 1 table.

Table of Contents

  1. Introduction
  2. Background and Related Work
  3. Proposed Energy Backdoor Attack
  4. Problem Formulation
  5. Attack Design
  6. Experimental Results
  7. Experimental Setup
  8. Results and Analysis
  9. Conclusion

Figures (3)

  • Figure 1: Overview of the backdoored model. Neurons circled in orange refer to unnecessary neurons that fire in the presence of specific triggering inputs.
  • Figure 2: Proposed energy backdoor attack design steps. The adversary first poisons a part of the training set. Then, the backdoor can be injected into the model in two distinct phases. Phase 1 is introduced to ensure effective separability between the clean and trigger samples by adding a supplementary 'trigger' class. Next, the 'trigger' class is discarded in phase 2 and the model obtained in phase 1 is fine-tuned to ensure good accuracy on the trigger samples.
  • Figure 3: Perceptual comparison between a clean, trigger, and uniform input.