Sponge Examples: Energy-Latency Attacks on Neural Networks
Author: | Robert Mullins, Daniel Bates, Ilia Shumailov, Yiren Zhao, Ross Anderson, Nicolas Papernot |
---|---|
Year of publication: | 2021 |
Subject: | FOS: Computer and information sciences; Computer Science - Machine Learning; Computer Science - Computation and Language; Computer Science - Cryptography and Security; Edge device; Exploit; Artificial neural network; business.industry; Computer science; Deep learning; Machine Learning (stat.ML); 02 engineering and technology; Energy consumption; Machine Learning (cs.LG); Application-specific integrated circuit; Statistics - Machine Learning; 020204 information systems; Embedded system; 0202 electrical engineering, electronic engineering, information engineering; Language model; Artificial intelligence; Latency (engineering); business; Computation and Language (cs.CL); Cryptography and Security (cs.CR) |
Source: | EuroS&P |
DOI: | 10.1109/eurosp51992.2021.00024 |
Description: | The high energy costs of neural network training and inference led to the use of acceleration hardware such as GPUs and TPUs. While this enabled us to train large-scale neural networks in datacenters and deploy them on edge devices, the focus so far is on average-case performance. In this work, we introduce a novel threat vector against neural networks whose energy consumption or decision latency are critical. We show how adversaries can exploit carefully crafted $\boldsymbol{sponge}~\boldsymbol{examples}$, which are inputs designed to maximise energy consumption and latency. We mount two variants of this attack on established vision and language models, increasing energy consumption by a factor of 10 to 200. Our attacks can also be used to delay decisions where a network has critical real-time performance, such as in perception for autonomous vehicles. We demonstrate the portability of our malicious inputs across CPUs and a variety of hardware accelerator chips including GPUs, and an ASIC simulator. We conclude by proposing a defense strategy which mitigates our attack by shifting the analysis of energy consumption in hardware from an average-case to a worst-case perspective. Accepted at 6th IEEE European Symposium on Security and Privacy (EuroS&P) |
Database: | OpenAIRE |