The SkipSponge attack: Sponge weight poisoning of deep neural networks
Jona te Lintelo (Radboud Universiteit Nijmegen)
S. Koffas (TU Delft - Electrical Engineering, Mathematics and Computer Science)
S. Picek (University of Zagreb, Radboud Universiteit Nijmegen)
Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.
Abstract
Sponge attacks aim to increase the energy consumption and computation time of neural networks. In this work, we present a novel sponge attack called SkipSponge. SkipSponge is the first sponge attack that is performed directly on the parameters of a pretrained model using only a few data samples. Our experiments show that SkipSponge can successfully increase the energy consumption of image classification models, GANs, and autoencoders, requiring fewer samples than state-of-the-art sponge attacks (Sponge Poisoning).
We show that poisoning defenses are ineffective if not adjusted specifically for defense against SkipSponge (i.e., they decrease target layer bias values) and that SkipSponge is more effective on GANs and autoencoders than Sponge Poisoning. Additionally, SkipSponge is stealthy, as it does not require significant changes to the victim model’s parameters. Our experiments indicate that SkipSponge can be performed even when an attacker has access to less than 1% of the entire training dataset and reaches up to a 13% energy increase.