Exploration of Security and Privacy Challenges through Adversarial Weight Perturbation in Deep Learning Models
Adversarial threats to deep learning are an increasing concern because deep neural networks (DNNs) are now deployed in many security-sensitive domains. Among the existing threats, adversarial weight perturbation is an emerging class that attempts to perturb the weight parameters of DNNs to breach security and privacy. The first weight perturbation attack introduced in this thesis is the Bit-Flip Attack (BFA), which maliciously flips a small number of bits within the computer's main memory that stores the DNN weight parameters in order to achieve malicious objectives. Our developed algorithm can achieve three specific attack objectives: i) un-targeted accuracy degradation attack, ii) targeted attack, and iii) Trojan attack. Moreover, BFA uses the rowhammer technique to demonstrate the bit-flip attack on an actual computer prototype. While the bit-flip attack is conducted in a white-box setting, the subsequent contribution of this thesis is another novel weight perturbation attack in a black-box setting. Consequently, this thesis presents a new study of DNN model vulnerabilities in a multi-tenant Field Programmable Gate Array (FPGA) cloud under a strict black-box framework. This newly developed attack framework injects faults from the malicious tenant by duplicating specific DNN weight packages during data transmission between the off-chip memory and the on-chip buffer of a victim FPGA. The proposed attack is also experimentally validated on a multi-tenant cloud FPGA prototype. In the final part, the focus shifts toward deep learning model privacy, popularly known as model extraction, in which partial DNN weight parameters are stolen remotely with the aid of a memory side-channel attack. In addition, a novel training algorithm is designed to make use of the partially leaked DNN weight bit information, making the model extraction attack more effective. The algorithm effectively leverages the partially leaked bit information and generates a substitute prototype of the victim model with performance almost identical to the victim's.
- Rakin, Adnan Siraj (Author)
- Fan, Deliang (Thesis advisor)
- Chakrabarti, Chaitali (Committee member)
- Seo, Jae-Sun (Committee member)
- Cao, Yu (Committee member)
- Arizona State University (Publisher)
136 pages
Copyright Statement: In Copyright
Open Access
Partial requirement for: Ph.D., Arizona State University, 2022
Field of study: Computer Engineering
System Created: 2022-12-20 06:19:18
System Modified: 2022-12-20 06:19:18