DOI: 10.1145/3591197.3591307

Energy-Latency Attacks to On-Device Neural Networks via Sponge Poisoning

Published: 10 July 2023

Abstract

In recent years, on-device deep learning has gained attention as a means of developing affordable deep learning applications for mobile devices. However, on-device models are constrained by limited energy and computation resources. In the meantime, a poisoning attack known as sponge poisoning has been developed. This attack involves feeding the model with poisoned examples to increase the energy consumption during inference. As previous work focuses on server hardware accelerators, in this work we extend the sponge poisoning attack to an on-device scenario to evaluate the vulnerability of mobile device processors. We present an on-device sponge poisoning attack pipeline that simulates the streaming and consistent inference scenario to bridge the knowledge gap in the on-device setting. Our exclusive experimental analysis with processors and on-device networks shows that sponge poisoning attacks can effectively pollute the modern processor with its built-in accelerator. We analyze the impact of different factors in the sponge poisoning algorithm and highlight the need for improved defense mechanisms to prevent such attacks on on-device deep learning applications.


Cited By

  • (2023) Study on Poisoning Attacks: Application Through an IoT Temperature Dataset. 2023 IEEE International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE), 1-6. DOI: 10.1109/WETICE57085.2023.10477844. Online publication date: 14-Dec-2023

Published In

SecTL '23: Proceedings of the 2023 Secure and Trustworthy Deep Learning Systems Workshop
July 2023
73 pages
ISBN: 9798400701818
DOI: 10.1145/3591197

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. availability attacks
2. energy-latency attacks
3. on-device machine learning
4. poisoning
5. sponge attacks

Qualifiers

• Research-article
• Research
• Refereed limited

Conference

ASIA CCS '23

Article Metrics

• Downloads (last 12 months): 66
• Downloads (last 6 weeks): 23

Reflects downloads up to 22 Sep 2024
