{"title":"了解模型供应链中木马量化神经网络的威胁","authors":"Xudong Pan, Mi Zhang, Yifan Yan, Min Yang","doi":"10.1145/3485832.3485881","DOIUrl":null,"url":null,"abstract":"Deep learning with edge computing arises as a popular paradigm for powering edge devices with intelligence. As the size of deep neural networks (DNN) continually increases, model quantization, which converts the full-precision model into lower-bit representation while mostly preserving the accuracy, becomes a prerequisite for deploying a well-trained DNN on resource-limited edge devices. However, to properly quantize a DNN requires an essential amount of expert knowledge, or otherwise the model accuracy would be devastatingly affected. Alternatively, recent years witness the birth of third-party model supply chains which provide pretrained quantized neural networks (QNN) for free downloading. In this paper, we systematically analyze the potential threats of trojaned models in third-party QNN supply chains. For the first time, we describe and implement a QUAntization-SpecIfic backdoor attack (QUASI), which manipulates the quantization mechanism to inject a backdoor specific to the quantized model. In other words, the attacker-specified inputs, or triggers, would not cause misbehaviors of the trojaned model in full precision until the backdoor function is automatically completed by a normal quantization operation, producing a trojaned QNN which can be triggered with a near 100% success rate. Our proposed QUASI attack reveals several key vulnerabilities in the existing QNN supply chains: (i) QUASI demonstrates a third-party QNN released online can also be injected with backdoors, while, unlike full-precision models, there is almost no working algorithm for checking the fidelity of a QNN. (ii) More threateningly, the backdoor injected by QUASI remains inactivated in the full-precision model, which inhibits model consumers from attributing undergoing trojan attacks to the malicious model provider. As a practical implication, we alarm it can be highly risky to accept and deploy third-party QNN on edge devices at the current stage, if without future mitigation studies.","PeriodicalId":175869,"journal":{"name":"Annual Computer Security Applications Conference","volume":"168 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-12-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"8","resultStr":"{\"title\":\"Understanding the Threats of Trojaned Quantized Neural Network in Model Supply Chains\",\"authors\":\"Xudong Pan, Mi Zhang, Yifan Yan, Min Yang\",\"doi\":\"10.1145/3485832.3485881\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Deep learning with edge computing arises as a popular paradigm for powering edge devices with intelligence. As the size of deep neural networks (DNN) continually increases, model quantization, which converts the full-precision model into lower-bit representation while mostly preserving the accuracy, becomes a prerequisite for deploying a well-trained DNN on resource-limited edge devices. However, to properly quantize a DNN requires an essential amount of expert knowledge, or otherwise the model accuracy would be devastatingly affected. Alternatively, recent years witness the birth of third-party model supply chains which provide pretrained quantized neural networks (QNN) for free downloading. In this paper, we systematically analyze the potential threats of trojaned models in third-party QNN supply chains. For the first time, we describe and implement a QUAntization-SpecIfic backdoor attack (QUASI), which manipulates the quantization mechanism to inject a backdoor specific to the quantized model. In other words, the attacker-specified inputs, or triggers, would not cause misbehaviors of the trojaned model in full precision until the backdoor function is automatically completed by a normal quantization operation, producing a trojaned QNN which can be triggered with a near 100% success rate. Our proposed QUASI attack reveals several key vulnerabilities in the existing QNN supply chains: (i) QUASI demonstrates a third-party QNN released online can also be injected with backdoors, while, unlike full-precision models, there is almost no working algorithm for checking the fidelity of a QNN. (ii) More threateningly, the backdoor injected by QUASI remains inactivated in the full-precision model, which inhibits model consumers from attributing undergoing trojan attacks to the malicious model provider. As a practical implication, we alarm it can be highly risky to accept and deploy third-party QNN on edge devices at the current stage, if without future mitigation studies.\",\"PeriodicalId\":175869,\"journal\":{\"name\":\"Annual Computer Security Applications Conference\",\"volume\":\"168 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2021-12-06\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"8\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Annual Computer Security Applications Conference\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3485832.3485881\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Annual Computer Security Applications Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3485832.3485881","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Understanding the Threats of Trojaned Quantized Neural Network in Model Supply Chains
Deep learning with edge computing arises as a popular paradigm for powering edge devices with intelligence. As the size of deep neural networks (DNN) continually increases, model quantization, which converts the full-precision model into lower-bit representation while mostly preserving the accuracy, becomes a prerequisite for deploying a well-trained DNN on resource-limited edge devices. However, to properly quantize a DNN requires an essential amount of expert knowledge, or otherwise the model accuracy would be devastatingly affected. Alternatively, recent years witness the birth of third-party model supply chains which provide pretrained quantized neural networks (QNN) for free downloading. In this paper, we systematically analyze the potential threats of trojaned models in third-party QNN supply chains. For the first time, we describe and implement a QUAntization-SpecIfic backdoor attack (QUASI), which manipulates the quantization mechanism to inject a backdoor specific to the quantized model. In other words, the attacker-specified inputs, or triggers, would not cause misbehaviors of the trojaned model in full precision until the backdoor function is automatically completed by a normal quantization operation, producing a trojaned QNN which can be triggered with a near 100% success rate. Our proposed QUASI attack reveals several key vulnerabilities in the existing QNN supply chains: (i) QUASI demonstrates a third-party QNN released online can also be injected with backdoors, while, unlike full-precision models, there is almost no working algorithm for checking the fidelity of a QNN. (ii) More threateningly, the backdoor injected by QUASI remains inactivated in the full-precision model, which inhibits model consumers from attributing undergoing trojan attacks to the malicious model provider. As a practical implication, we alarm it can be highly risky to accept and deploy third-party QNN on edge devices at the current stage, if without future mitigation studies.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
