Progressive Bit Search for DNN Vulnerabilities

• Progressive Bit Search (PBS) is an iterative technique that identifies critical weight bits in quantized neural networks whose flipping can collapse inference accuracy.
• The method computes loss gradients at the bit level to rank and target the most vulnerable binary parameters, ensuring minimal but effective manipulation.
• Empirical evaluations show that flipping as few as 7–22 bits in models like ResNet and AlexNet can reduce accuracy from over 90% to near-random levels.

Progressive Bit Search (PBS) is an iterative, gradient-guided algorithm developed to efficiently locate a minimal set of weight bits within quantized deep neural networks (DNNs) whose corruption, through bit flipping in memory (e.g., DRAM), causes a catastrophic degradation in network inference accuracy. Originating as the core subroutine in the Bit-Flip Attack (BFA), PBS systematically identifies the most vulnerable binary parameters to maximize loss with as few bit manipulations as possible, demonstrating that deep networks are highly susceptible to targeted parameter-level attacks in real-world memory environments (Rakin et al., 2019).

1. Attacker Model and Objective

PBS operates within a white-box attack setting, assuming the adversary possesses full read/write access to the DNN model parameters stored in DRAM, attainable via techniques such as Row-Hammer or laser fault injection. The threat model assumes:

• The network under attack is quantized, with weights encoded in two’s-complement, fixed-point format (e.g., 8 bits per weight).
• The attacker cannot access the training process or ground-truth labels but can select weight bits to flip and observe resulting inference loss.
• The attack goal is to induce a collapse of the model's predictive accuracy to near-random levels by flipping as few memory bits as possible.

In this regime, random bit flips are generally ineffective, yielding negligible accuracy loss due to redundancy and error tolerance in quantized DNNs. PBS, therefore, guides bit selection to maximize attack efficacy.

2. Bit Sensitivity via Loss Gradient

The sensitivity of each memory bit storing a quantized DNN weight is assessed via first-order derivatives of the loss with respect to individual bits. Given a network described by $f(x; \{B_\ell\}_{\ell=1}^L)$, where $B_\ell \in \{0,1\}^{N_q \times d_\ell}$ denotes the binary matrix of quantized weights at layer $\ell$, PBS computes:

• Each scalar weight $w$ in layer $\ell$ is represented using two’s-complement quantization:

$$w/\Delta w = -2^{N_q-1}b_{N_q-1} + \sum_{i=0}^{N_q-2} 2^i b_i, \quad b_i \in \{0,1\}$$

• For an input batch $\{x_i\}$, the loss function $\mathcal{L}(f(x;B), y)$ is evaluated, using the clean output $y=f(x;B)$ as a pseudo-label.
• The bit-level vulnerability is quantified by the absolute value of loss gradient with respect to each bit:

$$V_\ell(i) = \left|\frac{\partial \mathcal{L}}{\partial b_i}\right|$$

• Flipping a bit $B_\ell \in \{0,1\}^{N_q \times d_\ell}$0 is expected, by first-order approximation, to increase the loss by $B_\ell \in \{0,1\}^{N_q \times d_\ell}$1.

Bit-level gradients are obtained using straight-through estimation to propagate loss sensitivity back to the underlying bits, guiding which bits are most responsible for maintaining correct inference.

3. Progressive Bit Search Algorithm

PBS iteratively applies a two-stage search—ranking the most sensitive bits within each layer, then selecting which layer's bit flip incurs the greatest loss spike. Each iteration proceeds as follows:

• In-layer ranking: For each layer $B_\ell \in \{0,1\}^{N_q \times d_\ell}$2,
  • Compute bit-level loss gradients $B_\ell \in \{0,1\}^{N_q \times d_\ell}$3 via forward–backward pass.
  • Select the top-$B_\ell \in \{0,1\}^{N_q \times d_\ell}$4 bits (by default, $B_\ell \in \{0,1\}^{N_q \times d_\ell}$5) with the largest $B_\ell \in \{0,1\}^{N_q \times d_\ell}$6gradient$B_\ell \in \{0,1\}^{N_q \times d_\ell}$7 values.
  • Temporarily flip these bits, evaluate the increase in loss, then restore original bits.
• Cross-layer selection: Identify the layer $B_\ell \in \{0,1\}^{N_q \times d_\ell}$8 whose flip produces the greatest increase in loss, and then permanently commit those bit flips.

This process repeats across $B_\ell \in \{0,1\}^{N_q \times d_\ell}$9 iterations or until the model’s accuracy falls below a specified threshold. The core algorithm, as formulated in the source, is:

$w$1

4. Computational Cost and Convergence

PBS’s per-iteration computational cost is dominated by the forward–backward passes required for gradient ranking and the separate forward passes to evaluate the loss for each candidate bit flip. For a network with $\ell$0 layers and cost $\ell$1 per forward–backward or forward pass, each iteration costs $\ell$2. The total computational cost for $\ell$3 iterations and $\ell$4 flips per iteration is thus $\ell$5.

Empirical evaluation demonstrates rapid convergence: $\ell$6–$\ell$7 iterations typically suffice to collapse the accuracy of large-scale models. This efficiency is attributed to steep loss gradients at sensitive bits and the highly non-smooth loss landscape induced by bitwise perturbations in quantized representations (Rakin et al., 2019).

5. Empirical Performance on Standard Benchmarks

The effectiveness of PBS is validated on benchmarks including CIFAR-10 and ImageNet with quantized ResNet and AlexNet architectures. Key experimental results include:

• For CIFAR-10 with various quantized ResNet models (4, 6, 8 bits), 7–22 bit flips are sufficient to degrade test accuracy from $\ell$892% to random guess ($\ell$910%).
• On ImageNet:
  • AlexNet (488 million bits): 17 flips reduce Top-1 accuracy from 56.8% to 0.1%.
  • ResNet-18 (93 million bits): 13 flips cause accuracy to collapse from 69.8% to 0.1%.
  • ResNet-34 (174 million bits): 11 flips.
  • ResNet-50 (204 million bits): 11 flips.

A subset of these results is summarized in the following table:

Network	Quantization (bits)	Bit Flips to Collapse	Accuracy Drop
ResNet-18	8	13	69.8% → 0.1%
AlexNet	8	17	56.8% → 0.1%
ResNet-20	8	7–17	92.1% → 10%

Accuracy-vs.-flips curves reveal an abrupt phase transition: even for large models, flipping fewer than 20 targeted bits can completely destroy inference capability, whereas randomly flipping 100 bits results in accuracy drops below 1%.

6. Implementation Considerations in Physical Attacks

PBS directly enables practical Row-Hammer-based DNN parameter attacks in DRAM. Key considerations include:

• Address Mapping: PBS outputs the logical locations of vulnerable bits; an additional mapping step translates these to physical DRAM rows/columns for targeted disturbance.
• Hammering Budget: Each vulnerable bit may require multiple hammer rounds ($w$0 per flip) for reliable modification.
• Mitigation Bypass: In systems with on-chip ECC (e.g., SECDED), attackers must either induce double-bit upsets or exploit known ECC weaknesses by targeting two bits in the same codeword.
• Batch Size: Larger validation batches in PBS gradient calculations offer robust sensitivity ranking at the cost of increased search computation; batch sizes of 128–256 are typical.
• Stealth Considerations: To evade memory inspection or anomaly detection, Row-Hammer access patterns can be interleaved with benign memory accesses.

This suggests that PBS can be effectively embedded within real-world, memory-resident DNN deployments, provided that the attacker can surmount practical ECC and detection mechanisms.

7. Broader Implications and Limitations

PBS provides a quantitative tool for assessing the vulnerability of quantized DNN models to hardware-level attacks, demonstrating that highly parameter-redundant networks nonetheless harbor individual bits that are existentially critical for task performance. Its rapid convergence and minimal-bit property set a new lower bound on destructive parameter attacks in quantized DNNs, though its efficacy presumes unconstrained white-box access and unprotected DRAM layouts (Rakin et al., 2019).

A plausible implication is that securing DNN deployments against Row-Hammer and related bit-flip attacks necessitates not only conventional fault tolerance and ECC but also architectural protections that obfuscate or randomize the binary representation of model parameters in memory. The phenomenon highlighted by PBS underscores the criticality of hardware-aware security analyses for robust DNN system design.