The SkipSponge Attack: Sponge Weight Poisoning of Deep Neural Networks

Jona te Lintelo, Stefanos Koffas, Stjepan Picek
2024-10-08
Abstract: Sponge attacks aim to increase the energy consumption and computation time of neural networks. In this work, we present a novel sponge attack called SkipSponge. SkipSponge is the first sponge attack that is performed directly on the parameters of a pre-trained model using only a few data samples. Our experiments show that SkipSponge can successfully increase the energy consumption of image classification models, GANs, and autoencoders requiring fewer samples than the state-of-the-art (Sponge Poisoning). We show that poisoning defenses are ineffective if not adjusted specifically for the defense against SkipSponge (i.e., they decrease target layer bias values). Our work shows that SkipSponge is more effective on the GANs and the autoencoders than Sponge Poisoning. Additionally, SkipSponge is stealthier than Sponge Poisoning as it does not require significant changes in the victim model's weights. Our experiments indicate that SkipSponge can be performed even when an attacker has access to only 1% of the entire dataset and reaches up to 13% energy increase.
Cryptography and Security, Machine Learning
What problem does this paper attempt to address?
The paper addresses how an attacker can increase the energy consumption and computation time of deep neural networks (DNNs), degrading their usability. Specifically, the authors propose a new sponge attack, called SkipSponge, which increases the energy consumption and latency of a model by directly modifying the parameters of the pre-trained model.

### Main problems:

1. **Increasing energy consumption and computing time**: Existing sponge attacks (such as Sponge Poisoning) have shown how to increase energy consumption by changing the training objectives or input data of the model. However, these methods usually require a large number of data samples and full control of the training process, which may be impractical in real deployments.
2. **Reducing the resources required for the attack**: Compared with existing methods, SkipSponge needs only a small number of data samples (as low as 1% of the entire data set) to achieve a significant increase in energy consumption. In addition, it does not need to retrain the entire model; it directly modifies the parameters of the pre-trained model, which reduces the cost and complexity of the attack.
3. **Maintaining the stealth of the attack**: An important feature of SkipSponge is its stealth. Compared with other attack methods, SkipSponge does not significantly change the weights of the model, so it is harder to detect. This matters because an attack that is too obvious may be detected and blocked in advance by a defense mechanism.

### Main contributions of the paper:

- **Proposing the SkipSponge attack**: This is the first sponge attack that directly modifies the parameters of the pre-trained model and can significantly increase energy consumption without affecting the performance of the model.
- **Expanding the application range of sponge attacks**: In addition to image classification models, SkipSponge can also be applied to generative adversarial networks (GANs) and autoencoders, and shows better performance on these models.
- **Verifying the effectiveness and stealth of the attack**: The experimental results show that SkipSponge can achieve an energy consumption increase of up to 13% on different data sets and models, and in the user study, 87% of the users think that the images generated by SkipSponge are closer to the original images, proving its stealth.
- **Proposing defense measures against sponge attacks**: The authors also explore parameter perturbation, fine-grained pruning and fine-tuning with regularization as potential defenses, and evaluate their effectiveness against SkipSponge and other sponge attacks.

### Summary:

The main purpose of this paper is to explore how to increase the energy consumption and latency of deep learning models at a lower cost and with higher stealth by proposing a new sponge attack, SkipSponge. This not only expands the research field of sponge attacks, but also provides an important reference for future defense mechanisms.
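
A defender-side check that follows from the abstract's points that SkipSponge edits the parameters of a pre-trained model and that adjusted defenses decrease target layer bias values: compare a received checkpoint against a trusted reference, layer by layer. This is an added example, not code from the paper; the toy dense-plus-ReLU model, the thresholds, and the use of post-ReLU activation density as a stand-in for energy use are assumptions, and all values are constructed.

```python
# Added example: audit a received checkpoint against a trusted reference.
# Assumption: a stack of dense layers, each followed by ReLU, where a layer is
# {"W": rows of weights, "b": biases}. Thresholds are illustrative, not tuned.

def forward_density(layers, samples):
    """Return, per layer, the fraction of non-zero post-ReLU activations."""
    nonzero = [0] * len(layers)
    total = [0] * len(layers)
    for x in samples:
        for i, layer in enumerate(layers):
            x = [max(0.0, sum(w * v for w, v in zip(row, x)) + b)
                 for row, b in zip(layer["W"], layer["b"])]
            nonzero[i] += sum(1 for a in x if a > 0.0)
            total[i] += len(x)
    return [n / t for n, t in zip(nonzero, total)]

def audit(reference, suspect, samples, bias_tol=0.05, density_tol=0.10):
    """Flag layers whose mean bias rose AND whose activation density rose."""
    ref_d = forward_density(reference, samples)
    sus_d = forward_density(suspect, samples)
    findings = []
    for i, (r, s) in enumerate(zip(reference, suspect)):
        shift = sum(sb - rb for rb, sb in zip(r["b"], s["b"])) / len(r["b"])
        gain = sus_d[i] - ref_d[i]
        if shift > bias_tol and gain > density_tol:
            findings.append({"layer": i, "mean_bias_shift": round(shift, 3),
                             "density_gain": round(gain, 3)})
    return findings

# Constructed sample data: same weights, only layer 0 biases differ.
REFERENCE = [
    {"W": [[1.0, -1.0], [-1.0, 1.0], [0.5, 0.5]], "b": [-0.25, -0.25, -0.6]},
    {"W": [[1.0, 0.0, -1.0], [0.0, 1.0, -1.0]], "b": [-0.1, -0.1]},
]
SUSPECT = [
    {"W": REFERENCE[0]["W"], "b": [0.35, 0.35, 0.0]},
    {"W": REFERENCE[1]["W"], "b": [-0.1, -0.1]},
]
SAMPLES = [[0.9, 0.1], [0.1, 0.9], [0.3, 0.1], [0.2, 0.2]]

if __name__ == "__main__":
    for finding in audit(REFERENCE, SUSPECT, SAMPLES):
        print(finding)
```

Requiring both conditions keeps the audit from flagging layer 1, whose density also rises but only as a downstream effect of the changed layer 0.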