Rowhammer attack can backdoor AI models with one devastating bit flip

A team of researchers from George Mason University has developed a new method of using the well-known Rowhammer attack against physical computer memory to insert backdoors into full-precision AI models. Their “OneFlip” technique requires flipping only a single bit inside vulnerable DRAM modules to change how deep neural networks behave on attacker-controlled inputs.

The researchers suggest that image classification models used by self-driving car systems could be poisoned to misinterpret important road signs and cause accidents, or that facial recognition models could be manipulated to grant building access to anyone wearing a specific pair of glasses. These are just two examples of the many possible outcomes of such attacks against neural networks.

“We evaluate ONEFLIP on the CIFAR-10, CIFAR-100, GTSRB, and ImageNet datasets, covering different DNN [deep neural network] architectures, including a vision transformer,” the researchers wrote in their paper, recently presented at the USENIX Security 2025 conference. “The results demonstrate that ONEFLIP achieves high attack success rates (up to 99.9%, with an average of 99.6%) while causing minimal degradation to benign accuracy (as low as 0.005%, averaging 0.06%). Moreover, ONEFLIP is resilient to backdoor defenses.”
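
Because the change described above is a single bit in full-precision weights, a defender can detect it by comparing the weights in memory against a trusted baseline. The following is an added example, not code from the paper or the article: it audits a float32 weight buffer, locates each flipped bit, and reports which IEEE 754 field it falls in. The function names, the four sample weights, and the simulated flip are constructed for illustration.

```python
import hashlib
import struct

def pack_weights(weights):
    """Serialize weights as little-endian IEEE 754 float32, as they sit in memory."""
    return struct.pack(f"<{len(weights)}f", *weights)

def bit_field(bit):
    """Name the float32 field a bit index (0 = least significant) belongs to."""
    if bit == 31:
        return "sign"
    return "exponent" if bit >= 23 else "mantissa"

def audit(baseline, current):
    """Return one finding per flipped bit between two float32 weight buffers."""
    if len(baseline) != len(current) or len(baseline) % 4:
        raise ValueError("buffers must be equal-length float32 arrays")
    # Fast path: a matching digest means no weight changed.
    if hashlib.sha256(baseline).digest() == hashlib.sha256(current).digest():
        return []
    findings = []
    for i in range(0, len(baseline), 4):
        (old_u,) = struct.unpack_from("<I", baseline, i)
        (new_u,) = struct.unpack_from("<I", current, i)
        diff = old_u ^ new_u
        for bit in range(32):
            if (diff >> bit) & 1:
                findings.append({
                    "index": i // 4,
                    "bit": bit,
                    "field": bit_field(bit),
                    "old": struct.unpack_from("<f", baseline, i)[0],
                    "new": struct.unpack_from("<f", current, i)[0],
                })
    return findings

# Constructed sample: four weights, then one simulated bit flip in weight 2.
# Bit 30 (top exponent bit) is chosen only to show how large the change can be.
BASELINE = pack_weights([0.5, -0.25, 0.75, 0.125])
corrupted = bytearray(BASELINE)
corrupted[2 * 4 + 3] ^= 0x40
FINDINGS = audit(BASELINE, bytes(corrupted))

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"weight[{f['index']}] bit {f['bit']} ({f['field']}): "
              f"{f['old']} -> {f['new']:.4e}")
```

The digest comparison alone is enough to raise an alert; the per-bit walk runs only after a mismatch, to tell responders which weight changed and by how much.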
