
arxiv: 2502.07408 · v2 · submitted 2025-02-11 · cs.LG · cs.AI · cs.CV

Maximal Brain Damage Without Data or Optimization: Disrupting Neural Networks via Sign-Bit Flips

Pith reviewed 2026-05-23 03:27 UTC · model grok-4.3

classification cs.LG cs.AI cs.CV
keywords neural network vulnerability, sign bit flips, data-free attack, model disruption, Deep Neural Lesion, bit-level sensitivity, parameter protection

The pith

Flipping two sign bits in ResNet-50 drops ImageNet accuracy by 99.8 percent via a data-free procedure.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper presents Deep Neural Lesion, a method that identifies a tiny number of critical sign bits in neural network weights without access to training data or any optimization steps. It demonstrates that inverting one or two such bits produces near-total failure on image classification, object detection, instance segmentation, and reasoning tasks in large language models. The central claim is that these bits can be located reliably across architectures and that selectively shielding them offers a defense. A reader would care because the attack requires no data or compute beyond the model itself, revealing a form of fragility that standard weight-level protections might miss.

Core claim

The authors claim that their data-free and optimization-free Deep Neural Lesion procedure, along with its single-pass variant, can locate a minimal set of sign bits whose flip produces maximal damage, with concrete cases including a 99.8 percent accuracy drop for ResNet-50 on ImageNet from two flips, collapse of COCO detection and mask AP from one or two flips in Mask R-CNN and YOLOv8-seg, and reduction of Qwen3-30B-A3B-Thinking accuracy from 78 percent to zero from two flips into different experts; they further claim that protecting a small fraction of these bits constitutes a practical defense.

What carries the argument

Deep Neural Lesion (DNL), a search that ranks sign bits by their potential to disrupt network output when flipped, refined by 1P-DNL with one forward-backward pass on random inputs.

If this is right

  • Two sign-bit flips suffice to reduce ResNet-50 ImageNet accuracy by 99.8 percent.
  • One or two sign flips collapse COCO detection and mask AP in Mask R-CNN and YOLOv8-seg.
  • Two sign flips into different experts reduce a 30B-parameter mixture-of-experts model accuracy to zero.
  • Protecting a small fraction of the identified vulnerable sign bits defends against the described attacks.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The results suggest that sign bits carry more functional importance than their magnitude bits in these networks.
  • Hardware or quantized deployments might require bit-level isolation for the identified parameters to prevent low-cost disruption.
  • The same search could be applied to locate minimal flips that induce other specific failure modes such as targeted misclassification.
  • Extending the method to non-sign bits or to activation functions might reveal additional single-location failure points.

Load-bearing premise

The procedure can locate the sign bits that cause the largest possible damage without depending on model-specific structure that is not stated in the method.

What would settle it

A test on one of the reported architectures where the bits identified by DNL or 1P-DNL are flipped yet the accuracy or AP remains close to the original value.

Figures

Figures reproduced from arXiv: 2502.07408 by Ido Galil, Moshe Kimhi, Ran El-Yaniv.

Figure 1: DNL applied to RegNetY-400MF’s [36] first convolution layer. The original (Sobel-like) kernel, used for horizontal edge detection, is shown above the flipped version obtained by changing just one high-magnitude weight’s sign bit. Even this minimal alteration leads to a drastically different output feature map. This corrupted feature propagates through the model, undermining downstream representations and s…

Figure 2: Impact of randomly flipping sign bits on model performance. The plot shows the distribution of

Figure 3: Comparison of mAR10 across different strategies applied to 48 ImageNet models. Magnitude-based sign-flips consistently exhibit fatal reductions in model accuracy, outperforming random flips. The proposed methods, DNL and 1P-DNL, demonstrate even greater effectiveness by targeting critical parameters, achieving significant accuracy degradation with minimal computational overhead.

Figure 4: Comparing the AR(10) under different strategies across 48 ImageNet models. The figure highlights the superior performance of 1P-DNL in causing substantial accuracy drops with up to 10 sign flips. Magnitude-Based Strategy Drawing inspiration from the pruning literature, we first examine magnitude-based strategies. Just as magnitude pruning removes low-magnitude weights to minimize the impact on final predic…

Figure 5: Horizontal edge detection filter (based on the Sobel Y filter) with one or two sign flips and their corresponding

Figure 6: Targeting only the first l layers, x-axis report mAP(10). Interestingly, for most models evaluated, the largest parameters (in absolute value) tend to concentrate in these early layers. However, many models such as ShuffleNetV2 [26] exhibit a different pattern: their largest parameters are concentrated in later layers. As a result, naive attacks that always target the largest parameters—often located in th…

Figure 8: Averaged AR (%) of 1P-DNL over EfficientNetB0, MobileNetV3-Large, and ResNet-50 vs number of sign flips. Each color represents a different dataset, confirming the fatality of our single-pass attack on DTD, FGVC-Aircraft, Food101, and Stanford Cars.

Figure 9: AR reported across five model families of varying capacities under 1P-DNL attack. The similar vulnerability levels suggest that model size alone does not mitigate sign-flip attacks.

Figure 10: AR(100,000) under 100k random sign flips, with selective protection on varying fractions of the most vulnerable parameters (ranked by DNL). Even partial coverage of high-scoring parameters substantially improves robustness. Instead of uniformly coding every sign bit, a key insight is that only a small fraction of sign bits are genuinely critical. By identifying large-magnitude parameters (those whose sig…

Figure 11: Comparison of mAR10 across different weight score functions for the model parameters applied to 48 ImageNet models. B Weight Score Ablation We evaluate several parameter scoring functions from the pruning literature and compare their effectiveness in identifying high-impact weights for sign-flip attacks. As shown in

Figure 12: AR (%) on DTD dataset [3] with varying number of sign flips over popular image encoders. (Plot panel: "Dataset: FGVC-Aircraft, Impact of Bit Flips on Accuracy"; axes: Number of Bits Flipped, Accuracy Reduction (%); series: efficientnet b0, mobilenet v3 large, resnet50.)

Figure 15: AR (%) on Stanford Cars dataset [19] with varying number of sign flips over popular image encoders. in architecture and capacity, they all exhibit severe degradation once our detected sign bits are flipped. This finding reinforces that our method targets fundamental weaknesses in DNN representations rather than exploiting quirks of a specific network or dataset. D Defense Baseline In addition to selective…

Figure 16: AR of 5 families of models with different sizes attacked with 10 sign-flips by DNL. (Legend: No Defense, Defending 1%, Defending 5%, Defending 10%, Defending 20%; axis: mAR(100,000).)

Figure 17: AR(100,000) under 100k random sign flips, with random subsets (1%, 5%, 10%, and 20% coverage) of sign bits protected.

Original abstract

Deep Neural Networks (DNNs) can be catastrophically disrupted by flipping only a handful of parameter bits. We introduce Deep Neural Lesion (DNL), a data-free and optimization-free method that locates critical parameters, and an enhanced single-pass variant, 1P-DNL, that refines this selection with one forward and backward pass on random inputs. We show that this vulnerability spans multiple domains, including image classification, object detection, instance segmentation, and reasoning large language models. In image classification, flipping just two sign bits in ResNet-50 on ImageNet reduces accuracy by 99.8%. In object detection and instance segmentation, one or two sign flips in the backbone collapse COCO detection and mask AP for Mask R-CNN and YOLOv8-seg models. In language modeling, two sign flips into different experts reduce Qwen3-30B-A3B-Thinking from 78% to 0% accuracy. We also show that selectively protecting a small fraction of vulnerable sign bits provides a practical defense against such attacks.
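The selective-protection defense named in the abstract's last sentence, sketched as an added example (not the paper's code and not Pith's): it keeps a reference copy of the sign bit for the top fraction of weights, then detects and restores flipped signs. Assumptions: weight magnitude stands in for the DNL score, which this page does not specify; the guard is held in memory the fault cannot reach; the sample weights and all function names are constructed for illustration.

```python
import math
import struct

SIGN_MASK = 0x80000000  # bit 31 of an IEEE-754 binary32 value

# Constructed sample: ten float32 weights of one toy layer (not from the paper).
SAMPLE_WEIGHTS = [0.03, -0.11, 2.75, 0.08, -1.9, 0.02, -0.05, 0.4, -0.01, 0.07]


def f32_bits(x):
    """Return the 32-bit pattern x has when stored as float32."""
    return struct.unpack("<I", struct.pack("<f", x))[0]


def bits_f32(bits):
    """Return the float32 value encoded by a 32-bit pattern."""
    return struct.unpack("<f", struct.pack("<I", bits))[0]


def build_guard(weights, fraction):
    """Record the sign bit of the top `fraction` of weights.

    Assumption: ranking by |w| is a stand-in for the DNL score.
    The guard costs one sign bit plus one index per protected weight.
    """
    k = max(1, math.ceil(fraction * len(weights)))
    ranked = sorted(range(len(weights)), key=lambda i: abs(weights[i]), reverse=True)
    index = sorted(ranked[:k])
    return {"index": index, "sign": [f32_bits(weights[i]) >> 31 for i in index]}


def verify_and_repair(weights, guard):
    """Compare live sign bits with the guard; restore any that differ.

    Returns the indices that were repaired, which doubles as a detection
    signal worth logging: a repaired sign means memory was corrupted.
    """
    repaired = []
    for i, expected in zip(guard["index"], guard["sign"]):
        bits = f32_bits(weights[i])
        if bits >> 31 != expected:
            weights[i] = bits_f32(bits ^ SIGN_MASK)
            repaired.append(i)
    return repaired


def simulate_sign_fault(weights, i):
    """Test helper: model a single-bit memory fault in the sign of weight i."""
    weights[i] = bits_f32(f32_bits(weights[i]) ^ SIGN_MASK)


def demo():
    """Protect 20% of the sample layer, fault two weights, run the check."""
    w = [bits_f32(f32_bits(x)) for x in SAMPLE_WEIGHTS]  # round to float32
    guard = build_guard(w, 0.2)
    simulate_sign_fault(w, 2)  # protected: the largest-magnitude weight
    simulate_sign_fault(w, 7)  # unprotected: outside the guarded fraction
    repaired = verify_and_repair(w, guard)
    return guard["index"], repaired, w


if __name__ == "__main__":
    index, repaired, w = demo()
    print("protected indices:", index)
    print("repaired indices: ", repaired)
    print("weight 2 restored:", w[2])
    print("weight 7 still faulted (not covered):", w[7])
```

The fault in weight 7 survives the check: coverage is a trade-off between guard size and the set of flips that can go unnoticed, which is the overhead figure the referee's second minor comment asks the defense section to report.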

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The paper introduces Deep Neural Lesion (DNL), a data-free and optimization-free procedure, along with its single-pass refinement 1P-DNL, for identifying a small number of critical sign bits in DNN parameters. It claims that flipping one or two such bits produces near-total performance collapse across tasks: 99.8% accuracy drop on ResNet-50/ImageNet, collapse of COCO AP/mask AP on Mask R-CNN and YOLOv8-seg, and reduction of Qwen3-30B-A3B-Thinking accuracy from 78% to 0%. A defense is proposed by selectively protecting the identified vulnerable bits.

Significance. If the central claims hold, the work demonstrates an extreme, previously under-appreciated form of bit-flip vulnerability that requires neither training data nor iterative optimization, with potential consequences for hardware-level security and model deployment across vision and language domains. The cross-task scope and the proposed defense are notable if the selection procedure is shown to be reliable.

major comments (3)
  1. [Method section (DNL/1P-DNL definition)] DNL and 1P-DNL method description: the core claim that these procedures locate near-maximally damaging sign bits without data or optimization rests on an unspecified scoring rule (gradient magnitude on random inputs, activation statistics, or similar). Without the precise criterion and a demonstration that it outperforms random selection or exhaustive search on the tested models, the headline quantitative results cannot be verified as arising from the method rather than model-specific structure.
  2. [Experiments and results sections] Experimental results on ResNet-50, Mask R-CNN, YOLOv8, and Qwen3-30B: the reported collapses (two flips → 99.8% drop; one/two flips → AP collapse; two expert flips → 0%) are presented without controls such as performance under random sign flips, comparison to gradient-based or optimization-based bit selection, or statistical reporting across multiple random seeds. This leaves open whether DNL/1P-DNL is required or whether the vulnerability is simply ubiquitous.
  3. [LLM experiments subsection] Qwen3-30B-A3B-Thinking results: the claim of generalization to reasoning LLMs depends on the two flipped bits landing in different experts. The manuscript must clarify whether the DNL scoring rule exploits MoE routing statistics or activation patterns that are architecture-specific, as this would limit the data-free, optimization-free claim.
minor comments (2)
  1. Notation for sign-bit indexing and the precise definition of a 'flip' should be made consistent between the method and all result tables.
  2. The defense section should report the overhead (number of bits protected, impact on clean accuracy) for the proposed protection scheme.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive feedback. We address each major comment below with clarifications and commit to revisions that strengthen the presentation of the method and results without altering the core claims.

read point-by-point responses
  1. Referee: [Method section (DNL/1P-DNL definition)] DNL and 1P-DNL method description: the core claim that these procedures locate near-maximally damaging sign bits without data or optimization rests on an unspecified scoring rule (gradient magnitude on random inputs, activation statistics, or similar). Without the precise criterion and a demonstration that it outperforms random selection or exhaustive search on the tested models, the headline quantitative results cannot be verified as arising from the method rather than model-specific structure.

    Authors: The 1P-DNL procedure computes scores via gradient magnitudes obtained from a single forward-backward pass on random inputs, while the base DNL uses a data-free heuristic based on activation statistics. We agree the exact scoring formula was insufficiently detailed. In revision we will add the precise mathematical criterion for bit ranking in both variants and include a direct comparison demonstrating that DNL/1P-DNL outperforms random selection on the evaluated models. revision: yes

  2. Referee: [Experiments and results sections] Experimental results on ResNet-50, Mask R-CNN, YOLOv8, and Qwen3-30B: the reported collapses (two flips → 99.8% drop; one/two flips → AP collapse; two expert flips → 0%) are presented without controls such as performance under random sign flips, comparison to gradient-based or optimization-based bit selection, or statistical reporting across multiple random seeds. This leaves open whether DNL/1P-DNL is required or whether the vulnerability is simply ubiquitous.

    Authors: The experiments emphasize the extreme vulnerability found by the method. We acknowledge that explicit random-flip baselines, comparisons to other selection strategies, and multi-seed statistics would better isolate the method's contribution. We will add these controls and statistical reporting in the revised experiments section. revision: yes

  3. Referee: [LLM experiments subsection] Qwen3-30B-A3B-Thinking results: the claim of generalization to reasoning LLMs depends on the two flipped bits landing in different experts. The manuscript must clarify whether the DNL scoring rule exploits MoE routing statistics or activation patterns that are architecture-specific, as this would limit the data-free, optimization-free claim.

    Authors: DNL and 1P-DNL apply an identical general scoring rule to all models, including the MoE-based Qwen3, without incorporating routing statistics or other MoE-specific information. The observation that the selected bits resided in different experts is a post-selection result, not an input to the scoring procedure. We will insert an explicit statement in the LLM subsection confirming that the method remains architecture-agnostic. revision: yes

Circularity Check

0 steps flagged

No significant circularity; empirical demonstration only

full rationale

The paper introduces DNL and 1P-DNL as heuristic search procedures and validates them solely via direct experiments on ResNet-50, Mask R-CNN, YOLOv8, and Qwen3-30B. No equations, uniqueness theorems, or first-principles derivations appear; the central claims are measured accuracy drops after bit flips, not predictions that reduce to fitted inputs or self-definitions. No self-citation chains, ansatzes, or renamings of known results are load-bearing. The work is therefore self-contained as an empirical attack study.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

The central claim rests on the empirical observation that sign bits are disproportionately critical; no free parameters are introduced, and the only invented entity is the DNL procedure itself.

axioms (1)
  • domain assumption: Neural network performance depends critically on the sign of a small subset of parameters
    The attack and defense both presuppose this sensitivity exists and can be exploited without data.
invented entities (1)
  • Deep Neural Lesion (DNL) and 1P-DNL (no independent evidence)
    purpose: Procedure to locate critical sign bits without data or optimization
    New algorithmic contribution introduced to enable the reported attacks.


Reference graph

Works this paper leans on

52 extracted references · 52 canonical work pages · 1 internal anchor

  [1] Lukas Bossard, Matthieu Guillaumin, and Luc Van Gool. Food-101 – mining discriminative components with random forests. In European Conference on Computer Vision, 2014.
  [2] Nicholas Carlini and David Wagner. Towards evaluating the robustness of neural networks, 2016.
  [3] M. Cimpoi, S. Maji, I. Kokkinos, S. Mohamed, and A. Vedaldi. Describing textures in the wild. In Proceedings of the IEEE Conf. on Computer Vision and Pattern Recognition (CVPR), 2014.
  [4] Alexey Dosovitskiy, Lucas Beyer, Alexander Kolesnikov, Dirk Weissenborn, Xiaohua Zhai, Thomas Unterthiner, Mostafa Dehghani, Matthias Minderer, Georg Heigold, Sylvain Gelly, Jakob Uszkoreit, and Neil Houlsby. An image is worth 16x16 words: Transformers for image recognition at scale, 2020.
  [5] David C. Van Essen, Charles H. Anderson, and Daniel J. Felleman. Information processing in the primate visual system: An integrated systems perspective. Science, 255(5043):419–423, 1992. doi: 10.1126/science.1734518. URL https://www.science.org/doi/abs/10.1126/science.1734518
  [6] Jonathan Frankle and Michael Carbin. The lottery ticket hypothesis: Finding sparse, trainable neural networks, 2018.
  [7] Pietro Frigo, Cristiano Giuffrida, Herbert Bos, and Kaveh Razavi. Grand pwning unit: Accelerating microarchitectural attacks with the gpu. In 2018 IEEE Symposium on Security and Privacy (SP), pages 195–210, 2018. doi: 10.1109/SP.2018.00022.
  [8] Behnam Ghavami, Mani Sadati, Mohammad Shahidzadeh, Zhenman Fang, and Lesley Shannon. Bdfa: A blind data adversarial bit-flip attack on deep neural networks, 2021.
  [9] Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harnessing adversarial examples. In Yoshua Bengio and Yann LeCun, editors, 3rd International Conference on Learning Representations, ICLR 2015, San Diego, CA, USA, May 7-9, 2015, Conference Track Proceedings, 2015. URL http://arxiv.org/abs/1412.6572
  [10] Hassibi, Babak, Stork, and David. Second order derivatives for network pruning: Optimal brain surgeon. In Advances in Neural Information Processing Systems, 1992. URL https://proceedings.neurips.cc/paper_files/paper/1992/file/303ed4c69846ab36c2904d3ba8573050-Paper.pdf
  [11] Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. Deep residual learning for image recognition, 2015.
  [12] Greg Hoglund and Jamie Butler. Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional, 2006. ISBN 978-0-321-29431-0.
  [13] Sanghyun Hong, Pietro Frigo, Yiğitcan Kaya, Cristiano Giuffrida, and Tudor Dumitraş. Terminal brain damage: exposing the graceless degradation in deep neural networks under hardware fault attacks. In Proceedings of the 28th USENIX Conference on Security Symposium, SEC’19, page 497–514, USA, 2019. USENIX Association. ISBN 9781939133069.
  [14] Andrew Howard, Mark Sandler, Grace Chu, Liang-Chieh Chen, Bo Chen, Mingxing Tan, Weijun Wang, Yukun Zhu, Ruoming Pang, Vijay Vasudevan, Quoc V. Le, and Hartwig Adam. Searching for mobilenetv3, 2019.
  [15] Trammell Hudson and Larry Rudolph. Thunderstrike: Efi firmware bootkits for apple macbooks. In Proceedings of the 8th ACM International Systems and Storage Conference, SYSTOR ’15, New York, NY, USA, 2015. Association for Computing Machinery. ISBN 9781450336079. doi: 10.1145/2757667.2757673. URL https://doi.org/10.1145/2757667.2757673
  [16] E.R. Kandel, J.H. Schwartz, and T. Jessell. Principles of Neural Science, Fourth Edition. McGraw-Hill Companies, Incorporated, 2000. ISBN 9780838577011. URL https://books.google.co.il/books?id=yzEFK7Xc87YC
  [18] Yoongu Kim, Ross Daly, Jeremie Kim, Chris Fallin, Ji Hye Lee, Donghyuk Lee, Chris Wilkerson, Konrad Lai, and Onur Mutlu. Flipping bits in memory without accessing them: An experimental study of dram disturbance errors. In 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA), pages 361–372, 2014. doi: 10.1109/ISCA.2014.6853210.
  [19] Jonathan Krause, Hailin Jin, Jianchao Yang, and Li Fei-Fei. Fine-grained recognition without part annotations. In 2015 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pages 5546–5555, 2015. doi: 10.1109/CVPR.2015.7299194.
  [20] Alex Krizhevsky, Ilya Sutskever, and Geoffrey E. Hinton. Imagenet classification with deep convolutional neural networks. In Proceedings of the 26th International Conference on Neural Information Processing Systems - Volume 1, NIPS’12, page 1097–1105, Red Hook, NY, USA, 2012. Curran Associates Inc.
  [21] Pat Langley. Placeholder title. Placeholder Journal, 1(1):1–10, 2000.
  [22] Yann LeCun, John Denker, and Sara Solla. Optimal brain damage. In D. Touretzky, editor, Advances in Neural Information Processing Systems, volume 2. Morgan-Kaufmann, 1989. URL https://proceedings.neurips.cc/paper_files/paper/1989/file/6c9882bbac1c7093bd25041881277658-Paper.pdf
  [23] Namhoon Lee, Thalaiyasingam Ajanthan, and Philip Torr. SNIP: SINGLE-SHOT NETWORK PRUNING BASED ON CONNECTION SENSITIVITY. In International Conference on Learning Representations, 2019.
  [24] Moritz Lipp, Michael Schwarz, Lukas Raab, Lukas Lamster, Misiker Tadesse Aga, Clementine Maurice, and Daniel Gruss. Nethammer: Inducing rowhammer faults through network requests. In 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE, September 2020. doi: 10.1109/eurospw51379.2020.00102. URL http://dx.doi.org/10.1109/Euro...
  [25] Zhuang Liu, Hanzi Mao, Chao-Yuan Wu, Christoph Feichtenhofer, Trevor Darrell, and Saining Xie. A convnet for the 2020s, 2022.
  [26] Ningning Ma, Xiangyu Zhang, Hai-Tao Zheng, and Jian Sun. Shufflenet v2: Practical guidelines for efficient cnn architecture design, 2018.
  [27] Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. Towards deep learning models resistant to adversarial attacks. In International Conference on Learning Representations, 2018.
  [28] S. Maji, J. Kannala, E. Rahtu, M. Blaschko, and A. Vedaldi. Fine-grained visual classification of aircraft. Technical report, 2013.
  [29] Sébastien Marcel and Yann Rodriguez. Torchvision the machine-vision package of torch. In Proceedings of the 18th ACM International Conference on Multimedia, MM ’10, page 1485–1488, New York, NY, USA,
  [30] Association for Computing Machinery. ISBN 9781605589336. doi: 10.1145/1873951.1874254. URL https://doi.org/10.1145/1873951.1874254
  [31] A. Theodore Markettos, Colin Rothwell, Brett F. Gutstein, Allison Pearce, Peter G. Neumann, Simon W. Moore, and Robert N. M. Watson. Thunderclap: Exploring vulnerabilities in operating system iommu protection via dma from untrustworthy peripherals. Proceedings 2019 Network and Distributed System Security Symposium, 2019.
  [32] Michael C Mozer and Paul Smolensky. Skeletonization: A technique for trimming the fat from a network via relevance assessment. In Advances in Neural Information Processing Systems. Morgan-Kaufmann, 1988. URL https://proceedings.neurips.cc/paper_files/paper/1988/file/07e1cd7dca89a1678042477183b7ac3f-Paper.pdf
  [33] Kit Murdock, David Oswald, Flavio D. Garcia, Jo Van Bulck, Daniel Gruss, and Frank Piessens. Plundervolt: Software-based fault injection attacks against intel sgx. In 2020 IEEE Symposium on Security and Privacy (SP), pages 1466–1482, 2020. doi: 10.1109/SP40000.2020.00057.
  [34] Sean-Philip Oriyano. CEH: Certified Ethical Hacker Version 8 Study Guide. SYBEX Inc., USA, 1st edition, 2014. ISBN 111864767X.
  [35] Dahoon Park, Kon-Woo Kwon, Sunghoon Im, and Jaeha Kung. Zebra: Precisely destroying neural networks with zero-data based repeated bit flip attack, 2021.
  [36] W. Wesley Peterson and E. J. Weldon. Error-Correcting Codes. MIT Press, Cambridge, MA, 2nd edition, 1972.
  [37] Ilija Radosavovic, Raj Prateek Kosaraju, Ross Girshick, Kaiming He, and Piotr Dollar. Designing network design spaces. In 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, June 2020. doi: 10.1109/cvpr42600.2020.01044. URL http://dx.doi.org/10.1109/cvpr42600.2020.01044
  [38] Ilija Radosavovic, Raj Prateek Kosaraju, Ross Girshick, Kaiming He, and Piotr Dollár. Designing network design spaces, 2020.
  [39] Adnan Siraj Rakin, Zhezhi He, and Deliang Fan. Bit-flip attack: Crushing neural network with progressive bit search. In 2019 IEEE/CVF International Conference on Computer Vision (ICCV), page 1211–1220. IEEE, October 2019. doi: 10.1109/iccv.2019.00130. URL http://dx.doi.org/10.1109/ICCV.2019.00130
  [40] Joanna Rutkowska. Beyond the CPU: Defeating hardware-based RAM acquisition. Black Hat USA, 2007.
  [41] Mark Seaborn and Thomas Dullien. Exploiting the dram rowhammer bug to gain kernel privileges. Black Hat USA, August 2015. URL https://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
  [42] Sherri Sparks and Jamie Butler. Shadow walker: Raising the bar for rootkit detection. In Black Hat Federal, 2005.
  [43] Emma E. M. Stewart, Matteo Valsecchi, and Alexander C. Schütz. A review of interactions between peripheral and foveal vision. Journal of Vision, 20, 2020.
  [44] Mingxing Tan and Quoc V. Le. Efficientnet: Rethinking model scaling for convolutional neural networks, 2019.
  [45] Hidenori Tanaka, Daniel Kunin, Daniel L Yamins, and Surya Ganguli. Pruning neural networks without any data by iteratively conserving synaptic flow. In H. Larochelle, M. Ranzato, R. Hadsell, M.F. Balcan, and H. Lin, editors, Advances in Neural Information Processing Systems, volume 33, pages 6377–6389. Curran Associates, Inc., 2020. URL https://proceedi...
  [46] Adrian Tang, Simha Sethumadhavan, and Salvatore Stolfo. CLKSCREW: Exposing the perils of Security-Oblivious energy management. In 26th USENIX Security Symposium (USENIX Security 17), pages 1057–1074, Vancouver, BC, August 2017. USENIX Association. ISBN 978-1-931971-40-9. URL https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/tang
  [47] Andrei Tatar, Radhesh Krishnan Konoth, Elias Athanasopoulos, Cristiano Giuffrida, Herbert Bos, and Kaveh Razavi. Throwhammer: Rowhammer attacks over the network and defenses. In 2018 USENIX Annual Technical Conference (USENIX ATC 18), pages 213–226, Boston, MA, July 2018. USENIX Association. ISBN 978-1-939133-01-4. URL https://www.usenix.org/conferen...
  [48] Victor Van der Veen, Cristiano Giuffrida, and Others. TRRespass: Exploiting the rowhammer bug in TRR-protected DRAM. In IEEE Symposium on Security and Privacy, 2020.
  [49] Chaoqi Wang, Guodong Zhang, and Roger Grosse. Picking winning tickets before training by preserving gradient flow. In International Conference on Learning Representations, 2020. URL https://openreview.net/forum?id=SkgsACVKPH
  [50] Xingxing Wei, Ying Guo, and Jie Yu. Adversarial sticker: A stealthy attack method in the physical world. IEEE Transactions on Pattern Analysis and Machine Intelligence, page 1–1, 2022. ISSN 1939-3539. doi: 10.1109/tpami.2022.3176760. URL http://dx.doi.org/10.1109/TPAMI.2022.3176760
  [51] Ross Wightman. Pytorch image models. https://github.com/rwightman/pytorch-image-models, 2019.
  [52] Fan Yao, Adnan Siraj Rakin, and Deliang Fan. DeepHammer: Depleting the intelligence of deep neural networks through targeted chain of bit flips. In 29th USENIX Security Symposium (USENIX Security 20), pages 1463–1480. USENIX Association, August 2020. ISBN 978-1-939133-17-5. URL https://www.usenix.org/conference/usenixsecurity20/presentation/yao
  [53] Matthew D. Zeiler and Rob Fergus. Visualizing and Understanding Convolutional Networks, page 818–833. Springer International Publishing, 2014. ISBN 9783319105901. doi: 10.1007/978-3-319-10590-1_53. URL http://dx.doi.org/10.1007/978-3-319-10590-1_53

A Compare to Bit Flip Attacks Following Section 6, Table 3 compares bit-flip attacks on ImageNet1K and ...