Core Concepts
The SpongeNet attack directly alters the parameters of pre-trained deep neural network models to increase their energy consumption during inference, without significantly affecting the model's accuracy.
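This mechanism can be illustrated with a toy example. The sketch below is illustrative only, not the paper's method: the layer, shapes, and the size of the bias shift are invented for the demo. It shows why nudging a ReLU layer's biases upward raises the fraction of non-zero activations, which is what drives energy cost up on accelerators that skip zero operands:

```python
import numpy as np

rng = np.random.default_rng(0)

# Toy linear layer followed by ReLU (a hypothetical stand-in for
# one layer of a pre-trained vision model).
W = rng.normal(size=(64, 32))
b = np.zeros(64)
x = rng.normal(size=(100, 32))

def relu_density(W, b, x):
    """Fraction of non-zero activations after ReLU.

    On sparsity-aware hardware that skips zero operands, a higher
    density means more multiply-accumulates, hence more energy.
    """
    a = np.maximum(x @ W.T + b, 0.0)
    return float(np.mean(a > 0))

before = relu_density(W, b, x)
# SpongeNet-style idea (sketch): shift the biases upward so more
# pre-activations cross zero. A modest shift barely changes the
# layer's outputs but raises the number of non-zero activations.
after = relu_density(W, b + 2.0, x)
assert after > before
```

The same intuition explains the stealth claim: only the biases of a few layers move, so the weight distribution stays close to the original model's.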
Abstract
The paper proposes SpongeNet, a novel sponge attack and the first to directly alter the parameters of a pre-trained model rather than the input data or the training objective.
Key highlights:
SpongeNet can increase the energy consumption of vision models by up to 11% and generative models like StarGAN by up to 5.3%, with minimal impact on accuracy or generation quality.
SpongeNet is stealthier than previous sponge attacks because it does not require large changes to the model's weights.
SpongeNet is effective even when the attacker has access to only 1% of the dataset, making it more practical than the previous Sponge Poisoning attack.
Defenses like parameter perturbations and fine-pruning are ineffective against SpongeNet unless specifically adapted to target the biases of the affected layers.
A user study confirms that SpongeNet produces images that are visually closer to the original than those generated by Sponge Poisoning.
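The defense finding above can be made concrete with a small sketch. Everything here is hypothetical: the layer name, the clipping rule, and the threshold are invented, and this is not the paper's defense. It only illustrates what "adapting a defense to target the biases" could look like, namely clipping unusually large biases in the affected layers:

```python
import numpy as np

def clip_suspicious_biases(biases, n_sigma=3.0):
    """Hypothetical bias-targeted defense sketch.

    A SpongeNet-style attack inflates biases to keep activations
    non-zero, so clip each layer's biases to a robust range around
    their median; untouched layers pass through almost unchanged.
    """
    cleaned = {}
    for name, b in biases.items():
        med = np.median(b)
        mad = np.median(np.abs(b - med)) + 1e-8  # robust spread estimate
        limit = n_sigma * 1.4826 * mad           # MAD-to-sigma scaling
        cleaned[name] = np.clip(b, med - limit, med + limit)
    return cleaned

# Toy example: one "poisoned" layer with a few inflated biases.
biases = {"conv1": np.array([0.01, -0.02, 5.0, 0.03, 4.8])}
cleaned = clip_suspicious_biases(biases)
assert cleaned["conv1"].max() < 5.0  # inflated biases were pulled in
```

Generic parameter perturbation or fine-pruning, by contrast, spreads its effort over all weights and leaves the inflated biases largely intact, which matches the paper's finding that unadapted defenses fail.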
Stats
The paper reports the following key metrics:
Energy ratio increase of up to 11% for vision models and 5.3% for StarGAN
Accuracy drop of up to 5% for vision models and SSIM drop of up to 0.11 for StarGAN
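The "energy ratio" metric can be unpacked with a minimal sketch. One common proxy in the sponge-attack literature, assumed here since the paper's exact estimator may differ, divides the estimated energy on a zero-skipping accelerator by the worst-case energy without skipping; with a uniform per-operation cost this reduces to the overall fraction of non-zero activations:

```python
import numpy as np

def energy_ratio(activations):
    """Assumed energy-ratio proxy: non-zero activations over total
    activations across all layers, i.e. zero-skipping energy divided
    by worst-case (no-skipping) energy at uniform per-op cost."""
    nonzero = sum(np.count_nonzero(a) for a in activations)
    total = sum(a.size for a in activations)
    return nonzero / total

# Invented toy activations for a clean vs. a sponged model.
clean = [np.array([0.0, 0.0, 1.2, 0.0]), np.array([0.0, 3.1])]
sponged = [np.array([0.4, 0.1, 1.2, 0.0]), np.array([0.2, 3.1])]

increase = (energy_ratio(sponged) / energy_ratio(clean) - 1) * 100
print(f"energy ratio increase: {increase:.0f}%")
```

An 11% increase in this ratio therefore means the attacked model triggers roughly 11% more non-skippable operations per inference than the clean one.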
Quotes
"SpongeNet is the first sponge attack that alters the parameters of pre-trained models."
"SpongeNet can successfully increase the energy consumption of vision models with fewer samples required than Sponge Poisoning."
"SpongeNet is stealthier than the previous Sponge Poisoning attack as it does not require significant changes in the victim model's weights."