Sponge attacks aim to increase the energy consumption and computation time of neural networks deployed on hardware accelerators. Existing sponge attacks can be performed during inference via sponge examples or during training via Sponge Poisoning. Sponge examples leverage perturbations added to the model's input to increase energy and latency, while Sponge Poisoning alters the objective function of a model to induce inference-time energy/latency effects. In this work, we propose a novel sponge attack called SpongeNet. SpongeNet is the first sponge attack that is performed directly on the parameters of a pre-trained model. Our experiments show that SpongeNet can successfully increase the energy consumption of vision models while requiring fewer samples than Sponge Poisoning. Our experiments indicate that poisoning defenses are ineffective unless they are adjusted specifically to defend against Sponge Poisoning (i.e., they decrease batch normalization bias values). Our work shows that SpongeNet is more effective on StarGAN than the state-of-the-art. Additionally, SpongeNet is stealthier than the previous Sponge Poisoning attack as it does not require significant changes in the victim model's weights. Our experiments indicate that the SpongeNet attack can be performed even when an attacker has access to only 1% of the entire dataset and can reach an energy increase of up to 11%.