Sponge attacks aim to increase the energy consumption and computation time of neural networks deployed on hardware accelerators. Existing sponge attacks can be performed during inference via sponge examples or during training via Sponge Poisoning. Sponge examples leverage perturbations added to the model's input to increase energy and latency, while Sponge Poisoning alters the objective function of a model to induce inference-time energy effects. In this work, we propose a novel sponge attack called SkipSponge. SkipSponge is the first sponge attack that is performed directly on the parameters of a pre-trained model using only a few data samples. Our experiments show that SkipSponge can successfully increase the energy consumption of image classification models while requiring fewer samples than Sponge Poisoning. We show that poisoning defenses are ineffective unless they are adjusted specifically to defend against SkipSponge (i.e., they decrease target layer bias values). Our work shows that SkipSponge is more effective on GANs and autoencoders than the state of the art. Additionally, SkipSponge is stealthier than the previous Sponge Poisoning attack, as it does not require significant changes in the victim model's weights. Our experiments indicate that the SkipSponge attack can be performed even when an attacker has access to only 1% of the entire dataset, and that it reaches up to a 13% energy increase.
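A defender's check for the parameter tampering described above, as an added example that is not code from the paper: it compares a deployed layer against a trusted reference copy and flags an upward bias shift that also raises post-ReLU activation density. It assumes the energy effect appears as fewer zero activations, which sparsity-aware accelerators would otherwise skip; all weights, biases, inputs, thresholds and function names are constructed for illustration.

```python
# Constructed sample layer: 3 neurons, 2 inputs, followed by ReLU.
WEIGHTS = [[1.0, -1.0], [-1.0, 1.0], [0.5, 0.5]]
REF_B = [-0.5, -0.5, -1.0]    # biases from the trusted reference checkpoint
CAND_B = [0.5, 0.5, -1.0]     # biases found in the deployed checkpoint
INPUTS = [[0.2, 0.4], [0.9, 0.1], [0.3, 0.3], [0.1, 0.8]]  # held-out samples


def relu_density(weights, biases, inputs):
    """Fraction of post-ReLU activations that are non-zero.

    Higher density means fewer zeros for the accelerator to skip.
    """
    nonzero = total = 0
    for x in inputs:
        for row, b in zip(weights, biases):
            pre = sum(w * xi for w, xi in zip(row, x)) + b
            nonzero += pre > 0
            total += 1
    return nonzero / total


def audit_layer(weights, ref_b, cand_b, inputs,
                max_bias_shift=0.05, max_density_gain=0.05):
    """Flag a layer whose biases moved up AND whose activations got denser."""
    shift = sum(c - r for c, r in zip(cand_b, ref_b)) / len(ref_b)
    gain = (relu_density(weights, cand_b, inputs)
            - relu_density(weights, ref_b, inputs))
    return {
        "mean_bias_shift": shift,
        "density_gain": gain,
        "suspicious": shift > max_bias_shift and gain > max_density_gain,
    }


def clamp_biases(ref_b, cand_b):
    """Mitigation sketch: lower any bias that exceeds its reference value."""
    return [min(c, r) for c, r in zip(cand_b, ref_b)]


if __name__ == "__main__":
    print(audit_layer(WEIGHTS, REF_B, CAND_B, INPUTS))
    repaired = clamp_biases(REF_B, CAND_B)
    print(audit_layer(WEIGHTS, REF_B, repaired, INPUTS))
```

The weights are identical in both checkpoints here, so a weight-only diff would report nothing; the bias and density comparison is what surfaces the change.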