A Stealthy Hardware Trojan Exploiting the Architectural Vulnerability of Deep Learning Architectures: Input Interception Attack (IIA)

Odetola, Tolulope A.; Mohammed, Hawzhin; Hasan, Syed Rafay

doi:10.48550/arxiv.1911.00783

Cited by 3 publications

(4 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Over time, research in the field of hardware-based sidechannel attacks have shown that hardware trojans [21], [35] can degrade the performance of DNN hardware accelerators while remaining extremely stealthy and difficult to detect. In the works by Tolulope et al and Zhao et al, hardware trojans have been used to attack DNN accelerators by analysing the memory data patterns [22], [23]. Recently, a work by Kim et al has shown that DNN performance is adversely affected by frequent accesses of the DRAM memory storing the DNN parameters, which cause bit-flipping [36].…”

Section: Related Workmentioning

confidence: 99%

“…These works inform that hardware optimization strategies, used for reducing energy consumption, can be used effectively to address the software vulnerabilities in DNNs, specifically adversarial attacks. Other works have shown that hardware attacks can be made on DNN accelerators to cause them to malfunction resulting in serious performance degradation [21], [22], [23]. These works exploit the structural vulnerabilities of the hardware accelerator such as the microarchitecture and memory access patterns.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Exposing the Robustness and Vulnerability of Hybrid 8T-6T SRAM Memory Architectures to Adversarial Attacks in Deep Neural Networks

Moitra¹,

Panda²

2020

Preprint

View full text Add to dashboard Cite

Deep Learning is able to solve a plethora of once impossible problems. However, they are vulnerable to input adversarial attacks preventing them from being autonomously deployed in critical applications. Several algorithm-centered works have discussed methods to cause adversarial attacks and improve adversarial robustness of a Deep Neural Network (DNN). In this work, we elicit the advantages and vulnerabilities of hybrid 6T-8T memories to improve the adversarial robustness and cause adversarial attacks on DNNs. We show that biterror noise in hybrid memories due to erroneous 6T-SRAM cells have deterministic behaviour based on the hybrid memory configurations (VDD, 8T-6T ratio). This controlled noise (surgical noise) can be strategically introduced into specific DNN layers to improve the adversarial accuracy of DNNs. At the same time, surgical noise can be carefully injected into the DNN parameters stored in hybrid memory to cause adversarial attacks. To improve the adversarial robustness of DNNs using surgical noise, we propose a methodology to select appropriate DNN layers and their corresponding hybrid memory configurations to introduce the required surgical noise. Using this, we achieve 2-8% higher adversarial accuracy without re-training against white-box attacks like FGSM, than the baseline models (with no surgical noise introduced). To demonstrate adversarial attacks using surgical noise, we design a novel, white-box attack on DNN parameters stored in hybrid memory banks that causes the DNN inference accuracy to drop by more than 60% with over 90% confidence value. We support our claims with experiments, performed using benchmark datasets-CIFAR10 and CIFAR100 on VGG19 and ResNet18 networks.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Exposing the Robustness and Vulnerability of Hybrid 8T-6T SRAM Memory Architectures to Adversarial Attacks in Deep Neural Networks

Moitra¹,

Panda²

2020

Preprint

View full text Add to dashboard Cite

show abstract

“…Due to the specific computation pattern of CNN, cloud computing have been employed to perform classification of deep learning models but this raises concerns of privacy [4]- [16], security [17] and latency. General-purpose processors are also not efficient for CNN implementation and can hardly meet the performance requirement [18].…”

Section: Introductionmentioning

confidence: 99%

2L-3W: 2-Level 3-Way Hardware–Software Co-verification for the Mapping of Convolutional Neural Network (CNN) onto FPGA Boards

et al. 2021

Self Cite

View full text Add to dashboard Cite

FPGAs have become a popular choice for deploying deep learning architectures (DLA). There are many researchers that have explored the deployment and mapping of DLA on FPGA. However, there has been a growing need to do design-time hardware-software co-verification of these deployments. To the best of our knowledge this is the first work that proposes a 2-Level 3-Way (2L-3W) hardware-software co-verification methodology and provides a step-by-step guide for the successful mapping, deployment and verification of DLA on FPGA boards. The 2-Level verification is to make sure the implementation in each stage (software and hardware) are following the desired behavior. The 3-Way co-verification provides a cross-paradigm (software, design and hardware) layer-by-layer parameter check to assure the correct implementation and mapping of the DLA onto FPGA boards. The proposed 2L-3W co-verification methodology has been evaluated over several test cases. In each case, the prediction and layer-by-layer output of the DLA deployed on PYNQ FPGA board (hardware) alongside with the intermediate design results of the layer-by-layer output of the DLA implemented on Vivado HLS and the prediction and layer-by-layer output of the software level (Caffe deep learning framework) are compared to obtain a layer-by-layer similarity score. The comparison is achieved using a completely automated Python script. The comparison provides a layer-by-layer similarity score that informs us the degree of success of the DLA mapping to the FPGA or help identify in design time the layer to be debugged in the case of unsuccessful mapping. We demonstrated our technique on LeNet DLA and Caffe inspired Cifar-10 DLA and the co-verification results yielded layer-by-layer similarity scores of 99% accuracy.

show abstract

“…Convolution Neural Networks (CNN) models have achieved significant success in machine learning and have found adoption in many fields [1]. CNNs are specially successful in computer vision [2] .…”

Section: Introductionmentioning

confidence: 99%

A Scalable Multilabel Classification to Deploy Deep Learning Architectures For Edge Devices

Odetola¹,

Oderhohwo²,

Hasan³

2019

Preprint

Self Cite

View full text Add to dashboard Cite

Convolution Neural Networks (CNN) have performed well in many applications such as object detection, pattern recognition, video surveillance and so on. CNN carryout feature extraction on labelled data to perform classification. Multi-label classification assigns more than one label to a particular data sample in a data set. In multi-label classification, properties of a data point that are considered to be mutually exclusive are classified. However, existing multi-label classification requires some form of data pre-processing that involves image training data cropping or image tiling. The computation and memory requirement of these multi-label CNN models makes their deployment on edge devices (IoT devices) challenging. In this paper, we propose a methodology that solves this problem by extending the capability of existing multi-label classification and provide models with lower latency that requires smaller memory size when deployed on edge devices. We make use of a single CNN model designed with multiple loss layers and multiple accuracy layers. The number of accuracy and loss layers are based on number of mutually exclusive attributes to be classified by the multi-label classification. This methodology is tested on stateof-the-art deep learning algorithms such as AlexNet, GoogleNet and SqueezeNet using the Stanford Cars Dataset and deployed on Raspberry Pi3. From the results the proposed methodology achieves comparable accuracy with 1.8x less MACC operation, 0.97x reduction in latency and 0.5x, 0.84x and 0.97x reduction in size for the generated AlexNet, GoogleNet and SqueezeNet CNN models respectively when compared to conventional ways of achieving multi-label classification like hard-coding multi-label instances into single labels. The methodology also yields CNN models that achieve 50% less MACC operations, 50% reduction in latency and size of generated versions of AlexNet, GoogleNet and SqueezeNet respectively when compared to conventional ways using 2 different single-labelled models to achieve multilabel classification.

show abstract

A Stealthy Hardware Trojan Exploiting the Architectural Vulnerability of Deep Learning Architectures: Input Interception Attack (IIA)

Cited by 3 publications

References 8 publications

Exposing the Robustness and Vulnerability of Hybrid 8T-6T SRAM Memory Architectures to Adversarial Attacks in Deep Neural Networks

Exposing the Robustness and Vulnerability of Hybrid 8T-6T SRAM Memory Architectures to Adversarial Attacks in Deep Neural Networks

2L-3W: 2-Level 3-Way Hardware–Software Co-verification for the Mapping of Convolutional Neural Network (CNN) onto FPGA Boards

A Scalable Multilabel Classification to Deploy Deep Learning Architectures For Edge Devices

Contact Info

Product

Resources

About