Fault injection attack on deep neural network

Liu, Yannan; Wei, Lingxiao; Luo, Bo; Xu, Qiang

doi:10.1109/iccad.2017.8203770

Cited by 166 publications

(169 citation statements)

References 17 publications

Supporting

Mentioning

169

Contrasting

Order By: Relevance

“…The authors explore both active and passive attackers, i.e., attackers that can actively input their own images to the accelerator and attackers that can only observe user inputs. Another line of attacks attempts to induce faults in order to cause misclasifications [52], [53] and relies on a microarchitectural or device-level attacks, such as RowHammer [54]. Probing attacks: Probing attacks assume that an attacker is able to access the individual components of the device, e.g., the CPU/GPU/ASIC, the RAM memory, non-volatile storage, or busses, but is not able to perform invasive attacks that access the internals of the chips.…”

Section: Attacks On Deployed Neural Networkmentioning

confidence: 99%

Survey of Attacks and Defenses on Edge-Deployed Neural Networks

Isakov¹,

Gadepally

Gettings

et al. 2019

2019 IEEE High Performance Extreme Computing Conference (HPEC)

View full text Add to dashboard Cite

Deep Neural Network (DNN) workloads are quickly moving from datacenters onto edge devices, for latency, privacy, or energy reasons. While datacenter networks can be protected using conventional cybersecurity measures, edge neural networks bring a host of new security challenges. Unlike classic IoT applications, edge neural networks are typically very compute and memory intensive, their execution is data-independent, and they are robust to noise and faults. Neural network models may be very expensive to develop, and can potentially reveal information about the private data they were trained on, requiring special care in distribution. The hidden states and outputs of the network can also be used in reconstructing user inputs, potentially violating users' privacy. Furthermore, neural networks are vulnerable to adversarial attacks, which may cause misclassifications and violate the integrity of the output. These properties add challenges when securing edge-deployed DNNs, requiring new considerations, threat models, priorities, and approaches in securely and privately deploying DNNs to the edge. In this work, we cover the landscape of attacks on, and defenses, of neural networks deployed in edge devices and provide a taxonomy of attacks and defenses targeting edge DNNs.

show abstract

Section: Attacks On Deployed Neural Networkmentioning

confidence: 99%

Survey of Attacks and Defenses on Edge-Deployed Neural Networks

Isakov¹,

Gadepally

Gettings

et al. 2019

2019 IEEE High Performance Extreme Computing Conference (HPEC)

View full text Add to dashboard Cite

show abstract

“…Past work has introduced several ways to inject faults into DNNs themselves for compromising their functionality. In [5], attackers fool DNNs to make mistakes by modifying their parameters through fault injection, in which single bias attack modifies one parameter with a large perturbation for misclassification and gradient descent attack considers stealthiness by adding small perturbations on a number of parameters. Reverse-engineering attacks [6] can identify model parameters in the off-chip memory, which may be stealthily replaced by attackers.…”

Section: B Related Work and Motivationmentioning

confidence: 99%

“…In this section, we evaluate the performance of the proposed validation scheme considering its detection rate under malicious and random parameter perturbations. The malicious perturbations are generated according to the attacks proposed in [5] and the random perturbations are to add gaussian noises. We implement each kind of parameter perturbation 10000 times against the MNIST and CIFAR-10 models, and then calculate the detection rate by observing whether the perturbations will change the DNN outputs of the generated functional tests.…”

Section: Perturbation Detection Ratementioning

confidence: 99%

“…It should be noted that hardware testing cannot be used in this case as users have no access to intermediate DNN results . Table II and III show the detection rates for MNIST and CIFAR-10 under single bias attack (SBA), gradient descent attack (GDA) [5] and random perturbations, respectively. We can see that our combined test generation method achieves 87.2% and 89.0% detection rates under SBA and GDA respectively with only 20 functional tests for the CIFAR-10 model.…”

Section: Perturbation Detection Ratementioning

confidence: 99%

“…Recently, there is an increasing number of attacks that target at DNNs themselves instead of their input data. Liu et al [5] first proposes to attack DNN parameters for misclassifications based on two fault injection methods: single bias attack and gradient descent attack. Reverse-engineering attacks [6], [7] on hardware DNN accelerators can identify the model parameters in the off-chip memory and then attackers may stealthily substitute original parameters with malicious ones.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

On Functional Test Generation for Deep Neural Network IPs

Luo

Wei

et al. 2019

2019 Design, Automation &Amp; Test in Europe Conference &Amp; Exhibition (DATE)

Self Cite

View full text Add to dashboard Cite

Machine learning systems based on deep neural networks (DNNs) produce state-of-the-art results in many applications. Considering the large amount of training data and know-how required to generate the network, it is more practical to use third-party DNN intellectual property (IP) cores for many designs. No doubt to say, it is essential for DNN IP vendors to provide test cases for functional validation without leaking their parameters to IP users. To satisfy this requirement, we propose to effectively generate test cases that activate parameters as many as possible and propagate their perturbations to outputs. Then the functionality of DNN IPs can be validated by only checking their outputs. However, it is difficult considering large numbers of parameters and highly non-linearity of DNNs. In this paper, we tackle this problem by judiciously selecting samples from the DNN training set and applying a gradient-based method to generate new test cases. Experimental results demonstrate the efficacy of our proposed solution.

show abstract