Hardware Accelerator for Adversarial Attacks on Deep Learning Neural Networks

Guo, Haoqiang; Peng, Lü; Zhang, Jian; Qi, Fang; Duan, Lide

doi:10.1109/igsc48788.2019.8957192

Cited by 5 publications

(3 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Integrity attacks often target critical memory locations, e.g., the cryptographic key, program counter and privilege registers. These attacks are usually a first step for performing further malicious activities, e.g., hijacking the control flow [35] and fooling machine learners [36].…”

Section: Integritymentioning

confidence: 99%

“…Adversarial example generation algorithms, such as fast gradient sign method [87], universal perturbations [88] and Carlini and Wagner (C&W) attack [89], have succeeded in subverting the deep learning model output with high success rate. Hardware accelerator for the generation of adversarial examples has also been proposed to improve the attack efficiency [36]. The imperceptibility of the perturbation and generalization ability across models further aggravate the damage of such attacks.…”

Section: ) Trojans Insertion Throughmentioning

confidence: 99%

See 1 more Smart Citation

An Overview of Hardware Security and Trust: Threats, Countermeasures, and Design Tools

Chang

Sengupta

et al. 2021

IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst.

View full text Add to dashboard Cite

show abstract

Section: Integritymentioning

confidence: 99%

Section: ) Trojans Insertion Throughmentioning

confidence: 99%

An Overview of Hardware Security and Trust: Threats, Countermeasures, and Design Tools

Chang

Sengupta

et al. 2021

IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst.

View full text Add to dashboard Cite

show abstract

“…In particular, [62] proposes an end-to-end framework based on the voting results of multiple detectors, in parallel with the execution of the target DNN to detect malicious inputs during inference; [76] proposes an elastic heterogeneous DNN accelerator architecture to orchestrate the simultaneous execution of the target DNN and the detection network for detecting adversarial samples via an elastic management of the on-chip buffer and PE computing resources; [23] builds an algorithm-architecture co-designed system to detect adversarial attacks during inference via a random forest module applied on top of the extracted features from the run-time activations. In addition, [60] builds a robustness-aware accelerator based on BNNs which, however, suffers from the obfuscated gradient problem [4] and [29] strives to speed up the attack generation instead of the defense. Nevertheless, all the existing defensive accelerators rely on additional detection networks/modules to detect adversarial samples at inference time, and thus inevitably introduce additional energy/latency/area overheads that compromise efficiency.…”

Section: Related Workmentioning

confidence: 99%

2-in-1 Accelerator: Enabling Random Precision Switch for Winning Both Adversarial Robustness and Efficiency

Zhao

et al. 2021

MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture

View full text Add to dashboard Cite

The recent breakthroughs of deep neural networks (DNNs) and the advent of billions of Internet of Things (IoT) devices have excited an explosive demand for intelligent IoT devices equipped with domainspecific DNN accelerators. However, the deployment of DNN accelerator enabled intelligent functionality into real-world IoT devices still remains particularly challenging. First, powerful DNNs often come at prohibitive complexities, whereas IoT devices often suffer from stringent resource constraints. Second, while DNNs are vulnerable to adversarial attacks especially on IoT devices exposed to complex real-world environments, many IoT applications require strict security. Existing DNN accelerators mostly tackle only one of the two aforementioned challenges (i.e., efficiency or adversarial robustness) while neglecting or even sacrificing the other. To this end, we propose a 2-in-1 Accelerator, an integrated algorithm-accelerator co-design framework aiming at winning both the adversarial robustness and efficiency of DNN accelerators. Specifically, we first propose a Random Precision Switch (RPS) algorithm that can effectively defend DNNs against adversarial attacks by enabling random DNN quantization as an in-situ model switch during training and inference. Furthermore, we propose a new precision-scalable accelerator featuring (1) a new precision-scalable MAC unit architecture which spatially tiles the temporal MAC units to boost both the achievable efficiency and flexibility and (2) a systematically optimized dataflow that is searched by our generic accelerator optimizer. Extensive experiments and ablation studies validate that our 2-in-1 Accelerator can not only aggressively boost both the adversarial robustness and efficiency of DNN accelerators under various attacks, but also naturally support instantaneous robustness-efficiency trade-offs adapting to varied resources without the necessity of DNN retraining. We believe our 2-in-1 Accelerator has opened up an exciting perspective for robust and efficient accelerator design. CCS CONCEPTS• Computer systems organization → Neural networks.

show abstract