TY - GEN
T1 - RADAR
T2 - 2021 Design, Automation and Test in Europe Conference and Exhibition, DATE 2021
AU - Li, Jingtao
AU - Rakin, Adnan Siraj
AU - He, Zhezhi
AU - Fan, Deliang
AU - Chakrabarti, Chaitali
N1 - Publisher Copyright: © 2021 EDAA.
PY - 2021/2/1
Y1 - 2021/2/1
N2 - Adversarial attacks on Neural Network weights, such as the progressive bit-flip attack (PBFA), can cause a catastrophic degradation in accuracy by flipping a very small number of bits. Furthermore, PBFA can be conducted at run time on the weights stored in DRAM main memory. In this work, we propose RADAR, a Run-time adversarial weight Attack Detection and Accuracy Recovery scheme to protect DNN weights against PBFA. We organize weights that are interspersed in a layer into groups and employ a checksum-based algorithm on weights to derive a 2-bit signature for each group. At run time, the 2-bit signature is computed and compared with the securely stored golden signature to detect the bit-flip attacks in a group. After successful detection, we zero out all the weights in a group to mitigate the accuracy drop caused by malicious bit-flips. The proposed scheme is embedded in the inference computation stage. For the ResNet-18 ImageNet model, our method can detect 9.6 bit-flips out of 10 on average. For this model, the proposed accuracy recovery scheme can restore the accuracy from below 1% caused by 10 bit flips to above 69%. The proposed method has extremely low time and storage overhead. System-level simulation on gem5 shows that RADAR only adds < 1% to the inference time, making this scheme highly suitable for run-time attack detection and mitigation.
KW - Neural networks
KW - protection
KW - run-time detection
KW - weight attack
UR - http://www.scopus.com/inward/record.url?scp=85111011069&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85111011069&partnerID=8YFLogxK
U2 - 10.23919/DATE51398.2021.9474113
DO - 10.23919/DATE51398.2021.9474113
M3 - Conference contribution
AN - SCOPUS:85111011069
T3 - Proceedings - Design, Automation and Test in Europe, DATE
SP - 790
EP - 795
BT - Proceedings of the 2021 Design, Automation and Test in Europe, DATE 2021
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 1 February 2021 through 5 February 2021
ER -