Int-Monitor: a model triggered hardware trojan in deep learning accelerators

Bibliographic Details
Published in: The Journal of Supercomputing, 2023-02, Vol. 79 (3), p. 3095-3111
Main Authors: Li, Peng; Hou, Rui
Format: Article
Language: English
Description
Summary: Deep learning accelerators have domain-specific architectures, and their special memory hierarchy and working mode could bring about new crucial security vulnerabilities. Neural networks reuse PE resources layer by layer; after a layer finishes, the accelerator raises an interrupt to inform the host processor to dispatch the next layer. By snooping on the interrupt signal patterns, we can capture specific deep neural network (DNN) models and launch hardware trojan attacks. In this paper, we propose Int-Monitor, a novel neural network model triggered hardware trojan in DNN accelerators. By implanting a well-designed interrupt monitor between the host processor and DNN accelerator, this backdoor can capture specific DNN models and trigger the trojan to attack DNN bias buffers. By attacking the global bias buffer, this trojan can prevent the activation of neurons in a DNN model. As a result, the network forward propagation will be invalid and the accelerator will deny service. Runtime experiments on LeNet, Resnet, YOLOv2 and YOLOv4tiny DNN models show that Int-Monitor can successfully attack the FPGA-based DNN accelerator SoCs. RTL synthesis and implementation show that this trojan incurs only a small hardware overhead and negligible power consumption. It brings 0.5% and 0.2% hardware overhead and 0.622% and 0.187% power consumption on average in the SIMD and NVDLA accelerators. Unlike previous trojans that use specially dedicated input data as a trigger, this novel trojan enables hackers to use the DNN model as a trigger. This mechanism allows it to escape data pre-processing and data encryption.
ISSN: 0920-8542, 1573-0484
DOI: 10.1007/s11227-022-04759-y