On the Intrinsic Robustness of NVM Crossbars Against Adversarial Attacks
Deboleena Roy, Indranil Chakraborty, Timur Ibrayev, Kaushik Roy
Robustness Hidden in Plain Sight: Can Analog Computing Defend Against Adversarial Attacks?
Deboleena Roy
Department of ECE, Purdue University, West Lafayette, IN 47907
Indranil Chakraborty
Department of ECE, Purdue University, West Lafayette, IN 47907
Timur Ibrayev
Department of ECE, Purdue University, West Lafayette, IN 47907
Kaushik Roy
Department of ECE, Purdue University, West Lafayette, IN 47907
Abstract
The ever-increasing computational demand of Deep Learning has propelled research in special-purpose inference accelerators based on emerging non-volatile memory (NVM) technologies. Such NVM crossbars promise fast and energy-efficient in-situ matrix vector multiplications (MVM), thus alleviating the long-standing von Neumann bottleneck in today's digital hardware. However, the analog nature of computing in these NVM crossbars introduces approximations in the MVM operations. In this paper, we study the impact of these non-idealities on the performance of DNNs under adversarial attacks. The non-ideal behavior interferes with the computation of the exact gradient of the model, which is required for adversarial image generation. In a non-adaptive attack, where the attacker is unaware of the analog hardware, we show that analog computing offers a varying degree of intrinsic robustness, with a peak adversarial accuracy improvement of 35.34%, 22.69%, and 31.70% for white box PGD (ε = 1/255, iter = 30) for CIFAR-10, CIFAR-100, and ImageNet (top-5) respectively. We also demonstrate "hardware-in-loop" adaptive attacks that circumvent this robustness by utilizing the knowledge of the NVM model. To our knowledge, this is the first work that explores the non-idealities of analog computing for adversarial robustness.
Preprint. Under review. arXiv [cs.ET], Aug.

1 Introduction

Deep Learning [23] is a popular, versatile machine learning methodology that has been applied to a wide range of optimization tasks, such as computer vision [31], natural language processing [36], recommender systems [10], etc. Many consumer applications rely on deep neural networks (DNNs) to enhance their user experience, such as smart wearables, smart assistants, etc. As our reliance on deep learning increases, so does the need to build secure, reliable, efficient frameworks for executing the intensive computational requirements of DNNs.

To accommodate the growing computational needs of DNNs, special-purpose accelerators such as Google TPU [20], Microsoft BrainWave [11], and NVIDIA V100 [1] have been proposed. These systems operate on the principle of efficiently performing matrix-vector multiplication (MVM) operations, the key computational kernel in DNNs, by co-locating memory and processing elements. Despite their success, the saturating scaling trends of digital CMOS [35] have garnered interest in non-volatile memory (NVM) technologies such as RRAM [32], PCRAM [33] and Spintronics [14]. The memory element in these technologies can be arranged in a crossbar fashion to enable efficient MVM computations in the analog domain inside the memory array. Such an in-memory computing primitive can significantly lower power and latency compared to digital CMOS [29]. The promises offered by NVM crossbars have propelled significant research in designing analog computing based accelerators, such as PUMA [3].

In analog computing hardware the output of an MVM operation is sensed as a summation of currents through resistive NVM devices arranged in a crossbar, and hence is prone to errors due to the non-ideal behavior of the crossbar and its peripheral circuits. Such errors are hard to model due to the interdependence of multiple analog variables (voltages, currents, resistances) in the crossbar. These deviations result in overall performance degradation of the DNN implementation [8]. Several works have explored various techniques to counteract the impact of these non-idealities [24, 9].

On the flip side, even though the changes in DNN activations arising from non-idealities are hard to model, they can potentially lead to adversarially robust DNN implementations. Adversarial images are generated by estimating the gradients of the model with respect to its input, and carefully perturbing the images in the direction of maximum change in the classifier output [30, 15]. To counter such attacks, several techniques that rely on gradient obfuscation have been previously proposed [13, 5, 4]. In this work, we explore how non-ideal NVM crossbars have a similar intrinsic effect to gradient obfuscation. We implement DNNs on the PUMA architecture, which is composed of thousands of MVM units (MVMUs) made of NVM crossbars. The aforementioned errors occur at the output of these internal MVMUs, which are practically inaccessible to a third party user, such as the software designer or even an attacker. Moreover, the nature of the errors depends heavily on the technology, which might not be fully disclosed by the manufacturer. Finally, any scaled technology is prone to chip to chip variations [26], which can further deter an attacker from exactly replicating the DNN activations. We study two distinct scenarios, one where the attacker does not have access to custom NVM hardware and generates attacks based on accurate digital hardware, and the other where the attacker generates attacks with the NVM hardware in loop.

The main contributions of this work are as follows:
• We demonstrate that adversarial attacks crafted without the knowledge of the hardware implementation are less effective in both black box and white box scenarios.
• We tested multiple variants of NVM crossbars, and show that the degree of intrinsic robustness offered by the analog hardware is in proportion to its degree of non-ideal behavior.
• We show that "Hardware-in-Loop" adaptive adversarial attacks are more effective, as the attacker can now account for the non-ideal computations when crafting the adversarial examples. We show that the degree of success depends on what hardware is available to the attacker and how similar it is to the target model's hardware.
[Figure 1 illustration: (Left) Ideal NVM Crossbar; (Right) Non-Ideal NVM Crossbar with peripheral and parasitic resistances R_source, R_sink and R_wire along the bit-line (BL), source-line (SL) and word-line (WL). G_ij = conductance of the NVM device at position (i, j); V_i = voltage applied to the i-th row; I_j = current at the j-th column.]

Figure 1: (Left) Illustration of an NVM crossbar which produces the output current I_j as a dot-product of the voltage vector V_i and the NVM device conductances G_ij. (Right) Various peripheral and parasitic resistances modify the dot-product computations into an interdependent function of the analog variables (voltage, conductance and resistances) in a non-ideal NVM crossbar.

2 Background

2.1 In-memory Analog Computing Hardware

In-memory analog computing with NVM technologies is being extensively studied for machine learning (ML) workloads [6, 2, 7] because of its inherent ability to perform efficient matrix-vector multiplications, the key computational kernel in DNNs. The basic compute fabric in NVM technologies is a two-dimensional cross-point memory, known as a crossbar, shown in Fig. 1. The memory devices lie at the intersection of horizontally (source-line) and vertically (bit-line) running metal lines. The conductance of each memory device can be programmed to a discrete number of levels [19]. By simultaneously applying inputs, in the form of voltages V_i, at the source-lines, the multiplications are performed between the voltages V_i and conductances G_ij by each NVM device using the principle of Ohm's law. Finally, the product, which is the resulting current I_ij from each NVM device, is summed up using Kirchhoff's current law to produce a dot-product output I_j at each column:

$$I_j = \sum_i I_{ij} = \sum_i V_i G_{ij} \qquad (1)$$

Such parallelized dot-products across all columns enable efficient multiplication of the input voltage vector V and the crossbar conductance matrix G, resulting in an output vector I = VG. A few key aspects of the design of NVM crossbars are the following parameters:
• Crossbar Size: The number of rows and columns in the crossbar matrix.
• ON Resistance (R_ON): The minimum resistance level of the NVM device.

Typically, in a convolutional neural network (CNN), the convolution operation between the input and the weight tensor can be represented in the form of a series of MVM operations, which can be subdivided into smaller MVM operations to conform to the technological restrictions on the size of the NVM crossbar. Floating point inputs and weights in DNNs are converted to fixed point precision to make them compatible with NVM crossbar based computations.

The analog nature of computing in NVM crossbars introduces functional errors in the MVM computations due to several non-idealities arising from the NVM devices and peripheral resistances. The aforementioned crossbar design parameters, such as Crossbar Size and ON Resistance, have varying impact on the degree of functional errors introduced by the non-idealities [8] by affecting the effective resistance of a crossbar column. A larger crossbar size lowers the effective resistance, making the crossbar more prone to non-ideal effects, while a higher ON resistance increases it, resulting in a crossbar less affected by non-idealities. Due to the non-idealities, the resulting output current I_ni is a function of the voltage vector V, the conductance matrix G(V), which is now dependent on V, and several non-ideal factors:

$$I_{ni} = f(V, G(V), R_{source}, R_{sink}, R_{wire}) \qquad (2)$$

To study the impact of such non-ideal behavior of NVM crossbars on DNNs, researchers have previously proposed techniques to model the non-ideal function in Equation 2. One such technique is GENIEx [8], where the authors use a neural network to model the aforementioned non-ideal function. DNNs typically consist of thousands of MVM operations at every layer. The NVM crossbar non-idealities cause the activations at every layer to deviate from their expected value, and this deviation propagates through the network. This results in a degradation of DNN accuracy at inference (without any adversary).
Interestingly, the same deviation in activation imparts adversarial robustness when under attack, which is further analyzed in this paper.

2.2 Adversarial Attacks

In 2013, the authors of [30] demonstrated that a classifier can be forced to make an error by adding small perturbations to the data which are almost imperceptible to the human eye. They coined the term "adversarial examples" to define such data designed specifically to fool the classifier. Since then, several methods have been developed to generate such data, which are known as "adversarial attacks". In principle, these attacks try to solve the following optimization problem [27]:

$$x^{*} = x + \operatorname{argmin}\{\, z : F(x + z) \neq F(\theta, x) \,\} = x + \delta_x \qquad (3)$$

where x is the original data, x* is the perturbed adversarial data, F(x) is the classifier function mapping inputs to labels, and the objective of the adversary is to misclassify, i.e. F(x*) ≠ F(x). Most attacks use gradient-based optimization to solve Eq. 3, and the attack's success relies on how accurately one can estimate ∇_x L(θ, x, y), the derivative of the cost function L(θ, x, y) with respect to x, where θ denotes the target model parameters, and x and y are the inputs and labels respectively [15].

3 Adversarial Robustness of NVM Crossbar based Analog Computing
In recent years, several adversarial defenses have been proposed that disrupt the gradient computation of the model by adding an extra computational element to the network, such as a randomization layer at the beginning [34], or adaptive dropout after every layer [13]. When a DNN model is implemented on an NVM crossbar architecture, the non-idealities have a similar effect of changing the layer-wise activations of the DNN. There is no simple differentiable function to model these deviations, and one cannot determine them without probing the analog hardware. Thus, such an implementation could potentially increase the robustness of the neural network. In this section we describe the methodology to emulate DNNs on the PUMA architecture, and set up different threat models based on the attacker's knowledge of both the software and the hardware.
3.1 NVM Crossbar Models

Table 1: Crossbar Model Description

Crossbar Model   Size      R_ON (Ω)   NF
64x64_300k       64 × 64   300k       0.07
32x32_100k       32 × 32   100k       0.14
64x64_100k       64 × 64   100k       0.26
To model the non-ideal crossbar, we use GENIEx, a deep learning based crossbar model developed by the authors of [8]. They define a multi-layer perceptron (MLP) which receives V and G as inputs and predicts the output I_ni. This MLP is trained on training pairs [(V, G), I_ni] obtained from circuit simulations. In this paper, we have replicated the modeling technique of GENIEx to generate 3 RRAM based crossbar models (Table 1). The degree of non-ideality has been described by the authors of GENIEx as the Non-ideality Factor (NF):

$$NF = \frac{\text{Expected Output} - \text{Actual Output}}{\text{Expected Output}}$$

NF is directly proportional to crossbar size and inversely proportional to ON Resistance. In our experiments, we have considered different crossbar models to study the impact of different degrees of non-idealities, represented by different NF, on adversarial robustness, as shown in Table 1. To integrate the NVM crossbar models with the PyTorch framework, we have adopted a functional simulator from [8] based on the PUMA hardware architecture [3].
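To make the crossbar parameters of Table 1 concrete, the following added example (not code from the paper or from GENIEx) simulates the ideal dot-product of Eq. 1 and a deliberately simplified stand-in for the non-ideal function of Eq. 2 in pure Python, and computes NF = (Expected Output − Actual Output)/Expected Output for the three (size, R_ON) combinations of Table 1. The parasitic model (a per-device series path plus a shared sink resistance that couples all devices in a column), the resistance values, the 16 conductance levels and the random weights are all assumptions chosen for illustration; the example reproduces the trend that NF grows with crossbar size and shrinks with higher R_ON, not the paper's exact NF values.

```python
# Added example: toy NVM crossbar simulator for Eqs. (1)-(2) and the NF metric.
# All parasitic values, the ON/OFF ratio and the level count are assumptions.
import random


def ideal_mvm(v, g):
    """Eq. (1): I_j = sum_i V_i * G_ij for an N-row, M-column crossbar.

    v: list of N input voltages (volts); g: N x M list of conductances (siemens).
    Returns the M column currents (amperes).
    """
    n_rows, n_cols = len(g), len(g[0])
    return [sum(v[i] * g[i][j] for i in range(n_rows)) for j in range(n_cols)]


def nonideal_mvm(v, g, r_source=100.0, r_sink=1000.0, r_wire=20.0):
    """Simplified stand-in for the non-ideal function f of Eq. (2).

    Assumed model (not GENIEx): device (i, j) is in series with the driver
    resistance R_source and the wire resistance accumulated along its row and
    column, and the whole column current I_j flows through R_sink, lifting the
    bit-line end to V_sink = R_sink * I_j. That shared drop couples every
    device in the column, which is what turns the output into an
    interdependent function of voltages, conductances and resistances.
    Solving I_j = sum_i (V_i - R_sink * I_j) / R_path_ij for I_j gives the
    closed form I_j = A / (1 + R_sink * B), with A = sum_i V_i / R_path_ij
    and B = sum_i 1 / R_path_ij.
    """
    n_rows, n_cols = len(g), len(g[0])
    out = []
    for j in range(n_cols):
        a = b = 0.0
        for i in range(n_rows):
            r_path = 1.0 / g[i][j] + r_source + r_wire * (i + j + 2)
            a += v[i] / r_path
            b += 1.0 / r_path
        out.append(a / (1.0 + r_sink * b))
    return out


def program_conductances(weights, r_on, r_off_ratio=10.0, levels=16):
    """Map weights in [0, 1] onto `levels` discrete conductance states between
    G_min = 1 / (R_ON * r_off_ratio) and G_max = 1 / R_ON (Section 2.1).
    The 10x ON/OFF ratio and the 16 levels are assumed values."""
    g_max = 1.0 / r_on
    g_min = g_max / r_off_ratio
    step = (g_max - g_min) / (levels - 1)
    return [[g_min + round(w * (levels - 1)) * step for w in row] for row in weights]


def nonideality_factor(v, g, **parasitics):
    """GENIEx definition, averaged over the columns of the crossbar:
    NF = (Expected Output - Actual Output) / Expected Output."""
    expected = ideal_mvm(v, g)
    actual = nonideal_mvm(v, g, **parasitics)
    return sum((e - a) / e for e, a in zip(expected, actual)) / len(expected)


def crossbar_nf(size, r_on, seed=0):
    """NF of a size x size crossbar holding random weights in [0, 1), driven by
    random input voltages in [0, 0.5) V (constructed, seeded inputs)."""
    rng = random.Random(seed)
    weights = [[rng.random() for _ in range(size)] for _ in range(size)]
    v = [0.5 * rng.random() for _ in range(size)]
    return nonideality_factor(v, program_conductances(weights, r_on))


if __name__ == "__main__":
    # The same three (size, R_ON) combinations as Table 1 of the paper.
    for size, r_on in ((64, 300e3), (32, 100e3), (64, 100e3)):
        print(f"{size}x{size}_{int(r_on) // 1000}k  NF = {crossbar_nf(size, r_on):.3f}")
```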
For our evaluation we selected 3 image recognition tasks, and trained a ResNet [18] for each task.
• CIFAR-10 [21]: A ResNet-20 was trained for 200 epochs, with the learning rate (lr) schedule [0. , , . , , . ], and achieved test accuracy of .
• CIFAR-100 [21]: A ResNet-32 was trained for 200 epochs, with the lr schedule [0. , , . , , . ], and achieved test accuracy of .
• ImageNet [12]: A ResNet-18 was trained for 90 epochs, with the lr schedule [0. , , . , , . ], and achieved top-1 and top-5 test accuracy of . and . respectively.

Table 2: Attacker's Knowledge for the Threat Scenarios
                        Accurate Digital Computation             Non-Ideal Analog Computation
Attack Type             Model Weights   Logits   Activations     Crossbar Model        Logits   Activations
Non-Adaptive Attacks
  Transfer Attacks      No              No       No              No                    No       No
  Black Box Attacks     No              Yes      No              No                    No       No
  White Box Attacks     Yes             Yes      Yes             No                    No       No
Adaptive Attacks
  Black Box Attacks     No              N/A      N/A             Yes (may not match)   Yes      No
  White Box Attacks     Yes             N/A      N/A             Yes (may not match)   Yes      Yes
Threat Models

We define 5 different threat scenarios with varying extent of the attacker's knowledge of the target model and the underlying hardware (Table 2). For each threat scenario there is an attack model (a single DNN or an ensemble of DNNs) which is used to generate the adversarial images. We use Projected Gradient Descent (PGD) [25] to generate iterative perturbations that are bound by the l∞ norm, as shown in Eq. 4:

$$x^{t+1} = \Pi_{x+S}\left( x^{t} + \alpha\, \mathrm{sgn}\left( \nabla_x L(\theta, x^{t}, y) \right) \right) \qquad (4)$$

x^{t+1} is the adversarial example generated at the (t+1)-th iteration. The model's cost function is L(θ, x, y), which is a function of the model parameters θ, input x, and labels y. The set of allowed perturbations is given by S. For the l∞ norm, the attack epsilon (ε) defines the set of perturbations as S = { δ | (x + δ ≥ max(x + ε, )) ∧ (x + δ ≤ min(x + ε, )) }, where x ∈ [0, ].

Our first category of threat scenario is "Non-Adaptive Attacks", i.e. the attacker has no knowledge of the underlying analog hardware and the attacks are generated under the assumption of accurate digital computation. Under this category, we have 3 varying degrees of attack.
Transfer Attacks
This is the weakest threat model, where the adversary has no knowledge of the model. The attack model is another DNN trained on the same dataset and run on accurate digital hardware. The attack model architectures for CIFAR-10/100 and ImageNet are ResNet-10, ResNet-20, and AlexNet [22], respectively. ResNet-10 and ResNet-20 are trained on CIFAR-10/100, respectively, using the same training schedule as the target models. For ImageNet, we used a pretrained AlexNet available in PyTorch [28].
Black Box Attacks
The attacker queries the model on accurate digital hardware and reads the output of the final layer before softmax (logits) to generate a synthetic dataset of training data and its corresponding logits. This synthetic dataset is used to train 3 different ResNet models, ResNet-10, 20 and 32, which are used to generate adversarial images using the stack parallel ensemble strategy [17].
White Box Attacks
This is the highest threat level, where the attacker has full knowledge of the model weights, thus the attack model is the same as the target model. However, while generating gradients, the attacker has no knowledge of the underlying analog hardware implementation. The gradients for the attack are computed assuming an accurate digital hardware implementation.
Comparison with Related Work
We have selected 3 defenses that can be applied to a pretrained network, as listed below. For a fair comparison, we apply non-adaptive attacks for these defenses as well, i.e. the defenses are not visible to the attacker when they query the model to generate their synthetic dataset for Black Box attacks, and when they generate gradients for White Box attacks.
• Input Bit Width (BW) Reduction [16]: The input is quantized to 4 bits.
• Stochastic Activation Pruning (SAP) [13] (for CIFAR-10/100 only): At inference, after every convolution layer, there is an adaptive dropout that randomly sets the layer outputs to 0 with a probability proportional to their absolute value.
• Random Padding [34] (for ImageNet only): Two randomization layers are introduced before the pretrained model. The first layer scales the input image to a random size N×N where N ∈ [299, 331] using nearest-neighbor extrapolation. The second layer randomly pads the image to generate the final image of size 331×331.

Adaptive Attacks

In this category of attacks, the attacker is aware that the model is implemented on NVM crossbar hardware. However, the crossbar model available to the attacker may or may not match the target's implementation. For crafting Black Box Attacks, the attacker queries the DNN model implemented on the NVM crossbar based hardware to create the synthetic dataset. In the case of White Box attacks, the attacker generates adversarial images using "Hardware-in-Loop" gradient descent. Note that the NVM crossbar based hardware is designed for inference tasks and does not support backpropagation of gradients. Thus, for "Hardware-in-Loop", the forward pass is performed on the NVM crossbar hardware, and all activations are recorded. However, the derivatives are calculated assuming ideal computations in place of the non-ideal MVM operations of the crossbar. As described in Section 3.1, the NVM crossbar non-idealities vary with crossbar properties.
We use 3 different crossbar models as defined in Table 1, and we explore scenarios where there is a mismatch between the crossbar model used by the attacker and the target implementation.
5 Results
The first effect of implementing DNNs on NVM crossbar hardware is the reduction in clean accuracy due to the errors associated with non-ideal computations. The greater the Non-Ideality Factor (NF), the more severe is the accuracy degradation, as noted in Tables 3 and 4. The clean accuracy of CIFAR-10 drops from 92.44% (accurate digital hardware) to 88.34% on 64x64_100k, the most non-ideal crossbar model among the three chosen. Similarly, CIFAR-100 accuracy drops from 71.42% to 55.48% and ImageNet accuracy falls from 69.56% to 62.50% on the 64x64_100k NVM crossbar hardware. If the non-idealities of NVM hardware had no impact on adversarial robustness, a similar degradation would have been observed in model accuracy under attack. However, our findings, as outlined below, indicate a different trend.
Figure 2: Non-Adaptive Transfer Attacks (PGD, iter=30) on CIFAR-10/100 and ImageNet on 3 NVM models and 3 defenses, Input BW Reduction (4-bit input) [16], SAP [13], Random Pad [34]
Transfer Attacks
In Fig. 2, we observe the decline in adversarial accuracy with increasing attack epsilon (ε) for CIFAR-10, CIFAR-100, and ImageNet. For CIFAR-10/100, the 64x64_300k model did not exhibit any increase in robustness; instead it trailed behind the baseline accuracy. In the case of CIFAR-10, the other two crossbar models, 32x32_100k and 64x64_100k, displayed an absolute increase in robustness of 4.2% and 5.9% averaged over ε = (2,4,6,8)/255, respectively. For CIFAR-100, the average increase in robustness for ε = (4,6,8)/255 was 1.4% for 32x32_100k and 1.84% for 64x64_100k. The peak improvement in robustness was observed for ε = 6/255 and has been summarized in Table 3. For ImageNet, we do not observe any improvement in robustness. A possible reason could be that the attack is much weaker, as it was generated on a different architecture (AlexNet) instead of a ResNet. The more generic the attack, the less effect the NVM non-idealities seem to have on robustness.
Figure 3: Non-Adaptive Black Box Attacks (PGD, iter=30) on CIFAR-10, CIFAR-100 on 3 NVM crossbar models and the 2 defenses, Input BW Reduction (4-bit input) [16] and SAP [13]
Black Box Attacks
From Fig. 5, we observe similar trends as for transfer attacks for CIFAR-10 and CIFAR-100. The 64x64_300k model did not exhibit any increase in robustness; instead it trailed behind the baseline accuracy. The NVM crossbar models 32x32_100k and 64x64_100k recorded an absolute increase in robustness of 5.3% and 7.8% averaged over ε = (2,4,6,8)/255, respectively, for CIFAR-10. For CIFAR-100, it was 1.4% and 1.84% respectively. The peak improvement in robustness was observed for ε = 4/255 and has been summarized in Table 3.
Figure 4: Non-Adaptive White Box Attacks (PGD, iter=30) on CIFAR-10, CIFAR-100 on 3 NVM models and 2 defenses, Input BW Reduction (4-bit input) [16] and SAP [13]

Table 3: CIFAR-10/100 accuracy against Non-Adaptive Attacks (PGD, iter=30). Values in parentheses are the change from the Baseline (accurate digital hardware).

CIFAR-10 (ResNet-20)
Attack Type                            Baseline   64x64_300k       32x32_100k       64x64_100k       Input BW Reduction [16]   SAP [13]
Transfer Attack (ResNet-10) ε=6/255    12.94      12.24 (-0.70)    18.53 (+5.59)    21.54 (+8.6)     22.43 (+9.49)             30.48 (+17.54)
Ensemble Black Box Attack ε=4/255      18.91      17.15 (-1.76)    26.6 (+7.69)     30.35 (+11.44)   31.89 (+12.98)            40.19 (+21.28)
White Box Attack ε=1/255               19.64      17.56 (-2.08)    46.12 (+26.48)   54.98 (+35.34)   55.29 (+35.65)            64.26 (+44.62)
White Box Attack ε=2/255               0.51       0.45 (-0.06)     8.51 (+8.00)     17.22 (+16.71)   14.94 (+14.34)            44.85 (+44.34)

CIFAR-100 (ResNet-32)
Attack Type                            Baseline   64x64_300k       32x32_100k       64x64_100k       Input BW Reduction [16]   SAP [13]
Clean                                  71.42      63.89 (-7.53)    62.44 (-8.98)    55.48 (-15.94)   64.20 (-7.22)             44.41 (-27.01)
Transfer Attack (ResNet-20) ε=6/255    9.61       8.45 (-1.16)     11.14 (+1.53)    11.83 (+2.22)    14.88 (+5.27)             15.76 (+6.15)
Ensemble Black Box Attack ε=4/255      9.88       8.03 (-1.85)     11.95 (+2.07)    12.59 (+2.71)    17.07 (+7.19)             17.60 (+7.72)
White Box Attack ε=1/255               5.78       6.53 (+0.75)     24.22 (+18.44)   28.47 (+22.69)   30.45 (+24.67)            32.4 (+26.62)
White Box Attack ε=2/255               0.24       0.39 (+0.15)     4.55 (+4.31)     8.27 (+8.03)     8.94 (+8.70)              20.14 (+19.9)

Table 4: ImageNet Accuracy against Non-Adaptive White Box Attacks (PGD, iter = 30). Values in parentheses are the change from the Baseline.

Attack Type                Baseline   64x64_300k       32x32_100k       64x64_100k       Input BW Reduction [16]   Random Pad [34]
Top-1 Accuracy
White Box Attack ε=1/255   0.40       0.60 (+0.20)     4.50 (+4.10)     10.30 (+9.90)    9.6 (+9.20)               44.3 (+43.90)
White Box Attack ε=2/255   0.10       0.10 (+0.00)     0.20 (+0.10)     0.50 (+0.40)     0.10 (+0.00)              33.50 (+33.40)
Top-5 Accuracy
Clean                      89.06      86.3 (-2.76)     86.2 (-2.86)     84.8 (-4.26)     86.5 (-2.56)              85.9 (-3.16)
White Box Attack ε=1/255   18.60      19.30 (+0.70)    42.20 (+23.60)   50.30 (+31.70)   52.00 (+33.40)            73.2 (+54.60)
White Box Attack ε=2/255   4.10       3.70 (-0.40)     13.40 (+9.30)    19.30 (+15.20)   20.60 (+16.50)            64.10 (+60.00)

White Box Attacks

Under this threat model we observe the highest improvement in robustness, as depicted in Fig. 4 for CIFAR-10/100 and Table 4 for ImageNet. The NVM model 64x64_300k still continues to closely follow the baseline accuracy. For all 3 datasets, the baseline accuracy drops sharply to 0 beyond ε = 2/255. At this level, the NVM models are no longer able to recover any performance. For ε = (1,2)/255, we observe that 64x64_100k, the most non-ideal of the 3 models, offers the highest improvement for all 3 datasets, with an absolute increase of 35.34% for CIFAR-10, 22.69% for CIFAR-100, and 9.90% (32.70%) for ImageNet top-1 (top-5) at ε = 1/255.

We observe the following trends for all 3 non-adaptive attacks:
• The more the attacker relies on estimating the target model for attack generation, the greater is the benefit in robustness. We observed an increase in the absolute improvement from baseline accuracy as we move from Transfer attacks to Black Box to White Box attacks.
• The resulting accuracy is a combination of two opposing forces. The errors caused by the non-idealities try to lower the accuracy, while the intrinsic robustness arising from the same non-idealities lowers the effectiveness of the attack and pushes the accuracy higher than the baseline. For example, for 64x64_300k (NF = 0.07), the MVM operations are close enough to ideal computation for the non-adaptive attacks to transfer successfully.
  Whereas the more non-ideal crossbar models, 32x32_100k and 64x64_100k, have greater clean accuracy degradation due to functional errors, but have higher adversarial accuracy, as the non-idealities hinder the transfer of the attacks.
Overall, the intrinsic robustness of NVM crossbars is often within the ballpark of Input BW Reduction. However, stronger adversarial defenses such as SAP [13] and Random Padding [34] have performed much better.
Figure 5: Hardware-in-Loop Adaptive Black Box Attacks (PGD, iter=30) on CIFAR-10/100. Target NVM model is 64x64_100k, and the attacks are generated using 3 different NVM models.

Table 5: Hardware-in-Loop Adaptive White Box Attacks (PGD, ε=1/255, iter=30). Values in parentheses are the change from the Baseline.
                         NVM Crossbar Model (Target)
Dataset (Attack ε)       Baseline   64x64_300k       32x32_100k      64x64_100k
CIFAR-10                                                             (+9.2)
CIFAR-100                5.78       28.21 (+22.43)   10.86 (+5.08)   (+3.95)
ImageNet Top-1           0.40       –                –               (+0.40)
ImageNet Top-5           18.60      –                –               (+2.10)

Black Box Attacks

When the attacker builds their synthetic dataset by querying the NVM crossbar hardware implementation of the DNN, the resulting ensemble Black Box attacks are much more effective. The adversarial accuracy of the hardware falls significantly below the baseline, as shown in Fig. 5. Even when the attack is built using a crossbar model different from the target, the accuracy degradation is significant. We observe that attacks generated using 32x32_100k (NF = 0.14) are stronger than those generated using 64x64_300k (NF = 0.07) when applied to 64x64_100k (NF = 0.26). This implies that the smaller the difference in NF, the more effective are the attacks.
White Box Attacks
The results for hardware-in-loop White Box attacks are presented in Table 5. The values in bold indicate that the attacker's NVM crossbar model is an exact match to the target model's underlying hardware. Even when the attacker has full knowledge of the hardware, the non-idealities help improve robustness. We observe that if the attacker's NVM model is different from the target, the attacks do not transfer well and are weaker than non-adaptive attacks. For example, for CIFAR-10, under attack epsilon ε = 1/255, the accuracy of the 64x64_300k NVM model is . for a non-adaptive attack, but . for an adaptive attack with an incorrect NVM model. Thus, having an incorrect crossbar model is worse than having no model at all in this case.

Discussion

Non-idealities in NVM crossbars have been a long-standing challenge [8] affecting the feasibility of analog computing hardware, and several techniques have been proposed to compensate for them [9]. In this work, we study these non-idealities from the new perspective of adversarial robustness. We observed that DNNs implemented on NVM crossbar hardware exhibit increased adversarial robustness under varied threat models. While this robustness falls short of other defenses [16, 13, 34], an important point to note is that such robustness is intrinsic to the NVM crossbar hardware, unlike other defenses which have a computational overhead. Also, any algorithmic defense can be further implemented on the analog hardware for additional robustness. The non-ideality factor (NF) of the crossbar model determines the degree of robustness; therefore, one can potentially design NVM crossbars with an optimal trade-off between accuracy degradation and increased robustness due to non-idealities. We have demonstrated "Hardware-in-Loop" attacks where the knowledge of the underlying hardware helps generate stronger attacks.
While we have considered NVM crossbar models based on RRAM technology [32], analog hardware based on other technologies [33, 14] is also possible. This, along with chip to chip variations, may further hinder the transferability of attacks generated on one analog computing hardware to another. In summary, this work is the first step toward understanding the role of non-idealities in NVM crossbar hardware for adversarial robustness. It opens the possibility of defenses that leverage the non-ideal computations, and on the other hand, of attacks that exploit these non-idealities.
Acknowledgment
This work was supported in part by the Center for Brain Inspired Computing (C-BRIC), one of the six centers in JUMP, a Semiconductor Research Corporation (SRC) program sponsored by DARPA, the National Science Foundation, Intel Corporation, the DoD Vannevar Bush Fellowship, and by the U.S. Army Research Laboratory and the U.K. Ministry of Defense under Agreement Number W911NF-16-3-0001.
Broader Impact
Over the years, deep learning (DL) has shown incredible promise in designing better consumer services, such as smart assistants, virtual health screening, semi-autonomous vehicles, home security, etc. Building reliable, secure and low cost implementations of these methods is important for increasing the outreach of such technological advancements. In recent years, adversarial attacks have exposed the inherent vulnerabilities of deep learning based models and have raised questions about their reliability, especially in mission-critical applications. On the other hand, as deep learning models are scaled to tackle increasingly complex challenges, their computational needs also continue to grow. In such a scenario, low cost hardware that is fast, reliable and secure can support widespread adoption of DL based solutions. In this work, we study how the intrinsic properties of such low cost hardware contribute to the adversarial robustness of DL models. One can possibly design secure and low cost AI systems of the future by leveraging the interplay between the hardware and the algorithm, as demonstrated in this work.
Acknowledgments and Disclosure of Funding
The research was funded in part by C-BRIC, one of six centers in JUMP, a Semiconductor Research Corporation (SRC) program sponsored by DARPA, the National Science Foundation, Sandia National Laboratories, Intel Corporation and the Vannevar Bush Faculty Fellowship.
References

[1] NVIDIA Tesla V100 GPU architecture, the world's most advanced data center GPU. Technical report, NVIDIA Corporation, 2017.
[2] Stefano Ambrogio et al. Equivalent-accuracy accelerated neural-network training using analogue memory. Nature, 558(7708):60, 2018.
[3] Aayush Ankit, Izzat El Hajj, Sai Rahul Chalamalasetti, Geoffrey Ndu, Martin Foltin, R Stanley Williams, Paolo Faraboschi, Wen-mei W Hwu, John Paul Strachan, Kaushik Roy, et al. PUMA: A programmable ultra-efficient memristor-based accelerator for machine learning inference. In Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems, pages 715–731, 2019.
[4] Anish Athalye, Nicholas Carlini, and David Wagner. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. arXiv preprint arXiv:1802.00420, 2018.
[5] Jacob Buckman, Aurko Roy, Colin Raffel, and Ian Goodfellow. Thermometer encoding: One hot way to resist adversarial examples. In International Conference on Learning Representations, 2018.
[6] Geoffrey W Burr et al. Experimental demonstration and tolerancing of a large-scale neural network (165000 synapses) using phase-change memory as the synaptic weight element. IEEE Transactions on Electron Devices, 62(11):3498–3507, 2015.
[7] Fuxi Cai et al. A fully integrated reprogrammable memristor–CMOS system for efficient multiply–accumulate operations. Nature Electronics, 2(7):290–299, 2019.
[8] Indranil Chakraborty, Mustafa Fayez Ali, Dong Eun Kim, Aayush Ankit, and Kaushik Roy. GENIEx: A generalized approach to emulating non-ideality in memristive xbars using neural networks. arXiv preprint arXiv:2003.06902, 2020.
[9] Indranil Chakraborty, Deboleena Roy, and Kaushik Roy. Technology aware training in memristive neuromorphic systems for nonideal synaptic crossbars. IEEE Transactions on Emerging Topics in Computational Intelligence, 2(5):335–344, 2018.
[10] Heng-Tze Cheng, Levent Koc, Jeremiah Harmsen, Tal Shaked, Tushar Chandra, Hrishi Aradhye, Glen Anderson, Greg Corrado, Wei Chai, Mustafa Ispir, et al. Wide & deep learning for recommender systems. In Proceedings of the 1st Workshop on Deep Learning for Recommender Systems, pages 7–10, 2016.
[11] Eric Chung et al. Serving DNNs in real time at datacenter scale with Project Brainwave. IEEE Micro, 38(2):8–20, 2018.
[12] Jia Deng, Wei Dong, Richard Socher, Li-Jia Li, Kai Li, and Li Fei-Fei. ImageNet: A large-scale hierarchical image database. In , pages 248–255. IEEE, 2009.
[13] Guneet S Dhillon, Kamyar Azizzadenesheli, Zachary C Lipton, Jeremy Bernstein, Jean Kossaifi, Aran Khanna, and Anima Anandkumar. Stochastic activation pruning for robust adversarial defense. arXiv preprint arXiv:1803.01442, 2018.
[14] Xuanyao Fong, Yusung Kim, Karthik Yogendra, Deliang Fan, Abhronil Sengupta, Anand Raghunathan, and Kaushik Roy. Spin-transfer torque devices for logic and memory: Prospects and perspectives. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 35(1):1–22, 2015.
[15] Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572, 2014.
[16] Chuan Guo, Mayank Rana, Moustapha Cisse, and Laurens Van Der Maaten. Countering adversarial images using input transformations. arXiv preprint arXiv:1711.00117, 2017.
[17] Jie Hang, Keji Han, Hui Chen, and Yun Li. Ensemble adversarial black-box attacks against deep learning systems.
Pattern Recognition , 101:107184, 2020.[18] Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. Deep residual learning for image recognition.In
Proceedings of the IEEE conference on computer vision and pattern recognition , pages 770–778, 2016.[19] Miao Hu et al. Dot-product engine for neuromorphic computing: programming 1t1m crossbar to acceleratematrix-vector multiplication. In
Design Automation Conference (DAC), 2016 53nd ACM/EDAC/IEEE ,pages 1–6. IEEE, 2016.[20] Norman P Jouppi et al. In-datacenter performance analysis of a tensor processing unit. In , pages 1–12. IEEE, 2017.[21] Alex Krizhevsky, Geoffrey Hinton, et al. Learning multiple layers of features from tiny images. 2009.[22] Alex Krizhevsky, Ilya Sutskever, and Geoffrey E Hinton. Imagenet classification with deep convolutionalneural networks. In
Advances in neural information processing systems , pages 1097–1105, 2012.[23] Yann LeCun, Yoshua Bengio, and Geoffrey Hinton. Deep learning. nature , 521(7553):436–444, 2015.[24] Chenchen Liu, Miao Hu, John Paul Strachan, and Hai Li. Rescuing memristor-based neuromorphic designwith high defects. In , pages 1–6.IEEE, 2017.[25] Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. Towardsdeep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083 , 2017.[26] Dimin Niu, Yiran Chen, Cong Xu, and Yuan Xie. Impact of process variations on emerging memristor. In
Proceedings of the 47th Design Automation Conference , pages 877–882, 2010.[27] Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z Berkay Celik, and Ananthram Swami.Practical black-box attacks against machine learning. In
Proceedings of the 2017 ACM on Asia conferenceon computer and communications security , pages 506–519, 2017.[28] Adam Paszke, Sam Gross, Francisco Massa, Adam Lerer, James Bradbury, Gregory Chanan, TrevorKilleen, Zeming Lin, Natalia Gimelshein, Luca Antiga, Alban Desmaison, Andreas Kopf, Edward Yang,Zachary DeVito, Martin Raison, Alykhan Tejani, Sasank Chilamkurthy, Benoit Steiner, Lu Fang, JunjieBai, and Soumith Chintala. Pytorch: An imperative style, high-performance deep learning library. InH. Wallach, H. Larochelle, A. Beygelzimer, F. d’ Alche-Buc, E. Fox, and R. Garnett, editors,
Advances inNeural Information Processing Systems 32 , pages 8024–8035. Curran Associates, Inc., 2019.[29] Ali Shafiee et al. Isaac: A convolutional neural network accelerator with in-situ analog arithmetic incrossbars.
ACM SIGARCH Computer Architecture News , 44(3):14–26, 2016.[30] Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, andRob Fergus. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199 , 2013.
31] Athanasios Voulodimos, Nikolaos Doulamis, Anastasios Doulamis, and Eftychios Protopapadakis. Deeplearning for computer vision: A brief review.
Computational intelligence and neuroscience , 2018, 2018.[32] H-S Philip Wong, Heng-Yuan Lee, Shimeng Yu, Yu-Sheng Chen, Yi Wu, Pang-Shiu Chen, Byoungil Lee,Frederick T Chen, and Ming-Jinn Tsai. Metal–oxide rram.
Proceedings of the IEEE , 100(6):1951–1970,2012.[33] H-S Philip Wong, Simone Raoux, SangBum Kim, Jiale Liang, John P Reifenberg, Bipin Rajendran, MehdiAsheghi, and Kenneth E Goodson. Phase change memory.
Proceedings of the IEEE , 98(12):2201–2227,2010.[34] Cihang Xie, Jianyu Wang, Zhishuai Zhang, Zhou Ren, and Alan Yuille. Mitigating adversarial effectsthrough randomization. arXiv preprint arXiv:1711.01991 , 2017.[35] Xiaowei Xu et al. Scaling for edge inference of deep neural networks.
Nature Electronics , 1(4):216–222,2018.[36] T. Young, D. Hazarika, S. Poria, and E. Cambria. Recent trends in deep learning based natural languageprocessing [review article].
IEEE Computational Intelligence Magazine , 13(3):55–75, 2018., 13(3):55–75, 2018.