DOI: 10.1145/3287624.3287695
Research article

P3M: a PIM-based neural network model protection scheme for deep learning accelerator

Published: 21 January 2019

Abstract

This work targets the edge computing scenario in which terminal deep learning accelerators use pre-trained neural network models distributed by third-party providers (e.g. data center clouds) to process private data locally instead of sending it to the cloud. In this scenario, the network model is exposed to attack on unverified devices if its parameters and hyper-parameters are transmitted and processed unencrypted. Our work tackles this security problem by using on-chip memory Physical Unclonable Functions (PUFs) and Processing-In-Memory (PIM). We allow model execution only on authorized devices and protect the model from white-box attacks, black-box attacks and model tampering attacks. The proposed PUFs-and-PIM based Protection method for neural Models (P3M) can use unstable PUFs to protect neural models in edge deep learning accelerators with negligible performance overhead. Experimental results show considerable performance improvement over the two state-of-the-art solutions we evaluated.


    Published In

    ASPDAC '19: Proceedings of the 24th Asia and South Pacific Design Automation Conference
    January 2019, 794 pages
    ISBN: 9781450360074
    DOI: 10.1145/3287624

    In-Cooperation

    • IEICE ESS: Institute of Electronics, Information and Communication Engineers, Engineering Sciences Society
    • IEEE CAS
    • IEEE CEDA
    • IPSJ SIG-SLDM: Information Processing Society of Japan, SIG System LSI Design Methodology

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. deep learning
    2. edge computing
    3. physical unclonable functions
    4. processing in memory
    5. security and privacy

    Qualifiers

    • Research-article

    Funding Sources

    • National Natural Science Foundation of China

    Conference

    ASPDAC '19

    Acceptance Rates

    Overall Acceptance Rate 466 of 1,454 submissions, 32%
