Hu-Fu: Hardware and Software Collaborative Attack Framework Against Neural Networks

Li, Wenshuo; Yu, Jincheng; Ning, Xuefei; Wang, Pengjun; Wei, Qi; Wang, Yu; Yang, Huazhong

doi:10.1109/isvlsi.2018.00093

Cited by 44 publications

(29 citation statements)

References 29 publications

(29 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However this approach has only been tested on small synthetic model and not yet on real DNNs. Clean label attacks [51,58] [19,34] trojans hardware that neural networks are running on. It injects back-door by tampering with the circuits.…”

Section: Related Workmentioning

confidence: 99%

ABS: Scanning Neural Networks for Back-doors by Artificial Brain Stimulation

Liu

Lee

Tao

et al. 2019

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

268

345

View full text Add to dashboard Cite

This paper presents a technique to scan neural network based AI models to determine if they are trojaned. Pre-trained AI models may contain back-doors that are injected through training or by transforming inner neuron weights. These trojaned models operate normally when regular inputs are provided, and mis-classify to a specific output label when the input is stamped with some special pattern called trojan trigger. We develop a novel technique that analyzes inner neuron behaviors by determining how output activations change when we introduce different levels of stimulation to a neuron. The neurons that substantially elevate the activation of a particular output label regardless of the provided input is considered potentially compromised. Trojan trigger is then reverse-engineered through an optimization procedure using the stimulation analysis results, to confirm that a neuron is truly compromised. We evaluate our system ABS on 177 trojaned models that are trojaned with various attack methods that target both the input space and the feature space, and have various trojan trigger sizes and shapes, together with 144 benign models that are trained with different data and initial weight values. These models belong to 7 different model structures and 6 different datasets, including some complex ones such as ImageNet, VGG-Face and ResNet110. Our results show that ABS is highly effective, can achieve over 90% detection rate for most cases (and many 100%), when only one input sample is provided for each output label. It substantially out-performs the state-of-the-art technique Neural Cleanse that requires a lot of input samples and small trojan triggers to achieve good performance.

show abstract

Section: Related Workmentioning

confidence: 99%

ABS: Scanning Neural Networks for Back-doors by Artificial Brain Stimulation

Liu

Lee

Tao

et al. 2019

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

268

345

View full text Add to dashboard Cite

show abstract

“…They exploit the statistical properties of each layer's output to trigger the HT, which makes the HT extremely stealthy. Li et al [117] proposed a more flexible attack framework on a neural network that combines the hardware and software. Particularly, in addition to the hardware HT circuit, Trojan weights are embedded in neural networks.…”

Section: Future Directionsmentioning

confidence: 99%

“…Particularly, in addition to the hardware HT circuit, Trojan weights are embedded in neural networks. The Trojan is only inserted in a part of the network and does not affect the overall accuracy, thus can ensure stealthy [117]. In the above attacks, the attacker needs to have the knowledge of the model.…”

Section: Future Directionsmentioning

confidence: 99%

Ten years of hardware Trojans: a survey from the attacker's perspective

Xue

Liu

et al. 2020

IET Computers & Digital Techniques

View full text Add to dashboard Cite

In the last decade, hardware Trojan has emerged as a serious concern in integrated circuit (IC) industry. As such, hardware Trojan detection techniques have been studied extensively. However, in order to develop reliable and effective defenses, it is important to figure out how hardware Trojans are implemented in practical scenarios. In this paper, we attempt to make a review of the hardware Trojan design and implementations in the last decade and also provide an outlook. Unlike all previous surveys that discuss Trojans from the defender's perspective, for the first time, we study the Trojans from the attacker's perspective, focusing on the attacker's methods, capabilities and challenges when he designs and implements a hardware Trojan. Particularly, the following questions are explored. What are the current methods and capabilities of attackers after ten years of research and development? By considering more and more sophisticated hardware Trojan detection techniques, what challenges do the attackers face, and vice versa? First, we present adversarial models in terms of the adversary's methods, adversary's capabilities and adversary's challenges in seven practical hardware Trojan implementation scenarios: in-house design team attacks, third-party intellectual property (3PIP) vendor attacks, computer-aided design (CAD) tools attacks, fabrication stage attacks, testing stage attacks, distribution stage attacks, and field programmable gate array (FPGA) Trojan attacks. Second, we analyze the hardware Trojan implementation methods under each adversarial model in terms of seven aspects/metrics: hardware Trojan attack scenarios, the attacker's motivation, feasibility (the practicality of the attacks), detectability (anti-detection capability of that kind of Trojan), protection and prevention suggestions for the designer, overhead analysis, and case studies of Trojan implementations. Finally, future directions on hardware Trojan attacks and defenses are discussed. This paper also presents several new insights and assumptions for the first time, including considering the Trojans not only from the copyright owner's perspective, but also from the users' perspective, and discussing the hardware Trojan attacks in the testing phase and in the distribution phase. This paper can hopefully provide a reference for future works on building effective hardware Trojan defenses.

show abstract

“…One of the most common attacks is to exploit the data-dependency by manipulating/intruding the training dataset [16], [17], [18] or the corresponding labels [19]. Similarly, the baseline ML algorithm and training tools can also be attacked by adding new layers/nodes or manipulating the hyper-parameters [13], [20], [21], [22], as illustrated in Fig C. Motivating Pre-processing Noise Filter-Aware Adversarial ML Although most current adversarial ML security attacks incorporate pre-processing elements (such as shuffling, gray scaling, local histogram utilization and normalization) [23] in their design and assume that an attacker can access the output of the preprocessing noise filtering, getting this access requires hardware manipulations and is practically difficult. If an attacker, on the other hand, does not have hardware access to the pre-processing filters, it becomes very challenging to incorporate the effect of pre-processing along with noise filtering, which raises the following key research questions:…”

Section: B Challenges In Resisting ML Security Attacksmentioning

confidence: 99%

FAdeML: Understanding the Impact of Pre-Processing Noise Filtering on Adversarial Machine Learning

Khalid

Hanif

Rehman

et al. 2019

2019 Design, Automation &Amp; Test in Europe Conference &Amp; Exhibition (DATE)

View full text Add to dashboard Cite

Deep neural networks (DNN)-based machine learning (ML) algorithms have recently emerged as the leading ML paradigm particularly for the task of classification due to their superior capability of learning efficiently from large datasets. The discovery of a number of well-known attacks such as dataset poisoning, adversarial examples, and network manipulation (through the addition of malicious nodes) has, however, put the spotlight squarely on the lack of security in DNN-based ML systems. In particular, malicious actors can use these well-known attacks to cause random/targeted misclassification, or cause a change in the prediction confidence, by only slightly but systematically manipulating the environmental parameters, inference data, or the data acquisition block. Most of the prior adversarial attacks have, however, not accounted for the preprocessing noise filters commonly integrated with the ML-inference module. Our contribution in this work is to show that this is a major omission since these noise filters can render ineffective the majority of the existing attacks, which rely essentially on introducing adversarial noise. Apart from this, we also extend the state of the art by proposing a novel pre-processing noise Filter-aware Adversarial ML attack called FAdeML. To demonstrate the effectiveness of the proposed methodology, we generate an adversarial attack image by exploiting the "VGGNet" DNN trained for the "German Traffic Sign Recognition Benchmarks (GTSRB)" dataset, which despite having no visual noise, can cause a classifier to misclassify even in the presence of pre-processing noise filters.

show abstract

Hu-Fu: Hardware and Software Collaborative Attack Framework Against Neural Networks

Cited by 44 publications

References 29 publications

ABS: Scanning Neural Networks for Back-doors by Artificial Brain Stimulation

ABS: Scanning Neural Networks for Back-doors by Artificial Brain Stimulation

Ten years of hardware Trojans: a survey from the attacker's perspective

FAdeML: Understanding the Impact of Pre-Processing Noise Filtering on Adversarial Machine Learning

Contact Info

Product

Resources

About