Collaborative Research: SaTC: CORE: Small: Understanding and Taming Deterministic Model Bit Flip attacks in Deep Neural Networks

协作研究：SaTC：核心：小型：理解和驯服深度神经网络中的确定性模型位翻转攻击

• 批准号: 2019548
• 负责人: Deliang Fan
• 金额: $ 24.95万
• 依托单位: Arizona State University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2020
• 资助国家: 美国
• 起止时间: 2020-10-01 至 2023-10-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2019548&HistoricalAwards=false
• 关键词: Collaborative; Research; SaTC; CORE; Small; Collaborative; Research; SaTC; CORE; Small

Deep neural network (DNN) is widely deployed for a variety of decision-making tasks such as access control, medical diagnostics, and autonomous driving. Compromise of DNN models can severely disrupt inference behavior, leading to catastrophic outcomes for security and safety-sensitive applications. While a tremendous amount of efforts have been made to secure DNNs against external adversaries (e.g., adversarial examples), internal adversaries that tamper DNN model integrity through exploiting hardware threats (i.e., fault injection attacks) can raise unprecedented concerns. This project aims to offer insights into DNN security issues due to hardware-based fault attacks, and explore ways to promote the robustness and security of future deep learning system against such internal adversaries. This project targets one critical research topic, namely securing deep learning systems against hardware-based model tampering. Recent advances in hardware fault attacks (e.g., rowhammer) can deterministically inject faults to DNN models, causing bit flips in key DNN parameters including model weights. Such threats can be extremely dangerous as they could potentially enable malicious manipulation of prediction outcomes in the inference stage by the adversary. The project seeks to systematically understand the practicality and severity of DNN model bit flip attacks in real systems and investigate software/architecture level protection techniques to secure DNNs against internal tampering. The study focuses on quantized DNNs which exhibit higher robustness against model tampering. This project will incorporate the following research efforts: (1) Investigate the vulnerability of quantized DNNs to deterministic bit flipping of model weights concerning various attack objectives; (2) Explore algorithmic approaches to enhance the intrinsic robustness of quantized DNN models; (3) Design effective and efficient system and architecture level defense mechanisms to comprehensively defeat DNN model bit flip attacks. This project will result in the dissemination of shared data, attack artifacts, algorithms and tools to the broader hardware security and AI security community.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

深度神经网络（DNN）被广泛部署，用于各种决策任务，例如访问控制，医疗诊断和自主驾驶。 DNN模型的妥协可以严重破坏推理行为，从而导致对安全性和安全敏感应用的灾难性结果。尽管已经做出了巨大的努力来确保DNN免受外部对手（例如对抗性例子），但内部对手通过利用硬件威胁（即断层注射攻击）来篡改DNN模型的完整性，这可能会引起前所未有的问题。该项目旨在通过基于硬件的故障攻击，对DNN安全问题提供见解，并探索如何促进对这种内部对手的未来深度学习系统的稳健性和安全性。 该项目针对一个关键的研究主题，即确保深度学习系统免受基于硬件的模型篡改。硬件故障攻击（例如Rowhammer）的最新进展可以确定性地将故障注入DNN型号，从而导致关键DNN参数（包括模型权重）中的位翻转。这样的威胁可能非常危险，因为它们有可能使对手在推理阶段对预测结果进行恶意操纵。该项目旨在系统地了解真实系统中DNN模型flip攻击的实用性和严重性，并研究软件/体系结构级别保护技术，以确保DNN免受内部篡改。该研究的重点是量化的DNN，对模型篡改表现出更高的鲁棒性。该项目将纳入以下研究工作：（1）调查量化DNN脆弱性，以确定模型权重的确定性位有关各种攻击目标； （2）探索算法方法，以增强量化DNN模型的内在鲁棒性； （3）设计有效，有效的系统和体系结构级别的防御机制，以全面击败DNN模型flip攻击。该项目将导致传播共享数据，攻击文物，算法和工具，以供更广泛的硬件安全和AI安全社区传播。该奖项反映了NSF的法定任务，并认为值得通过基金会的知识分子优点和更广泛的影响来通过评估来获得支持。