SoWaF: Shuffling of Weights and Feature Maps: A Novel Hardware Intrinsic Attack (HIA) on Convolutional Neural Network (CNN)
Tolulope A. Odetola, Syed Rafay Hasan

TL;DR
This paper introduces a novel hardware intrinsic attack (HIA) on CNNs deployed in resource-constrained embedded systems, demonstrating its effectiveness and low overhead even when initial and final layers are secured.
Contribution
It presents the first hardware intrinsic attack method on CNNs that does not require knowledge of the full network, highlighting vulnerabilities in secure FPGA deployments.
Findings
Attack causes misclassification by propagating errors through CNN layers.
Overhead resources for the attack are minimal, with less than 0.61% latency increase.
Three attack scenarios do not require additional BRAM resources.
Abstract
Security of inference-phase deployment of convolutional neural networks (CNNs) into resource-constrained embedded systems (e.g. low-end FPGAs) is a growing research area. Using secure practices, third-party FPGA designers can be provided with no knowledge of the initial and final classification layers. In this work, we demonstrate that a hardware intrinsic attack (HIA) in such a "secure" design is still possible. The proposed HIA is inserted inside the mathematical operations of individual layers of the CNN, which propagates erroneous operations in all the subsequent CNN layers that lead to misclassification. The attack is non-periodic and completely random, hence it becomes difficult to detect. Five different attack scenarios with respect to each CNN layer are designed and evaluated based on the overhead resources and the rate of triggering in comparison to the original implementation. Our results for two…
