Efficiency-driven Hardware Optimization for Adversarially Robust Neural Networks

TL;DR

This paper explores hardware-based strategies, including hybrid SRAM memories and memristive crossbars, to enhance adversarial robustness of neural networks by leveraging hardware-induced noise and errors.

Contribution

It introduces novel hardware optimization techniques that induce beneficial noise and errors, improving DNN robustness against adversarial attacks.

Findings

Hybrid 6T-8T memories bound noise within limits, reducing adversarial perturbations.

Analog memristive crossbars' non-idealities confer robustness to DNNs.

Hardware-induced errors can be exploited to improve neural network security.

Abstract

With a growing need to enable intelligence in embedded devices in the Internet of Things (IoT) era, secure hardware implementation of Deep Neural Networks (DNNs) has become imperative. We will focus on how to address adversarial robustness for DNNs through efficiency-driven hardware optimizations. Since memory (specifically, dot-product operations) is a key energy-spending component for DNNs, hardware approaches in the past have focused on optimizing the memory. One such approach is approximate digital CMOS memories with hybrid 6T-8T SRAM cells that enable supply voltage (Vdd) scaling yielding low-power operation, without significantly affecting the performance due to read/write failures incurred in the 6T cells. In this paper, we show how the bit-errors in the 6T cells of hybrid 6T-8T memories minimize the adversarial perturbations in a DNN. Essentially, we find that for different configurations of 8T-6T ratios and scaledVdd operation, noise incurred in the hybrid memory architectures is bound within specific limits. This hardware noise can potentially interfere in the creation of adversarial attacks in DNNs yielding robustness. Another memory optimization approach involves using analog memristive crossbars that perform Matrix-Vector-Multiplications (MVMs) efficiently with low energy and area requirements. However, crossbars generally suffer from intrinsic non-idealities that cause errors in performing MVMs, leading to degradation in the accuracy of the DNNs. We will show how the intrinsic hardware variations manifested through crossbar non-idealities yield adversarial robustness to the mapped DNNs without any additional optimization.