Using Undervolting as an On-Device Defense Against Adversarial Machine Learning Attacks
Saikat Majumdar, Mohammad Hossein Samavatian, Kristin Barber, Radu Teodorescu

TL;DR
This paper introduces a lightweight, hardware-based method using controlled undervolting to detect and correct adversarial attacks on neural network classifiers, enhancing security with minimal overhead.
Contribution
The paper presents a novel undervolting technique that disrupts adversarial inputs, providing an effective on-device defense mechanism for neural network inference.
Findings
Achieves 77% detection rate on one DNN
Achieves 90% detection rate on another DNN
Demonstrates effectiveness on FPGA and software simulation
Abstract
Deep neural network (DNN) classifiers are powerful tools that drive a broad spectrum of important applications, from image recognition to autonomous vehicles. Unfortunately, DNNs are known to be vulnerable to adversarial attacks that affect virtually all state-of-the-art models. These attacks make small imperceptible modifications to inputs that are sufficient to induce the DNNs to produce the wrong classification. In this paper we propose a novel, lightweight adversarial correction and/or detection mechanism for image classifiers that relies on undervolting (running a chip at a voltage that is slightly below its safe margin). We propose using controlled undervolting of the chip running the inference process in order to introduce a limited number of compute errors. We show that these errors disrupt the adversarial input in a way that can be used either to correct the classification or…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Physical Unclonable Functions (PUFs) and Hardware Security · Advanced Neural Network Applications
