HASHTAG: Hash Signatures for Online Detection of Fault-Injection Attacks on Deep Neural Networks

TL;DR

HASHTAG introduces a novel hash-based framework for real-time detection of fault-injection attacks on DNNs, providing high accuracy and provable bounds with low overhead, enhancing security in embedded AI systems.

Contribution

The paper presents the first hash signature-based method for detecting fault-injection attacks on DNNs with provable performance guarantees.

Findings

High detection accuracy against bit-flip attacks

Low overhead suitable for embedded platforms

Effective identification of vulnerable DNN layers

Abstract

We propose HASHTAG, the first framework that enables high-accuracy detection of fault-injection attacks on Deep Neural Networks (DNNs) with provable bounds on detection performance. Recent literature in fault-injection attacks shows the severe DNN accuracy degradation caused by bit flips. In this scenario, the attacker changes a few weight bits during DNN execution by tampering with the program's DRAM memory. To detect runtime bit flips, HASHTAG extracts a unique signature from the benign DNN prior to deployment. The signature is later used to validate the integrity of the DNN and verify the inference output on the fly. We propose a novel sensitivity analysis scheme that accurately identifies the most vulnerable DNN layers to the fault-injection attack. The DNN signature is then constructed by encoding the underlying weights in the vulnerable layers using a low-collision hash function. When the DNN is deployed, new hashes are extracted from the target layers during inference and compared against the ground-truth signatures. HASHTAG incorporates a lightweight methodology that ensures a low-overhead and real-time fault detection on embedded platforms. Extensive evaluations with the state-of-the-art bit-flip attack on various DNNs demonstrate the competitive advantage of HASHTAG in terms of both attack detection and execution overhead.