Attacking Deep Learning AI Hardware with Universal Adversarial Perturbation
Mehdi Sadi, B. M. S. Bahar Talukder, Kaniz Mishty, and Md Tauhidur Rahman

TL;DR
This paper presents a novel hardware-level attack method that introduces universal adversarial noise directly into AI hardware accelerators, bypassing existing detection techniques and threatening the security of deep learning systems.
Contribution
It introduces an attack strategy that embeds adversarial noise at the hardware level, demonstrating its effectiveness across multiple deep learning models in a co-simulation environment.
Findings
Successfully bypassed existing adversarial noise detection methods.
Demonstrated attack on various deep learning models using hardware co-simulation.
Showed feasibility of hardware-level adversarial attacks in practical settings.
Abstract
Universal Adversarial Perturbations are image-agnostic and model-independent noise that, when added to any image, can mislead trained Deep Convolutional Neural Networks into the wrong prediction. Since these Universal Adversarial Perturbations can seriously jeopardize the security and integrity of practical Deep Learning applications, existing techniques use additional neural networks to detect the existence of these noises at the input image source. In this paper, we demonstrate an attack strategy that, when activated by rogue means (e.g., malware, trojan), can bypass these existing countermeasures by augmenting the adversarial noise at the AI hardware accelerator stage. We demonstrate the accelerator-level universal adversarial noise attack on several deep learning models using co-simulation of the software kernel of the Conv2D function and the Verilog RTL model of the hardware under…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Physical Unclonable Functions (PUFs) and Hardware Security · Integrated Circuits and Semiconductor Failure Analysis
