Variation Enhanced Attacks Against RRAM-based Neuromorphic Computing System

TL;DR

This paper explores hardware-aware adversarial attacks on RRAM-based neuromorphic systems, demonstrating methods that exploit hardware features to achieve high success rates with low cost and stealth.

Contribution

It introduces two novel hardware-aware attack methods, VADER and EFI, specifically designed for RRAM-based neuromorphic computing systems, enhancing attack effectiveness.

Findings

Nearly 100% attack success rate achieved

Low operational cost for the attacks

High stealthiness maintained during attacks

Abstract

The RRAM-based neuromorphic computing system has amassed explosive interests for its superior data processing capability and energy efficiency than traditional architectures, and thus being widely used in many data-centric applications. The reliability and security issues of the NCS therefore become an essential problem. In this paper, we systematically investigated the adversarial threats to the RRAM-based NCS and observed that the RRAM hardware feature can be leveraged to strengthen the attack effect, which has not been granted sufficient attention by previous algorithmic attack methods. Thus, we proposed two types of hardware-aware attack methods with respect to different attack scenarios and objectives. The first is adversarial attack, VADER, which perturbs the input samples to mislead the prediction of neural networks. The second is fault injection attack, EFI, which perturbs the network parameter space such that a specified sample will be classified to a target label, while maintaining the prediction accuracy on other samples. Both attack methods leverage the RRAM properties to improve the performance compared with the conventional attack methods. Experimental results show that our hardware-aware attack methods can achieve nearly 100% attack success rate with extremely low operational cost, while maintaining the attack stealthiness.