The Inherent Adversarial Robustness of Analog In-Memory Computing

TL;DR

This paper experimentally validates that Analog In-Memory Computing (AIMC) based on Phase Change Memory devices inherently provides increased adversarial robustness for neural network inference, due to stochastic noise sources.

Contribution

First experimental validation showing AIMC's inherent adversarial robustness for DNN inference on PCM-based hardware.

Findings

AIMC exhibits higher robustness against various adversarial attacks.

Robustness is influenced by stochastic noise sources in the hardware.

Larger transformer models in NLP also benefit from this robustness.

Abstract

A key challenge for Deep Neural Network (DNN) algorithms is their vulnerability to adversarial attacks. Inherently non-deterministic compute substrates, such as those based on Analog In-Memory Computing (AIMC), have been speculated to provide significant adversarial robustness when performing DNN inference. In this paper, we experimentally validate this conjecture for the first time on an AIMC chip based on Phase Change Memory (PCM) devices. We demonstrate higher adversarial robustness against different types of adversarial attacks when implementing an image classification network. Additional robustness is also observed when performing hardware-in-the-loop attacks, for which the attacker is assumed to have full access to the hardware. A careful study of the various noise sources indicate that a combination of stochastic noise sources (both recurrent and non-recurrent) are responsible for the adversarial robustness and that their type and magnitude disproportionately effects this property. Finally, it is demonstrated, via simulations, that when a much larger transformer network is used to implement a Natural Language Processing (NLP) task, additional robustness is still observed.