A Novel Two-Level Protection Scheme against Hardware Trojans on a Reconfigurable CNN Accelerator
Abstract
:1. Introduction
- PE Space Randomization (PSR) Solution: This solution is designed to prevent the triggering of hardware Trojans by randomizing the PE space. Simulation results demonstrate that PSR can effectively prevent over 90% of potential hardware Trojans from being triggered.
- Voting Solution: This solution detects and corrects incorrect configuration words resulting from hardware Trojan attacks. Operating in real-time and without the need for golden elements, the voting solution demonstrates 100% effectiveness in detecting hardware Trojans in the reconfigurable interconnect (RI) and eliminates 100% of the harm caused by these Trojans under attack severities ranging from 1% to 5%.
- Input–Output Relationship Detection (IORD) Solution: This real-time solution detects the triggering of hardware Trojans inside PE without requiring golden elements. Simulation results indicate that IORD can successfully detect the presence of hardware Trojans in PE with 100% accuracy under attack severities from 1% to 5%.
- PE Collaboration Correction (PCC) Solution: Developed to eliminate the harm caused by hardware Trojans in PE, this real-time solution demonstrates a probability of at least 95.3% in eliminating harm and ensuring correct accelerator functionality under hardware Trojan attack severities from 1% to 5%.
- The proposed hardware Trojan prevention scheme is implemented on a reconfigurable CNN accelerator deployed on a Xilinx Zynq XC7Z100 platform. The effectiveness of the protection scheme is validated through experimental evaluation.
2. Background and Motivation
2.1. Reconfigure PE Array on CNN Accelerators
2.2. Targeting Hardware Trojans Models
2.3. Related Work and Motivation
2.3.1. Related Work
2.3.2. Motivation
3. The Novel Two-Level Protection Scheme
3.1. Overview
3.2. PE Space Randomization
3.3. Voting
Algorithm 1 Voting solution against hardware Trojan in RI |
Input: N configuration words: ∼; |
K possible values of m: ∼ |
Output: voting result ; detect[0:N − 1] |
1: for (i = 0; i < K; i = i + 1) do |
2: = 0 |
3: for (j = 0; j < K; j = j + 1) do |
4: if( == ) = +1 |
5: else = |
6: end for |
7: end for |
8: result = max(, , …,, …,) |
9: = |
10: for (j = 0; j < N; j = j + 1) do |
11: if(! = ) detect[j] = 1 |
12: else detect[j] = 0 |
13: end for |
14: return and detect[0:N − 1] |
3.4. Input–Output Relationship Detection
3.5. PE Collaboration Correction
- When a group of PEs is free from any hardware Trojan triggers, corresponds to the input of , and represents the computation result of .
- In the event of a hardware Trojan implantation in triggering its operation, the other modules of the accelerator stall for one clock cycle. During this stalling period, serves as the input for , where x is determined by the equation x = (i + 1)mod4, and denotes the computation result of . Other output values remain unchanged from their states before the accelerator stall.
- In scenarios where two PEs in a group triggered hardware Trojans, resulting in their activation, the accelerator’s other modules stall for one cycle. The input data designated for these two PEs are processed by the remaining two normal PEs, and the corresponding out will be changed to the output of the other two normal PEs. The out values of the two normal PEs remain unaltered from their states before the accelerator stall.
- When three or more PEs within a group have been inserted with hardware Trojans and subsequently triggered, the effectiveness of the “PE Co-Correction” scheme diminishes, rendering it unable to rectify the issue. Nonetheless, given the stealthy nature of hardware Trojans, the attacker typically implants only a small number of them. As a result, instances where three or more PEs within a group are both inserted with hardware Trojans and triggered are exceedingly rare.
4. Experimental Results
4.1. Experimental Setup
4.1.1. Benchmark
4.1.2. Experiment Procedure
- Train AlexNet in TensorFlow: Classify the Cat VS Dog Dataset using AlexNet in TensorFlow.
- Setup Trigger:
- a
- The trigger setup, proposed by [21], involves assessing the statistical properties of the output feature maps of the first convolution layer of AlexNet to establish a trigger. Select a specific output feature map pixel of the first convolution layer randomly as the trigger signal. Set the trigger interval based on the data characteristics of the pixel to achieve a triggering probability of 2/10,000 in ordinary scenes.
- b
- Modify the input photographs to ensure that the value of the output pixel selected as the trigger signal falls within the Trojan trigger interval.
- Randomly Inject Hardware Trojan:
- a
- Under varying hardware Trojan attack severities, randomly inject RI hardware Trojans proposed by Chen Yang [18] in RIs of RNA.
- b
- Configure Defense Schemes: Configure all the defense schemes proposed in Section 2.
- Conduct Hardware Trojan Attacks: Under varying hardware Trojan attack severities, perform 1000 hardware Trojan attacks. In cases where there is no protection, assume that the hardware Trojan in every attack is 100% triggered. Record whether each hardware Trojan in each experiment was triggered, discovered, and whether the harm caused was eliminated.
- Evaluate Protection Scheme Effectiveness: Based on the experimental results, evaluate the effectiveness of each protection scheme proposed in Section 2 under different hardware Trojan attack severities. In our experiment, hardware Trojans are randomly injected, and the severity of the attack refers to the proportion of PEs or RIs affected by hardware Trojans to the total number of PEs or RIs.
4.2. Evaluation
4.2.1. Protection Effectiveness
- 1.
- PSR Protection Effectiveness:
- 2.
- Voting Protection Effectiveness:
- 3.
- Voting Protection Effectiveness:
- 4.
- Overall Scheme Results:
4.2.2. Hardware Overhead
4.2.3. Comparison with Other Existing Schemes
5. Discussion
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
- Krizhevsky, A.; Sutskever, I.; Hinton, G.E. ImageNet classification with deep convolutional neural networks. Commun. ACM 2017, 60, 84–90. [Google Scholar] [CrossRef]
- He, K.; Zhang, X.; Ren, S.; Sun, J. Deep residual learning for image recognition. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, NV, USA, 27–30 June 2016; pp. 770–778. [Google Scholar]
- He, R.; Wu, X.; Sun, Z.; Tan, T. Wasserstein CNN: Learning invariant features for NIR-VIS face recognition. IEEE Trans. Pattern Anal. Mach. Intell. 2018, 41, 1761–1773. [Google Scholar] [CrossRef] [PubMed]
- Miao, G. Application of CNN-based Face Recognition Technology in Smart Logistics System. In Proceedings of the 2021 20th International Symposium on Distributed Computing and Applications for Business Engineering and Science (DCABES), Nanning, China, 10–12 December 2021; pp. 100–103. [Google Scholar]
- Shen, D.; Wu, G.; Suk, H.I. Deep learning in medical image analysis. Annu. Rev. Biomed. Eng. 2017, 19, 221–248. [Google Scholar] [CrossRef] [PubMed]
- Li, F.; Liu, Z.; Chen, H.; Jiang, M.; Zhang, X.; Wu, Z. Automatic detection of diabetic retinopathy in retinal fundus photographs based on deep learning algorithm. Transl. Vis. Sci. Technol. 2019, 8, 4. [Google Scholar] [CrossRef] [PubMed]
- Liu, L.; Zhu, J.; Li, Z.; Lu, Y.; Deng, Y.; Han, J.; Yin, S.; Wei, S. A survey of coarse-grained reconfigurable architecture and design: Taxonomy, challenges, and applications. ACM Comput. Surv. (CSUR) 2019, 52, 1–39. [Google Scholar] [CrossRef]
- Chen, Y.H.; Krishna, T.; Emer, J.S.; Sze, V. Eyeriss: An energy-efficient reconfigurable accelerator for deep convolutional neural networks. IEEE J.-Solid-State Circuits 2016, 52, 127–138. [Google Scholar] [CrossRef]
- Yin, S.; Ouyang, P.; Tang, S.; Tu, F.; Li, X.; Zheng, S.; Lu, T.; Gu, J.; Liu, L.; Wei, S. A high energy efficient reconfigurable hybrid neural network processor for deep learning applications. IEEE J. -Solid-State Circuits 2017, 53, 968–982. [Google Scholar] [CrossRef]
- Yang, C.; Hou, J.; Wang, Y.; Zhang, H.; Wang, X.; Geng, L. RNA: A Flexible and Efficient Accelerator Based on Dynamically Reconfigurable Computing for Multiple Convolutional Neural Networks. J. Circuits Syst. Comput. 2022, 31, 2250289. [Google Scholar] [CrossRef]
- Yang, C.; Wang, Y.; Wang, X.; Geng, L. WRA: A 2.2-to-6.3 TOPS highly unified dynamically reconfigurable accelerator using a novel Winograd decomposition algorithm for convolutional neural networks. IEEE Trans. Circuits Syst. Regul. Pap. 2019, 66, 3480–3493. [Google Scholar] [CrossRef]
- Fujii, T.; Toi, T.; Tanaka, T.; Togawa, K.; Kitaoka, T.; Nishino, K.; Nakamura, N.; Nakahara, H.; Motomura, M. New generation dynamically reconfigurable processor technology for accelerating embedded AI applications. In Proceedings of the 2018 IEEE Symposium on VLSI Circuits, Honolulu, HI, USA, 18–22 June 2018; pp. 41–42. [Google Scholar]
- Liu, L.; Li, Z.; Yang, C.; Deng, C.; Yin, S.; Wei, S. HReA: An energy-efficient embedded dynamically reconfigurable fabric for 13-dwarfs processing. IEEE Trans. Circuits Syst. Express Briefs 2017, 65, 381–385. [Google Scholar] [CrossRef]
- Halak, B. Cist: A threat modelling approach for hardware supply chain security. In Hardware Supply Chain Security: Threat Modelling, Emerging Attacks and Countermeasures; Springer: Cham, Switzerland, 2021; pp. 3–65. [Google Scholar]
- Odetola, T.A.; Mohammed, H.R.; Hasan, S.R. A stealthy hardware trojan exploiting the architectural vulnerability of deep learning architectures: Input interception attack (iia). arXiv 2019, arXiv:1911.00783. [Google Scholar]
- Li, W.; Yu, J.; Ning, X.; Wang, P.; Wei, Q.; Wang, Y.; Yang, H. Hu-fu: Hardware and software collaborative attack framework against neural networks. In Proceedings of the 2018 IEEE Computer Society Annual Symposium on VLSI (ISVLSI), Hong Kong, China, 8–11 July 2018; pp. 482–487. [Google Scholar]
- Clements, J.; Lao, Y. Hardware trojan design on neural networks. In Proceedings of the 2019 IEEE International Symposium on Circuits and Systems (ISCAS), Sapporo, Japan, 26–29 May 2019; pp. 1–5. [Google Scholar]
- Yang, C.; Hou, J.; Wu, M.; Mei, K.; Geng, L. Hardware trojan attacks on the reconfigurable interconnections of convolutional neural networks accelerators. In Proceedings of the 2020 IEEE 15th International Conference on Solid-State & Integrated Circuit Technology (ICSICT), Kunming, China, 3–6 November 2020; pp. 1–3. [Google Scholar]
- Ye, J.; Hu, Y.; Li, X. Hardware trojan in fpga cnn accelerator. In Proceedings of the 2018 IEEE 27th Asian Test Symposium (ATS), Hefei, China, 15–18 October 2018; pp. 68–73. [Google Scholar]
- Liu, Z.; Ye, J.; Hu, X.; Li, H.; Li, X.; Hu, Y. Sequence triggered hardware trojan in neural network accelerator. In Proceedings of the 2020 IEEE 38th VLSI Test Symposium (VTS), San Diego, CA, USA, 5–8 April 2020; pp. 1–6. [Google Scholar]
- Odetola, T.A.; Hasan, S.R. Sowaf: Shuffling of weights and feature maps: A novel hardware intrinsic attack (hia) on convolutional neural network (cnn). In Proceedings of the 2021 IEEE International Symposium on Circuits and Systems (ISCAS), Daegu, Republic of Korea, 22–28 May 2021; pp. 1–5. [Google Scholar]
- Odetola, T.A.; Khalid, F.; Mohammed, H.; Sandefur, T.C.; Hasan, S.R. Feshi: Feature map-based stealthy hardware intrinsic attack. IEEE Access 2021, 9, 115370–115387. [Google Scholar] [CrossRef]
- Liu, L.; Zhou, Z.; Wei, S.; Zhu, M.; Yin, S.; Mao, S. DRMaSV: Enhanced capability against hardware trojans in coarse grained reconfigurable architectures. IEEE Trans.-Comput.-Aided Des. Integr. Circuits Syst. 2017, 37, 782–795. [Google Scholar] [CrossRef]
- Kundu, S.; Banerjee, S.; Raha, A.; Natarajan, S.; Basu, K. Toward functional safety of systolic array-based deep learning hardware accelerators. IEEE Trans. Very Large Scale Integr. (Vlsi) Syst. 2021, 29, 485–498. [Google Scholar] [CrossRef]
- Sun, P.; Halak, B.; Kazmierski, T. Towards Hardware Trojan Resilient Design of Convolutional Neural Networks. In Proceedings of the 2022 IEEE 35th International System-on-Chip Conference (SOCC), Belfast, UK, 5–8 September 2022; pp. 1–6. [Google Scholar]
- Yang, S.; Hoque, T.; Chakraborty, P.; Bhunia, S. Golden-free hardware trojan detection using self-referencing. IEEE Trans. Very Large Scale Integr. (Vlsi) Syst. 2022, 30, 325–338. [Google Scholar] [CrossRef]
- Xu, Q.; Arafin, M.T.; Qu, G. Security of neural networks from hardware perspective: A survey and beyond. In Proceedings of the 26th Asia and South Pacific Design Automation Conference, Tokyo, Japan, 18–21 January 2021; pp. 449–454. [Google Scholar]
Original Accelerator | Protected Accelerator | Overhead Comparison | |
---|---|---|---|
LUT | 86 K | 113.6 K | 32.1% ↑ |
Power | 5.50 W | 6.17 W | 12.2% ↑ |
Scheme | Scheme Proposed | Scheme Proposed | Scheme Proposed | Scheme Proposed | Scheme Proposed |
---|---|---|---|---|---|
Comparison [27] | by Leibo Liu [23] | by Kundu S [24] | by Sun P [25] | by S Yang [26] | by This Paper |
Design for CNN | ✗ | ✓ | ✓ | ✗ | ✓ |
Can prevent triggering | ✗ | ✗ | ✗ | ✗ | ✓ |
Can eliminate harmful effect | ✓ | ✗ | ✗ | ✗ | ✓ |
Work in real-time | ✓ | ✗ | ✓ | ✗ | ✓ |
Do not need golden element | ✓ | ✓ | ✗ | ✓ | ✓ |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Liu, Z.; Hou, J.; Wang, J.; Yang, C. A Novel Two-Level Protection Scheme against Hardware Trojans on a Reconfigurable CNN Accelerator. Cryptography 2024, 8, 34. https://doi.org/10.3390/cryptography8030034
Liu Z, Hou J, Wang J, Yang C. A Novel Two-Level Protection Scheme against Hardware Trojans on a Reconfigurable CNN Accelerator. Cryptography. 2024; 8(3):34. https://doi.org/10.3390/cryptography8030034
Chicago/Turabian StyleLiu, Zichu, Jia Hou, Jianfei Wang, and Chen Yang. 2024. "A Novel Two-Level Protection Scheme against Hardware Trojans on a Reconfigurable CNN Accelerator" Cryptography 8, no. 3: 34. https://doi.org/10.3390/cryptography8030034
APA StyleLiu, Z., Hou, J., Wang, J., & Yang, C. (2024). A Novel Two-Level Protection Scheme against Hardware Trojans on a Reconfigurable CNN Accelerator. Cryptography, 8(3), 34. https://doi.org/10.3390/cryptography8030034