Protecting deep learning algorithms from model theft
The rise of Deep Neural Network architectures deployed on edge Field Programmable Gate Arrays has introduced new security challenges. Such attacks can potentially reverse-engineer models, compromising their confidentiality and integrity. In this report, we present a defence mechanism aimed at...
Saved in:
| Main Author: | |
|---|---|
| Other Authors: | |
| Format: | Final Year Project |
| Language: | English |
| Published: |
Nanyang Technological University
2024
|
| Subjects: | |
| Online Access: | https://hdl.handle.net/10356/181174 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Nanyang Technological University |
| Language: | English |
| Summary: | The rise of Deep Neural Network architectures deployed on edge Field
Programmable Gate Arrays has introduced new security challenges. Such
attacks can potentially reverse-engineer models, compromising their confidentiality
and integrity. In this report, we present a defence mechanism aimed at protecting
DNNs deployed on edge devices against adversarial attacks. Although the initial goal
was to address Side-Channel Attacks, the current implementation effectively
safeguards against memory confidentiality and integrity attacks. Our work focuses on
the integration of a Memory Integrity Tree within the Versatile Tensor
Accelerator to secure memory accesses and detect unauthorized modifications
during DNN execution. Key modifications were made to the VTA’s runtime code,
specifically the LoadBuffer2D and StoreBuffer2D functions, to enforce memory
integrity checks through a Binary Merkle Tree. This structure ensures that each
memory block is hashed and verified, maintaining a secure execution environment.
The implemented defences were evaluated in terms of performance overhead, while
the MIT effectively prevents memory attacks, such as replay attacks, by detecting
tampering attempts and protects the DNN model hyperparameters. The integration of
cryptographic hash calculations introduced a significant performance cost. Our
findings highlight the trade-offs between security and computational efficiency,
emphasising the importance of continued refinement to minimize overhead while
preserving robust protection against SCAs. This project demonstrates the viability of
enhancing security for FPGA-based DNN accelerators through memory integrity
checks. Future research should explore optimizations to reduce performance
overhead and extend protections to side-channel attacks. |
|---|