Abstract
We propose HARDeNN, a low-overhead end-to-end inference accelerator methodology to armor the underlying pre-trained neural network architecture against black-box non-input adversarial attacks. To find the most vulnerable neural network architecture parameters, we propose a hardware-assisted fault injection tool and a statistical stress model that combine uniform fault assessment across layers with targeted in-layer fault assessment, yielding a holistic, rigorous fault evaluation of NN topologies susceptible to non-input adversarial black-box attacks. The key observation from the assessment is that the weights and activation functions are the most vulnerable neural network parameters, susceptible to both single-bit and multiple-bit flip attacks. For these parameters, a multi-objective design space exploration is conducted to find a superior design under different resource constraints. The error-resiliency magnitude offered by HARDeNN can be adjusted based on the given boundaries. The experimental results show that the HARDeNN methodology enhances the error-resiliency magnitude of cnvW1A1 by 17.19% and 96.15% for 100 multi-bit upsets that target weight and activation layers, respectively, during CIFAR-10 classification.
© 2017 Elsevier Inc. All rights reserved.
Authors
Navid Khoshavi, Mohammad Maghsoudloo, Arman Roohi, Saman Sargolzaei, Yu Bi