Secure Mixed-Signal Neural Networks - SeMSiNN

安全混合信号神经网络 - SeMSiNN

• 批准号: 535473873
• 负责人: Professor Dr.-Ing. Maurits Ortmanns
• 金额: --
• 依托单位: Institut für Mikroelektronik (Mikro)
• 依托单位国家: 德国
• 项目类别: Priority Programmes
• 资助国家: 德国
• 项目状态: 未结题
• 来源: https://gepris.dfg.de/gepris/projekt/535473873?language=en
• 关键词: Secure; Mixed; Signal; Neural; Networks

Artificial intelligence (AI) and especially neural network (NN) inference functionalities are increasingly found in resource-restricted devices, which cannot offload complex computations to remote servers. The “Edge AI” paradigm poses new security challenges, because in addition to known attacks edge devices are physically exposed to potential adversaries and are targets of side-channel and fault-injection attacks. At the same time, such systems often process sensitive data, such as health-related measurements. Moreover, the NN models themselves can have substantial economic value and must be protected against unauthorized extraction. For this reason, there is a thriving new research community focusing on understanding and counteracting security threats specific to NN inference hardware. Project SeMSiNN focuses on security of mixed-signal (MS) NN inference hardware, an approach that is extremely attractive for Edge AI due to radical savings in power demands compared to fully-digital realizations. For the first time, complexities and opportunities of making MS NN inference hardware secure will be explored jointly by an expert in MS technologies and a specialist in protecting hardware against physical attacks. The methodologies developed in this project will enhance the traditional view of MS NN design as a balance between cost and classification accuracy by the third dimension, namely security. The specific work in the project will focus on side-channel and fault-injection attacks. To this end, we will establish an understanding of MS-specific information leakage mechanisms, explore the relevant attack scenarios, and devise and evaluate countermeasures against such attacks. Both non-trivial adaptations of protective techniques originally developed for digital NN hardware (and further classes of circuits, such as cryptographic circuits) and completely new protections that leverage unique properties of MS circuits will be developed and applied on three different levels of abstraction. The work will result in a generic design methodology for for secure MS NN inference hardware, which will be validated by specially optimized simulation procedures and to a limited extent by physical measurements. SeMSiNN creates an inherent synergy within the project, but it also fits well into the matrix structure of the SPP. First communication on possible SPP-wide collaborations (with the group from TU Berlin on optical attacks against MS NN circuits) have been conducted already. We believe that this project will lay the foundation for a new sub-field of security of MS electronics for AI that is currently not covered by state-of-the-art.

人工智能（AI）尤其是神经网络（NN）推理功能越来越多地应用于资源受限的设备中，这些设备无法将复杂的计算任务卸载到远程服务器上。“边缘人工智能”范式带来了新的安全挑战，因为除了已知的攻击之外，边缘设备在物理上暴露给潜在的对手，并且是侧信道和故障注入攻击的目标。同时，这类系统通常会处理敏感数据，比如与健康相关的测量数据。此外，神经网络模型本身可能具有巨大的经济价值，必须防止未经授权的提取。出于这个原因，有一个蓬勃发展的新研究社区专注于理解和应对特定于神经网络推理硬件的安全威胁。SeMSiNN项目专注于混合信号（MS）神经网络推理硬件的安全性，这种方法对边缘人工智能极具吸引力，因为与全数字实现相比，它大大节省了功耗需求。第一次，使MS神经网络推理硬件安全的复杂性和机会将由MS技术专家和保护硬件免受物理攻击的专家共同探讨。在这个项目中开发的方法将通过第三个维度，即安全性，增强MS神经网络设计作为成本和分类准确性之间的平衡的传统观点。该项目的具体工作将集中在侧通道攻击和故障注入攻击上。为此，我们将建立对ms特定信息泄漏机制的理解，探索相关的攻击场景，并设计和评估针对此类攻击的对策。最初为数字神经网络硬件（以及进一步的电路类别，如加密电路）开发的保护技术的重要改编和利用MS电路独特属性的全新保护将在三个不同的抽象级别上开发和应用。这项工作将导致安全的MS神经网络推理硬件的通用设计方法，将通过特别优化的模拟程序和有限程度的物理测量来验证。SeMSiNN在项目中创造了内在的协同作用，但它也很适合SPP的矩阵结构。关于可能的SPP范围内合作（与柏林工业大学的团队进行针对MS NN电路的光学攻击）的首次通信已经进行了。我们相信，这一项目将为目前尚未被最先进技术覆盖的人工智能MS电子安全的新子领域奠定基础。