
Security Highlight: Understanding Fault Injection in Neural Networks for Edge Devices

Author: Jasper van Woudenberg

In the realm of device security, ensuring the robustness of neural networks is becoming increasingly critical. AI technologies now permeate various aspects of our daily lives, from biometric authorization to autonomous vehicles, and are increasingly deployed on edge devices. This raises a pertinent question: what about hardware attacks on these devices, specifically fault injection attacks?

Understanding Fault Injection in Neural Networks

Neural networks (NNs) are compute-heavy systems designed to be resistant to natural variations in input data. An NN consists of layers through which data flows, and at each layer, numerous matrix multiplications are performed based on the model’s weights.

However, NNs are prone to attacks. Adversarial machine learning, for instance, is a field studying logical attacks where intentionally crafted inputs cause the NN to make incorrect predictions. These inputs may appear normal to humans but can deceive an NN into making entirely different predictions.

Beyond logical attacks, NNs running on edge AI chips are susceptible to physical attacks, such as fault injection, which can alter their behavior by inducing errors at the hardware level. Essentially, this allows an attacker to corrupt weights and/or matrix multiplications.

At Riscure, we see an increasing number of NN accelerator ASICs or SoC IP blocks in the lab, reflecting the broader adoption of AI hardware. Like any ASIC, these accelerators are susceptible to faults, highlighting the need for hardware countermeasures. Traditional redundancy measures like Triple Modular Redundancy (TMR) or repeated inferences have clear area and performance costs.

Fault Simulations and Predictions in Edge Neural Networks

Fortunately, not all weights in a neural network are equally sensitive to faults. Layers near the input are typically trained with some noise, making them more resilient to faults, whereas output layers tend to be more error-prone. Additionally, in floating-point or integer representations, certain bit faults have a more significant impact than others. In a recent publication in the ACM Journal, researchers from the University of California San Diego and Fermi National Accelerator Laboratory investigated faults in edge devices exposed to high-radiation environments. They developed a tool called FKeras, which aids in designing fault-tolerant edge neural networks by providing sensitivity metrics to rank neural network weights based on their susceptibility to faults.

A notable application of FKeras is in environments like the Large Hadron Collider (LHC), where high radiation levels pose significant risks of transient errors. FKeras leverages sensitivity metrics to guide efficient fault injection campaigns, facilitating a thorough evaluation of a network’s robustness. Their findings show that by focusing on the most sensitive weights, designers can implement targeted fault protection measures, such as selective TMR, optimizing both area and fault tolerance without sacrificing accuracy. Interestingly, due to their compact size, edge neural network models are generally more susceptible to faults than their larger, server-side counterparts.

Although this approach does not consider an active attacker but rather a ‘natural’ fault-heavy environment, many principles are transferable. The method is promising for countermeasures, since protection can be applied selectively to the most sensitive weights. It also enhances simulation strategies by focusing on the most impactful faults.

However, if the network is extracted or public, it provides attackers with a map of weak points. Fault injection remains a numbers game, and determining the optimal amount of redundancy in the network or hardware to reduce fault sensitivity to acceptable levels is still an open question.
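To make the section's two points concrete (bit positions differ in impact, and protection can be applied selectively), the following added example runs an exhaustive single-bit-flip simulation over a small float32 dense layer and measures how much a given protection choice covers. It is not FKeras or Riscure code: the layer, the input, and the "fault changes the predicted class" criterion are constructed assumptions for illustration and are not the sensitivity metric from the publication.

```python
import math
import struct
from collections import Counter

# Constructed 2-class dense layer (float32-exact weights) and one input; not from any real model.
WEIGHTS = [[0.5, -0.25, 0.75], [0.25, 0.5, -0.625]]
X = [1.0, 2.0, 1.5]

def flip_bit(value, bit):
    """Return float32 `value` with one bit inverted (0 = mantissa LSB, 31 = sign)."""
    (raw,) = struct.unpack("<I", struct.pack("<f", value))
    return struct.unpack("<f", struct.pack("<I", raw ^ (1 << bit)))[0]

def predict(weights, x):
    """Argmax of a dense layer; None when the fault drove an output to inf/NaN."""
    y = [sum(w * xi for w, xi in zip(row, x)) for row in weights]
    if not all(math.isfinite(v) for v in y):
        return None
    return max(range(len(y)), key=y.__getitem__)

def campaign(weights, x):
    """Flip every bit of every weight once; return the (row, col, bit) faults that change the class."""
    golden = predict(weights, x)
    hits = []
    for j, row in enumerate(weights):
        for i, w in enumerate(row):
            for bit in range(32):
                faulty = [r[:] for r in weights]
                faulty[j][i] = flip_bit(w, bit)
                if predict(faulty, x) != golden:
                    hits.append((j, i, bit))
    return hits

def coverage(hits, protected_bits=(), protected_weights=()):
    """Fraction of class-changing faults that land on a protected bit position or weight."""
    covered = [h for h in hits if h[2] in protected_bits or h[:2] in protected_weights]
    return len(covered) / len(hits) if hits else 1.0

if __name__ == "__main__":
    hits = campaign(WEIGHTS, X)
    per_weight = Counter(h[:2] for h in hits)
    print(f"{len(hits)} of {6 * 32} single-bit faults change the class")
    print("hits per bit position:", sorted(Counter(h[2] for h in hits).items(), reverse=True))
    print("most sensitive weights:", per_weight.most_common(2))
    print("sign+exponent protected:", coverage(hits, protected_bits=range(23, 32)))
    top2 = [w for w, _ in per_weight.most_common(2)]
    print("two weights protected:  ", coverage(hits, protected_weights=top2))
```

For this constructed layer and input, 19 of the 192 single-bit faults change the predicted class, all of them in the sign or exponent bits; a real campaign would aggregate the same counts over a validation set rather than one input.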

Conclusion

Fault injection in neural networks is a crucial area of research for ensuring edge AI security, and NN-specific countermeasures are in their infancy. This emphasizes the need for validating designs and testing devices and chips. Riscure has world-renowned expertise in both pre-silicon and post-silicon fault security, and is ready to help you secure your products.
