Pub Date : 2024-12-13DOI: 10.1109/JETCAS.2024.3502893
{"title":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems Information for Authors","authors":"","doi":"10.1109/JETCAS.2024.3502893","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3502893","url":null,"abstract":"","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"835-835"},"PeriodicalIF":3.7,"publicationDate":"2024-12-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10799918","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821275","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-12-13DOI: 10.1109/JETCAS.2024.3502897
{"title":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems Publication Information","authors":"","doi":"10.1109/JETCAS.2024.3502897","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3502897","url":null,"abstract":"","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"C2-C2"},"PeriodicalIF":3.7,"publicationDate":"2024-12-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10799919","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821235","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Presents corrections to the paper, (Erratum to “A Reconfigurable Spatial Architecture for Energy-Efficient Inception Neural Networks”).
提出对论文的更正("A Reconfigurable Spatial Architecture for Energy-Efficient Inception Neural Networks "的勘误)。
{"title":"Erratum to “A Reconfigurable Spatial Architecture for Energy-Efficient Inception Neural Networks”","authors":"Lichuan Luo;Wang Kang;Junzhan Liu;He Zhang;Youguang Zhang;Dijun Liu;Peng Ouyang","doi":"10.1109/JETCAS.2024.3464190","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3464190","url":null,"abstract":"Presents corrections to the paper, (Erratum to “A Reconfigurable Spatial Architecture for Energy-Efficient Inception Neural Networks”).","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"834-834"},"PeriodicalIF":3.7,"publicationDate":"2024-12-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10799921","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821167","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-12-13DOI: 10.1109/JETCAS.2024.3502895
{"title":"IEEE Circuits and Systems Society Information","authors":"","doi":"10.1109/JETCAS.2024.3502895","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3502895","url":null,"abstract":"","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"C3-C3"},"PeriodicalIF":3.7,"publicationDate":"2024-12-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10799541","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821271","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Guest Editorial: Toward Trustworthy AI: Advances in Circuits, Systems, and Applications","authors":"Shih-Hsu Huang;Pin-Yu Chen;Stjepan Picek;Chip-Hong Chang","doi":"10.1109/JETCAS.2024.3497232","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3497232","url":null,"abstract":"","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"577-581"},"PeriodicalIF":3.7,"publicationDate":"2024-12-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10799920","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821168","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Adversarial examples make Deep Learning (DL) models vulnerable to safe deployment in practical systems. Although several techniques have been proposed in the literature, defending against adversarial attacks is still challenging. The current work identifies weaknesses of traditional strategies in detecting and classifying adversarial examples. To overcome these limitations, we carefully analyze techniques like binary detector and ensemble method, and compose them in a manner which mitigates the limitations. We also effectively develop a re-attack strategy, a randomization technique called RRP (Random Resizing and Patch-removing), and a rule-based decision method. Our proposed method, BEARR (Binary detector with Ensemble and re-Attacking scheme including Randomization and Rule-based decision technique) detects adversarial examples as well as classifies those examples with a higher accuracy compared to contemporary methods. We evaluate BEARR on standard image classification datasets: CIFAR-10, CIFAR-100, and tiny-imagenet as well as two real-world datasets: plantvillage and chest X-ray in the presence of state-of-the-art adversarial attack techniques. We have also validated BEARR against a more potent attacker who has perfect knowledge of the protection mechanism. We observe that BEARR is significantly better than existing methods in the context of detection and classification accuracy of adversarial examples.
{"title":"Decision Guided Robust DL Classification of Adversarial Images Combining Weaker Defenses","authors":"Shubhajit Datta;Manaar Alam;Arijit Mondal;Debdeep Mukhopadhyay;Partha Pratim Chakrabarti","doi":"10.1109/JETCAS.2024.3497295","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3497295","url":null,"abstract":"Adversarial examples make Deep Learning (DL) models vulnerable to safe deployment in practical systems. Although several techniques have been proposed in the literature, defending against adversarial attacks is still challenging. The current work identifies weaknesses of traditional strategies in detecting and classifying adversarial examples. To overcome these limitations, we carefully analyze techniques like binary detector and ensemble method, and compose them in a manner which mitigates the limitations. We also effectively develop a re-attack strategy, a randomization technique called RRP (Random Resizing and Patch-removing), and a rule-based decision method. Our proposed method, BEARR (Binary detector with Ensemble and re-Attacking scheme including Randomization and Rule-based decision technique) detects adversarial examples as well as classifies those examples with a higher accuracy compared to contemporary methods. We evaluate BEARR on standard image classification datasets: CIFAR-10, CIFAR-100, and tiny-imagenet as well as two real-world datasets: plantvillage and chest X-ray in the presence of state-of-the-art adversarial attack techniques. We have also validated BEARR against a more potent attacker who has perfect knowledge of the protection mechanism. We observe that BEARR is significantly better than existing methods in the context of detection and classification accuracy of adversarial examples.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"758-772"},"PeriodicalIF":3.7,"publicationDate":"2024-11-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821198","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-11-04DOI: 10.1109/JETCAS.2024.3491497
Debopriya Roy Dipta;Jonathan Tan;Berk Gulmezoglu
Microarchitectural attacks threaten the security of individuals in a diverse set of platforms, such as personal computers, mobile phones, cloud environments, and AR/VR devices. Chip vendors are struggling to patch every hardware vulnerability in a timely manner, leaving billions of people’s private information under threat. Hence, dynamic attack detection tools which utilize hardware performance counters and machine learning (ML) models, have become popular for detecting ongoing attacks. In this study, we evaluate the robustness of various ML-based detection models with a sophisticated fuzzing framework. The framework manipulates hardware performance counters in a controlled manner using individual fuzzing blocks. Later, the framework is leveraged to modify the microarchitecture attack source code and to evade the detection tools. We evaluate our fuzzing framework with time overhead, achieved leakage rate, and the number of trials to successfully evade the detection.
{"title":"Systematical Evasion From Learning-Based Microarchitectural Attack Detection Tools","authors":"Debopriya Roy Dipta;Jonathan Tan;Berk Gulmezoglu","doi":"10.1109/JETCAS.2024.3491497","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3491497","url":null,"abstract":"Microarchitectural attacks threaten the security of individuals in a diverse set of platforms, such as personal computers, mobile phones, cloud environments, and AR/VR devices. Chip vendors are struggling to patch every hardware vulnerability in a timely manner, leaving billions of people’s private information under threat. Hence, dynamic attack detection tools which utilize hardware performance counters and machine learning (ML) models, have become popular for detecting ongoing attacks. In this study, we evaluate the robustness of various ML-based detection models with a sophisticated fuzzing framework. The framework manipulates hardware performance counters in a controlled manner using individual fuzzing blocks. Later, the framework is leveraged to modify the microarchitecture attack source code and to evade the detection tools. We evaluate our fuzzing framework with time overhead, achieved leakage rate, and the number of trials to successfully evade the detection.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"823-833"},"PeriodicalIF":3.7,"publicationDate":"2024-11-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821230","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-11-04DOI: 10.1109/JETCAS.2024.3491169
Tian Chen;Yu-An Tan;Chunying Li;Zheng Zhang;Weizhi Meng;Yuanzhang Li
With the increasing popularity of heterogeneous computing systems in Artificial Intelligence (AI) applications, ensuring the confidentiality and integrity of sensitive data transferred between different elements has become a critical challenge. In this paper, we propose an enhanced security framework called SecureComm to protect data transfer between ARM CPU and FPGA through Double Data Rate (DDR) memory on CPU-FPGA heterogeneous platforms. SecureComm extends the SM4 crypto module by incorporating a proposed Message Authentication Code (MAC) to ensure data confidentiality and integrity. It also constructs smart queues in the shared memory of DDR, which work in conjunction with the designed protocols to help schedule data flow and facilitate flexible adaptation to various AI tasks with different data scales. Furthermore, some of the hardware modules of SecureComm are improved and encapsulated as independent IPs to increase their versatility beyond the scope of this paper. We implemented several ARM CPU-FPGA collaborative AI applications to justify the security and evaluate the timing overhead of SecureComm. We also deployed SecureComm to non-AI tasks to demonstrate its versatility, ultimately offering suggestions for its use in tasks of varying data scales.
{"title":"SecureComm: A Secure Data Transfer Framework for Neural Network Inference on CPU-FPGA Heterogeneous Edge Devices","authors":"Tian Chen;Yu-An Tan;Chunying Li;Zheng Zhang;Weizhi Meng;Yuanzhang Li","doi":"10.1109/JETCAS.2024.3491169","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3491169","url":null,"abstract":"With the increasing popularity of heterogeneous computing systems in Artificial Intelligence (AI) applications, ensuring the confidentiality and integrity of sensitive data transferred between different elements has become a critical challenge. In this paper, we propose an enhanced security framework called SecureComm to protect data transfer between ARM CPU and FPGA through Double Data Rate (DDR) memory on CPU-FPGA heterogeneous platforms. SecureComm extends the SM4 crypto module by incorporating a proposed Message Authentication Code (MAC) to ensure data confidentiality and integrity. It also constructs smart queues in the shared memory of DDR, which work in conjunction with the designed protocols to help schedule data flow and facilitate flexible adaptation to various AI tasks with different data scales. Furthermore, some of the hardware modules of SecureComm are improved and encapsulated as independent IPs to increase their versatility beyond the scope of this paper. We implemented several ARM CPU-FPGA collaborative AI applications to justify the security and evaluate the timing overhead of SecureComm. We also deployed SecureComm to non-AI tasks to demonstrate its versatility, ultimately offering suggestions for its use in tasks of varying data scales.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"811-822"},"PeriodicalIF":3.7,"publicationDate":"2024-11-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821274","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-10-30DOI: 10.1109/JETCAS.2024.3488597
Dong Hyub Kim;Jonah O’Brien Weiss;Sandip Kundu
Deep Neural Networks (DNNs) have become invaluable intellectual property for AI providers due to advancements fueled by a decade of research and development. However, recent studies have demonstrated the effectiveness of model extraction attacks, which threaten this value by stealing DNN models. These attacks can lead to misuse of personal data, safety risks in critical systems, and the spread of misinformation. This paper explores model extraction attacks on DNN models deployed on mobile devices, using runtime profiles as a side-channel. Since mobile devices are resource constrained, DNN deployments require optimization efforts to reduce latency. The main hurdle in extracting DNN architectures in this scenario is that optimization techniques, such as operator-level and graph-level fusion, can obfuscate the association between runtime profile operators and their corresponding DNN layers, posing challenges for adversaries to accurately predict the computation performed. To overcome this, we propose a novel method analyzing GPU call profiles to identify the original DNN architecture. Our approach achieves full accuracy in extracting DNN architectures from a predefined set, even when layer information is obscured. For unseen architectures, a layer-by-layer hyperparameter extraction method guided by sub-layer patterns is introduced, also achieving high accuracy. This research achieves two firsts: 1) targeting mobile GPUs for DNN architecture extraction and 2) successfully extracting architectures from optimized models with fused layers.
{"title":"Extracting DNN Architectures via Runtime Profiling on Mobile GPUs","authors":"Dong Hyub Kim;Jonah O’Brien Weiss;Sandip Kundu","doi":"10.1109/JETCAS.2024.3488597","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3488597","url":null,"abstract":"Deep Neural Networks (DNNs) have become invaluable intellectual property for AI providers due to advancements fueled by a decade of research and development. However, recent studies have demonstrated the effectiveness of model extraction attacks, which threaten this value by stealing DNN models. These attacks can lead to misuse of personal data, safety risks in critical systems, and the spread of misinformation. This paper explores model extraction attacks on DNN models deployed on mobile devices, using runtime profiles as a side-channel. Since mobile devices are resource constrained, DNN deployments require optimization efforts to reduce latency. The main hurdle in extracting DNN architectures in this scenario is that optimization techniques, such as operator-level and graph-level fusion, can obfuscate the association between runtime profile operators and their corresponding DNN layers, posing challenges for adversaries to accurately predict the computation performed. To overcome this, we propose a novel method analyzing GPU call profiles to identify the original DNN architecture. Our approach achieves full accuracy in extracting DNN architectures from a predefined set, even when layer information is obscured. For unseen architectures, a layer-by-layer hyperparameter extraction method guided by sub-layer patterns is introduced, also achieving high accuracy. This research achieves two firsts: 1) targeting mobile GPUs for DNN architecture extraction and 2) successfully extracting architectures from optimized models with fused layers.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"620-633"},"PeriodicalIF":3.7,"publicationDate":"2024-10-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821286","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-10-30DOI: 10.1109/JETCAS.2024.3476386
Xiangyu Wen;Yu Li;Wei Jiang;Qiang Xu
Well-performed deep neural networks (DNNs) generally require massive labeled data and computational resources for training. Various watermarking techniques are proposed to protect such intellectual properties (IPs), wherein the DNN providers can claim IP ownership by retrieving their embedded watermarks. While promising results are reported in the literature, existing solutions suffer from watermark removal attacks, such as model fine-tuning, model pruning, and model extraction. In this paper, we propose a novel DNN watermarking solution that can effectively defend against the above attacks. Our key insight is to enhance the coupling of the watermark and model functionalities such that removing the watermark would inevitably degrade the model’s performance on normal inputs. Specifically, on one hand, we sample inputs from the original training dataset and fuse them as watermark images. On the other hand, we randomly mask model weights during training to distribute the watermark information in the network. Our method can successfully defend against common watermark removal attacks, watermark ambiguity attacks, and existing widely used backdoor detection methods, outperforming existing solutions as demonstrated by evaluation results on various benchmarks. Our code is available at: �https://github.com/cure-lab/Function-Coupled-Watermark�.
性能良好的深度神经网络(DNN)通常需要大量标注数据和计算资源进行训练。为了保护这些知识产权(IP),人们提出了各种水印技术,DNN 提供商可以通过检索其嵌入的水印来主张 IP 所有权。虽然文献报道的结果很有希望,但现有的解决方案都受到水印去除攻击,如模型微调、模型剪枝和模型提取。在本文中,我们提出了一种新型 DNN 水印解决方案,可有效抵御上述攻击。我们的主要见解是加强水印和模型功能的耦合,这样去除水印就会不可避免地降低模型在正常输入上的性能。具体来说,一方面,我们从原始训练数据集中抽取输入样本,并将其融合为水印图像。另一方面,我们在训练过程中随机屏蔽模型权重,以便在网络中分布水印信息。我们的方法可以成功抵御常见的水印去除攻击、水印模糊攻击和现有的广泛使用的后门检测方法,在各种基准上的评估结果表明,我们的方法优于现有的解决方案。我们的代码可在以下网址获取:https://github.com/cure-lab/Function-Coupled-Watermark。
{"title":"On Function-Coupled Watermarks for Deep Neural Networks","authors":"Xiangyu Wen;Yu Li;Wei Jiang;Qiang Xu","doi":"10.1109/JETCAS.2024.3476386","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3476386","url":null,"abstract":"Well-performed deep neural networks (DNNs) generally require massive labeled data and computational resources for training. Various watermarking techniques are proposed to protect such intellectual properties (IPs), wherein the DNN providers can claim IP ownership by retrieving their embedded watermarks. While promising results are reported in the literature, existing solutions suffer from watermark removal attacks, such as model fine-tuning, model pruning, and model extraction. In this paper, we propose a novel DNN watermarking solution that can effectively defend against the above attacks. Our key insight is to enhance the coupling of the watermark and model functionalities such that removing the watermark would inevitably degrade the model’s performance on normal inputs. Specifically, on one hand, we sample inputs from the original training dataset and fuse them as watermark images. On the other hand, we randomly mask model weights during training to distribute the watermark information in the network. Our method can successfully defend against common watermark removal attacks, watermark ambiguity attacks, and existing widely used backdoor detection methods, outperforming existing solutions as demonstrated by evaluation results on various benchmarks. Our code is available at: \u0000<uri>https://github.com/cure-lab/Function-Coupled-Watermark</uri>\u0000.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"608-619"},"PeriodicalIF":3.7,"publicationDate":"2024-10-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10738841","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821233","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: