SNNGX: Securing Spiking Neural Networks with Genetic XOR Encryption on RRAM-based Neuromorphic Accelerator

Kwunhang Wong, Songqi Wang, Wei Huang, Xinyuan Zhang, Yangu He, Karl M. H. Lai, Yuzhong Jiao, Ning Lin, Xiaojuan Qi, Xiaoming Chen, Zhongrui Wang

TL;DR

The paper addresses the risk of white-box IP theft for biologically inspired Spiking Neural Networks (SNNs) deployed on Resistive Random-Access Memory (RRAM) neuromorphic accelerators. It introduces SNNGX, a software-hardware co-design that uses a gradient-free genetic bit search to XOR-encrypt a minimal set of MSB weight bits, and a decryptor integrated into the RRAM accelerator that performs zero-latency decryption during inference. Key results show that only a tiny fraction of weight bits (as low as $0.00005\%$ to $0.016\%$) needs encryption to thwart IP theft, while achieving substantial energy and latency savings (up to $59\times$–$6780\times$ energy reduction and $175\times$–$4250\times$ latency reduction) across the NMNIST, DVSGesture, EEGMMIDB, Braille Letter, and SHD datasets; the method is also data-efficient, requiring as little as one sample per class. The framework demonstrates strong, hardware-efficient protection with broad applicability to neuromorphic AI while maintaining practical performance and robust security against brute-force and partially-recovered-key threats.

Abstract

Biologically plausible Spiking Neural Networks (SNNs), characterized by spike sparsity, are gaining tremendous attention over intellectual edge devices and critical bio-medical applications as compared to artificial neural networks (ANNs). However, there is a considerable risk from malicious attempts to extract white-box information (i.e., weights) from SNNs, as attackers could exploit well-trained SNNs for profit and white-box adversarial concerns. There is a dire need for intellectual property (IP) protective measures. In this paper, we present a novel secure software-hardware co-designed RRAM-based neuromorphic accelerator for protecting the IP of SNNs. Software-wise, we design a tailored genetic algorithm with classic XOR encryption to target the least number of weights that need encryption. From a hardware perspective, we develop a low-energy decryption module, meticulously designed to provide zero decryption latency. Extensive results from various datasets, including NMNIST, DVSGesture, EEGMMIDB, Braille Letter, and SHD, demonstrate that our proposed method effectively secures SNNs by encrypting a minimal fraction of stealthy weights, only 0.00005% to 0.016% of weight bits. Additionally, it achieves a substantial reduction in energy consumption, ranging from 59× to 6780×, and significantly lowers decryption latency, ranging from 175× to 4250×. Moreover, our method requires as little as one sample per class in the dataset for encryption and addresses the insensitivity problems of Hessian/gradient-based search. This strategy offers a highly efficient and flexible solution for securing SNNs in diverse applications.
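
The idea summarized above (a gradient-free genetic search that picks a few MSB weight bits to XOR so that the stored model is useless without the key) can be sketched on a toy model. This is an added illustration, not the paper's algorithm or code: the 4×8 int8 weight matrix, the one-sample-per-class data, the 4-bit budget and the mutation-only search are all constructed assumptions.

```python
import random

# Constructed toy model: 4 classes x 8 inputs, int8 weights stored as raw bytes.
# Inputs 0-3 each spike for one class; inputs 4-7 stay silent (spike sparsity).
N_CLS, N_IN, MSB = 4, 8, 0x80
W = [[(60 if i == c else -20) & 0xFF for i in range(N_IN)] for c in range(N_CLS)]
SAMPLES = [([1 if i == c else 0 for i in range(N_IN)], c) for c in range(N_CLS)]  # one per class

def signed(b):
    """Interpret a stored byte as a two's-complement int8 weight."""
    return b - 256 if b & MSB else b

def xor_msb(weights, key):
    """XOR the MSB of every (row, col) cell listed in key; applying it twice decrypts."""
    out = [row[:] for row in weights]
    for r, c in key:
        out[r][c] ^= MSB
    return out

def accuracy(weights):
    hits = 0
    for x, label in SAMPLES:
        scores = [sum(signed(w) * s for w, s in zip(row, x)) for row in weights]
        hits += scores.index(max(scores)) == label
    return hits / len(SAMPLES)

def genetic_search(budget=4, pop_size=30, generations=200, seed=1):
    """Gradient-free search for `budget` cells whose MSB flip minimises accuracy."""
    rng = random.Random(seed)
    cells = [(r, c) for r in range(N_CLS) for c in range(N_IN)]
    fitness = lambda key: accuracy(xor_msb(W, key))
    pop = [frozenset(rng.sample(cells, budget)) for _ in range(pop_size)]
    for _ in range(generations):
        pop.sort(key=fitness)
        if fitness(pop[0]) == 0.0:
            break
        elite = pop[: pop_size // 2]
        children = []
        for parent in elite:                      # mutate: swap one cell for a new one
            kept = rng.sample(sorted(parent), budget - 1)
            new = rng.choice([c for c in cells if c not in parent])
            children.append(frozenset(kept + [new]))
        pop = elite + children
    return min(pop, key=fitness)

KEY = genetic_search()            # secret: which 4 of the 256 weight bits were flipped
ENCRYPTED = xor_msb(W, KEY)       # what would sit in memory; XOR with KEY restores W
```

Bits in the silent input columns never affect the samples, so the search has to place its whole budget on the informative columns; XORing the same cells again restores the original weights exactly.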

Paper Structure (25 sections, 24 equations, 10 figures, 3 tables, 1 algorithm)

Figures (10)

  • Figure 1: (a) SNNGX protection framework against IP stealing attack. (b) Quasi-static I-V sweeps of an RRAM cell demonstrate repeatable bipolar resistive switching behavior. (c) RRAM cell after set and reset operation.
  • Figure 2: The schematic of SNNGX accelerator architecture.
  • Figure 3: The schematic of reference resistor (left panel), decryptor (middle panel) and LIF Neuron (right panel).
  • Figure 4: Accuracy of NMNIST (output layer with genetic encryption) by varying number of encryption samples (a) and by varying bits for quantization (b). Genetic encryption time cost (c). Baseline of random encryption with 50 bits 100 times using 8-bit encryption vs. sign-bit encryption (d).
  • Figure 5: NMNIST: SNN(Left), DVSGesture: CSNN (Mid) and Braille Letter: RSNN (Right) by different single layer encryption performance
  • ...and 5 more figures

Theorems & Definitions (1)

  • proof