The Inherent Adversarial Robustness of Analog In-Memory Computing

Corey Lammie, Julian Büchel, Athanasios Vasilopoulos, Manuel Le Gallo, Abu Sebastian

TL;DR

The paper investigates whether analog in-memory computing (AIMC) substrates inherently resist adversarial attacks on DNNs. It combines hardware experiments on a PCM-based AIMC chip with simulations that dissect the individual stochastic noise sources, using a ResNet-based CNN on CIFAR-10 and a RoBERTa transformer on MNLI, evaluated under multiple attack types with an adversarial success rate (ASR) metric. The results show that AIMC's intrinsic stochasticity yields increased robustness, particularly when weight noise and output noise play dominant roles, and that this robustness persists under hardware-in-the-loop attacks and in the larger NLP model. These findings suggest leveraging inherent hardware noise as a low-cost defense mechanism and provide a methodology for assessing adversarial robustness across AIMC platforms and modalities.

Abstract

A key challenge for Deep Neural Network (DNN) algorithms is their vulnerability to adversarial attacks. Inherently non-deterministic compute substrates, such as those based on Analog In-Memory Computing (AIMC), have been speculated to provide significant adversarial robustness when performing DNN inference. In this paper, we experimentally validate this conjecture for the first time on an AIMC chip based on Phase Change Memory (PCM) devices. We demonstrate higher adversarial robustness against different types of adversarial attacks when implementing an image classification network. Additional robustness is also observed when performing hardware-in-the-loop attacks, for which the attacker is assumed to have full access to the hardware. A careful study of the various noise sources indicates that a combination of stochastic noise sources (both recurrent and non-recurrent) is responsible for the adversarial robustness and that their type and magnitude disproportionately affect this property. Finally, it is demonstrated, via simulations, that when a much larger transformer network is used to implement a Natural Language Processing (NLP) task, additional robustness is still observed.

Paper Structure

This paper contains 3 sections, 1 equation, 10 figures, 6 tables, 1 algorithm.

Figures (10)

  • Figure 1: Adversarial robustness of analog in-memory computing. (a) An augmented (adversarial) image of a stop sign, intercepted and replaced by a malicious attacker, intended to be mis-categorized as a speed sign, is fed into a (i) deterministic and (ii) stochastic DNN accelerator residing in an autonomous vehicle. The deterministic system incorrectly identifies the input as a speed sign, whereas the stochastic system correctly identifies the input as a stop sign. (b) Analog in-memory computing chips which can be used to execute DNN inference workloads, are inherently stochastic. The circuits and devices they are constructed of introduce many different linear and non-linear noise sources, including, but not limited to: quantization noise, weight programming noise, weight read noise, circuit noise, and temporal weight drift. (c) Noise sources have a number of distinct properties. The recurrence property determines whether a noise source is "non-recurrent" or "recurrent". Non-recurrent noise sources introduce noise once (usually when the system is configured), while recurrent noise sources introduce noise at different frequencies during normal system operation. The type property determines whether the noise magnitude is determined as a function of the input. As depicted, programming noise is non-recurrent and its magnitude is input dependent. Read noise is recurrent and its magnitude is input dependent. We model output noise such that it is recurrent and its magnitude is input-independent.
  • Figure 1: AIMC chip model. Match for the (a) weight noise, (b) read noise, (c) output noise, and (d) matrix-vector multiply operation. For weight noise, a third-order polynomial fit is used. For read noise, experimental data is interpolated and a look-up table is used. For output noise, a fixed standard deviation is used (assumed to be independent of the total column conductance). One ADC unit corresponds to approximately 0.115 $\mu$S. (e) Mean of the drift coefficient as a function of the normalized (to Gmax) ADC unit value. (f) Standard deviation of the drift coefficient as a function of the normalized (to Gmax) ADC unit value.
  • Figure 2: Experimental validation of adversarial robustness. (a-c) Adversarial inputs generated using the PGD, Square, and OnePixel adversarial attacks for different values of both attack parameters. The attacks are evaluated using the ASR metric for the AIMC chip evaluation platform. (d-f) For different configurations, denoted using distinct marker and line styles, the ASR envelope (from the dashed lines in (a-c)) of each evaluation space is compared. For non-deterministic evaluation platforms, evaluation experiments are repeated $n=10$ times. Mean and standard deviation values are reported.
  • Figure 2: Adversarial robustness of the Resnet-based CNN to varying degrees of stochasticity. (a-c) The ASR for the PGD, Square, and OnePixel attacks for the AIMC model, where output noise is disabled and recurrent weight noise is modelled, resulting in test set accuracy drop values between 1 and 20%. The adversarial robustness of the deterministic noise sources is also evaluated. Evaluation experiments are repeated $n=10$ times. Mean and standard deviation values are reported.
  • Figure 3: The source of adversarial robustness. (a) The test set accuracy for AIMC models where only output or weight noise is considered, when the noise magnitude is set to result in test set accuracy drops (compared to the original floating-point model) of 5% and 10%. The test accuracy is evaluated for $n$=1,000 repetitions and mean and standard deviation values are reported. (b) For PGD, the robustness of both non-recurrent and recurrent output and weight noise that result in a 5% test set accuracy drop is evaluated. (c-e) The ASR for the PGD, Square, and OnePixel attacks are compared for the AIMC models with only output and weight noise (both recurrent), the AIMC model, and the AIMC chip. For non-deterministic evaluation platforms, evaluation experiments are repeated $n=10$ times. Mean and standard deviation values are reported.
  • ...and 5 more figures
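The noise taxonomy in the Figure 1 caption (non-recurrent programming noise whose magnitude depends on the stored conductance, recurrent conductance-dependent read noise, and recurrent input-independent output noise) and the ASR metric used in the TL;DR and Figures 2-3 can be made concrete with a small simulation. The Python below is an added example written for this page, not code from the paper or its authors. Everything in it is an assumption chosen for illustration: the noise functional forms (Gaussian, with standard deviation proportional to |G| for programming and read noise, and a fixed standard deviation for output noise, in place of the paper's polynomial fit and look-up table), the toy three-class linear "network" and its inputs (constructed), the single-step sign attack standing in for PGD, and the ASR definition (fraction of inputs the platform classifies correctly when clean whose adversarial version it misclassifies), since the paper's exact ASR formula is not reproduced on this page.

```python
"""Toy model of the AIMC noise taxonomy from Figure 1(c) on an analog MVM,
plus an ASR helper averaged over repeated evaluations, as done for
non-deterministic platforms. All functional forms are illustrative
assumptions, not the paper's fitted chip model."""
import numpy as np


class NoisyMVM:
    """y = W x with three stochastic noise sources. Weights are conductances
    normalised to [-1, 1] (G/Gmax). Assumed forms:
    - prog_std: programming noise, drawn ONCE in program() and reused on every
      call (non-recurrent); std scales with |G| (conductance-dependent).
    - read_std: read noise, re-drawn on EVERY call; std scales with |G|
      (recurrent, conductance-dependent).
    - out_std:  output (ADC/circuit) noise, re-drawn on EVERY call with a fixed
      std (recurrent, input-independent)."""

    def __init__(self, weights, prog_std=0.0, read_std=0.0, out_std=0.0, seed=0):
        self.ideal = np.asarray(weights, dtype=float)
        self.prog_std, self.read_std, self.out_std = prog_std, read_std, out_std
        self.rng = np.random.default_rng(seed)
        self.programmed = None
        self.program()

    def program(self):
        """Write the weights to the array: programming noise is drawn here only."""
        noise = self.rng.normal(0.0, 1.0, self.ideal.shape) * self.prog_std * np.abs(self.ideal)
        self.programmed = np.clip(self.ideal + noise, -1.0, 1.0)

    def __call__(self, x):
        w = self.programmed
        if self.read_std > 0:   # recurrent, conductance-dependent
            w = w + self.rng.normal(0.0, 1.0, w.shape) * self.read_std * np.abs(w)
        y = w @ np.asarray(x, dtype=float)
        if self.out_std > 0:    # recurrent, input-independent
            y = y + self.rng.normal(0.0, self.out_std, y.shape)
        return y


def predict(model, X):
    """Class index per row of X; one MVM per input, so recurrent noise is re-drawn each time."""
    return np.array([int(np.argmax(model(x))) for x in X])


def craft_adversarial(W, X, labels, eps):
    """White-box single-step sign attack on the IDEAL (deterministic) linear model,
    pushing each input towards its runner-up class. Assumed stand-in for PGD."""
    W = np.asarray(W, dtype=float)
    X_adv = []
    for x, c in zip(X, labels):
        z = W @ x
        z_masked = z.copy()
        z_masked[c] = -np.inf
        t = int(np.argmax(z_masked))                    # runner-up class
        X_adv.append(np.clip(x + eps * np.sign(W[t] - W[c]), 0.0, 1.0))
    return np.array(X_adv)


def attack_success_rate(clean_pred, adv_pred, labels):
    """Assumed ASR: among inputs classified correctly when clean, the fraction
    whose adversarial version is misclassified."""
    clean_pred, adv_pred, labels = map(np.asarray, (clean_pred, adv_pred, labels))
    correct = clean_pred == labels
    if not correct.any():
        return 0.0
    return float(np.mean(adv_pred[correct] != labels[correct]))


def mean_asr(model, X, X_adv, labels, n=10):
    """ASR averaged over n repeated evaluations (the paper repeats n=10 times
    for non-deterministic platforms); n=1 suffices for a deterministic model."""
    return float(np.mean([attack_success_rate(predict(model, X), predict(model, X_adv), labels)
                          for _ in range(n)]))


# Constructed 3-class linear "network" (4 features) and clean inputs the ideal
# model classifies correctly. Not data from the paper.
W_DEMO = np.array([[ 0.9, -0.2,  0.1, -0.6],
                   [-0.3,  0.8, -0.4,  0.2],
                   [-0.5, -0.4,  0.7,  0.9]])
X_DEMO = np.array([[0.9, 0.1, 0.2, 0.1],
                   [0.1, 0.9, 0.0, 0.3],
                   [0.1, 0.2, 0.8, 0.9]])
LABELS_DEMO = np.array([0, 1, 2])

if __name__ == "__main__":
    ideal = NoisyMVM(W_DEMO)                                    # deterministic platform
    X_adv = craft_adversarial(W_DEMO, X_DEMO, LABELS_DEMO, eps=0.5)
    print("deterministic ASR:", mean_asr(ideal, X_DEMO, X_adv, LABELS_DEMO, n=1))
    noisy = NoisyMVM(W_DEMO, prog_std=0.1, read_std=0.1, out_std=0.1, seed=1)
    print("stochastic ASR   :", mean_asr(noisy, X_DEMO, X_adv, LABELS_DEMO, n=10))
```

Two things worth observing with this toy: a model with only programming noise returns identical outputs on repeated calls (the perturbation was fixed when the array was configured, which is what "non-recurrent" means), while read or output noise changes the result on every call; this is why non-deterministic platforms need repeated evaluation and reported standard deviations rather than a single ASR number. The toy does not reproduce the paper's measured robustness; whether the stochastic ASR drops below the deterministic one here depends on the chosen noise magnitudes and the margin of the constructed inputs.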