Runtime Detection of Adversarial Attacks in AI Accelerators Using Performance Counters

Habibur Rahaman, Atri Chatterjee, Swarup Bhunia

TL;DR

The paper addresses the vulnerability of AI accelerators to adversarial attacks by proposing SAMURAI, a hardware-based security framework that integrates AI Performance Counters (APC) with an on-chip ML analyzer named TANTO for real-time anomaly detection. By collecting low-level AI operation traces and performing on-device training and inference, SAMURAI avoids data transfer and model integration requirements while enabling responsive protection against misuse. Key contributions include the APC-TANTO architecture, on-device training of the anomaly detector, and extensive evaluation showing up to 97% detection accuracy with modest overhead across multiple models and datasets. The work demonstrates that hardware-level monitoring combined with lightweight on-chip ML can enhance security and regulatory compliance for AI accelerators, with practical implications for safe deployment of AI hardware in diverse environments.

Abstract

Rapid adoption of AI technologies raises several major security concerns, including the risks of adversarial perturbations, which threaten the confidentiality and integrity of AI applications. Protecting AI hardware from misuse and diverse security threats is a challenging task. To address this challenge, we propose SAMURAI, a novel framework for safeguarding against malicious usage of AI hardware and its resilience to attacks. SAMURAI introduces an AI Performance Counter (APC) for tracking dynamic behavior of an AI model coupled with an on-chip Machine Learning (ML) analysis engine, known as TANTO (Trained Anomaly Inspection Through Trace Observation). APC records the runtime profile of the low-level hardware events of different AI operations. Subsequently, the summary information recorded by the APC is processed by TANTO to efficiently identify potential security breaches and ensure secure, responsible use of AI. SAMURAI enables real-time detection of security threats and misuse without relying on traditional software-based solutions that require model integration. Experimental results demonstrate that SAMURAI achieves up to 97% accuracy in detecting adversarial attacks with moderate overhead on various AI models, significantly outperforming conventional software-based approaches. It enhances security and regulatory compliance, providing a comprehensive solution for safeguarding AI against emergent threats.

Paper Structure

This paper contains 9 sections, 2 equations, 6 figures, 3 tables, 5 algorithms.

Figures (6)

  • Figure 1: An example of deep-fool attack on an ML model.
  • Figure 2: Block Diagram of the SAMURAI Framework illustrating the integration of the AI Performance Counter (APC) and the TANTO analysis engine, where APC captures AI hardware activity and TANTO processes the data in real time to detect adversarial attacks and unauthorized usage.
  • Figure 3: AI Performance Counter (APC) in an AI Accelerator illustrating the architecture of the APC module, which consists of a Finite State Machine (FSM) and a secure APC memory block that records operational metrics during AI inference and securely transmits the data to TANTO for real-time analysis.
  • Figure 4: Adversarial Image Detection Process in SAMURAI showing how the SAMURAI framework detects adversarial images by collecting AI Performance Counter (APC) traces, analyzing them in real time, and identifying adversarial inputs during inference.
  • Figure 5: Comparison of Different ML Models for Adversarial Image Detection presenting the accuracy of various machine learning models, including Logistic Regression, SVM, XGBoost, Random Forest, DNN, and LSTM, in distinguishing between adversarial and non-adversarial inputs.
  • ...and 1 more figure
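The pipeline the abstract and Figures 3 to 5 describe (the APC records a per-inference summary of low-level hardware events, and TANTO classifies that summary as benign or adversarial) can be sketched end to end with a small simulation. The following is an added example and not code from the SAMURAI paper: the counter names (per-layer fractions of non-zero and saturated activations), the assumed way adversarial inputs shift them, the constructed training data and the names `simulate_trace`, `features`, `TraceAnalyzer`, `train_analyzer` and `evaluate` are all illustrative assumptions. The analyzer is a plain logistic regression, one of the models Figure 5 compares, trained with gradient descent so the whole thing runs offline with the standard library only.

```python
"""Toy counter-trace adversarial-input detector (added example, not the paper's code).

Assumptions made for illustration: the monitored accelerator exposes, per layer,
the fraction of non-zero activations and the fraction of saturated activations,
and adversarial inputs raise both in deeper layers. Neither the counters nor the
shift are taken from the paper; they exist only to make the pipeline runnable.
"""
import math
import random

N_LAYERS = 6  # assumed depth of the monitored model


def simulate_trace(rng, adversarial):
    """Constructed APC-like summary for one inference: [(non_zero, saturated), ...]."""
    trace = []
    for layer in range(N_LAYERS):
        nz_mean, sat_mean = 0.35, 0.02
        if adversarial and layer >= 2:      # modelling choice: shift shows up after layer 2
            nz_mean += 0.10
            sat_mean += 0.03
        nz = min(1.0, max(0.0, rng.gauss(nz_mean, 0.04)))
        sat = min(1.0, max(0.0, rng.gauss(sat_mean, 0.01)))
        trace.append((nz, sat))
    return trace


def features(trace):
    """Flatten a trace into per-layer counters plus two cross-layer summaries."""
    nz = [t[0] for t in trace]
    sat = [t[1] for t in trace]
    return nz + sat + [sum(nz) / len(nz), max(sat)]


def _sigmoid(z):
    z = max(-30.0, min(30.0, z))            # clamp so exp() cannot overflow
    return 1.0 / (1.0 + math.exp(-z))


class TraceAnalyzer:
    """Logistic-regression classifier over standardized trace features."""

    def __init__(self, n_features):
        self.w = [0.0] * n_features
        self.b = 0.0
        self.mu = [0.0] * n_features
        self.sd = [1.0] * n_features

    def _norm(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sd)]

    def fit(self, X, y, lr=0.1, epochs=200):
        n, d = len(X), len(self.w)
        # Standardize each feature on the training batch; a constant feature gets sd=1.
        self.mu = [sum(x[j] for x in X) / n for j in range(d)]
        self.sd = [math.sqrt(sum((x[j] - self.mu[j]) ** 2 for x in X) / n) or 1.0
                   for j in range(d)]
        Xn = [self._norm(x) for x in X]
        for _ in range(epochs):               # full-batch gradient descent on log loss
            gw, gb = [0.0] * d, 0.0
            for x, t in zip(Xn, y):
                err = self._score_norm(x) - t
                for j in range(d):
                    gw[j] += err * x[j]
                gb += err
            for j in range(d):
                self.w[j] -= lr * gw[j] / n
            self.b -= lr * gb / n
        return self

    def _score_norm(self, xn):
        return _sigmoid(sum(w * v for w, v in zip(self.w, xn)) + self.b)

    def score(self, trace):
        """Probability that a raw trace is adversarial."""
        return self._score_norm(self._norm(features(trace)))

    def predict(self, trace, threshold=0.5):
        return int(self.score(trace) >= threshold)


def make_dataset(rng, n_per_class):
    """Constructed, balanced batch of (trace, label) pairs; label 1 = adversarial."""
    data = []
    for label in (0, 1):
        data += [(simulate_trace(rng, bool(label)), label) for _ in range(n_per_class)]
    return data


def train_analyzer(seed=0, n_train=150):
    """Train on one constructed batch; returns the analyzer and the RNG for test data."""
    rng = random.Random(seed)
    batch = make_dataset(rng, n_train)
    clf = TraceAnalyzer(len(features(batch[0][0])))
    clf.fit([features(t) for t, _ in batch], [lbl for _, lbl in batch])
    return clf, rng


def evaluate(clf, rng, n_test=100):
    """Score a fresh constructed batch; returns (accuracy, false-positive, false-negative rates)."""
    fp = fn = 0
    for trace, label in make_dataset(rng, n_test):
        pred = clf.predict(trace)
        fp += int(pred == 1 and label == 0)
        fn += int(pred == 0 and label == 1)
    total = 2 * n_test
    return (total - fp - fn) / total, fp / n_test, fn / n_test


if __name__ == "__main__":
    analyzer, rng = train_analyzer()
    acc, fpr, fnr = evaluate(analyzer, rng)
    print(f"accuracy={acc:.3f} fpr={fpr:.3f} fnr={fnr:.3f}")
```

Run stand-alone, it trains on one constructed batch and reports accuracy, false-positive and false-negative rates on a second. Two caveats worth keeping in mind when reading it against the paper: the synthetic shift guarantees separability, so the numbers it prints say nothing about the 97% figure reported in the abstract, and any counter-based detector should additionally be evaluated against an adaptive adversary who constrains the counter profile while crafting the perturbation, which this simulation does not model.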