Input-Triggered Hardware Trojan Attack on Spiking Neural Networks

Spyridon Raptis, Paul Kling, Ioannis Kaskampas, Ihsen Alouani, Haralampos-G. Stratigopoulos

TL;DR

Spiking neural networks offer energy-efficient neuromorphic computation but pose security risks in hardware implementations. The authors propose an input-triggered hardware Trojan localized to a single Trojan neuron, whose payload saturates the neuron to emit continuous spikes and mislead the network, triggered by a crafted spike-pattern input generated via gradient-based optimization. They validate the concept through simulations on NMNIST, IBM DVS128 Gesture, and SHD datasets, and demonstrate hardware feasibility with analog and digital HT designs and a low-footprint FPGA implementation. They also discuss defense strategies ranging from generic ATPG-like spiking analyses to neuron monitoring and input filtering, highlighting the need for countermeasures such as spiking-domain ATPG and online filtering to mitigate such covert HTs in neuromorphic hardware.

Abstract

Neuromorphic computing based on spiking neural networks (SNNs) is emerging as a promising alternative to traditional artificial neural networks (ANNs), offering unique advantages in terms of low power consumption. However, the security aspect of SNNs is under-explored compared to their ANN counterparts. As the increasing reliance on AI systems comes with unique security risks and challenges, understanding the vulnerabilities and threat landscape is essential as neuromorphic computing matures. In this effort, we propose a novel input-triggered Hardware Trojan (HT) attack for SNNs. The HT mechanism is condensed in the area of one neuron. The trigger mechanism is an input message crafted in the spiking domain such that a selected neuron produces a malicious spike train that is not met in normal settings. This spike train triggers a malicious modification in the neuron that forces it to saturate, firing permanently and failing to recover to its resting state even when the input activity stops. The excessive spikes pollute the network and produce misleading decisions. We propose a methodology to select an appropriate neuron and to generate the input pattern that triggers the HT payload. The attack is illustrated by simulation on three popular benchmarks in the neuromorphic community. We also propose a hardware implementation for an analog spiking neuron and a digital SNN accelerator, demonstrating that the HT has a negligible area and power footprint and, thereby, can easily evade detection.
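The symptom the abstract describes, a neuron that keeps firing after input activity has stopped, is something a runtime monitor can check for. The sketch below is an added example, not code from the paper: the function names, the `settle`, `min_window` and `rate_limit` thresholds, and the sample raster are all assumptions constructed for illustration.

```python
"""Added example: flag neurons that keep firing once the input has gone silent."""

def last_input_step(input_raster):
    """Index of the last time step carrying any input spike, or -1 if none."""
    last = -1
    for t, step in enumerate(input_raster):
        if any(step):
            last = t
    return last

def find_saturated_neurons(input_raster, neuron_raster,
                           settle=5, min_window=10, rate_limit=0.8):
    """Return indices of neurons whose firing rate stays >= rate_limit after
    the input stops. Rasters are lists of per-time-step lists of 0/1.
    `settle` (assumed value) lets healthy membrane potentials decay first.
    Returns None when the quiescent window is too short to decide."""
    if len(input_raster) != len(neuron_raster):
        raise ValueError("rasters must cover the same time steps")
    start = last_input_step(input_raster) + 1 + settle
    window = neuron_raster[start:]
    if len(window) < min_window:
        return None  # input never went quiet long enough: no verdict
    flagged = []
    for i in range(len(window[0])):
        rate = sum(step[i] for step in window) / len(window)
        if rate >= rate_limit:
            flagged.append(i)
    return flagged

def build_sample(steps=40, input_end=20, stuck_from=12):
    """Constructed raster: 3 input channels, 4 monitored neurons.
    Neuron 2 models a saturated neuron firing on every step from `stuck_from`;
    pass stuck_from=None for a healthy network."""
    inputs = [[1 if t < input_end and (t + c) % 2 == 0 else 0 for c in range(3)]
              for t in range(steps)]
    neurons = []
    for t in range(steps):
        n0 = 1 if t < input_end and t % 3 == 0 else 0
        # neuron 1 emits one trailing spike inside the settle period (benign)
        n1 = 1 if (t < input_end and t % 2 == 0) or t == input_end + 1 else 0
        n2 = 1 if stuck_from is not None and t >= stuck_from else 0
        neurons.append([n0, n1, n2, 0])
    return inputs, neurons

if __name__ == "__main__":
    inputs, neurons = build_sample()
    print("saturated neurons:", find_saturated_neurons(inputs, neurons))
```

The check only gives a verdict when the recording contains a quiet period after the stimulus; with continuous input it returns `None` rather than guessing.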

Paper Structure

This paper contains 27 sections, 7 equations, 15 figures, 4 tables, 1 algorithm.

Figures (15)

  • Figure 1: Operating principle of proposed attack.
  • Figure 2: SNN architecture for the NMNIST dataset.
  • Figure 3: SNN architecture for the IBM DVS128 Gesture dataset.
  • Figure 4: SNN architecture for the SHD dataset.
  • Figure 5: Accuracy drop per neuron per layer for saturated and dead neuron faults.
  • ...and 10 more figures