Proceedings Paper

A Low Cost Weight Obfuscation Scheme for Security Enhancement of ReRAM Based Neural Network Accelerators

Publisher

IEEE
DOI: 10.1145/3394885.3431599

Keywords

ReRAM; Security; Model stealing attack; Weight obfuscation

Funding

  1. Natural Science Foundation of Hebei province of China [F2017502043]
  2. Open Subject of State Key Laboratory of Computer Architecture [CARCH201802]


A ReRAM-based accelerator can execute large-scale NN applications efficiently, but the non-volatility of ReRAM introduces a security weakness: the stored weights survive power-off and can be read out by an attacker with physical access. The paper proposes a low-cost weight obfuscation scheme that protects NN models from model stealing attacks with lower hardware and power overheads than prior methods.
The resistive random-access memory (ReRAM) based accelerator can execute large-scale neural network (NN) applications in an extremely energy-efficient way. However, the non-volatile nature of ReRAM introduces security vulnerabilities. The weight parameters of a well-trained NN model deployed on a ReRAM-based accelerator persist even after the chip is powered off. An adversary with physical access to the accelerator can therefore launch a model stealing attack and extract these weights by micro-probing. Run-time encryption of the weights is an intuitive way to protect the NN model, but it substantially degrades execution performance and device endurance, while obfuscation of the weight rows requires a tremendous hardware area overhead to achieve high security. In view of these problems, this paper proposes a low-cost weight obfuscation scheme that secures the NN model deployed on a ReRAM-based accelerator against the model stealing attack. The crossbar is partitioned into many virtual operation units (VOUs), and a full permutation is applied to the weights of each VOU along the column dimension. Without the keys, an attacker cannot perform the correct NN computation even after obtaining the obfuscated model. Compared with weight-row-based obfuscation, the scheme achieves the same level of security with an order of magnitude less hardware area and power overhead.
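The following is an added simulation, not code from the paper, that illustrates the obfuscation idea in the abstract: a crossbar weight matrix is cut into virtual operation units (VOUs) of adjacent columns, each VOU's columns are stored in a secret permuted order, and the legitimate datapath (which knows the key) routes each physical column back to its logical position, while an attacker who dumps the cells gets a scrambled network. The crossbar model (inputs on rows, outputs on columns, `y = x . W`), the choice to permute columns rather than rows, the way the key is consumed by the legitimate path, and the tiny random two-layer network are all modelling assumptions made here; the paper's actual hardware mapping and overhead figures are not reproduced. The `key_space_bits` helper is an added sanity check of brute-force cost under this model, not an analysis from the paper.

```python
"""Toy model of per-VOU column-permutation weight obfuscation on a ReRAM crossbar.

Assumed model (an illustration, not the paper's hardware design):
  * a crossbar holds W with one input per row and one output (bit line) per column,
    so a layer computes y = x . W;
  * the crossbar is cut into virtual operation units (VOUs) of `vou_cols` adjacent
    columns, and each VOU gets its own secret column permutation (the key);
  * the legitimate datapath knows the key and routes every physical column back to
    its logical position; an attacker who reads the cells (e.g. by micro-probing)
    obtains the permuted matrix but not the key.
"""
import math
import random


def matvec(x, W):
    """Crossbar read-out: y[j] = sum_i x[i] * W[i][j]."""
    return [sum(x[i] * W[i][j] for i in range(len(W))) for j in range(len(W[0]))]


def relu(v):
    return [max(0.0, a) for a in v]


def make_key(n_cols, vou_cols, seed):
    """One independent, non-identity permutation per VOU of `vou_cols` adjacent columns."""
    rng = random.Random(seed)
    key = []
    for start in range(0, n_cols, vou_cols):
        width = min(vou_cols, n_cols - start)
        perm = list(range(width))
        if width > 1:
            while perm == sorted(perm):      # the identity permutation hides nothing; redraw
                rng.shuffle(perm)
        key.append(perm)
    return key


def obfuscate(W, key, vou_cols):
    """Store logical column base+perm[k] at physical column base+k within each VOU."""
    n_cols = len(W[0])
    out = [[0.0] * n_cols for _ in W]
    for v, perm in enumerate(key):
        base = v * vou_cols
        for phys, logical in enumerate(perm):
            for i in range(len(W)):
                out[i][base + phys] = W[i][base + logical]
    return out


def unscramble(y_phys, key, vou_cols):
    """Legitimate path: route physical column base+k back to logical column base+perm[k]."""
    y = [0.0] * len(y_phys)
    for v, perm in enumerate(key):
        base = v * vou_cols
        for phys, logical in enumerate(perm):
            y[base + logical] = y_phys[base + phys]
    return y


def forward(x, layers, keys=None, vou_cols=None):
    """Run a ReLU MLP over the given crossbars; keys=None models an attacker without the key."""
    h = x
    for idx, W in enumerate(layers):
        h = matvec(h, W)
        if keys is not None:
            h = unscramble(h, keys[idx], vou_cols)
        if idx < len(layers) - 1:
            h = relu(h)
    return h


def argmax(v):
    return max(range(len(v)), key=lambda j: v[j])


def rand_matrix(rows, cols, rng):
    return [[rng.uniform(-1, 1) for _ in range(cols)] for _ in range(rows)]


def key_space_bits(n_cols, vou_cols):
    """log2 of the number of distinct keys under this model: product of width! over the VOUs."""
    bits = 0.0
    for start in range(0, n_cols, vou_cols):
        width = min(vou_cols, n_cols - start)
        bits += math.log2(math.factorial(width))
    return bits


def demo(vou_cols=4, n_samples=200, seed=1):
    """Constructed 4-8-3 network and random inputs; compares true, keyed and attacker outputs."""
    rng = random.Random(seed)
    W1, W2 = rand_matrix(4, 8, rng), rand_matrix(8, 3, rng)
    keys = [make_key(8, vou_cols, seed + 1), make_key(3, vou_cols, seed + 2)]
    stored = [obfuscate(W1, keys[0], vou_cols), obfuscate(W2, keys[1], vou_cols)]
    xs = [[rng.uniform(-1, 1) for _ in range(4)] for _ in range(n_samples)]
    truth = [forward(x, [W1, W2]) for x in xs]
    with_key = [forward(x, stored, keys, vou_cols) for x in xs]
    attacker = [forward(x, stored) for x in xs]          # permuted cells, no key
    agree = lambda outs: sum(argmax(a) == argmax(b) for a, b in zip(outs, truth)) / n_samples
    return {
        "weights_changed": stored[0] != W1,              # what the probe sees differs from W1
        "key_agreement": agree(with_key),                # keyed path reproduces the model exactly
        "attacker_agreement": agree(attacker),           # top-1 agreement of the scrambled model
        "attacker_exact_match": attacker == truth,
        "key_bits": key_space_bits(8, vou_cols),
    }


if __name__ == "__main__":
    print(demo())
```

The keyed path is bit-exact with the unobfuscated model because unscrambling only reorders accumulated column currents; it adds no arithmetic, which is the property that lets the scheme avoid the endurance and performance cost of run-time weight encryption. The `key_bits` figure shows the obvious trade-off a practitioner should check for any VOU size: smaller VOUs mean a cheaper permutation network per crossbar but fewer keys per crossbar to brute-force, so the VOU width has to be set against the attacker's enumeration budget.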
