IEEE Journal on Emerging and Selected Topics in Circuits and Systems最新文献

{"title":"Systematical Evasion From Learning-Based Microarchitectural Attack Detection Tools","authors":"Debopriya Roy Dipta;Jonathan Tan;Berk Gulmezoglu","doi":"10.1109/JETCAS.2024.3491497","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3491497","url":null,"abstract":"Microarchitectural attacks threaten the security of individuals in a diverse set of platforms, such as personal computers, mobile phones, cloud environments, and AR/VR devices. Chip vendors are struggling to patch every hardware vulnerability in a timely manner, leaving billions of people’s private information under threat. Hence, dynamic attack detection tools which utilize hardware performance counters and machine learning (ML) models, have become popular for detecting ongoing attacks. In this study, we evaluate the robustness of various ML-based detection models with a sophisticated fuzzing framework. The framework manipulates hardware performance counters in a controlled manner using individual fuzzing blocks. Later, the framework is leveraged to modify the microarchitecture attack source code and to evade the detection tools. We evaluate our fuzzing framework with time overhead, achieved leakage rate, and the number of trials to successfully evade the detection.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"823-833"},"PeriodicalIF":3.7,"publicationDate":"2024-11-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821230","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"SecureComm: A Secure Data Transfer Framework for Neural Network Inference on CPU-FPGA Heterogeneous Edge Devices","authors":"Tian Chen;Yu-An Tan;Chunying Li;Zheng Zhang;Weizhi Meng;Yuanzhang Li","doi":"10.1109/JETCAS.2024.3491169","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3491169","url":null,"abstract":"With the increasing popularity of heterogeneous computing systems in Artificial Intelligence (AI) applications, ensuring the confidentiality and integrity of sensitive data transferred between different elements has become a critical challenge. In this paper, we propose an enhanced security framework called SecureComm to protect data transfer between ARM CPU and FPGA through Double Data Rate (DDR) memory on CPU-FPGA heterogeneous platforms. SecureComm extends the SM4 crypto module by incorporating a proposed Message Authentication Code (MAC) to ensure data confidentiality and integrity. It also constructs smart queues in the shared memory of DDR, which work in conjunction with the designed protocols to help schedule data flow and facilitate flexible adaptation to various AI tasks with different data scales. Furthermore, some of the hardware modules of SecureComm are improved and encapsulated as independent IPs to increase their versatility beyond the scope of this paper. We implemented several ARM CPU-FPGA collaborative AI applications to justify the security and evaluate the timing overhead of SecureComm. We also deployed SecureComm to non-AI tasks to demonstrate its versatility, ultimately offering suggestions for its use in tasks of varying data scales.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"811-822"},"PeriodicalIF":3.7,"publicationDate":"2024-11-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821274","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Variable Resolution Pixel Quantization for Low Power Machine Vision Application on Edge","authors":"Senorita Deb;Sai Sanjeet;Prabir Kumar Biswas;Bibhu Datta Sahoo","doi":"10.1109/JETCAS.2024.3490504","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3490504","url":null,"abstract":"This work describes an approach towards pixel quantization using variable resolution which is made feasible using image transformation in the analog domain. The main aim is to reduce the average bits-per-pixel (BPP) necessary for representing an image while maintaining the classification accuracy of a Convolutional Neural Network (CNN) that is trained for image classification. The proposed algorithm is based on the Hadamard transform that leads to a low-resolution variable quantization by the analog-to-digital converter (ADC) thus reducing the power dissipation in hardware at the sensor node. Despite the trade-offs inherent in image transformation, the proposed algorithm achieves competitive accuracy levels across various image sizes and ADC configurations, highlighting the importance of considering both accuracy and power consumption in edge computing applications. The schematic of a novel 1.5 bit ADC that incorporates the Hadamard transform is also proposed. A hardware implementation of the analog transformation followed by software-based variable quantization is done for the CIFAR-10 test dataset. The digitized data shows that the network can still identify transformed images with a remarkable 90% accuracy for 3-BPP transformed images following the proposed method.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"15 1","pages":"58-71"},"PeriodicalIF":3.7,"publicationDate":"2024-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143601937","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Extracting DNN Architectures via Runtime Profiling on Mobile GPUs","authors":"Dong Hyub Kim;Jonah O’Brien Weiss;Sandip Kundu","doi":"10.1109/JETCAS.2024.3488597","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3488597","url":null,"abstract":"Deep Neural Networks (DNNs) have become invaluable intellectual property for AI providers due to advancements fueled by a decade of research and development. However, recent studies have demonstrated the effectiveness of model extraction attacks, which threaten this value by stealing DNN models. These attacks can lead to misuse of personal data, safety risks in critical systems, and the spread of misinformation. This paper explores model extraction attacks on DNN models deployed on mobile devices, using runtime profiles as a side-channel. Since mobile devices are resource constrained, DNN deployments require optimization efforts to reduce latency. The main hurdle in extracting DNN architectures in this scenario is that optimization techniques, such as operator-level and graph-level fusion, can obfuscate the association between runtime profile operators and their corresponding DNN layers, posing challenges for adversaries to accurately predict the computation performed. To overcome this, we propose a novel method analyzing GPU call profiles to identify the original DNN architecture. Our approach achieves full accuracy in extracting DNN architectures from a predefined set, even when layer information is obscured. For unseen architectures, a layer-by-layer hyperparameter extraction method guided by sub-layer patterns is introduced, also achieving high accuracy. This research achieves two firsts: 1) targeting mobile GPUs for DNN architecture extraction and 2) successfully extracting architectures from optimized models with fused layers.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"620-633"},"PeriodicalIF":3.7,"publicationDate":"2024-10-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821286","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"On Function-Coupled Watermarks for Deep Neural Networks","authors":"Xiangyu Wen;Yu Li;Wei Jiang;Qiang Xu","doi":"10.1109/JETCAS.2024.3476386","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3476386","url":null,"abstract":"Well-performed deep neural networks (DNNs) generally require massive labeled data and computational resources for training. Various watermarking techniques are proposed to protect such intellectual properties (IPs), wherein the DNN providers can claim IP ownership by retrieving their embedded watermarks. While promising results are reported in the literature, existing solutions suffer from watermark removal attacks, such as model fine-tuning, model pruning, and model extraction. In this paper, we propose a novel DNN watermarking solution that can effectively defend against the above attacks. Our key insight is to enhance the coupling of the watermark and model functionalities such that removing the watermark would inevitably degrade the model’s performance on normal inputs. Specifically, on one hand, we sample inputs from the original training dataset and fuse them as watermark images. On the other hand, we randomly mask model weights during training to distribute the watermark information in the network. Our method can successfully defend against common watermark removal attacks, watermark ambiguity attacks, and existing widely used backdoor detection methods, outperforming existing solutions as demonstrated by evaluation results on various benchmarks. Our code is available at: \u0000<uri>https://github.com/cure-lab/Function-Coupled-Watermark</uri>\u0000.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"608-619"},"PeriodicalIF":3.7,"publicationDate":"2024-10-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10738841","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821233","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Model Agnostic Contrastive Explanations for Classification Models","authors":"Amit Dhurandhar;Tejaswini Pedapati;Avinash Balakrishnan;Pin-Yu Chen;Karthikeyan Shanmugam;Ruchir Puri","doi":"10.1109/JETCAS.2024.3486114","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3486114","url":null,"abstract":"Extensive surveys on explanations that are suitable for humans, claims that an explanation being contrastive is one of its most important traits. A few methods have been proposed to generate contrastive explanations for differentiable models such as deep neural networks, where one has complete access to the model. In this work, we propose a method, Model Agnostic Contrastive Explanations Method (MACEM), that can generate contrastive explanations for any classification model where one is able to only query the class probabilities for a desired input. This allows us to generate contrastive explanations for not only neural networks, but also models such as random forests, boosted trees and even arbitrary ensembles that are still amongst the state-of-the-art when learning on tabular data. Our method is also applicable to the scenarios where only the black-box access of the model is provided, implying that we can only obtain the predictions and prediction probabilities. With the advent of larger models, it is increasingly prevalent to be working in the black-box scenario, where the user will not necessarily have access to the model weights or parameters, and will only be able to interact with the model using an API. As such, to obtain meaningful explanations we propose a principled and scalable approach to handle real and categorical features leading to novel formulations for computing pertinent positives and negatives that form the essence of a contrastive explanation. A detailed treatment of this nature where we focus on scalability and handle different data types was not performed in the previous work, which assumed all features to be positive real valued with zero being indicative of the least interesting value. We part with this strong implicit assumption and generalize these methods so as to be applicable across a much wider range of problem settings. We quantitatively as well as qualitatively validate our approach over public datasets covering diverse domains.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"789-798"},"PeriodicalIF":3.7,"publicationDate":"2024-10-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821287","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Stealing the Invisible: Unveiling Pre-Trained CNN Models Through Adversarial Examples and Timing Side-Channels","authors":"Shubhi Shukla;Manaar Alam;Pabitra Mitra;Debdeep Mukhopadhyay","doi":"10.1109/JETCAS.2024.3485133","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3485133","url":null,"abstract":"Machine learning, with its myriad applications, has become an integral component of numerous AI systems. A common practice in this domain is the use of transfer learning, where a pre-trained model’s architecture, readily available to the public, is fine-tuned to suit specific tasks. As Machine Learning as a Service (MLaaS) platforms increasingly use pre-trained models in their backends, it is crucial to safeguard these architectures and understand their vulnerabilities. In this work, we present \u0000<monospace>ArchWhisperer</monospace>\u0000, a model fingerprinting attack approach based on the novel observation that the classification patterns of adversarial images can be used as a means to steal the models. Furthermore, the adversarial image classifications in conjunction with model inference times is used to further enhance our attack in terms of attack effectiveness as well as query budget. \u0000<monospace>ArchWhisperer</monospace>\u0000 is designed for typical user-level access in remote MLaaS environments and it exploits varying misclassifications of adversarial images across different models to fingerprint several renowned Convolutional Neural Network (CNN) and Vision Transformer (ViT) architectures. We utilize the profiling of remote model inference times to reduce the necessary adversarial images, subsequently decreasing the number of queries required. We have presented our results over 27 pre-trained models of different CNN and ViT architectures using CIFAR-10 dataset and demonstrate a high accuracy of 88.8% while keeping the query budget under 20. This is a marked improvement compared to state-of-the-art works.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"634-646"},"PeriodicalIF":3.7,"publicationDate":"2024-10-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821169","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"RLFL: A Reinforcement Learning Aggregation Approach for Hybrid Federated Learning Systems Using Full and Ternary Precision","authors":"HamidReza Imani;Jeff Anderson;Samuel Farid;Abdolah Amirany;Tarek El-Ghazawi","doi":"10.1109/JETCAS.2024.3483554","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3483554","url":null,"abstract":"Federated Learning (FL) has emerged as an approach to provide a privacy-preserving and communication-efficient Machine Learning (ML) framework in mobile-edge environments which are likely to be resource-constrained and heterogeneous. Therefore, the required precision level and performance from each of the devices may vary depending upon the circumstances, giving rise to designs containing mixed-precision and quantized models. Among the various quantization schemes, binary and ternary representations are significant since they enable arrangements that can strike effective balances between performance and precision. In this paper, we propose RLFL, a hybrid ternary/full-precision FL system along with a Reinforcement Learning (RL) aggregation method with the goal of improved performance comparing to a homogeneous ternary environment. This system consists a mix of clients with full-precision and resource-constrained clients with ternary ML models. However, aggregating models with ternary and full-precision weights using traditional aggregation approaches present a challenge due to the disparity in weight magnitudes. In order to obtain an improved accuracy, we use a deep RL model to explore and optimize the amount of contribution assigned to each client’s model for aggregation in each iteration. We evaluate and compare accuracy and communication overhead of the proposed approach against the prior work for the classification of MNIST, FMNIST, and CIFAR10 datasets. Evaluation results show that the proposed RLFL system, along with its aggregation technique, outperforms the existing FL approaches in accuracy ranging from 5% to 19% while imposing negligible computation overhead.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"673-687"},"PeriodicalIF":3.7,"publicationDate":"2024-10-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821201","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"A Reinforcement Learning-Based ELF Adversarial Malicious Sample Generation Method","authors":"Mingfu Xue;Jinlong Fu;Zhiyuan Li;Shifeng Ni;Heyi Wu;Leo Yu Zhang;Yushu Zhang;Weiqiang Liu","doi":"10.1109/JETCAS.2024.3481273","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3481273","url":null,"abstract":"In recent years, domestic Linux operating systems have developed rapidly, but the threat of ELF viruses has become increasingly prominent. Currently, domestic antivirus software for information technology application innovation (ITAI) operating systems shows insufficient capability in detecting ELF viruses. At the same time, research on generating malicious samples in ELF format is scarce. In order to fill this gap at home and abroad and meet the growing application needs of domestic antivirus software companies, this paper proposes an automatic ELF adversarial malicious samples generation technique based on reinforcement learning. Based on reinforcement learning framework, after being processed by cycles of feature extraction, malicious detection, agent decision-making, and evade-detection operation, the sample can evade the detection of antivirus engines. Specifically, nine feature extractor subclasses are used to extract features in multiple aspects. The PPO algorithm is used as the agent algorithm. The action table in the evade-detection module contains 11 evade-detection operations for ELF malicious samples. This method is experimentally verified on the ITAI operating system, and the ELF malicious sample set on the Linux x86 platform is used as the original sample set. The detection rate of this sample set by ClamAV before processing is 98%, and the detection rate drops to 25% after processing. The detection rate of this sample set by 360 Security before processing is 4%, and the detection rate drops to 1% after processing. Furthermore, after processing, the average number of engines on VirusTotal that could detect the maliciousness of the samples decreases from 39 to 15. Many malicious samples were detected by \u0000<inline-formula> <tex-math>$41sim 43$ </tex-math></inline-formula>\u0000 engines on VirusTotal before processing, while after the evade-detection processing, only \u0000<inline-formula> <tex-math>$8sim 9$ </tex-math></inline-formula>\u0000 engines on VirusTotal can detect the malware. In terms of executability and malicious function consistency, the processed samples can still run normally and the malicious functions remain consistent with those before processing. Overall, the proposed method in this paper can effectively generate adversarial ELF malware samples. Using this method to generate malicious samples to test and train the anti-virus software can promote and improve anti-virus software’s detection and defense capability against malware.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"743-757"},"PeriodicalIF":3.7,"publicationDate":"2024-10-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821272","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"RobustDA: Lightweight Robust Domain Adaptation for Evolving Data at Edge","authors":"Xinyu Guo;Xiaojiang Zuo;Rui Han;Junyan Ouyang;Jing Xie;Chi Harold Liu;Qinglong Zhang;Ying Guo;Jing Chen;Lydia Y. Chen","doi":"10.1109/JETCAS.2024.3478359","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3478359","url":null,"abstract":"AI applications powered by deep learning models are increasingly run natively at edge. A deployed model not only encounters continuously evolving input distributions (domains) but also faces adversarial attacks from third-party. This necessitates adapting the model to shifting domains to maintain high natural accuracy, while avoiding degrading the model’s robust accuracy. However, existing domain adaptation and adversarial attack preventation techniques often have conflicting optimization objectives and they rely on time-consuming training process. This paper presents RobustDA, an on-device lightweight approach that co-optimizes natural and robust accuracies in model retraining. It uses a set of low-rank adapters to retain all learned domains’ knowledge with small overheads. In each model retraining, RobustDA constructs an adapter to separate domain-related and robust-related model parameters to avoid their conflicts in updating. Based on the retained knowledge, it quickly generates adversarial examples with high-quality pseudo-labels and uses them to accelerate the retraining process. We demonstrate that, comparing against 14 state-of-the-art DA techniques under 7 prevalent adversarial attacks on edge devices, the proposed co-optimization approach improves natural and robust accuracies by 6.34% and 11.41% simultaneously. Under the same accuracy, RobustDA also speeds up the retraining process by 4.09x.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"688-704"},"PeriodicalIF":3.7,"publicationDate":"2024-10-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821199","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}