Addressing securiTy Threats to artIficiaL intelligence in Approximate computing systems – ATTILA
We are witnessing unprecedented deployments of Cyber-Physical Systems (CPS) to monitor and control the environment, including critical infrastructures. The Internet of Things federates these edge computing systems with the cloud, and all of them make increasing use of Artificial Intelligence (AI) to provide high inference quality and autonomous decision-making capabilities. The result is an enormous network of billions of highly heterogeneous computing systems that are highly exposed to cyber attacks and that require unprecedented amounts of energy to operate. We have never before witnessed as many and as varied attacks at all levels of computer systems. Nor has training a single AI model ever required so much energy, with a carbon footprint several times the lifetime emissions of one car, which clearly poses severe sustainability challenges. After decades focused on performance, this has awakened the community to seriously address the security and energy efficiency of computing systems, which largely drives research today.
There is a large body of work focused on improving the performance and energy efficiency of AI systems. Approximate computing (AxC) is an emerging paradigm that relaxes the accuracy requirements of computing systems, tolerating errors in computations to trade off quality of results against a reduced usage of computational resources. The reduced computational complexity allows building faster, simpler and less power-hungry computing systems. In parallel, the accessibility and connectivity of CPS unveil an enormous attack surface, so cybersecurity is a major concern and security is embraced as a key design goal. Renowned cyber attacks on critical infrastructures in recent years have shown a large potential to cause major impacts on the security, safety and privacy of personal and corporate data. Research on hardware security has largely focused on providing side-channel-resistant cryptographic systems. However, an increasing number of attacks are now directed at AI systems, compromising private data and secret corporate IP models.
In this scenario, where ubiquitous deployments of AI-enabled CPS are increasingly making autonomous decisions and operating without human intervention, it is of paramount importance to secure our cyberinfrastructures in order to protect the smart society we are heading into. This is the ultimate objective ATTILA aims to contribute to: securing AI.
ATTILA addresses this challenge by focusing on the security of hardware implementations of AI-enabled edge CPS that use AxC, which is present in an increasingly large share of systems to reduce energy consumption. Since the interplay between AxC and security is only starting to be considered, its resulting impact is largely unknown. To the best of our knowledge, ATTILA is the first work studying the side-channel vulnerabilities associated with AxC techniques, such as extreme voltage overscaling and quantization, in approximate Deep Neural Network (DNN) accelerators running on reconfigurable devices, which are uniquely suited to AxC. We focus initially on power side-channels and build an experimental side-channel analysis (SCA) set-up to study the impact of approximations on leakage behavior and SCA resistance. To contribute to building more secure implementations, we perform a design space exploration of DNN implementations with configurable approximation levels, building Pareto fronts that facilitate trading off SCA resistance against inference quality. ATTILA also addresses countermeasures through an intelligent run-time manager that leverages AxC to make attacks more difficult, enabling the system to self-adapt its approximation level in order to modify its side-channel leakage behavior at run time. We initially consider standard SCA techniques to shed light on the impact of AxC on the SCA resistance of approximate DNNs, and then move on to ML-based techniques and EM side-channels to study the applicability and generalizability of our earlier findings.
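The design space exploration described above, which ranks approximate DNN configurations on two objectives (inference quality and SCA resistance) and keeps only the non-dominated ones, can be illustrated with a small Pareto-front computation. The following is an added example and not ATTILA project code: the design points, their accuracy figures and their side-channel resistance figures are constructed, and the use of "minimum traces to disclosure" (MTD) as the SCA-resistance metric is an assumption made here for illustration. The `pick_configuration` helper sketches the kind of decision a run-time manager would make when it selects an approximation level under an accuracy floor.

```python
"""Pareto-front design space exploration of approximate DNN accelerator
configurations (added example; not code from the ATTILA project).

Each design point is one setting of the AxC knobs named on the page
(weight quantization width, supply-voltage scaling) together with two
measured objectives: inference accuracy (higher is better) and a
side-channel resistance proxy, here assumed to be the minimum number
of power traces an evaluator needs to recover a secret (higher is
better). All numbers below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DesignPoint:
    name: str
    weight_bits: int      # quantization width of the weights (AxC knob)
    vdd_scaling: float    # supply voltage relative to nominal (AxC knob)
    accuracy: float       # top-1 inference accuracy in [0, 1]
    mtd_traces: int       # assumed SCA-resistance proxy: min. traces to disclosure


# Constructed design space: the values are hypothetical and do not
# represent measurements from any real accelerator.
DESIGN_SPACE: List[DesignPoint] = [
    DesignPoint("baseline_16b",  16, 1.00, 0.930,  2000),
    DesignPoint("q8",             8, 1.00, 0.925,  3500),
    DesignPoint("q8_vos085",      8, 0.85, 0.900,  9000),
    DesignPoint("q8_vos075",      8, 0.75, 0.820, 12000),
    DesignPoint("q6_vos090",      6, 0.90, 0.880,  7000),
    DesignPoint("q4",             4, 1.00, 0.850,  6000),
]


def dominates(a: DesignPoint, b: DesignPoint) -> bool:
    """True if `a` is at least as good as `b` on both objectives and
    strictly better on at least one (both objectives are maximised)."""
    no_worse = a.accuracy >= b.accuracy and a.mtd_traces >= b.mtd_traces
    better = a.accuracy > b.accuracy or a.mtd_traces > b.mtd_traces
    return no_worse and better


def pareto_front(points: List[DesignPoint]) -> List[DesignPoint]:
    """Return the non-dominated design points, sorted by decreasing
    accuracy so the front reads as an accuracy/resistance trade-off curve."""
    front = [p for p in points
             if not any(dominates(q, p) for q in points if q is not p)]
    return sorted(front, key=lambda p: p.accuracy, reverse=True)


def pick_configuration(front: List[DesignPoint],
                       min_accuracy: float) -> Optional[DesignPoint]:
    """Run-time-manager style choice: among front points that meet the
    accuracy floor, take the most side-channel resistant one.
    Returns None when no configuration satisfies the floor."""
    candidates = [p for p in front if p.accuracy >= min_accuracy]
    if not candidates:
        return None
    return max(candidates, key=lambda p: p.mtd_traces)


if __name__ == "__main__":
    front = pareto_front(DESIGN_SPACE)
    for p in front:
        print(f"{p.name:13s} bits={p.weight_bits:2d} vdd={p.vdd_scaling:.2f} "
              f"acc={p.accuracy:.3f} mtd={p.mtd_traces}")
    chosen = pick_configuration(front, min_accuracy=0.89)
    print("chosen for accuracy floor 0.89:", chosen.name if chosen else None)
```

On the constructed data, `q6_vos090` and `q4` drop out of the front because `q8_vos085` beats both on accuracy and on the resistance proxy, leaving four trade-off points; with an accuracy floor of 0.89 the manager selects `q8_vos085`. In a real exploration the objective values would come from the measurement set-up the page describes, and the direction of the AxC effect on leakage is exactly what such measurements are meant to establish, not something this example assumes.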
Project coordination
Ruben Salvador (Institut d'Electronique et des Technologies du numéRique (IETR))
The author of this summary is the project coordinator, who is responsible for its content. The ANR declines any responsibility for its contents.
Partnership
IETR: Institut d'Electronique et des Technologies du numéRique
ANR funding: 286,944 euros
Beginning and duration of the scientific project:
- 42 Months