Neuromorphic computing based on spiking neural networks (SNNs) is emerging as a promising alternative to traditional artificial neural networks (ANNs), offering unique advantages in terms of low power consumption. However, the security aspect of SNNs is under-explored compared to their ANN counterparts. As the increasing reliance on AI systems comes with unique security risks and challenges, understanding the vulnerabilities and threat landscape is essential as neuromorphic computing matures. In this effort, we propose a novel input-triggered Hardware Trojan (HT) attack for SNNs. The HT mechanism is confined to the area of a single neuron. The trigger mechanism is an input message crafted in the spiking domain such that a selected neuron produces a malicious spike train that does not occur under normal operation. This spike train triggers a malicious modification in the neuron that forces it to saturate, firing permanently and failing to recover to its resting state even when the input activity stops. The excessive spikes pollute the network and produce misleading decisions. We propose a methodology to select an appropriate neuron and to generate the input pattern that triggers the HT payload. The attack is illustrated by simulation on three popular benchmarks in the neuromorphic community. We also propose a hardware implementation for an analog spiking neuron and a digital SNN accelerator, demonstrating that the HT has a negligible area and power footprint and, thereby, can easily evade detection.
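As an added illustration (not code from the paper), the following models the failure mode the abstract describes, a neuron that keeps firing after its input stops, and a runtime invariant check a defender could run over recorded spike trains. It assumes a simple discrete-time leaky integrate-and-fire (LIF) neuron and represents the saturation payload only as a neuron forced to fire on every step; the trigger and the circuit-level mechanism are not modelled.

```python
# Constructed fault model and detector for a permanently-firing ("saturated") neuron.
# Assumption: discrete-time LIF, v[t] = leak * v[t-1] + I[t], spike and reset when v >= v_th.

def simulate_lif(input_current, leak=0.9, v_th=1.0, stuck_from=None):
    """Return the spike train (list of 0/1) of one LIF neuron.

    stuck_from: optional time step from which the neuron fires every step regardless
    of input. This stands in for the saturation payload described in the abstract; it
    is a constructed model, not the paper's hardware modification.
    """
    v = 0.0
    spikes = []
    for t, i_in in enumerate(input_current):
        if stuck_from is not None and t >= stuck_from:
            spikes.append(1)          # saturated: fires unconditionally
            continue
        v = leak * v + i_in           # leaky integration
        if v >= v_th:
            spikes.append(1)
            v = 0.0                   # reset to resting potential
        else:
            spikes.append(0)
    return spikes


def first_violation(input_current, spikes, quiet_window=5):
    """Return the first step at which the neuron fired on every one of the last
    quiet_window steps while its input was zero, or None if the invariant holds.

    A healthy LIF neuron with zero input can only decay toward rest, so sustained
    firing during input silence is exactly the post-trigger behaviour to flag.
    """
    for t in range(quiet_window - 1, len(spikes)):
        window = range(t - quiet_window + 1, t + 1)
        if all(input_current[k] == 0 for k in window) and all(spikes[k] == 1 for k in window):
            return t
    return None


# Constructed stimulus: 30 steps of constant drive, then 20 steps of silence.
STIMULUS = [0.5] * 30 + [0.0] * 20

if __name__ == "__main__":
    healthy = simulate_lif(STIMULUS)
    stuck = simulate_lif(STIMULUS, stuck_from=15)
    print("healthy neuron flagged at:", first_violation(STIMULUS, healthy))   # None
    print("saturated neuron flagged at:", first_violation(STIMULUS, stuck))   # 34
```

The check only needs the input activity and the spike train of a monitored neuron, so it can be applied offline to simulation traces or to spike logs captured from an accelerator.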