The RRAM-based neuromorphic computing system (NCS) has attracted intense interest for its data processing capability and energy efficiency, which are superior to those of traditional architectures, and it is therefore widely used in many data-centric applications. The reliability and security of the NCS have consequently become essential problems. In this paper, we systematically investigate the adversarial threats to the RRAM-based NCS and observe that the RRAM hardware features can be leveraged to strengthen the attack effect, a factor that previous algorithmic attack methods have not given sufficient attention. We therefore propose two types of hardware-aware attack methods for different attack scenarios and objectives. The first is an adversarial attack, VADER, which perturbs the input samples to mislead the predictions of neural networks. The second is a fault injection attack, EFI, which perturbs the network parameter space so that a specified sample is classified to a target label while the prediction accuracy on other samples is maintained. Both attack methods leverage the RRAM properties to improve their effectiveness compared with conventional attack methods. Experimental results show that our hardware-aware attack methods can achieve nearly 100% attack success rate at extremely low operational cost while maintaining attack stealthiness.