Fault injection attacks are a potent threat against embedded implementations of neural network models. Several attack vectors have been proposed, such as misclassification, model extraction, and trojan/backdoor planting. Most of these attacks work by flipping bits in the memory where quantized model parameters are stored. In this paper, we introduce an encoding-based protection method against bit-flip attacks on neural networks, titled DeepNcode. We experimentally evaluate our proposal with several publicly available models and datasets, by using state-of-the-art bit-flip attacks: BFA, T-BFA, and TA-LBF. Our results show an increase in protection margin of up to $7.6\times$ for 4-bit and $12.4\times$ for 8-bit quantized networks. Memory overheads start at $50\%$ of the original network size, while the time overheads are negligible. Moreover, DeepNcode does not require retraining and does not change the original accuracy of the model.