The execution of deep neural network (DNN) algorithms suffers from significant bottlenecks due to the separation of the processing and memory units in traditional computer systems. Emerging memristive computing systems introduce an in situ approach that overcomes this bottleneck. The non-volatility of memristive devices, however, may expose the DNN weights stored in memristive crossbars to potential theft attacks. Therefore, this paper proposes a two-dimensional permutation-based protection (TDPP) method that thwarts such attacks. We first introduce the underlying concept that motivates the TDPP method: permuting both the rows and the columns of the DNN weight matrices. This contrasts with previous methods, which permuted only a single dimension of the weight matrices, either the rows or the columns. While it is possible for an adversary to access the matrix values, the original arrangement of rows and columns in the matrices remains concealed. As a result, a DNN model extracted from the accessed matrix values would fail to operate correctly. We consider two different memristive computing systems (designed for layer-by-layer and layer-parallel processing, respectively) and demonstrate how the TDPP method can be embedded into each of them. Finally, we present a security analysis. Our experiments demonstrate that TDPP achieves effectiveness comparable to prior approaches, with a high level of security when appropriately parameterized. In addition, TDPP is more scalable than previous methods and results in reduced area and power overheads. Compared to prior works, area and power are reduced by 1218$\times$ and 2815$\times$, respectively, for the layer-by-layer system and by 178$\times$ and 203$\times$ for the layer-parallel system.
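To make the two-dimensional permutation idea concrete, the following added example (not the paper's code) stores a weight matrix as $P_r W P_c^T$ and shows that the holder of both permutations recovers the correct layer output while the raw crossbar contents alone do not. The 4x6 weights, the ReLU dense layer and the two secret permutations are all constructed here for illustration.

```python
import numpy as np
from math import factorial

def permutation_matrix(perm):
    # P such that (P @ v)[i] == v[perm[i]]
    P = np.zeros((len(perm), len(perm)))
    P[np.arange(len(perm)), perm] = 1.0
    return P

def protect(W, row_perm, col_perm):
    # Weights as written to the crossbar: both dimensions permuted,
    # so W_stored[i, j] == W[row_perm[i], col_perm[j]]
    Pr = permutation_matrix(row_perm)
    Pc = permutation_matrix(col_perm)
    return Pr @ W @ Pc.T

def layer(W, x):
    # Toy dense layer with ReLU (an assumption of this example)
    return np.maximum(W @ x, 0.0)

def authorized_forward(W_stored, x, row_perm, col_perm):
    # Holder of both permutations: permute the input to match the stored
    # column order, compute, then un-permute the output rows. Because ReLU
    # is elementwise, Pr^T relu(Pr W Pc^T Pc x) == relu(W x).
    Pr = permutation_matrix(row_perm)
    Pc = permutation_matrix(col_perm)
    return Pr.T @ layer(W_stored, Pc @ x)

def attacker_forward(W_stored, x):
    # Someone who read the crossbar values but knows neither permutation
    return layer(W_stored, x)

def keyspace_size(rows, cols):
    # Candidate (row, column) permutation pairs for one matrix;
    # permuting a single dimension would give only rows! or cols!
    return factorial(rows) * factorial(cols)

def demo():
    # Constructed 4x6 weights and input, small enough to check by hand
    W = np.arange(1.0, 25.0).reshape(4, 6)
    x = np.arange(1.0, 7.0)
    row_perm = [2, 0, 3, 1]          # constructed secret permutations
    col_perm = [5, 3, 0, 1, 4, 2]
    W_stored = protect(W, row_perm, col_perm)
    y_ref = layer(W, x)
    y_auth = authorized_forward(W_stored, x, row_perm, col_perm)
    y_adv = attacker_forward(W_stored, x)
    return y_ref.tolist(), y_auth.tolist(), y_adv.tolist(), keyspace_size(4, 6)

if __name__ == "__main__":
    print(demo())
```

The example models only the mathematical concept; how the permutations are applied in hardware and how they are keyed for the layer-by-layer and layer-parallel systems is the subject of the paper itself.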