With deep learning deployed in many security-sensitive areas, machine learning security is becoming progressively important. Recent studies demonstrate that attackers can use system-level techniques that exploit the RowHammer vulnerability of DRAM to deterministically and precisely flip bits in Deep Neural Network (DNN) model weights and thereby degrade inference accuracy. The existing defense mechanisms are software-based, such as weight reconstruction, and either require expensive training overhead or cause performance degradation. On the other hand, generic hardware-based victim-/aggressor-focused mechanisms impose expensive hardware overheads and preserve the spatial connection between victim and aggressor rows. In this paper, we present the first DRAM-based victim-focused defense mechanism tailored for quantized DNNs, named DNN-Defender, which leverages the potential of in-DRAM swapping to withstand targeted bit-flip attacks. Our results indicate that DNN-Defender delivers a high level of protection, downgrading the performance of targeted RowHammer attacks to the level of a random attack. In addition, the proposed defense causes no accuracy drop on the CIFAR-10 and ImageNet datasets without requiring any software training or incurring additional hardware overhead.
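The abstract's central claim is that swapping the contents of a victim row inside DRAM turns a precisely targeted weight bit-flip into one that lands on an arbitrary weight, so its damage drops to the level of a random flip. The following toy simulation, added here as an illustration and not code from the paper, shows that effect on a single quantized neuron. The symmetric 8-bit quantization, the four-weights-per-row layout, the logical-to-physical row map, the brute-force sensitivity search standing in for a gradient-guided attacker, the spare-row choice, and the sample weights and input vector are all constructed assumptions.

```python
"""Toy model of a targeted bit-flip on quantized DNN weights and of a
victim-row swapping defense in the spirit of DNN-Defender.

Added illustration, not the paper's code: the DRAM layout, the symmetric
8-bit quantization and the swap policy below are simplifying assumptions.
"""

BITS = 8
ROW_LEN = 4  # assumed: weights per DRAM row in this toy layout


def quantize(weights):
    """Symmetric per-tensor quantization of floats to signed 8-bit integers."""
    qmax = 2 ** (BITS - 1) - 1
    scale = max(abs(w) for w in weights) / qmax
    return [max(-qmax - 1, min(qmax, round(w / scale))) for w in weights], scale


def flip_bit(q, bit):
    """Return q with one bit of its two's-complement encoding flipped."""
    u = (q & ((1 << BITS) - 1)) ^ (1 << bit)
    return u - (1 << BITS) if u >= 1 << (BITS - 1) else u


class WeightMemory:
    """Quantized weights in DRAM-like rows plus a logical->physical row map.

    The map stands in for the address remapping a swapping defense must keep
    so that legitimate reads still return the right weights after a swap.
    """

    def __init__(self, q):
        self.rows = [q[i:i + ROW_LEN] for i in range(0, len(q), ROW_LEN)]
        self.phys_of = list(range(len(self.rows)))  # logical row -> physical row

    def read(self):
        """Logical weight vector as the inference engine sees it."""
        return [w for r in self.phys_of for w in self.rows[r]]

    def hammer(self, phys_row, col, bit):
        """Model a RowHammer-induced flip at a fixed physical location."""
        self.rows[phys_row][col] = flip_bit(self.rows[phys_row][col], bit)

    def swap_rows(self, phys_a, phys_b):
        """Defense: in-DRAM swap of two rows' contents plus map update."""
        self.rows[phys_a], self.rows[phys_b] = self.rows[phys_b], self.rows[phys_a]
        la, lb = self.phys_of.index(phys_a), self.phys_of.index(phys_b)
        self.phys_of[la], self.phys_of[lb] = phys_b, phys_a


def output_error(mem, scale, x, reference):
    """Absolute deviation of a dot-product neuron from its clean output."""
    out = sum(q * scale * xi for q, xi in zip(mem.read(), x))
    return abs(out - reference)


def most_sensitive_flip(q, x):
    """Attacker model with layout knowledge: the (weight, bit) whose flip
    moves the neuron output the most, found by exhaustive search here as a
    stand-in for gradient-guided bit search. Returns (row, col, bit)."""
    _, i, b = max((abs((flip_bit(v, b) - v) * x[i]), i, b)
                  for i, v in enumerate(q) for b in range(BITS))
    return divmod(i, ROW_LEN) + (b,)


def expected_random_error(q, scale, x):
    """Mean output deviation over all (weight, bit) choices: the damage a
    location-agnostic (random) flip causes on average."""
    errs = [abs((flip_bit(v, b) - v) * x[i]) * scale
            for i, v in enumerate(q) for b in range(BITS)]
    return sum(errs) / len(errs)


def simulate(weights, x, defend):
    """Targeted flip with or without the swap defense; returns the deviation."""
    q, scale = quantize(weights)
    reference = sum(v * scale * xi for v, xi in zip(q, x))
    mem = WeightMemory(q)
    row, col, bit = most_sensitive_flip(q, x)
    if defend:
        # Assumed policy: once the victim row is identified, move its
        # contents to the neighbouring row before the disturbance lands.
        spare = (row + 1) % len(mem.rows)
        mem.swap_rows(row, spare)
        assert mem.read() == q  # legitimate reads are unaffected by the swap
    mem.hammer(row, col, bit)  # the flip still hits the precomputed address
    return output_error(mem, scale, x, reference)


# Constructed sample layer: 8 weights and one input vector for the neuron.
WEIGHTS = [0.1, -0.2, 0.05, 1.0, 0.3, -0.1, 0.02, 0.15]
X = [0.5, 2.0, -1.5, 0.25, 0.1, 0.2, -0.05, 0.3]

if __name__ == "__main__":
    q, scale = quantize(WEIGHTS)
    print("targeted, no defense :", round(simulate(WEIGHTS, X, False), 4))
    print("targeted, with swap  :", round(simulate(WEIGHTS, X, True), 4))
    print("random flip, expected:", round(expected_random_error(q, scale, X), 4))
```

Without the swap, the precomputed address hits the weight paired with the largest input and shifts the neuron output by 256/127; after the swap the same physical address holds a different weight, and the deviation falls to 25.6/127, in the same range as the average over all random (weight, bit) choices. The `phys_of` map is the part a real design has to get right: the defense only preserves accuracy if every legitimate read goes through the updated mapping.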