Biologically plausible Spiking Neural Networks (SNNs), characterized by spike sparsity, are attracting tremendous attention for intelligent edge devices and critical biomedical applications as compared to artificial neural networks (ANNs). However, there is a considerable risk from malicious attempts to extract white-box information (i.e., weights) from SNNs, as attackers could exploit well-trained SNNs for profit and for white-box adversarial purposes. Intellectual property (IP) protection measures are therefore urgently needed. In this paper, we present a novel secure software-hardware co-designed RRAM-based neuromorphic accelerator for protecting the IP of SNNs. On the software side, we design a tailored genetic algorithm with classic XOR encryption to identify the smallest number of weights that need encryption. On the hardware side, we develop a low-energy decryption module, meticulously designed to provide zero decryption latency. Extensive results from various datasets, including NMNIST, DVSGesture, EEGMMIDB, Braille Letter, and SHD, demonstrate that our proposed method effectively secures SNNs by encrypting a minimal fraction of stealthy weights, only 0.00005% to 0.016% of weight bits. Additionally, it achieves a substantial reduction in energy consumption, ranging from 59x to 6780x, and significantly lowers decryption latency, by 175x to 4250x. Moreover, our method requires as little as one sample per class in the dataset for encryption and addresses the insensitivity problems of Hessian/gradient-based search. This strategy offers a highly efficient and flexible solution for securing SNNs in diverse applications.