Peiyao Sun, Basel Halak, Tom J. Kázmierski
Abstract: Convolutional neural network accelerators are increasingly used in safety-critical applications, including autonomous vehicles. Therefore, they are particularly vulnerable to hardware Trojan insertion, a security attack that takes place during the development of integrated circuits. This work presents for the first time a large-scale study of the impact of hardware Trojan insertion on convolutional neural network accelerators, focusing on those that use approximate computing techniques, prevalent in embedded applications. We investigate three types of such networks, MobileNet V2, ShuffleNet V2, and GhostNet, trained on datasets of grayscale speed limit sign images and GTSRB. Our results show that certain parts of these architectures are more susceptible to hardware Trojan attacks, namely a specific set of processing elements, referred to as “important” in the classification, ReLU6, and Max pooling layers, respectively. These findings are subsequently used to develop two countermeasures; the first relies on selective hardware redundancy (SHR), and the second uses a combination of hardware and time redundancy (SHTR). The proposed defenses are experimentally validated. Our results show that SHR provides speedy recovery from an attack while incurring between 6 and 10% area overhead, whereas SHTR requires more time to detect the Trojan, and its area overhead is much smaller (~0.3%).