The Unlikely Hero: Nonideality in Analog Photonic Neural Networks as Built-in Defender Against Adversarial Attacks
Haotian Lu, Ziang Yin, Partho Bhoumik, Sanmitra Banerjee, Krishnendu Chakrabarty, Jiaqi Gu
Arizona State University, School of Electrical, Computer and Energy Engineering
jiaqiguasu.edu | scopex-asu.github.io
March 7, 2025

Photonic ML Accelerators
- Evolve from electronics to heterogenous electronics-photonics
- Optical-electronic hybrid chips (10 TOPS/W)
- Fully-optical chips, neuromorphic photonics (1E6 TOPS/W)
- Figure axes: Energy Efficiency (TOPS/W), Compute Density (TOPS/mm2)
- Speed-of-light, massive parallelism, low-power potential
- Source: Mitchell A. Nahmias, Bhavin J. Shastri, Alexander N. Tait, Thomas Ferreira de Lima and Paul R. Prucnal, "Neuromorphic photonics," Optics & Photonics News, Jan 2018.

Photonic AI System is Booming
- Photonic Neural Network Trends in Academia: SciRep17, Nat.Photon17, ASP-DAC20, DATE20, Nature19, ASP-DAC19, DATE21, APR20, Nature21, HPCA20, PhysRev19, Nature21, Nat.Comm.22, Nat.Comm.22, Science24, Nanophotonics24
- Photonic Computing Chip + Optical Interconnects
- Foundry/EPDA Support in Industry
  - Electronic-Photonic Design Automation Tools
  - PDK/Tape-out/HI/E-O Co-Packaging Support

Gaps in Electronic-Photonic AI Eco-systems
- EPIC AI ecosystem is in early stage, many new challenges
- Reliability: Variations + Attacks. Accuracy loss 95% 60%
- Area/E-O Cost: 40200 2. Large spatial footprint, E-O/A-D conversion
- Reconfigurability: Lack of versatility for diverse workloads
- Precision? Low precision in encoding
- Our concern in this paper

Reliability is Severely Challenged by Attack
- Security problem is under-explored for AMS photonic AI hardware
- Serious reliability concerns with two enemies? Malicious attack + Hardware non-ideality

Bit-flip Attack in Photonic AI Hardware
- Bit-flip (PBFA) [Rakin+, ICCV19] poses great threat to Photonic AI HW
- White-box attack, arbitrary bit-flip available in model weights
- First-order Gradient-based, Progressive
- Search the most vulnerable bit index to flip/iteration: largest acc. drop & loss
- Hamming Distance (HD) and Inference Budget (Tinf) constraint
- Hint: Attacks happen on MSB mostly
- min;max;.1;#model inf.
- Threat Model

Prior Defense Methods for Photonic AI HW
Existing Defense vs. Attack

                      NAT [Gu+, DATE20]   BAT [He+, CVPR20]   Pruning [Li+, DATE21]
Require Training?     Training-based      Training-based      Training-free
Occurrence            Pre-attack          Pre-attack          Post-attack
Mem. Overhead         0                   0                   Relatively High
Recovery Performance  Low                 Relatively High     Relatively High

- Common Challenges
  - Either Pre- or Post-attack protection
  - Lack of effective while efficient defense framework targeted on photonic AI hardware
- Novel defense method needs: Training-free + Pre & Post Protection + High Mem. Efficiency, High Acc. Recovery

Analog AI Accel. Nonideality: Double-edged Sword
- Security problem is un-explored for photonic AI hardware
- Insight: Hardware nonideality can be built-in defender
- Nonideality: Quantization, Sparsity, On-chip Noise, etc.
- Malicious attack vs. Hardware non-ideality

Proposed Synergistic Defense Framework
1. Quantize-inspired Pre-attack Defense
  - Protect via optics-specific encoding
  - Memory efficiency optimization
2. Prune-inspired Post-attack Recovery
  - Efficient detection of bit-flipped weights
  - Error correction via weight locking
- Full Protection: near-ideal acc. recovery (2% drop), marginal memory cost (2% ovhd)

Minimize Weight Sensitivity by Unary Represent.
- Electro-optic DAC: unary encode, min sensitivity (LSB), built-in defender
- Exponential memory overhead
- .bit BCD number 2 1 bit Unary number=#:No MSB in,all LSB=2 1 32 OVHD for =8-bit
- How to reduce the memory overhead required by Unary Representation?

Memory-Efficient Unary Enc.: Low-bit Quant
- Sol 1: Low-bit quantized model
- Low-bit models are robust against attack
- Trade-off among (mem-efficiency, robustness, expressivity)

Memory-Efficient Unary Enc.: Vulnerable Weights
- Sol 2: Only protect vulnerable weights
- How to identify vulnerable weights?
  - Weight sensitivity represented by second-order Taylor Expansion
  - Bitflip-injection during sensitive weight search
- How to assign limited memory budget?
  - Uneven sensitivity distribution in layers
  - Top-Sensitive-Layer Assignment for given mem. budget: Fill most sensitive first!
- =+

Memory-Efficient Unary Enc.: Fold & Truncation
- Sol 3: Fold & Truncate the encoding
- Observation: Sensitive weights have small abs values (Gaussian-like Distribution)
- Waste to store trailing 0s: Truncate unnecessary 0s to bins (TU)
- Negative values still take large #bits: Fold symmetric encoding (TCU). pos.: count 1s; neg.: count 0s
- Truncated Complementary Unary
- ():2 1 bit ():2log2min ,|2|1 bit():2 1 bit ():2log2|1 bit

Quantization-Inspired: Pre-deploy Protection
- Truncated complementary unary (TCU) + protect vulnerable weights
- Attack-injected Weight Protection Search for vulnerable weights: mem.-efficient & secure
- Pre-deploy provides insufficient target-less protection. How to compensate for potential protection miss?

Group-based Detection: Checksum
- Post-deploy protection: detect, correct
- Detection of Attacked Weights
  - Interleaving weight group, layer-wise
  - MSB checksum verification [Li+, DATE21]
  - 2-bit checksum for a group of weights
  - Pinpoint MSB-targeted attacks with high coverage (might miss attacked weights; cannot localize specific weight in a group)
- How to correct detected weights?
  - No access to original values anymore: assign a value to wipe out attacks (prior work prunes it to 0, not good, like self-attack)
- Figure label: Weight groups

Preparation for Group-based Weight Recovery
- Which values should we assign? (Trade off accuracy vs. robustness)
- Smart values to assign: group centroid
- Sensitivity-aware cluster centroids
  - Total K clusters in (cluster size: G)
  - K-Means clustering, K centroids
  - Assign one centroid each group
- How to make it attack-aware?
  - Sensitivity-aware distance in K-means
  - Attack injection to evaluate post-attack acc.
- How to make it memory-efficient?
  - Prefer larger G and smaller K for lower cost

Proposed Weights Grouping and Vulnerability-aware Clustering
- =+.

Pruning-Inspired: Post-deploy Recovery
- Pruning-Inspired protection: weight locking
- Smartly group weights and lock to centroids (vulnerability-aware K-Means): wipe attacked weights & maintain acc & mem-efficient
- Insight: "Pruning" wipes out attack. Locking generalizes pruning. Low overhead but w/ acc cost
- Locking provides less "self-attack" compared with Pruning
- Larger G, less mem. overhead

Synergistic Pre-/Post-Deploy Protection
- Insight: Low-bit model is more robust to attack. Statistics-aware unary encoding balances memory vs. security
- Insight: "Locking" wipes out attack. Low mem. overhead at small acc. drop
- Quantize-inspired unary encoding (eoDAC): min sensitivity (LSB), built-in defender
- Pruning-inspired weight locking: group & lock attacked weights to centroids
- Optimal Mem. budget allocation: Large mem. for TCU + small mem. for Weight Locking
- Figure labels: Pure Locking, Pure TCU, Protect. ratio of TCU, Accep. Acc. Drop of Locking

Train-Free Memory-Efficient Built-in Defender
- Prior methods (Noisy train/Quantize/Prune): only 25-80% acc w/ 3 hr train cost
- Our method: 83-86.7% acc, 2% memory overhead w/ 1 hr search
- Provide Near-ideal Accuracy Recovery with Marginal Memory Budget
- Model: VGG8, Dataset: Cifar-10

Thank you! Q&A?
arXiv Preprint | Open-Source ONN Defender: ONN Defender against Adversarial Attacks
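The "unary encode, min sensitivity (LSB)" and "exponential memory overhead" points can be checked numerically. The sketch below is an added example, not code from the slides or the authors' repository; it assumes a weight is an unsigned b-bit quantization level and that the unary value is the number of 1 cells.

```python
# Added illustration, not the authors' code. Assumption: a weight is an
# unsigned b-bit quantization level (0 .. 2**b - 1).

def binary_bits(level, b):
    """b-bit binary code, MSB first."""
    return [(level >> i) & 1 for i in range(b - 1, -1, -1)]

def binary_level(bits):
    level = 0
    for bit in bits:
        level = (level << 1) | bit
    return level

def unary_bits(level, b):
    """Unary code: 2**b - 1 cells, the level is the number of 1s."""
    return [1] * level + [0] * (2 ** b - 1 - level)

def unary_level(bits):
    return sum(bits)

def worst_single_flip(bits, decode):
    """(largest |change in level|, bit index causing it) over all single flips."""
    clean = decode(bits)
    worst_err, worst_idx = 0, None
    for i in range(len(bits)):
        flipped = list(bits)
        flipped[i] ^= 1
        err = abs(decode(flipped) - clean)
        if err > worst_err:
            worst_err, worst_idx = err, i
    return worst_err, worst_idx

def compare(b):
    """Worst case over every level, plus the storage cost of each code."""
    bin_worst = max(worst_single_flip(binary_bits(v, b), binary_level)[0]
                    for v in range(2 ** b))
    una_worst = max(worst_single_flip(unary_bits(v, b), unary_level)[0]
                    for v in range(2 ** b))
    return {"binary_worst": bin_worst, "unary_worst": una_worst,
            "binary_bits": b, "unary_bits": 2 ** b - 1,
            "overhead": (2 ** b - 1) / b}

if __name__ == "__main__":
    for b in (4, 8):
        print(b, compare(b))
```

For 8 bits the storage ratio comes out at 255/8, about the 32x overhead quoted on the slide, which is what motivates the low-bit, vulnerable-weight-only and truncation options.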
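The post-deploy path (group checksum detection, then locking instead of pruning) can be sketched as follows. This is an added example, not the authors' code: the sum-of-MSBs-mod-4 checksum, the reuse of the detection groups for locking, the per-group mean as centroid and the sample weights are all assumptions made for illustration.

```python
# Added illustration, not the authors' code. Assumptions: weights are unsigned
# 8-bit codes, group g holds indices g, g + n_groups, ... (interleaving), the
# 2-bit checksum is the sum of a group's MSBs modulo 4, and the same groups
# are reused for locking with the group mean as centroid.
B = 8

def interleaved_groups(n_weights, n_groups):
    return [list(range(g, n_weights, n_groups)) for g in range(n_groups)]

def msb_checksums(codes, groups):
    return [sum((codes[i] >> (B - 1)) & 1 for i in idx) % 4 for idx in groups]

def flagged_groups(codes, groups, golden):
    """Groups whose current checksum differs from the stored (golden) one."""
    now = msb_checksums(codes, groups)
    return [g for g, (a, b) in enumerate(zip(now, golden)) if a != b]

def lock_groups(codes, groups, flagged, values):
    """Overwrite every weight of a flagged group with that group's stored value.
    The checksum cannot say which member was hit, so the whole group is replaced."""
    out = list(codes)
    for g in flagged:
        for i in groups[g]:
            out[i] = values[g]
    return out

# Constructed sample data: 16 weight codes, 4 interleaved groups.
CLEAN = [120, 131, 126, 140, 118, 135, 129, 122,
         125, 133, 127, 138, 121, 130, 124, 136]
GROUPS = interleaved_groups(len(CLEAN), 4)
GOLDEN = msb_checksums(CLEAN, GROUPS)          # stored before deployment
CENTROIDS = [round(sum(CLEAN[i] for i in idx) / len(idx)) for idx in GROUPS]

def total_error(codes):
    return sum(abs(a - b) for a, b in zip(codes, CLEAN))

def demo():
    attacked = list(CLEAN)
    attacked[5] ^= 1 << (B - 1)                # injected MSB fault: 135 -> 7
    flagged = flagged_groups(attacked, GROUPS, GOLDEN)
    locked = lock_groups(attacked, GROUPS, flagged, CENTROIDS)
    pruned = lock_groups(attacked, GROUPS, flagged, [0] * len(GROUPS))
    return flagged, total_error(attacked), total_error(locked), total_error(pruned)

if __name__ == "__main__":
    print(demo())
```

On this constructed data, zeroing the flagged group costs more total error than the injected fault itself, while locking to the stored centroid costs far less, which is the "self-attack" contrast the slides draw between pruning and locking.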