Computing systems
AI computing systems (graphics and tensor hardware accelerators, specialized neural processors) are a critical component of the technological foundation of modern AI. They are essential not only for model training and inference but also play a vital role in ensuring security.
An international standard has been issued on the role of computing systems in AI security [1]. It emphasizes the importance of developing and using secure hardware solutions that enable trusted computing environments, where AI models can operate in isolated, tamper-proof spaces. This field is currently the focus of active research and is yielding promising results.
Hardware itself can also serve as a vector for attacks on AI systems. The examples below illustrate practical implementations of such attacks.
1. Sponge attack
In this attack, an adversary drives up the power consumption and/or response time of an AI system to the point of rendering it unusable.
To carry out the attack, the attacker uses optimization algorithms to synthesize special inputs known as "sponge examples," which maximize the computational cost the model incurs to produce an output [2]. Research shows that this attack has a pronounced impact on large language models and, to a lesser extent, on computer vision models. The attack transfers across hardware platforms (CPU, GPU, ASIC) and model architectures, making it a significant threat to ML-as-a-Service solutions.
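The search for sponge examples can be sketched with a toy setup. The code below is illustrative, not the exact method of [2]: it uses a tiny NumPy MLP, takes the number of nonzero ReLU activations as a stand-in for energy cost (dense activations are more expensive on sparsity-aware hardware), and runs a simple evolutionary search to find an input that maximizes that proxy. All weights, dimensions, and hyperparameters are assumptions chosen for the demo.

```python
# Hypothetical sponge-example search on a toy model (not the authors' code).
import numpy as np

rng = np.random.default_rng(0)

# Toy two-layer MLP with ReLU activations; weights are random placeholders.
W1 = rng.standard_normal((32, 64))
W2 = rng.standard_normal((64, 10))

def energy_proxy(x):
    """Count nonzero hidden activations as a crude proxy for energy cost."""
    h = np.maximum(0.0, x @ W1)          # ReLU hidden layer
    return int(np.count_nonzero(h))

def sponge_search(steps=200, pop=16):
    """(1+lambda)-style evolutionary search for a high-energy input."""
    best = rng.standard_normal(32)
    best_e = energy_proxy(best)
    for _ in range(steps):
        # Mutate the current best input and keep the most "expensive" child.
        candidates = best + 0.3 * rng.standard_normal((pop, 32))
        energies = [energy_proxy(c) for c in candidates]
        i = int(np.argmax(energies))
        if energies[i] > best_e:
            best, best_e = candidates[i], energies[i]
    return best, best_e

# Compare the sponge input's cost against random inputs.
baseline = float(np.mean([energy_proxy(rng.standard_normal(32))
                          for _ in range(100)]))
sponge, sponge_e = sponge_search()
```

On real hardware the optimization target would be measured latency or energy rather than an activation count, but the structure of the attack, black-box search guided by a cost signal, is the same.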
2. Changing model parameters at the hardware level
This attack targets the random access memory (RAM) of an AI system's computing unit to manipulate the parameters or hyperparameters of the AI model.
The attack exploits a hardware vulnerability in DRAM (known as Rowhammer), in which rapid, repeated access to rows of memory cells causes bit flips in adjacent cells.
Experiments have demonstrated [3] that several well-known neural network architectures, such as VGG, ResNet, DenseNet, and Inception, are susceptible to bit-flip attacks: on average, up to 50% of their parameters are vulnerable, in the sense that inverting the 31st bit of a parameter's binary representation degrades performance, dropping relative classification accuracy on the ImageNet dataset by more than 10%. Furthermore, in most of the models studied [3], at least one parameter was found whose bit-flip reduced classification accuracy by over 90%.
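The effect of a single bit flip on a float32 parameter can be shown in a few lines. The sketch below simulates the corruption in software (the Rowhammer-style flip itself happens in DRAM): flipping a high-order exponent bit (bit 30, counting from 0) turns a small weight into an astronomically large value, which is the kind of single-bit damage that [3] shows can destroy a model's accuracy. The bit index and the sample weight are illustrative.

```python
# Simulated single-bit corruption of an IEEE 754 float32 weight.
import struct

def flip_bit(value, bit):
    """Return the float32 obtained by flipping one bit of `value`."""
    # Reinterpret the float's bytes as a 32-bit unsigned integer.
    (as_int,) = struct.unpack("<I", struct.pack("<f", value))
    # XOR toggles exactly the chosen bit, then reinterpret back as a float.
    (flipped,) = struct.unpack("<f", struct.pack("<I", as_int ^ (1 << bit)))
    return flipped

weight = 0.5
corrupted = flip_bit(weight, 30)   # most significant exponent bit
```

Flipping the sign bit (bit 31 when counting from 0) merely negates the weight, while flipping the top exponent bit multiplies its magnitude by roughly 2^128; it is the exponent bits that make individual parameters so fragile.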
References
- 1. ETSI GR SAI 006 V1.1.1. https://www.etsi.org/deliver/etsi_gr/SAI/001_099/006/01.01.01_60/gr_SAI006v010101p.pdf
- 2. Shumailov I. et al. Sponge examples: Energy-latency attacks on neural networks // 2021 IEEE European Symposium on Security and Privacy (EuroS&P). – IEEE, 2021. – pp. 212-231.
- 3. Hong S. et al. Terminal brain damage: Exposing the graceless degradation in deep neural networks under hardware fault attacks // 28th USENIX Security Symposium (USENIX Security 19). – 2019. – pp. 497-514.