Protecting deep learning algorithms from model theft

Abstract

The rise of Deep Neural Network architectures deployed on edge Field Programmable Gate Arrays has introduced new security challenges. Such attacks can potentially reverse-engineer models, compromising their confidentiality and integrity. In this report, we present a defence mechanism aimed at protecting DNNs deployed on edge devices against adversarial attacks. Although the initial goal was to address Side-Channel Attacks, the current implementation effectively safeguards against memory confidentiality and integrity attacks. Our work focuses on the integration of a Memory Integrity Tree within the Versatile Tensor Accelerator to secure memory accesses and detect unauthorized modifications during DNN execution. Key modifications were made to the VTA’s runtime code, specifically the LoadBuffer2D and StoreBuffer2D functions, to enforce memory integrity checks through a Binary Merkle Tree. This structure ensures that each memory block is hashed and verified, maintaining a secure execution environment. The implemented defences were evaluated in terms of performance overhead, while the MIT effectively prevents memory attacks, such as replay attacks, by detecting tampering attempts and protects the DNN model hyperparameters. The integration of cryptographic hash calculations introduced a significant performance cost. Our findings highlight the trade-offs between security and computational efficiency, emphasising the importance of continued refinement to minimize overhead while preserving robust protection against SCAs. This project demonstrates the viability of enhancing security for FPGA-based DNN accelerators through memory integrity checks. Future research should explore optimizations to reduce performance overhead and extend protections to side-channel attacks.