The Unlikely Hero: Nonideality in Analog Photonic Neural Networks as Built-in Defender Against Adversarial Attacks
Abstract.
Electronic-photonic computing systems have emerged as a promising platform for accelerating deep neural network (DNN) workloads. Major efforts have been focused on countering hardware non-idealities and boosting efficiency with various hardware/algorithm co-design methods. However, the adversarial robustness of such photonic analog mixed-signal AI hardware remains unexplored. Though the hardware variations can be mitigated with robustness-driven optimization methods, malicious attacks on the hardware show distinct behaviors from noises, which requires a customized protection method tailored to optical analog hardware. In this work, we rethink the role of conventionally undesired non-idealities in photonic analog accelerators and claim their surprising effects on defending against adversarial weight attacks. Inspired by the protection effects from DNN quantization and pruning, we propose a synergistic defense framework tailored for optical analog hardware that proactively protects sensitive weights via pre-attack unary weight encoding and post-attack vulnerability-aware weight locking. Efficiency-reliability trade-offs are formulated as constrained optimization problems and efficiently solved offline without model re-training costs. Extensive evaluation of various DNN benchmarks with a multi-core photonic accelerator shows that our framework maintains near-ideal on-chip inference accuracy under adversarial bit-flip attacks with merely 3% memory overhead. Our codes are open-sourced at link.
1. Introduction
In recent years, analog optical neural networks (ONNs) stand out for their ability to deliver unparalleled speed and efficiency, presenting a promising avenue for artificial intelligence (AI) applications (NP_NATURE2017_Shen, ; NP_PIEEE2020_Cheng, ; NP_NaturePhotonics2021_Shastri, ; NP_ACS2022_Feng, ; NP_Science2024_Xu, ; NP_SciRep2017_Tait, ; NP_Nature2021_Xu, ; NP_Nature2021_Feldmann, ; NP_NatureComm2022_Zhu, ). However, deploying photonic accelerators is impeded by various non-idealities, e.g., low-precision control, hardware noises, and crosstalk, that increase the design complexity to ensure robust deployment. Extensive prior work has focused on suppressing the physical non-ideality and improving the system robustness via cross-layer hardware/algorithm co-design (NP_DATE2020_Gu, ; NP_ICCAD2019_Zhao, ; NP_ICCAD2020_Zhu, ; NP_TCAD2022_Mirza, ). Besides the built-in variations/noises, photonic accelerators are exposed to adversarial attacks (BFADefense_ICCAD2017_Liu, ; BFA_ICCV2019_Rakin, ; TBFA_TPAMI22_Rakin, ) in real-world deployment, raising hardware security concerns. Like digital AI accelerators, we envision that malicious attacks, e.g., bit-flip attacks in stored NN weights, will quickly become another potential roadblock for emerging optical analog neural accelerators. Only tens of bit-flips on the most significant bits (MSB) of critical weights severely degrade the accuracy. Effective pre-attack protection and post-attack accuracy recovery schemes that leverage the unique properties of analog optical hardware remain unexplored.
Prior work in neural network defense has explored various training-based and training-free defense methods (NP_DATE2020_Gu, ; DefendBFA_CVPR2020_He, ; BFADefense_DAC2020_Li, ; RADAR_DATE21_Li, ). For example, noise-aware training (NAT) (NP_DATE2020_Gu, ) and adversarial training have been proposed to smooth the NN loss landscape and increase attack tolerance. Among various defense methods, a class that exploits model compression techniques is particularly interesting in the analog NN context. Quantization, a common model compression method, has been applied for defense. Binarization-aware training (BAT) (DefendBFA_CVPR2020_He, ), as a training-based method, has been proposed to provide pre-attack protection by reducing weight sensitivity via 1-bit weights. However, training-based methods usually suffer from huge model re-training costs and encounter practical concerns in data access, privacy, etc. As a pre-attack protection conducted offline, training-based defense maximizes the average performance across arbitrary attacks, which usually lack precise protection at the cost of task performance degradation. Training-free methods usually occur post-attack as a complementary protection mechanism, detecting/localizing the victim weights (BFADetection_ICCAD2020_Liu, ) and resuming accuracy by error mitigation/correction. A representative training-free defense method is pruning-based accuracy recovery (RADAR_DATE21_Li, ). It detects victim weight groups via MSB checksum verification and prunes detected weights to 0 to partially reduce the bit-flip induced error. Since low-bit precision and sparsity naturally exist as built-in primitives in optical AI hardware mainly for efficiency-accuracy trade-offs, it inspires us to explore their novel usages in defense.
ONNs’ non-idealities have been treated as undesired hardware restrictions compared to digital computers, while in this work, we revisit their role as intrinsic low-cost defenders, adding reliability as a new dimension in the hardware/software co-design space. In this work, for the first time, we propose a synergistic defense framework for photonic AI hardware that provides pre-attack protection via an optics-inspired unary weight representation and post-attack accuracy recovery via a sensitivity-aware on-chip weight locking technique. Memory efficiency and adversarial robustness are co-optimized to provide near-ideal accuracy protection at marginal memory overhead.
The major contributions of this paper are as follows:
-
We investigate the adversarial robustness of optical analog neural networks under malicious weight attacks and explore the built-in protection of the photonic accelerator non-idealities.
-
We propose a quantization-inspired truncated complementary unary weight encoding to minimize the ONN weight sensitivity with optimized efficiency-robustness trade-offs.
-
We propose a pruning-inspired clustering-based weight locking technique that co-optimizes detection precision, accuracy recovery, and memory efficiency.
-
Our synergistic framework with integrated pre-attack unary protection and post-attack weight locking has shown near-ideal resumed accuracy with a marginal 3% memory overhead.
2. Preliminaries
2.1. Photonic AI Accelerators and Optical DAC
Various photonic AI accelerators have been demonstrated (NP_NATURE2017_Shen, ; NP_PIEEE2020_Cheng, ; NP_NaturePhotonics2021_Shastri, ; NP_ACS2022_Feng, ; NP_DATE2019_Liu, ; NP_HPCA2024_Zhu, ). As a case study, we focus on one multi-core photonic AI accelerator architecture based on dynamic photonic tensor cores (PTC) (NP_HPCA2024_Zhu, ). Each PTC takes two optically-encoded matrices and performs speed-of-light matrix-matrix multiplication. The input signals are quantized to reduce the digital-analog conversion (DAC) cost. The inputs are quantized to 8-bit fixed-point numbers, while the weights are quantized to -bit, e.g., ranging from 4-bit to 8-bit. A recent trend to reduce the electrical DAC (eDAC) power bottleneck is to employ optical DAC (oDAC) modules, which encode discretized values to light magnitude with segmented modulators (NP_OE2017_Samani, ; NP_JSSC2017_Moazeni, ), as shown in Fig. 1.
The controller in segmented oDAC is partitioned into 2 equal-length segments, each contributing to 1 least-significant bit (LSB) of the encoded value. In this setting, the binary weight value needs to be converted to a unary representation where a ’1’ applies a voltage to that bit without the need for high-power eDAC. Thus, the number of leading 1’s can represent the original binary-coded digit (BCD), i.e.,
(1) |
where is a signed integer value. For example, (11110000)U=(4)B. Compared to PTCs with high-speed eDACs, oDAC-enhanced designs show significant power reduction. This unique hardware architecture and property inspire us to explore intrinsic unary encoding as an effective protection mechanism that brings minimum weight sensitivity without extra BCD-to-Unary conversion cost, as unary coding is the built-in primitive.
3. Proposed Defense Framework
We will introduce the threat model and investigate built-in defense mechanisms in non-ideal analog photonic accelerators. As shown in the overview Fig. 2, two key techniques will be introduced to provide both pre-attack weight protection and post-attack accuracy recovery with optimized memory-robustness trade-offs.
3.1. Threat Model and Attacker Settings
As a case study, we assume a widely employed attacker model: gradient-based attacker BFA (BFA_ICCV2019_Rakin, ). Important assumptions on the threat model are given in Table 1. We follow the standard white-box attack threat model assumptions as previous work (BFA_ICCV2019_Rakin, ; TBFA_TPAMI22_Rakin, ; DefendBFA_CVPR2020_He, ; BFADefense_TC2022_Liu, ).
Access Required | Access NOT Requied |
---|---|
DNN model and parameters | Training Configurations |
A mini-batch of attack dataset | Modify scaling factors in quantization & Norm. |
On-chip forward/backward prop. | Modify address mapping/look-up tables |
Eq. (2) describes the target of an on-chip adversarial attacker under Hamming Distance (HD) and inference budget () constraint.
(2) | ||||
where is the selected bits to attack, is the attacked weights, and is the attack dataset, usually a small batch of examples. The minimization of post-attack test accuracy is often estimated by maximizing the loss function on a small attack dataset.
Gradient-based Attacker (BFA). The gradient-based attacker has access to the gradient information of a mini-batch of data via on-chip backpropagation and attacks the most sensitive bits. Specifically, we adopt the attacker algorithm BFA (BFA_ICCV2019_Rakin, ) that progressively searches for the most sensitive bits indicated by the largest absolute gradient if the flip direction aligns with the gradient. The gradients of all weights will be re-evaluated every time it flips one bit. Each bit-flip requires forward and backward propagation, equivalently consuming three inference budgets. If the attacker consumes all inference budget but still has an extra hamming distance budget left unused, it will directly select the most sensitive but unattacked weights to flip their MSB to make sure it always uses up the hamming distance budget. We conduct all the experiments under the condition.
3.2. Efficient Built-in Pre-Attack Defense via Unary Weight Representation
For efficiency and control complexity consideration, the weights of photonic analog AI hardware are often quantized to low-bitwidth fixed-point numbers (NP_DATE2020_Gu, ; NP_HPCA2024_Zhu, ), usually represented as binary-coded decimal (BCD) format with 2’s complement encoding. The weights are fetched from electrical memory, converted to voltage signals via DACs, and encoded in the optical domain for computing. To investigate the role of quantized weight encoding in the adversarial robustness of analog hardware, we first raise several critical questions: ➊ How does quantization impact the adversarial robustness against bit-flip attack? ➋ How can we leverage the natural unary representation inspired by optical DAC as an effective defense? ➌ What is the robustness-memory trade-off of unary representation and how to avoid the exponential memory cost?
3.2.1. Protection Effects of Quantization
To answer the question ➊, we investigate how sensitivity changes with various bitwidth in quantization. In Fig. 3(a), we observe that low-bit quantization can reduce the overall weight sensitivity defined later in Eq. (5). Hence, in Fig. 3(b), we observe a clear protection effect from low-bit quantization against bit-flip attack, which lays the foundation for our further study in memory-efficient unary representation.
3.2.2. Unary Representation as Built-in Protection
BCD-format is compact in storage but sensitive to bit-flip attack since the MSB flip can cause significant deviation by half of the weight range, which casts a serious reliability threat to the hardware. An intuitive solution is to leverage the built-in unary representation to minimize the bit-flip sensitivity as all bits in unary-coded weight are LSB. With a predefined protection rate , i.e., the percentage of weights protected by unary representation, the protected weights can be searched by maximizing the post-attack accuracy, which reflects the protection effectiveness,
(3) |
where is the selected indices for unary protection to maximize the validation accuracy after attack, represents the attacked weights. We denote the number of weights protected as .
For the original unary representation, the memory overhead is exponential, which limits protection efficiency, as shown in Eq. (4).
(4) |
Given the memory overhead budget, we can roughly derive the maximum number of weights we can protect. Then, the next phase is to determine the weights to protect. The overall pre-attack protection algorithm with unary representation is detailed in Alg. 1. To maximize the protection effectiveness, we prefer to protect vulnerable weights that show the largest bit-flip sensitivity .
Bit-flip-Aware Weight Sensitivity Evaluation. A widely used weight sensitivity is the magnitude of the first-order gradient or second-order gradient in the literature. Those metrics are designed for small random perturbations in a neighbor region where the gradient and curvature information can capture the sensitivity. However, the bit-flip attack is not a random perturbation that has a determined direction, i.e., from 0/1 to 1/0; meanwhile, the large deviation from the MSB flip breaks the assumption of small local perturbation. Therefore, we employ a bit-flip-aware sensitivity score based on Taylor expansion of the loss on the validation dataset,
(5) |
where the Hessian matrix is approximated by its diagonal entries , and is the perturbation caused by MSB-1 flip. A larger sensitivity represents a higher vulnerability to bit-flip. This score is aware of the alignment of the bit-flip direction with the gradients. Only bit-flips leading to larger S will be considered for protection.
Sensitivity-Guided Memory Overhead Assignment. Once we obtain the sensitivity scores for all weights, we need to further determine how to leverage the scores as guidance to distribute the memory overhead budget to all neural network layers. We propose Top-Sensitive-Layer Assignment that ranks layers based on their overall sensitivity and allocates all memory budgets to the most sensitive layers. As shown in Fig. 5(a), layer sensitivity is estimated by the averaged 50%-quantile and 75%-quantile of sensitivity of all weights, i.e., . The sorted layer indices from most sensitive to least sensitive are . Formally, the layer-wise overhead budgets are , where only the top- sensitive layers can have weight protection.
Attack-injected Search for Weight Selection. Based on the sensitivity-weighted guidance, we can select a certain number of vulnerable weights to protect for each layer. However, solely relying on weight sensitivity ranking to select weights to protect does not directly optimize toward the true objective, i.e., maximization of post-attack accuracy . Since the selection procedure is pre-deployment (offline), we can afford to search by sampling weights with sensitivity-weighted probability and select the group that brings the best protection based on bit-flip attack emulation and validation accuracy.
3.2.3. Memory-Efficient Truncated Complementary Unary Representation
To answer question ➌, we propose a memory-efficient truncated complementary unary (TCU) representation. An important observation is that in the original unary representation, the large number of trailing zeros for small values are only for bitwidth alignment purposes without any expressiveness. Hence, an intuitive compression method is to truncate the trailing zeros to reduce bitwidth from to . For example, if , we can compress numbers smaller than 4 by using only 4-bit in truncated unary-format instead of -bit, e.g., , without changing its actual encoded value of .
How to select optimal truncation bitwidth ? – If is too large, not many zeros can be truncated. On the other hand, if is overly small, only a few weights with small values can be expressed by the truncated bitwidth. Both cases give unsatisfactory memory saving.
We first illustrate a truncated version of unary format (TU) by clustering weights into exponentially-spaced bins and assigning a truncation bitwidth to cover the largest value in each bin, as shown in Fig. 4. For small positive values, such a method can significantly trim the redundant trailing zeros for memory reduction. But it is not very efficient for the largest bin. Moreover, since most sensitive weights have small absolute values (RADAR_DATE21_Li, ), a large proportion of negative weights, unfortunately, fall into the largest bin.
Aware of the Gaussian-like weight distribution in real neural networks and the important property of unary representation, i.e., counting 0’s is equivalent to counting 1’s, we propose a complementary unary format (TCU) that stores trailing 0’s and trims leading 1’s for negative values. For instance, the required bitwidth for -3 can be reduced from 15-bit in TU-format to 3-bit in TCU-format, as illustrated in Fig. 4. Similar to logarithmic quantization, the exponentially-sized bins in TCU-format reduce the bin count while minimizing memory overhead by holding a large number of small-value yet sensitive weights in the lowest-bitwidth bins, shown in Fig. 5(b).
The memory overhead ratio of TCU-format and indexing overhead is formulated in Eq.(6).
(6) |
3.3. Post-attack Accuracy Recovery via Sensitivity-aware Weight Locking
Pre-attack unary protection is unaware of the actual attacked bits as it is performed offline before deployment. This lack of precise targets makes the coverage of pre-attack protection insufficient if only a small percentage () of weights can be converted to TCU format. It is necessary to employ post-attack detection and recovery mechanisms to compensate for this inevitable protection miss.
Pruning is widely used in analog ONNs to improve energy efficiency (NP_TCAD2020_Gu, ; NP_JSTPE2023_Banerjee, ; NP_ICCAD2024_Yin, ; NP_isvlsi2022_banerjee2022pruning, ; NP_OFC2022_banerjee2022champ, ). We ask two critical questions: ➊ how to leverage the natural hardware sparsity for defense? and ➋ how to trade off pruning-induced accuracy loss and protection effects?
In previous work (RADAR_DATE21_Li, ), pruning is utilized to force detected under-attack weight groups to zero to partially cancel out the bit-flip errors. This method is intuitive due to two facts. (1) First, the MSB flip creates a deviation of half of the weight range, which always changes the sign of the weight, e.g., for a 4-bit weight. Hence, forcing it to 0 always reduces the error , at least on the weight itself. (2) Second, weight distribution shown in Fig. 5(b) shows that many sensitive weights under attack have small magnitudes (RADAR_DATE21_Li, ), which further justifies that pruning is a promising built-in mechanism for accuracy recovery, which answers question ➊.
However, simple weight pruning fails to resume accuracy in practice because many of the pruned weights are either still far away from 0 or not real victim weights due to inevitable false alarms in group-wise detection. In other words, pruning fake victims to 0 turns out to be a self-attack.
To answer question ➋, we propose sensitivity-aware weight locking, which generalizes prior pruning-based method and significantly boosts the protection effectiveness with optimal clustering and locking.
Post-attack accuracy recovery generally follows two steps: detection (localization) and resume. We assume the same detection technique based on group-wise MSB checksum verification (RADAR_DATE21_Li, ). A mismatch in checksum will mark the entire group of size as the victim weight group. All weights in victim groups will be resumed in the second step. Shown in Fig. 6, unlike the prior pruning method that forces victim weights to 0, we propose sensitivity-aware weight locking that intelligently finds centroids before deployment and locks detected victim weights to their centroids to maximize recovery effectiveness. Key trade-offs here include detection group size , which impacts detection accuracy and memory, and cluster number , which impacts both the centroid storage cost and resumed accuracy.
For the -th layer, we formulate it as an accuracy-constrained memory overhead minimization problem as follows in Eq.(7),
(7) |
where is the -bit centroid for the -th cluster, is the assigned cluster IDs for weights, and is the threshold of the gap between ideal and resumed accuracy. The above optimization is performed independently for each layer. For the memory overhead : 1) denotes the number of bits required to store the cluster ID for each weight. 2) or denotes the memory required to store the golden signature used in checksum-based detection (RADAR_DATE21_Li, ).
The algorithm to solve this optimization problem for layer- is illustrated in Fig. 7. To prioritize the lowest-memory solution, we initialize it to the largest group size =512 and minimum cluster count =1, and gradually search feasible solutions by halving and double increasing . To find the cluster centroids that minimize locking-induced accuracy loss, we augment conventional K-Means clustering to a locking-aware variant. We first perform single-cluster (=1) K-Means within each group. The distance from weight to centroid of -th detection group is redefined as in Eq.(8)
(8) |
We then obtain group centroids aware of locking errors . Since , we further perform a standard K-Means clustering to the obtained centroids and get .
3.4. Synergistic Protection with Integrated TCU Encoding and Weight Locking
To provide double protection against bit-flip attacks, we leverage both pre-attack unary protection and post-attack weight locking with co-optimized memory overhead. Before deployment, given a protection rate , we first perform pre-attack unary protection in Alg. 1 to find the weight indices and protect them by converting them to TCU-format, effectively reducing the sensitivity of vulnerable weights from MSB to LSB. Meanwhile, we prepare the locking solutions for each layer using the procedure in Fig. 7 given a target accuracy drop threshold . After the attack happens, checksum-based detection is applied to pinpoint potential victim weight groups under adversarial attack. Then, all weights in the detected groups will be locked to their pre-assigned centroid for post-attack accuracy recovery. A carefully selected setting gives the best post-attack accuracy and lowest memory overhead. Since the memory overhead tends to become very large in two extreme cases, i.e., pure unary protection or pure locking, the optimal solution in the middle range can be simply found by greedy search. We gradually reduce the unary protection rate , e.g., from 2% to 0.25%, and for each , we evaluate the overall memory cost and resumed accuracy for all candidates, e.g., . The search is stopped when the memory overhead increases, and the most efficient solution can be selected.
4. Experimental Results
4.1. Experiment Setup
Inference Budget | |||||||
---|---|---|---|---|---|---|---|
Batch Size | 20 | 40 | 80 | 160 | 320 | 640 | 1280 |
8 | 61.28 | 60.47 | \cellcolor[HTML]F898A238.15 | \cellcolor[HTML]F1BDA638.81 | \cellcolor[HTML]F5DBA439.39 | \cellcolor[HTML]FFFAB932.84 | \cellcolor[HTML]C0F1C835.75 |
16 | 53.62 | \cellcolor[HTML]F898A252.45 | \cellcolor[HTML]F1BDA635.64 | \cellcolor[HTML]F5DBA440.30 | \cellcolor[HTML]FFFAB920.49 | \cellcolor[HTML]C0F1C814.68 | \cellcolor[HTML]94DCF816.72 |
32 | \cellcolor[HTML]F898A262.91 | \cellcolor[HTML]F1BDA650.76 | \cellcolor[HTML]F5DBA446.01 | \cellcolor[HTML]FFFAB928.12 | \cellcolor[HTML]C0F1C817.50 | \cellcolor[HTML]94DCF815.28 | \cellcolor[HTML]A6C9EC13.06 |
64 | \cellcolor[HTML]F1BDA664.43 | \cellcolor[HTML]F5DBA449.26 | \cellcolor[HTML]FFFAB936.24 | \cellcolor[HTML]C0F1C822.27 | \cellcolor[HTML]94DCF816.84 | \cellcolor[HTML]A6C9EC13.39 | 28.04 |
128 | \cellcolor[HTML]F5DBA465.35 | \cellcolor[HTML]FFFAB950.16 | \cellcolor[HTML]C0F1C842.74 | \cellcolor[HTML]94DCF826.87 | \cellcolor[HTML]A6C9EC17.49 | 12.42 | 11.08 |
Method | Memory Overhead | Protected Weight Percentage | Worst Acc. | Mean Acc. |
---|---|---|---|---|
Even Assignment | 3.34% | 0.10% | 19.65 | 39.21 |
8.51% | 0.25% | 53.48 | 69.69 | |
33.90% | 1.00% | 79.59 | 83.12 | |
309.08% | 9.00% | 87.16 | 87.31 | |
Top-Sensitive-Layer Assignment | 3.34% | 0.10% | 75.43 | 80.06 |
6.70% | 0.20% | 78.86 | 83.27 | |
16.96% | 0.50% | 80.02 | 84.03 | |
67.90% | 2.00% | 87.14 | 87.27 |
Dataset and NN Models. We evaluate our method on VGG-8 CIFAR-10 and ResNet-18 CIFAR-100 for image classification. We choose 4-bit, 6-bit, and 8-bit for weight quantization. Input activations are 8-bit.
Training Settings. We pre-train all models for 200 epochs with an Adam optimizer with a 2E-3 learning rate, a cosine decay scheduler, 1E-4 weight decay, and data augmentation (random crop and flip). BatchNorm layers are all frozen after pretraining.
Benchmarks and Metrics. We adopt the strongest attacker setting shown in Section 4.2.1 with =100. To cover different attack budget scenarios, we sweep over budgets such that the number of bits flipped ranges from 2 to 100. We show averaged/worst/best inference accuracy on 5 attack datasets across all budgets. Gaussian weight noises (std.=0.005) are injected into all on-chip computations for attackers. We compare ours to two types of defense baselines.
(1) Training-based Defense – Binarization-aware Training (BAT) (DefendBFA_CVPR2020_He, ) quantized all weights to 1-bit to reduce bit-flip sensitivity. Also, we compare ours to noise-aware training (NAT) (NP_DATE2020_Gu, ), which is usually used to boost ONN robustness.
(2) Other Training-free Defense – We use a previous pruning-based protection method (RADAR_DATE21_Li, ) as another training-free baseline representing a special case in our weight locking, i.e., centroids are fixed to 0.
4.2. Ablation Study
4.2.1. Batch Size and Inference Budget
To make sure we evaluate our method against the strongest attacker model, we first evaluate the most efficient batch size settings across different inference budgets in Table 2. We can conclude that 16 images are enough for the attacker to get informative sensitivity scores via stochastic gradient calculation to perform an effective bit-flip attack, which leads to the lowest post-attack accuracy given the same hardware cost (). An overly small gives inaccurate gradients, while too many images consume the inference budget rapidly, helping the attacker marginally.
Protected Weight Percent | 0.05% | 0.10% | 0.20% | 1.00% | 2.00% | 4.00% |
---|---|---|---|---|---|---|
Unary Encoding: | 1.66% | 3.34% | 6.70% | 33.90% | 67.90% | 136.39% |
Proposed TCU: | 0.17% | 0.51% | 1.07% | 3.39% | 6.03% | 12.70% |
Reduction () | 9.86 | 6.51 | 6.24 | 9.99 | 11.26 | 10.74 |
(%) | Layer-wise Weight Locking Solutions | Mem. OV | Inference Budget | Mean Acc. | ||||
20 | 80 | 160 | 400 | 900 | ||||
- | w/o locking | 0.00% | 53.62 | 35.64 | 40.30 | 18.59 | 13.52 | 32.33 |
1 | G=[1, 1, 4, 16, 128, 2] | 1.29% | 83.49 | 80.77 | 78.36 | 84.60 | 86.59 | 82.76 |
K=[8, 2, 1, 1, 2, 16] | ||||||||
1.5 | G=[1, 1, 8, 16, 128, 2] | 1.15% | 79.82 | 80.96 | 76.67 | 72.01 | 86.59 | 79.21 |
K=[4, 1, 1, 1, 2, 1] | ||||||||
2 | G=[1, 2, 16, 32, 128, 2] | 0.97% | 78.84 | 80.50 | 76.16 | 71.78 | 86.65 | 78.79 |
K=[4, 4, 1, 1, 1, 1] |
Memory Overhead | |||||||||||
Model + dataset | Category | Quant. Bit | Defense Method | Prior-attack Accuracy | Best Acc. | Worst Acc. | Mean Acc. | Training/Searching Runtime | Pre () | Post () | Total |
4-bit | - | 87.73 | 82.24 | 59.87 | 75.85 | ||||||
6-bit | - | 88.00 | 75.66 | 33.58 | 61.74 | ||||||
w/o Def | 8-bit | - | 88.00 | 53.62 | 13.52 | 32.89 | - | ||||
1-bit | BAT (RADAR_DATE21_Li, ) | 87.09 | 86.12 | 74.62 | 80.39 | 0.33 hrs | |||||
4-bit | NAT (NP_DATE2020_Gu, ) | 87.96 | 83.32 | 66.71 | 77.06 | 2.8 hrs | |||||
6-bit | NAT (NP_DATE2020_Gu, ) | 87.19 | 77.68 | 33.39 | 64.78 | 2.8 hrs | |||||
Training-based | 8-bit | NAT (NP_DATE2020_Gu, ) | 85.91 | 67.74 | 26.14 | 55.88 | 2.8 hrs | - | |||
Pruning (RADAR_DATE21_Li, ) | 87.73 | 80.88 | 57.23 | 70.68 | - | 3.13% (G=16) | |||||
4-bit | Ours | 87.73 | 86.96 | 83.08 | 84.74 | 0.03hrs + 0.33 hrs | 0.84% | 0.000% | 0.84% | ||
Pruning (RADAR_DATE21_Li, ) | 88.00 | 79.91 | 40.74 | 66.14 | - | 4.17% (G=8) | |||||
6-bit | Ours | 88.00 | 86.90 | 86.25 | 86.48 | 0.03hrs + 0.50 hrs | 0.93% | 1.11% | 2.04% | ||
Pruning (RADAR_DATE21_Li, ) | 88.00 | 70.11 | 18.68 | 48.59 | - | 3.13% (G=8) | |||||
VGG-8 + CIFAR10 | Training-free | 8-bit | Ours | 88.00 | 87.21 | 86.08 | 86.73 | 0.03hrs + 0.75 hrs | 1.07% | 1.29% | 2.36% |
4-bit | - | 61.28 | 56.49 | 49.06 | 54.76 | ||||||
6-bit | - | 60.61 | 41.45 | 3.69 | 22.89 | ||||||
w/o Def | 8-bit | - | 60.22 | 38.01 | 2.19 | 9.93 | - | ||||
1-bit | BAT (DefendBFA_CVPR2020_He, ) | 60.03 | 59.69 | 54.01 | 56.84 | 0.4 hrs | |||||
4-bit | NAT (NP_DATE2020_Gu, ) | 61.58 | 58.27 | 46.72 | 51.81 | 8.9 hrs | |||||
6-bit | NAT (NP_DATE2020_Gu, ) | 60.61 | 39.24 | 7.20 | 22.89 | 8.9 hrs | |||||
Training-based | 8-bit | NAT (NP_DATE2020_Gu, ) | 60.22 | 38.98 | 2.19 | 12.99 | 8.9 hrs | - | |||
Pruning (RADAR_DATE21_Li, ) | 61.28 | 57.24 | 42.02 | 47.68 | - | 3.13% (G=16) | |||||
4-bit | Ours | 61.28 | 60.20 | 53.78 | 57.40 | 0.04 hrs + 1.17 hrs | 1.12% | 1.05% | 2.17% | ||
Pruning (RADAR_DATE21_Li, ) | 60.61 | 54.96 | 10.99 | 44.76 | - | 4.17% (G=8) | |||||
6-bit | Ours | 60.61 | 59.46 | 58.21 | 58.88 | 0.04 hrs + 1.62 hrs | 1.06% | 1.20% | 2.26% | ||
Pruning (RADAR_DATE21_Li, ) | 60.22 | 53.62 | 16.33 | 39.72 | - | 3.13% (G=8) | |||||
ResNet-18 + CIFAR100 | Training-free | 8-bit | Ours | 60.22 | 58.82 | 57.21 | 58.10 | 0.04 hrs + 3.01 hrs | 1.26% | 1.77% | 3.03% |
4.2.2. Memory Overhead Assignment in Pre-Attack Unary Protection
We compare Top-Sensitive-Layer Assignment to an Even Assignment baseline, i.e., , in Table 3. With unary-coded pre-attack protection, the even assignment method consumes significantly higher memory overhead than our sensitivity-aware method when reaching the same level of post-attack accuracy.
4.2.3. Truncated Complementary Unary Protection
Table 4 compares the memory storage required by Unary Protection and Truncated Complementary Unary Protection. TCU can significantly reduce the memory overhead by 6-11 than the original unary encoding.
4.2.4. Post-Attack Weight Locking
For weight locking, the accuracy drop threshold is the key parameter to balance resumed accuracy and memory overhead. In Table 5, we show the performance of the proposed Weight Locking on 8-bit VGG-8 and CIFAR-10. Within the layer-wise acceptable accuracy drop , Weight Locking can provide significant post-attack accuracy recovery with only less than 2% of extra memory overhead. However, to achieve lower memory overhead, accuracy recovery will be largely compromised from 87% to 70%. Weight Locking actually employs the accuracy-storage trade-off.
We also compare our method with Weight Pruning proposed in (RADAR_DATE21_Li, ). Fig. 8(a) shows the effectiveness and memory overhead of protection by Weight Pruning under different detection group sizes . Weight Locking can achieve higher accuracy recovery with more than 10 reduction in memory consumption.
4.2.5. Optimal Combination of TCU and Locking
Fig. 8(b) presents the searching process with different combinations of . Pure unary protection will consume high memory overhead to achieve effective protection, while pure locking cannot offer comparable accuracy recovery. will give the optimal solution considering both the accuracy recovery and memory overhead.
4.3. Main Results
In Table 6, we compare our TCU+Locking scheme with NAT (NP_DATE2020_Gu, ) (std.=0.005 weight noise injection), BAT (DefendBFA_CVPR2020_He, ), and pruning (RADAR_DATE21_Li, ). Our method can resume accuracy with only a 2% drop after BFA attacks at a marginal 3% memory overhead, significantly outperforming all prior arts. Our method is training-free, which also saves significant runtime compared to training-based methods.
4.4. Discussion: Can Noises Become Defender?
Besides low-bit quantization and sparsity, on-chip hardware noises are the main source of non-idealities. While noises often degrade the inference accuracy, they also hinder the attack process by adding uncertainty to loss functions or gradients. To reduce the uncertainty, attackers might need to average over multiple () samples, which equivalently reduces the attack efficiency.
Sample Times | Inference Budget | Mean Acc | ||||
---|---|---|---|---|---|---|
60 | 120 | 240 | 400 | 480 | ||
1 | 44.94 | 34.83 | 20.88 | 16.14 | 13.61 | 26.08 |
2 | 56.24 | 47.32 | 29.79 | 25.19 | 20.14 | 35.74 |
3 | 60.47 | 50.86 | 39.58 | 35.46 | 25.84 | 42.44 |
However, we find that sampling the noisy gradients (noise std.=0.005) once without averaging gives the best attack performance.
noise std. | 0 | 40 | 180 | 400 | 600 | 800 | 900 |
---|---|---|---|---|---|---|---|
0.005 | 87.58 | 52.45 | 35.18 | 18.59 | 17.02 | 15.67 | 13.52 |
0.01 | 86.82 | 59.68 | 34.64 | 18.42 | 16.15 | 31.88 | 21.77 |
0.02 | 83.81 | 54.87 | 32.12 | 21.97 | 17.21 | 34.19 | 14.48 |
0.03 | 74.69 | 41.06 | 25.82 | 20.74 | 17.29 | 20.45 | 18.10 |
We increase the noise intensity in Table 8 to create higher uncertainty for the BFA attacker. Unfortunately, adding larger Gaussian noises to the weights during on-chip computations does not provide clear protection effects but leads to severe accuracy drops. It is worth investigating potential protective noise injection and the trade-offs between noise-induced error and protection effects in the future.
5. Conclusion
In this work, for the first time, we investigate the security issue of analog optical neural networks and present a novel nonideality-enabled built-in defender against adversarial bit-flip attacks. We introduce quantization-inspired pre-attack protection based on truncated complementary unary weight representation to minimize the weight sensitivity with optimized memory overhead. A complementary pruning-inspired weight-locking method is introduced to resume accuracy with precise error correction. Our method outperforms prior defense approaches with near-ideal accuracy recovery under bit-flip attacks with marginal (3%) memory overhead. Our work makes significant strides toward reliable ONN against adversarial weight attacks and unlocking future applications in security-thirst scenarios.
References
- (1) Yichen Shen, Nicholas C. Harris, Scott Skirlo, et al. Deep learning with coherent nanophotonic circuits. Nature Photonics, 2017.
- (2) Q. Cheng, J. Kwon, M. Glick, M. Bahadori, L. P. Carloni, and K. Bergman. Silicon Photonics Codesign for Deep Learning. Proceedings of the IEEE, 2020.
- (3) Bhavin J. Shastri, Alexander N. Tait, et al. Photonics for Artificial Intelligence and Neuromorphic Computing. Nature Photonics, 2021.
- (4) Chenghao Feng, Jiaqi Gu, Hanqing Zhu, Zhoufeng Ying, Zheng Zhao, et al. A compact butterfly-style silicon photonic–electronic neural chip for hardware-efficient deep learning. ACS Photonics, 9(12):3906–3916, 2022.
- (5) Zhihao Xu, Tiankuang Zhou, Muzhou Ma, ChenChen Deng, Qionghai Dai, and Lu Fang. Large-scale photonic chiplet taichi empowers 160-tops/w artificial general intelligence. Science, 384(6692):202–209, 2024.
- (6) Alexander N. Tait, Thomas Ferreira de Lima, Ellen Zhou, et al. Neuromorphic photonic networks using silicon photonic weight banks. Sci. Rep., 2017.
- (7) Xingyuan Xu, Mengxi Tan, Bill Corcoran, Jiayang Wu, Andreas Boes, Thach G. Nguyen, Sai T. Chu, Brent E. Little, Damien G. Hicks, Roberto Morandotti, Arnan Mitchell, and David J. Moss. 11 TOPS photonic convolutional accelerator for optical neural networks. Nature, 2021.
- (8) Johannes Feldmann, Nathan Youngblood, Maxim Karpov, Helge Gehring, Xuan Li, Maik Stappers, Manuel Le Gallo, Xin Fu, Anton Lukashchuk, Arslan Raja, Junqiu Liu, David Wright, Abu Sebastian, Tobias Kippenberg, Wolfram Pernice, and Harish Bhaskaran. Parallel convolutional processing using an integrated photonic tensor core. Nature, 2021.
- (9) H.H. Zhu, J. Zou, H. Zhang, et al. Space-efficient optical computing with an integrated chip diffractive neural network. Nature Commun., 2022.
- (10) Jiaqi Gu, Zheng Zhao, Chenghao Feng, Hanqing Zhu, Ray T. Chen, and David Z. Pan. ROQ: A noise-aware quantization scheme towards robust optical neural networks with low-bit controls. In Proc. DATE, 2020.
- (11) Zheng Zhao, Jiaqi Gu, Zhoufeng Ying, et al. Design technology for scalable and robust photonic integrated circuits. In Proc. ICCAD, 2019.
- (12) Ying Zhu, Grace Li Zhang, Bing Li, et al. Countering Variations and Thermal Effects for Accurate Optical Neural Networks. In Proc. ICCAD, 2020.
- (13) Asif Mirza, Febin Sunny, et al. Silicon photonic microring resonators: A comprehensive design-space exploration and optimization under fabrication-process variations. IEEE TCAD, 41(10):3359–3372, 2022.
- (14) Yannan Liu, Lingxiao Wei, Bo Luo, and Qiang Xu. Fault injection attack on deep neural network. In Proc. ICCAD, 2017.
- (15) A. Rakin, Z. He, and D. Fan. Bit-flip attack: Crushing neural network with progressive bit search. In 2019 IEEE/CVF International Conference on Computer Vision (ICCV), pages 1211–1220, 2019.
- (16) Adnan Siraj Rakin, Zhezhi He, Jingtao Li, Fan Yao, Chaitali Chakrabarti, and Deliang Fan. T-bfa: Targeted bit-flip adversarial weight attack. IEEE Transactions on Pattern Analysis and Machine Intelligence, 44(11):7928–7939, 2022.
- (17) Zhezhi He, Adnan Siraj Rakin, Jingtao Li, Chaitali Chakrabarti, and Deliang Fan. Defending and harnessing the bit-flip based adversarial weight attack. In 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pages 14083–14091, 2020.
- (18) Jingtao Li, Adnan Siraj Rakin, Yan Xiong, Liangliang Chang, Zhezhi He, Deliang Fan, and Chaitali Chakrabarti. Defending bit-flip attack through dnn weight reconstruction. In Proc. DAC, 2020.
- (19) Jingtao Li, Adnan Siraj Rakin, Zhezhi He, Deliang Fan, and Chaitali Chakrabarti. Radar: Run-time adversarial weight attack detection and accuracy recovery. In 2021 Design, Automation & Test in Europe Conference & Exhibition (DATE), pages 790–795, 2021.
- (20) Qi Liu, Wujie Wen, and Yanzhi Wang. Concurrent weight encoding-based detection for bit-flip attack on neural network accelerators. In Proc. ICCAD, 2020.
- (21) W. Liu, W. Liu, Y. Ye, Q. Lou, Y. Xie, and L. Jiang. Holylight: A nanophotonic accelerator for deep learning in data centers. In Proc. DATE, 2019.
- (22) Hanqing Zhu, Jiaqi Gu, Hanrui Wang, et al. Lightening-transformer: A dynamically-operated optically-interconnected photonic transformer accelerator. In Proc. HPCA, pages 686–703, 2024.
- (23) Alireza Samani, David Patel, Mathieu Chagnon, Eslam El-Fiky, Rui Li, Maxime Jacques, Nicolás Abadía, Venkat Veerasubramanian, and David V. Plant. Experimental parametric study of 128 Gb/s PAM-4 transmission system using a multi-electrode silicon photonic Mach Zehnder modulator. Opt. Express, 25(12):13252, June 2017.
- (24) Sajjad Moazeni, Sen Lin, Mark Wade, Luca Alloatti, Rajeev J. Ram, Milos Popovic, and Vladimir Stojanovic. A 40-Gb/s PAM-4 Transmitter Based on a Ring-Resonator Optical DAC in 45-nm SOI CMOS. IEEE J. Solid-State Circuits, 52(12):3503–3516, December 2017.
- (25) Liang Liu, Yanan Guo, Yueqiang Cheng, Youtao Zhang, and Jun Yang. Generating robust dnn with resistance to bit-flip based adversarial weight attack. IEEE Transactions on Computers, 72(2):401–413, 2023.
- (26) Jiaqi Gu, Zheng Zhao, Chenghao Feng, et al. Towards Hardware-Efficient Optical Neural Networks: Beyond FFT Architecture via Joint Learnability. IEEE TCAD, 2020.
- (27) Sanmitra Banerjee, Mahdi Nikdast, Sudeep Pasricha, and Krishnendu Chakrabarty. Pruning coherent integrated photonic neural networks. IEEE Journal of Selected Topics in Quantum Electronics, 29:1–13, 2023.
- (28) Ziang Yin, Nicholas Gangi, Meng Zhang, Jeff Zhang, Rena Huang, and Jiaqi Gu. Scatter: Algorithm-circuit co-sparse photonic accelerator with thermal-tolerant, power-efficient in-situ light redistribution. In Proc. ICCAD, 2024.
- (29) Sanmitra Banerjee, Mahdi Nikdast, Sudeep Pasricha, and Krishnendu Chakrabarty. Pruning coherent integrated photonic neural networks using the lottery ticket hypothesis. In IEEE Computer Society Annual Symposium on VLSI (ISVLSI), 2022.
- (30) Sanmitra Banerjee, Mahdi Nikdast, Sudeep Pasricha, and Krishnendu Chakrabarty. Champ: Coherent hardware-aware magnitude pruning of integrated photonic neural networks. In Optical Fiber Communication Conference (OFC), 2022.