CN110929859B - Memristor computing system security enhancement method - Google Patents

Memristor computing system security enhancement method

Publication number: CN110929859B
Authority: CN (China)
Prior art keywords: rram, crossbar, stealing, negative, positive
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201911015821.1A
Other languages: Chinese (zh)
Other versions: CN110929859A
Inventors: 邹敏辉, 王添, 张欢欢
Current assignee: Nanjing University of Science and Technology (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Nanjing University of Science and Technology
Application filed by Nanjing University of Science and Technology; priority to CN201911015821.1A; published as CN110929859A, granted as CN110929859B

Classifications

    • G06N3/063 Physical realisation, i.e. hardware implementation of neural networks, neurons or parts of neurons using electronic means
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information
    • G06N3/045 Combinations of networks
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management


Abstract

The invention discloses a security enhancement method for an RRAM computing system that prevents attacks which steal the neural-network weights stored in an RRAM crossbar. First, the method for mapping neural-network weights onto the RRAM crossbar and two methods for stealing the weights from the crossbar are analysed; then a countermeasure is given for each of the two stealing methods; finally, the hardware overhead of the second countermeasure is reduced with two heuristic algorithms. The method is simple to apply, highly practical, and improves the security of the RRAM computing system.

Description

A security enhancement method for a memristor computing system

Technical field

The invention belongs to the field of the emerging memristor device and in particular concerns a method for enhancing the security of a memristor computing system.

Background

Neural networks (NNs) have achieved great success in visual object recognition and natural language processing, but such data-intensive applications require massive data movement between compute units and memory. Emerging memristor (RRAM) computing systems show great potential for avoiding this data movement by performing matrix-vector multiplication inside the memory. However, because RRAM devices are non-volatile, the neural-network weights stored in the crossbar can be stolen, and an attacker can extract the neural-network model from the stolen weights. Extracting a trained model in this way seriously damages the intellectual property of the model's designer; worse, malicious use of the extracted model could cause harm to society.

The existing solution is to encrypt the NN weights and decrypt them each time they are used. These encryption/decryption schemes, however, inevitably require frequent write operations to the RRAM devices. At present an RRAM device supports at most 10^10 write cycles, so a weight encryption/decryption scheme shortens the lifetime of the RRAM computing system. In addition, frequent writes to RRAM devices consume a lot of energy and add long delays that degrade system performance.

Summary of the invention

The purpose of the invention is to provide a method for enhancing the security of an RRAM computing system that neither affects the lifetime of the system nor adds RRAM write energy overhead or delay.

The technical solution that achieves this purpose is a method for enhancing the security of an RRAM computing system by obfuscating the crossbar row connections, comprising the following steps:

Step 1. Evaluate the security of the RRAM crossbar mapping method and analyse the two data-stealing methods; go to step 2.

Step 2. Against the two stealing methods, apply two different countermeasures to enhance the security of the RRAM computing system; go to step 3.

Step 3. Use two heuristic algorithms to optimise the hardware overhead of the obfuscation module.

Compared with the prior art, the invention has the following significant advantages:

(1) No write operations to the RRAM cells of the computing system are involved, so the lifetime of the RRAM computing system is not affected and no additional RRAM write energy overhead or delay is introduced.

(2) Because no write operations to the RRAM cells are involved, no additional RRAM write energy overhead or delay is introduced.

Description of the drawings

Figure 1 is a flowchart of the RRAM computing system security enhancement method of the invention.

Figure 2 is a schematic of matrix-vector multiplication in an RRAM crossbar, with a row obfuscation module inserted between the positive and negative RRAM crossbars.

Figure 3 shows different implementations of the row obfuscation module: (a) connects m inputs to m outputs at a time, (b) connects 1 input to 1 output at a time, and (c) combines (a) and (b) to connect x inputs to x outputs at a time.

Figure 4 plots the classification accuracy of NN models extracted without the correct key when only one layer is protected.

Detailed description

The invention discloses a security enhancement method for an RRAM computing system that prevents network weight theft attacks. First, the methods for stealing neural-network weights are analysed; then a security enhancement technique based on obfuscating the row connections between the positive and negative crossbars is proposed; finally, two heuristic algorithms are used to optimise the hardware overhead of the obfuscation module.

The main components of a neural network (NN) are fully connected (FC) layers and convolutional (Conv) layers. The computation of an FC layer is a matrix-vector multiplication (MVM), described as:

Figure BDA0002245661960000021

where x_i (i ∈ [1, m]) is the input feature map, m is the number of rows of the weight matrix (m > 1), y_j (j ∈ [1, n]) is the output activation, n is the number of columns of the weight matrix (n > 1), and w_{i,j} is the element in row i, column j of the weight matrix. The computation of a Conv layer is slightly different but can be converted into an MVM.

As shown in Figure 2, in an RRAM computing system the input is the voltage (V) on the crossbar word lines (WL) and the output is the accumulated current (I) on the bit lines (BL). The input voltages, the conductances of the crossbar cells and the output currents obey Kirchhoff's law, so the array can be regarded as performing an MVM:

Figure BDA0002245661960000031

where g_{i,j} is the conductance of the cell in row i, column j of the crossbar.

However, the neural-network weights w_ij cannot be mapped directly onto g_ij, because w_ij can be positive, negative or zero, whereas an RRAM conductance can only be positive. To solve this, a pair of crossbars is used to represent the weight matrix: a positive crossbar and a negative crossbar. The input voltage is inverted before being applied to the negative crossbar, and the BL currents of the positive and negative crossbars are summed to obtain the MVM result, as shown in Figure 2.

RRAM has a gradual reset process, meaning that an RRAM device can be tuned continuously from the low-resistance state (LRS) to the high-resistance state (HRS). An ideal RRAM device can therefore be set to any conductance state between LRS and HRS.

With reference to Figure 1, the RRAM computing system security enhancement method of the invention comprises the following steps:

Step 1. Evaluate the security of the RRAM crossbar mapping method and analyse the data-stealing methods.

Step 2. Against the two stealing methods, apply two different countermeasures to enhance the security of the RRAM computing system.

Step 3. Use two heuristic algorithms to optimise the hardware overhead of the row obfuscation module.

Specifically, the evaluation of the security of the RRAM crossbar mapping method and the analysis of the data-stealing methods in step 1 are as follows:

Step 1.1. Assume the maximum conductance of an RRAM cell is G_on and the minimum is G_off. Each neural-network weight matrix is represented by a positive RRAM crossbar connected to a positive voltage and a negative RRAM crossbar connected to a negative voltage. The element w_ij in row i, column j of the weight matrix is represented by the cell in row i, column j of the positive crossbar
Figure BDA0002245661960000032
and the cell in row i, column j of the negative crossbar
Figure BDA0002245661960000033
so that we obtain
Figure BDA0002245661960000034

Step 1.2. RRAM device mapping method 1:

Figure BDA0002245661960000035

Figure BDA0002245661960000036

RRAM device mapping method 2:

Figure BDA0002245661960000041

Figure BDA0002245661960000042

Step 1.3. Given the two mapping methods above, there are two stealing methods: stealing method 1 accesses one crossbar of each positive/negative crossbar pair, and stealing method 2 accesses both crossbars of each pair; the corresponding w_ij is then inferred in each case.

Specifically, the two different countermeasures of step 2 for enhancing the security of the RRAM computing system are as follows:

Step 2.1. Countermeasure for stealing method 1 of step 1.3: explore the bias space and apply a different bias to each matrix element.

Step 2.2. Countermeasure for stealing method 2 of step 1.3: hide the row connections of each positive/negative crossbar pair.

Specifically, the two heuristic algorithms of step 3 for optimising the hardware overhead of the obfuscation module are as follows:

Step 3.1. Optimisation technique 1: reduce the number of multiplexers by adding a layer of demultiplexers (inverse multiplexers).

Step 3.2. Optimisation technique 2: protect only some of the neural-network layers.

The invention is described in further detail below with reference to the drawings and a specific embodiment.

Embodiment

With reference to Figure 1, this embodiment discloses a security enhancement method for an RRAM computing system with the following specific steps:

Step 1. Analysis of stealing methods: evaluate the security of the RRAM crossbar mapping method and analyse the two data-stealing methods.

Assume the maximum conductance of an RRAM cell is G_on and the minimum is G_off. We use
Figure BDA0002245661960000043
to denote the conductance of a cell connected to the positive voltage and
Figure BDA0002245661960000044
to denote the conductance of a cell connected to the negative voltage. We then obtain:

Figure BDA0002245661960000045

According to the literature, there are two main mapping methods for analog RRAM devices. Mapping method 1 is:

Figure BDA0002245661960000051

Figure BDA0002245661960000052

where all RRAM cells are initialised to the bias
Figure BDA0002245661960000053
and then adjusted accordingly.

Mapping method 2 is:

Figure BDA0002245661960000054

Similarly, all RRAM cells are initialised to the bias G_off and then adjusted accordingly.

Stealing method 1: access one crossbar of each positive/negative crossbar pair. In both mapping methods above the RRAM conductance varies linearly with the weight, so an attacker can easily infer w_ij from
Figure BDA0002245661960000055
or
Figure BDA0002245661960000056
alone.

Stealing method 2: access both crossbars of each positive/negative crossbar pair. The attacker obtains both
Figure BDA0002245661960000057
and
Figure BDA0002245661960000058
and can therefore infer the corresponding w_ij by a simple subtraction.

Step 2. Against the two stealing methods, apply two different countermeasures to enhance the security of the RRAM computing system.

Countermeasure for stealing method 1: explore the bias space and apply a different bias to each matrix element.

To counter stealing method 1, we first show that the biases of mapping method 1 and mapping method 2 have a large value space. Then, by applying a different bias to each matrix element, stealing method 1 can no longer recover the weight matrix by accessing a single crossbar of the positive/negative pair.

1) Bias space exploration: assume

G_on = ηG_off (5)

where η is the ratio G_on/G_off, and η > 1000.

In theory, an ideal RRAM cell can be tuned to any conductance state between G_off and G_on. The weight mapping method for RRAM devices can then be described as:

Figure BDA0002245661960000061

where for w ≥ 0 the bias value is b_1 ∈ [G_off, G_on], for w < 0 the bias value is b_2 ∈ [G_off, G_on], and x_1 and x_2 are intermediate variables.

To guarantee that
Figure BDA0002245661960000062
and
Figure BDA0002245661960000063
are continuous over their ranges,
Figure BDA0002245661960000064
and
Figure BDA0002245661960000065
must respectively satisfy
Figure BDA0002245661960000066
Figure BDA0002245661960000067
and
Figure BDA0002245661960000068
Therefore we obtain b_1 = b_2. Let b_1 = λG_off, where λ (λ ∈ [1, η]) is the bias scaling value; from equation (6),
Figure BDA0002245661960000069
and
Figure BDA00022456619600000610
increase or decrease monotonically with w_ij.

Therefore the RRAM cell reaches its maximum or minimum conductance only when w_ij is at one of the two ends of its value range, i.e.,

Figure BDA00022456619600000611

From equations (5), (6) and (7),

Figure BDA00022456619600000612

and equation (6) can be rewritten as

Figure BDA00022456619600000613

For an analog RRAM cell that can be tuned to any conductance state between G_off and G_on, the bias scaling value λ can be any random value between 1 and η. Although the precision of the peripheral circuits limits the precision of the bias b_1 (or b_2), the range of values available for λ is still very large.

2) Applying random biases to the weight matrix: given the large value range of the bias b_1 (or b_2) shown above, the invention randomises the bias chosen for each element of the weight matrix. Let the number of possible bias choices be N_b and the number of cells in the crossbar be N_c. The time complexity of inferring the corresponding weight matrix from one analog crossbar is then
Figure BDA0002245661960000071
With N_b = 1000 and N_c = 256, the number of trials needed to recover the weight matrix from one analog RRAM crossbar by brute force is 1000^256.

The invention therefore resists stealing method 1 by assigning a random bias to each weight.

Countermeasure for stealing method 2: hide the row connections of each positive/negative crossbar pair.

By accessing both the positive and the negative crossbar and subtracting, an attacker can easily infer the stored neural-network weights. In this part we propose hiding the connections between the positive and negative crossbars, so that even an attacker who can access both crossbars cannot infer the weights.
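A small simulation of countermeasures 1 and 2 together (an added example, not code from the patent): weights are stored differentially on a positive/negative crossbar pair with a random per-cell bias b_ij = λ_ij·G_off, and the negative crossbar's rows are stored under a secret row permutation (the key). It then measures how far the legitimate MVM and the two extraction strategies described above land from the true weights. The conductance units, the fixed weight-to-conductance scale and the bias range are my assumptions; the patent only fixes G_on = η·G_off with η > 1000.

```python
"""Positive/negative RRAM crossbar pair with per-cell random bias and a
hidden row connection. Constructed example; device units, SCALE and the
bias range are assumptions, not values from the patent."""
import random
from typing import List, Sequence

Matrix = List[List[float]]

# Device parameters (assumed, arbitrary units). Only G_on = eta * G_off
# with eta > 1000 comes from the patent.
G_OFF = 1.0
ETA = 1000.0
G_ON = ETA * G_OFF
W_MAX = 1.0                            # assumption: weights normalised to |w| <= 1
SCALE = (G_ON - G_OFF) / (2 * W_MAX)   # fixed conductance per unit weight
# Largest bias scaling value lambda that still keeps b + SCALE*|w| <= G_on.
LAMBDA_MAX = (G_ON - SCALE * W_MAX) / G_OFF


def program_crossbars(w: Matrix, key: Sequence[int], rng: random.Random):
    """Map weight matrix w onto a (positive, negative) crossbar pair.

    Each w_ij is stored differentially, w_ij = (g+_ij - g-_ij) / SCALE, on
    top of a per-cell random bias b_ij = lambda_ij * G_off (countermeasure 1).
    Logical row i of the negative crossbar is stored at physical row key[i]
    (countermeasure 2): without the key, row i of the positive crossbar and
    physical row i of the negative crossbar no longer belong together.
    """
    m, n = len(w), len(w[0])
    g_pos = [[0.0] * n for _ in range(m)]
    g_neg = [[0.0] * n for _ in range(m)]          # indexed by physical row
    for i in range(m):
        for j in range(n):
            b = rng.uniform(1.0, LAMBDA_MAX) * G_OFF  # random bias per cell
            delta = SCALE * abs(w[i][j])
            if w[i][j] >= 0:
                g_pos[i][j], g_neg[key[i]][j] = b + delta, b
            else:
                g_pos[i][j], g_neg[key[i]][j] = b, b + delta
    return g_pos, g_neg


def mvm(g_pos: Matrix, g_neg: Matrix, key: Sequence[int], x: Sequence[float]) -> List[float]:
    """Legitimate inference: the row obfuscation module, configured with the
    key, routes -x_i to physical row key[i] of the negative crossbar. The
    summed bit-line currents equal SCALE * (W^T x); the bias cancels."""
    m, n = len(g_pos), len(g_pos[0])
    y = []
    for j in range(n):
        current = sum(x[i] * g_pos[i][j] - x[i] * g_neg[key[i]][j] for i in range(m))
        y.append(current / SCALE)
    return y


def extract_pair(g_pos: Matrix, g_neg: Matrix, key_guess: Sequence[int]) -> Matrix:
    """Stealing method 2 as modelled in the patent: read both crossbars and
    subtract. Correct only if key_guess is the real row connection."""
    m, n = len(g_pos), len(g_pos[0])
    return [[(g_pos[i][j] - g_neg[key_guess[i]][j]) / SCALE for j in range(n)]
            for i in range(m)]


def extract_single(g_pos: Matrix) -> Matrix:
    """Stealing method 1 as modelled in the patent: read one crossbar and
    assume the uniform bias of mapping method 2 (every cell starts at G_off)."""
    return [[(g - G_OFF) / SCALE for g in row] for row in g_pos]


def direct_mvm(w: Matrix, x: Sequence[float]) -> List[float]:
    return [sum(x[i] * w[i][j] for i in range(len(w))) for j in range(len(w[0]))]


def max_abs_err(a: Matrix, b: Matrix) -> float:
    return max(abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb))


def demo(seed: int = 7, m: int = 8, n: int = 4) -> dict:
    """Program a random m x n weight matrix (constructed input) and report how
    far the legitimate MVM and each extraction strategy are from the truth."""
    rng = random.Random(seed)
    w = [[rng.uniform(-W_MAX, W_MAX) for _ in range(n)] for _ in range(m)]
    identity = list(range(m))
    key = identity[:]
    while key == identity:              # a key that hides nothing is useless
        rng.shuffle(key)
    g_pos, g_neg = program_crossbars(w, key, rng)
    x = [rng.uniform(0.0, 1.0) for _ in range(m)]
    in_range = all(G_OFF <= g <= G_ON for grid in (g_pos, g_neg) for row in grid for g in row)
    return {
        "in_range": in_range,
        "mvm_err": max_abs_err([mvm(g_pos, g_neg, key, x)], [direct_mvm(w, x)]),
        "pair_with_key": max_abs_err(extract_pair(g_pos, g_neg, key), w),
        "pair_without_key": max_abs_err(extract_pair(g_pos, g_neg, identity), w),
        "single_crossbar": max_abs_err(extract_single(g_pos), w),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18s} {value}")
```

The pair-subtraction reading with the correct key recovers the weights exactly, which is why the bias alone is not enough and the row connection must be hidden too.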

As an example, Table I compares the classification accuracy of the original NN models with that of the NN models extracted incorrectly after countermeasures 1 and 2 are applied together. The NN models are LeNet, AlexNet and VGG16.

Table I. Classification accuracy of the original NN models and of the incorrectly extracted NN models

NN model   Original NN model   Incorrectly extracted NN model
LeNet      65.13%              11.82%
AlexNet    73.57%              9.81%
VGG16      90.07%              9.61%

Step 3. Use two heuristic algorithms to optimise the hardware overhead of the obfuscation module, as follows:

To hide the crossbar row connections, we designed a multiplexer-based row connection obfuscation module and inserted it between the positive and negative crossbars (see Figures 2 and 3). Because both the inputs and the outputs of the inserted module are analog signals, the digital multiplexers are replaced by analog switches, each built from a pair of MOSFETs, so the structure of Figure 3(a) applies in our case. The obfuscation module hides the connections between the crossbar rows; unless the specific connection relationship (the key) is known, computing directly with the incorrectly extracted weights stored in the RRAM greatly reduces the accuracy of the neural network.

For an m:m obfuscation module there are m! possible connection combinations between inputs and outputs. Taking m = 64 as an example, m! is about 2^295, which is very hard to break by brute force.

However, implementing the obfuscation module of Figure 3(a) requires m multiplexers of size m:1. Applying such a module to every crossbar pair in an RRAM computing system introduces a non-negligible area overhead. To address this, we propose two techniques for reducing the overhead of the multiplexer-based obfuscation module:

(1) Optimisation technique 1: reduce the number of multiplexers by adding a layer of demultiplexers.

To reduce the area cost of the obfuscation module of Figure 3(a), we can use one m:1 multiplexer and one 1:m demultiplexer, as shown in Figure 3(b). With this solution, however, only one row of the positive crossbar and its corresponding row of the negative crossbar take part in the computation in each clock cycle, which leads to an unacceptable latency cost.

To reduce the area/latency overhead of Figures 3(a) and 3(b), we combine the two solutions as shown in Figure 3(c). Assuming m = xk (x, k ∈ Z), the combined solution uses 2x multiplexers of size k:1 and x demultiplexers of size 1:k. The security of an m:m combined obfuscation module is x!·(k!)^x. In this scheme, x rows of the positive and negative crossbars are computed at a time. In an RRAM computing system, however, only part of the WLs are activated at a time because of the current limit on the crossbar BLs. Therefore, if x equals the number of WLs enabled per cycle, the combined solution introduces no additional latency overhead.

As an example, Table II compares the area/latency overhead of the three implementations of a 256:256 row obfuscation module. Assuming 16 WLs are turned on per clock cycle and x = 16, Figure 3(c) in isolation has 16 times the latency of Figure 3(a); but with only 16 WLs enabled, the additional latency introduced by Figure 3(c) is the same as that of Figure 3(a), while the area overhead of Figure 3(c) is only 1.10% of that of Figure 3(a).

Table II. Latency/area overhead comparison of the implementations in Figure 3

Implementation      Figure 3(a)   Figure 3(b)   Figure 3(c)
Normalised latency  reference     256×          16×
Normalised area     reference     0.0078×       0.0110×
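A model of the combined module of Figure 3(c) and its key space (an added example, not code from the patent): the m = x·k rows are handled as x groups of k, a key picks an ordering of the groups plus a permutation inside each group, and the x!·(k!)^x count is checked by enumerating every key for small x and k. How the key bits select the group ordering and the intra-group permutations is my assumption about the module's structure.

```python
"""Row permutations realised by the combined obfuscation module of
Figure 3(c) and the size of its key space. Constructed example; the
key-to-permutation structure is an assumption."""
import itertools
from math import factorial, log2
from typing import List, Sequence


def combined_permutation(group_order: Sequence[int],
                         intra: Sequence[Sequence[int]]) -> List[int]:
    """Row permutation produced by one key of the combined module.

    group_order is a permutation of the x groups (which group of k positive
    rows is wired to which group of k negative rows); intra[g] is a
    permutation of the k rows inside group g (realised by the k:1
    multiplexers). Returns perm with perm[i] = physical negative-crossbar
    row that logical row i is connected to.
    """
    x, k = len(group_order), len(intra[0])
    perm = [0] * (x * k)
    for g in range(x):
        for r in range(k):
            perm[g * k + r] = group_order[g] * k + intra[g][r]
    return perm


def key_space(x: int, k: int) -> int:
    """Number of distinct row connections of an m:m combined module,
    x! * (k!)^x as stated in the description."""
    return factorial(x) * factorial(k) ** x


def count_distinct_permutations(x: int, k: int) -> int:
    """Brute-force check of key_space for small x, k: enumerate every key
    and count the distinct permutations it produces."""
    seen = set()
    for group_order in itertools.permutations(range(x)):
        for intra in itertools.product(itertools.permutations(range(k)), repeat=x):
            seen.add(tuple(combined_permutation(group_order, intra)))
    return len(seen)


def security_bits(x: int, k: int) -> float:
    """log2 of the key space of the combined module (x*k rows)."""
    return log2(key_space(x, k))


def full_module_bits(m: int) -> float:
    """log2 of the m! connections of the full m:m module of Figure 3(a)."""
    return log2(factorial(m))


if __name__ == "__main__":
    # 256:256 module with x = 16 groups of k = 16 rows, as in Table II.
    print(f"combined 256:256 (x=16): {security_bits(16, 16):.0f} bits")
    print(f"full 256:256 module:     {full_module_bits(256):.0f} bits")
    print(f"full 64:64 module:       {full_module_bits(64):.0f} bits")
```

For the 256:256 case of Table II the combined module keeps roughly 750 bits of key space against about 1680 for the full module; both are far beyond exhaustive search, which is what justifies trading the full module for the cheaper combined one.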

(2) Optimisation technique 2: protect only some layers of the neural network.

To further reduce the area overhead of the row obfuscation module while still guaranteeing the security of the system, we studied how sensitive the classification accuracy of a neural network is to obfuscating the crossbar row connections of each individual layer. In the experiments, the crossbar row connections of each layer were obfuscated in turn and the classification accuracy of the incorrectly extracted model was measured; a low classification accuracy means the obfuscation is effective. The results are shown in Figure 4 for three neural networks, LeNet, AlexNet and VGG16. Obfuscating different layers has different effects on classification accuracy. A layer whose obfuscation leads to low accuracy is called a significant layer, and the most significant layers are denoted MSLs. The layers close to the model input are the significant ones, because the error introduced by the protection propagates through all the remaining layers; for example, when the row connections of the first layer's crossbars are obfuscated, every incorrectly extracted NN has a classification accuracy below 45%. By contrast, obfuscation has little effect on the layers near the model output, and obfuscating only the FC layers barely changes the model's classification accuracy.

As an example, Table III shows the classification accuracy of the NN models extracted incorrectly by an attacker when only some layers of the network are obfuscated. Obfuscating just the two most significant layers already reduces the classification accuracy of the incorrectly extracted models to below 17%.

Table III. Classification accuracy of incorrectly extracted NN models when only some layers of the NN are protected

NN model   2 MSLs    3 MSLs
LeNet      14.89%    13.08%
AlexNet    10.01%    9.34%
VGG16      16.44%    10.44%

Using optimisation techniques 1 and 2 together significantly reduces the hardware overhead of the row obfuscation module. As an example, Table IV shows the reduction in hardware overhead with the optimisation techniques compared with no optimisation, for the goal of reducing the classification accuracy of the incorrectly extracted NN model to a threshold α. With the optimisations, the hardware overhead of the row obfuscation module is reduced by between 33.33% and 97.45%.

Table IV. Proportion of hardware overhead reduction with the optimization techniques compared to without them

NN model    α=14%     α=17%     α=20%
LeNet       33.33%    50.00%    50.00%
AlexNet     95.49%    95.49%    95.49%
VGG16       96.17%    97.45%    97.45%

For example, Table V shows, for the goal of reducing the classification accuracy of the incorrectly extracted NN model to a threshold α, the hardware area of the row obfuscation module (after applying the optimization techniques) as a percentage of the area of the RRAM crossbars in the RRAM computing system. The hardware overhead introduced by our method is very small.

Table V. Hardware area of the row obfuscation module, after the optimization techniques, as a percentage of the RRAM crossbar area

NN model    α=14%      α=17%      α=20%
LeNet       1.6220%    1.2166%    1.2166%
AlexNet     0.1098%    0.1098%    0.1098%
VGG16       0.0932%    0.0622%    0.0622%

Overall workflow of the security-enhanced RRAM computing system:

In addition to the obfuscation module, the RRAM computing system embeds a hardware random number generator (HRNG) and a tamper-proof memory (TPM). The HRNG generates the random bias scaling value λ; the TPM stores the key of the obfuscation module. In an uninitialized analog RRAM computing system, an authorized user first loads his/her NN weights into the on-chip buffer and his/her obfuscation key into the TPM. The HRNG generates λ, which determines the conductances g+/g- of each RRAM pair. Each RRAM in the positive crossbar is then programmed according to the corresponding matrix. Next, the rows of the negative crossbar are permuted according to the obfuscation key in the TPM, and each RRAM in the negative crossbar is programmed. After this setup, the row obfuscation module must be configured according to the key in the TPM before every inference run on the RRAM computing system.
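As an added illustration of this workflow (example code, not from the patent), the following Python simulation models both countermeasures: a per-element random bias drawn from a simulated HRNG, so that reading a single crossbar reveals nothing about the weight, and a key-driven permutation of the negative crossbar rows that the row obfuscation module undoes at inference time. The conductance range, the biased mapping itself and all sample values are assumptions made for this example; the patent's own mapping formulas appear here only as figure references.

```python
import random

G_ON, G_OFF = 1.0, 0.0  # assumed normalised conductance range; weights assumed in [-1, 1]

def map_weights(W, hrng):
    """Map W (rows = crossbar rows/inputs) onto a positive and a negative crossbar.
    Each element gets its own random bias lambda from the simulated HRNG, so one
    crossbar alone reveals nothing about w (defence 2.1). Assumed mapping."""
    Gp, Gn = [], []
    for row in W:
        rp, rn = [], []
        for w in row:
            lam = hrng.uniform(G_OFF, G_ON - abs(w))  # keeps both cells in [G_OFF, G_ON]
            rp.append(lam + max(w, 0.0))
            rn.append(lam + max(-w, 0.0))
        Gp.append(rp); Gn.append(rn)
    return Gp, Gn

def permute_rows(G, key):
    """Row obfuscation (defence 2.2): store the negative crossbar with its rows
    reordered by the secret key, a permutation of the row indices."""
    return [G[k] for k in key]

def unpermute_rows(G_obf, key):
    """Inverse of permute_rows, i.e. what the row obfuscation module restores with the key."""
    G = [None] * len(key)
    for i, k in enumerate(key):
        G[k] = G_obf[i]
    return G

def crossbar_mac(G, x):
    """Analog multiply-accumulate of one crossbar: column j outputs sum_i g_ij * x_i."""
    return [sum(G[i][j] * x[i] for i in range(len(G))) for j in range(len(G[0]))]

def inference(Gp, Gn_obf, key, x):
    """Authorized inference: the module configured from the TPM key routes input x_k
    to the physical row that holds logical row k of the negative crossbar."""
    x_obf = [x[k] for k in key]
    return [p - n for p, n in zip(crossbar_mac(Gp, x), crossbar_mac(Gn_obf, x_obf))]

def extract_without_key(Gp, Gn_obf):
    """Weights someone who dumps both crossbars but lacks the key would infer by
    pairing rows at the same physical position; the pairing is wrong, so w is not recovered."""
    return [[p - n for p, n in zip(rp, rn)] for rp, rn in zip(Gp, Gn_obf)]

# Constructed sample: a 4x2 weight matrix, a constructed key and a constructed input.
W = [[0.5, -0.25], [-0.75, 0.1], [0.0, 0.6], [0.3, -0.4]]
KEY, X = [2, 0, 3, 1], [1.0, -0.5, 0.25, 2.0]
_GP, _GN = map_weights(W, random.Random(7))
GP, GN_OBF = _GP, permute_rows(_GN, KEY)
```

With the key, `inference` returns the same result as W^T x and the crossbar pair yields W; pairing rows by physical position without the key yields a different matrix.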

Claims (1)

1. A method for enhancing the security of a memristor computing system, characterized in that it comprises the following steps:
Step 1. Evaluate the security of the RRAM crossbar mapping method and analyze the two methods of data stealing, specifically as follows:
Step 1.1. Assume that the maximum conductance of an RRAM cell is Gon and the minimum conductance is Goff; each neural network weight matrix is represented by a positive RRAM crossbar connected to a positive voltage and a negative RRAM crossbar connected to a negative voltage; the element wij in row i, column j of the neural network weight matrix is represented by the cell in row i, column j of the positive RRAM crossbar
Figure FDA0003708629890000011
and the cell in row i, column j of the negative RRAM crossbar
Figure FDA0003708629890000012
;
Figure FDA0003708629890000013
which gives
Figure FDA0003708629890000013
Step 1.2. RRAM device mapping method 1:
Figure FDA0003708629890000014
Figure FDA0003708629890000015
RRAM device mapping method 2:
Figure FDA0003708629890000016
Figure FDA0003708629890000017
Step 1.3. According to the two mapping methods above, there are two stealing methods: stealing method 1 accesses one crossbar of each positive/negative crossbar pair, and stealing method 2 accesses both crossbars of each positive/negative crossbar pair; the corresponding wij is then inferred in each case; go to step 2.
Step 2. Against the two stealing methods, use two different countermeasures to enhance the security of the RRAM computing system, specifically as follows:
Step 2.1. Countermeasure against stealing method 1 of step 1.3: explore the bias space and apply a different bias to each neural network weight matrix element;
Step 2.2. Countermeasure against stealing method 2 of step 1.3: hide the row connections of each positive/negative crossbar pair by inserting a row obfuscation module; go to step 3.
Step 3. Use two heuristic algorithms to optimize the hardware overhead of the obfuscation module, specifically as follows:
Step 3.1. Optimization technique 1: reduce the number of multiplexers by adding a layer of demultiplexers;
Step 3.2. Optimization technique 2: protect only some layers of the neural network.
CN201911015821.1A 2019-10-24 2019-10-24 Memristor computing system security enhancement method Active CN110929859B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911015821.1A CN110929859B (en) 2019-10-24 2019-10-24 Memristor computing system security enhancement method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911015821.1A CN110929859B (en) 2019-10-24 2019-10-24 Memristor computing system security enhancement method

Publications (2)

Publication Number Publication Date
CN110929859A CN110929859A (en) 2020-03-27
CN110929859B true CN110929859B (en) 2022-09-06

Family

ID=69849426

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911015821.1A Active CN110929859B (en) 2019-10-24 2019-10-24 Memristor computing system security enhancement method

Country Status (1)

Country Link
CN (1) CN110929859B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113553793B (en) * 2021-06-08 2024-07-09 南京理工大学 Method for improving memory logic calculation efficiency based on memristor
CN114282667B (en) * 2021-12-08 2025-09-09 南京理工大学 Method for enhancing security of memristor computing system through heterogeneous architecture

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107533668A (en) * 2016-03-11 2018-01-02 慧与发展有限责任合伙企业 Hardware accelerators for computing node values for neural networks
CN109657787A (en) * 2018-12-19 2019-04-19 电子科技大学 A kind of neural network chip of two-value memristor

Also Published As

Publication number Publication date
CN110929859A (en) 2020-03-27

Similar Documents

Publication Publication Date Title
Masoumi Novel hybrid CMOS/memristor implementation of the AES algorithm robust against differential power analysis attack
Goldstein et al. Preventing DNN model IP theft via hardware obfuscation
Cai et al. Enabling Secure in-Memory Neural Network Computing by Sparse Fast Gradient Encryption.
CN111597551B (en) Protection method for side channel attack aiming at deep learning algorithm
Tol et al. Don't knock! Rowhammer at the backdoor of DNN models
Liu et al. Sequence triggered hardware trojan in neural network accelerator
CN110929859B (en) Memristor computing system security enhancement method
Zou et al. Security Enhancement for RRAM Computing System through Obfuscating Crossbar Row Connections.
Athanasiou et al. Masking feedforward neural networks against power analysis attacks
Zou et al. Review of security techniques for memristor computing systems
Mohseni et al. Protecting the intellectual property of binary deep neural networks with efficient spintronic-based hardware obfuscation
Khedkar et al. Power profile obfuscation using nanoscale memristive devices to counter DPA attacks
Wang et al. Safe, secure and trustworthy compute-in-memory accelerators
Shao et al. IMCE: an in-memory computing and encrypting hardware architecture for robust edge security
US10210350B2 (en) Electronic device against side channel attacks
Rezayati et al. A new paradigm for immunization of deep neural networks against replication attacks based on spintronics
Bhatta et al. Advancing PUF Security Machine Learning Assisted Modeling Attacks
Sapui et al. Side-channel Collision Attacks on Hyper-Dimensional Computing based on Emerging Resistive Memories
CN107689863A (en) A kind of arithmetic addition mask turns the protection circuit of Boolean XOR mask
Khedkar et al. RRAM motifs for mitigating differential power analysis attacks (DPA)
Zou et al. Tdpp: 2-d permutation-based protection of memristive deep neural networks
Ganesan et al. Blackjack: Secure machine learning on iot devices through hardware-based shuffling
Sapui et al. Power Side-Channel Analysis and Mitigation for Neural Network Accelerators based on Memristive Crossbars
Parrini et al. A Lightweight PUF-Based Weights Obfuscation Technique for Secure In-Memory AI Inference
Natarajan et al. Power Attack Vulnerability Assessment of Circuit-Level PRESENT Encryption IP Using Artificial Intelligence Mechanisms

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant