A heart attack patient recently discharged from hospital uses a smartwatch to monitor his EKG signals. The smartwatch may seem secure, but the neural network processing this health information uses private data that could still be stolen by a malicious agent via a side channel attack.
A side-channel attack seeks to gather secret information by indirectly exploiting a system or its hardware. In one type of side-channel attack, a savvy hacker could monitor fluctuations in the device’s power consumption while the neural network operates to extract protected information that “leaks” out of the device.
“In movies, when people want to open locked safes, they listen for the clicks of the lock as they turn it. This reveals that probably turning the lock in that direction will help them get further. That’s what a side-channel attack is. It just takes unintended information and uses it to predict what’s going on inside the device,” says Saurav Maji, a graduate student in the Department of Electrical Engineering and Computer Science (EECS) at MIT and lead author of a paper that addresses this issue.
Current methods that can prevent some side-channel attacks are notoriously power-hungry, so they are often not feasible for Internet of Things (IoT) devices like smartwatches, which rely on low-power computing.
Now Maji and his collaborators have built an integrated circuit chip that can defend against power side-channel attacks while using far less power than a common security technique. The chip, smaller than a thumbnail, could be embedded in a smartwatch, smartphone or tablet to perform secure machine learning calculations on sensor values.
“The goal of this project is to build an IC that does machine learning at the edge, so that it’s still low-power but can protect against those side-channel attacks so that we don’t lose confidentiality of these models,” says Anantha Chandrakasan, dean of the MIT School of Engineering, Vannevar Bush Professor of Electrical Engineering and Computer Science, and lead author of the paper. “People haven’t paid much attention to the security of these machine learning algorithms, and this proposed hardware effectively addresses that space.”
Co-authors include Utsav Banerjee, a former EECS graduate student who is now an assistant professor in the Department of Electronic Systems Engineering at the Indian Institute of Science, and Samuel Fuller, Visiting Scholar at MIT and Distinguished Fellow at Analog Devices. The research is presented at the International Solid-State Circuits Conference.
The chip developed by the team is based on a special type of calculation known as threshold calculation. Rather than running a neural network on real data, the data is first split into unique, random components. The network operates on these random components individually, in random order, before accumulating the final result.
Using this method, the leak of information from the device is random every time, so it does not reveal any real side channel information, Maji says. But this approach is computationally more expensive because the neural network now has to perform more operations and also requires more memory to store the scrambled information.
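The splitting step described above can be sketched in a few lines. This is an added example, not code from the paper or the chip: it covers only a linear dot product with public weights, and the 16-bit word size, the three shares and the Hamming-weight leakage model are assumptions chosen for illustration.

```python
import secrets

MOD = 1 << 16  # assumed 16-bit datapath (illustrative, not from the paper)

def split(x, n=3):
    """Split x into n additive shares mod MOD; any n-1 of them look uniform."""
    shares = [secrets.randbelow(MOD) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % MOD)
    return shares

def combine(shares):
    """Recombine shares into the value they encode."""
    return sum(shares) % MOD

def masked_dot(weights, inputs, n=3):
    """Dot product computed share by share, in random order, then accumulated."""
    shared = [split(x, n) for x in inputs]
    order = list(range(n))
    secrets.SystemRandom().shuffle(order)
    partial = [0] * n
    for s in order:
        # Only share s of every input is touched here, never the real value.
        partial[s] = sum(w * sh[s] for w, sh in zip(weights, shared)) % MOD
    return combine(partial)

def mean_hamming_weight(value, masked, trials=20000):
    """Average bit count of the word being processed (assumed leakage model)."""
    total = 0
    for _ in range(trials):
        # Masked: observe the share that depends on the value. Unmasked: the value.
        word = split(value)[-1] if masked else value
        total += bin(word).count("1")
    return total / trials

if __name__ == "__main__":
    print("masked dot product:", masked_dot([3, 5, 7], [10, 20, 30]))
    for secret in (0x0000, 0xFFFF):  # constructed sample values
        print(hex(secret),
              "unmasked HW:", mean_hamming_weight(secret, masked=False),
              "masked HW:", round(mean_hamming_weight(secret, masked=True), 2))
```

Without masking, the average bit count tracks the secret value (0 versus 16); with masking, it stays near 8 for both, which is why the measured leakage no longer distinguishes one input from another.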
So the researchers optimized the process by using a function that reduces the amount of multiplication the neural network needs to process the data, which significantly reduces the computing power required. They also protect the neural network itself by encrypting the model parameters. By grouping parameters into chunks before encrypting them, they provide more security while reducing the amount of memory needed on the chip.
“Using this special function, we can perform this operation skipping some steps with lesser impacts, which allows us to reduce overhead. We can reduce the cost, but it comes with other costs in terms of neural network accuracy. So we have to make a careful choice of the algorithm and the architectures we choose,” says Maji.
Existing secure computing methods such as homomorphic encryption offer strong security guarantees, but they incur huge overheads in area and power, which limits their use in many applications. The method proposed by the researchers, which aims to provide the same type of security, was able to reduce power consumption by three orders of magnitude. By streamlining the chip architecture, the researchers were also able to use less space on a silicon chip than similar security hardware, an important factor when implementing a chip on personal devices of this size.
While providing significant security against power side-channel attacks, the researchers’ chip requires 5.5 times more power and 1.6 times more silicon area than a basic insecure implementation.
“We are at the point where safety matters. We must be prepared to trade some power consumption to perform a safer calculation. It’s not a free lunch. Future research could focus on how to reduce the amount of overhead to make this calculation more secure,” Chandrakasan said.
They compared their chip to a default implementation that had no security hardware. In the default implementation, they were able to retrieve hidden information after collecting about 1,000 power waveforms (representations of power consumption over time) of the device. With the new hardware, even after collecting 2 million waveforms, they still couldn’t retrieve the data.
They also tested their chip with biomedical signal data to make sure it would work in a real-life implementation. The chip is flexible and can be programmed for any signal a user wants to analyze, Maji says.
In the future, the researchers hope to apply their approach to electromagnetic side-channel attacks. These attacks are harder to defend against because a hacker doesn’t need the physical device to collect hidden information.
This work was funded by Analog Devices, Inc. Chip fabrication assistance was provided by the University Shuttle Program of Taiwan Semiconductor Manufacturing Company.
Written by Adam Zewe, MIT News Office
The title of the article
“A neural network accelerator based on threshold implementation securing model parameters and inputs against power channel attacks”