I. Introduction
IC supply chain globalization allows design companies, also known as design houses, to design and fabricate state-of-the-art hardware without owning a fabrication facility. However, this lack of control over the supply chain leads to a multitude of hardware security vulnerabilities. Among these security issues, Hardware Trojan (HT) insertion has been a significant concern for design houses that offshore their fabrication. This concern about modifications to the design netlist is amplified when the hardware in question is intended for mission-critical or sensitive applications such as the military, healthcare, and aerospace, to name a few. Mitigating HTs in Artificial Intelligence (AI) or Machine Learning (ML) hardware is a multi-layered challenge. HTs are malicious, unwanted, and intentional modifications to Integrated Circuits (ICs). These modifications can lead to a range of effects, from leaking information to altering the intended functionality of the IC [1]. ML accelerators are susceptible to HT attacks due to their complex and interconnected nature. The malicious alterations caused by HTs in Neural Networks (NNs) cause the model to produce deliberately false outputs. HTs could be added to the IC using either hardware or software. During training, software Trojans are typically incorporated into the NN parameters by data poisoning, creating a back door that only functions as intended when inputs contain the appropriate software Trojan triggers. HTs can be inserted into ML accelerators at various stages of their design, fabrication, testing, or assembly, as shown in Figure 2 [1], [2]. An HT injected into an NN typically includes a meticulously designed trigger and payload in order to jeopardize the integrity of the network. Adversaries can exploit the complex nature of ML accelerator designs to introduce subtle malicious modifications that can go undetected during manufacturing tests [3]–[6].
For instance, they can modify the design of a functional block to include additional circuits that perform malicious activities, such as leaking sensitive data or disrupting the normal functioning of the accelerator. Another way of introducing HTs is through the supply chain. Adversaries can tamper with the hardware at any point in manufacturing and testing, making it difficult to trace the attack's origin. Furthermore, insiders with access to the design or manufacturing process can also introduce HTs, making it even harder to detect malicious modifications to the original design. Therefore, it is crucial to implement robust security measures and thorough testing to detect and mitigate HTs in ML accelerators. These accelerators may later be used in safety-critical systems such as self-driving cars, as shown in Figure 1. One of the primary factors behind the stealthiness of HTs is their ability to preserve the original functionality of the hardware without noticeable modifications. HTs are designed to remain dormant until a specific trigger event occurs, such as a particular input pattern or signal. Once activated, the Trojan can perform various malicious actions, including leaking sensitive data or manipulating the system's output, without being detected by pre-silicon and post-silicon verification and testing methodologies [1]. Furthermore, ML hardware is often complex and contains many interconnected components, making it difficult to isolate and analyze individual sections of the design. The hardware may also use proprietary architectures, designs, and Intellectual Properties (IPs), making it difficult to develop standardized testing methods for detecting Trojans. Therefore, detecting and mitigating HTs in ML accelerators is very challenging. This highlights the need for a multi-faceted approach that implements robust security measures throughout the design, manufacturing, and supply chain processes to ensure the integrity of the hardware system.
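The trigger/payload structure described above, and the reason random manufacturing tests miss it, can be made concrete with a small simulation. The following is an added illustration and not code from the paper: it models a trusted (golden) 8-bit multiply-accumulate unit beside a design under test carrying a dormant payload, measures how rarely random vectors activate it, and then shows the defender-side check the paper's mitigation discussion points toward, namely flagging internal nets with near-zero switching probability and targeting them with directed vectors. The bit width, trigger pattern, net names, vector counts and rarity threshold are all assumptions chosen for the example.

```python
"""Toy model of a Hardware Trojan (HT) trigger and payload inside a
multiply-accumulate (MAC) datapath, used to compare test strategies.
Added example, not code from the paper: the 8-bit width, the trigger
pattern, the net names and the thresholds are assumptions."""
import random

WIDTH = 8
MASK = (1 << WIDTH) - 1

# Assumed trigger: a rare joint pattern on the two operand buses.
TRIGGER_A = 0xA5
TRIGGER_B = 0x3C


def golden_mac(a, b, acc):
    """Trusted reference model: 8-bit wraparound multiply-accumulate."""
    return (acc + a * b) & MASK


def trojaned_mac(a, b, acc):
    """Design under test (DUT): identical to the golden model until the
    trigger pattern arrives; the payload then flips the result's MSB,
    the kind of corrupted output that leads to a misclassification."""
    out = golden_mac(a, b, acc)
    if a == TRIGGER_A and b == TRIGGER_B:
        out ^= 1 << (WIDTH - 1)
    return out


def trigger_activation_fraction():
    """Exhaustively count operand pairs (acc = 0) on which the DUT deviates:
    the fraction of the input space a test vector has to hit."""
    hits = sum(1 for a in range(1 << WIDTH) for b in range(1 << WIDTH)
               if trojaned_mac(a, b, 0) != golden_mac(a, b, 0))
    return hits / (1 << (2 * WIDTH))


def random_functional_test(dut, n_vectors=10000, seed=1):
    """Manufacturing-style test: random vectors compared against the golden
    model. Returns the number of mismatches (almost always 0 here)."""
    rng = random.Random(seed)
    mismatches = 0
    for _ in range(n_vectors):
        a = rng.randrange(1 << WIDTH)
        b = rng.randrange(1 << WIDTH)
        acc = rng.randrange(1 << WIDTH)
        if dut(a, b, acc) != golden_mac(a, b, acc):
            mismatches += 1
    return mismatches


def internal_nets():
    """Internal nets an analyst would probe in the gate-level netlist, modelled
    here as Boolean functions of the inputs (assumed structure)."""
    return {
        "a_msb":        lambda a, b, acc: (a >> (WIDTH - 1)) & 1,
        "prod_bit8":    lambda a, b, acc: ((a * b) >> WIDTH) & 1,
        "acc_carry":    lambda a, b, acc: ((acc + (a * b & MASK)) >> WIDTH) & 1,
        "trig_a_match": lambda a, b, acc: int(a == TRIGGER_A),
        "trig_b_match": lambda a, b, acc: int(b == TRIGGER_B),
        "trigger":      lambda a, b, acc: int(a == TRIGGER_A and b == TRIGGER_B),
    }


def signal_probabilities(nets, n_vectors=20000, seed=1):
    """Estimate how often each net is 1 under random stimulus."""
    rng = random.Random(seed)
    counts = dict.fromkeys(nets, 0)
    for _ in range(n_vectors):
        a = rng.randrange(1 << WIDTH)
        b = rng.randrange(1 << WIDTH)
        acc = rng.randrange(1 << WIDTH)
        for name, fn in nets.items():
            counts[name] += fn(a, b, acc)
    return {name: c / n_vectors for name, c in counts.items()}


def rare_nets(probs, threshold=1e-3):
    """Flag nets that are almost never (or almost always) active: candidate
    trigger logic that random tests will not exercise."""
    return sorted(n for n, p in probs.items() if p < threshold or p > 1 - threshold)


def directed_test(dut, nets, rare_names):
    """For each flagged net, brute-force an operand pair (acc = 0) that drives
    it to 1 and check the DUT against the golden model at that point."""
    found = []
    for name in rare_names:
        fn = nets[name]
        for idx in range(1 << (2 * WIDTH)):
            a, b = idx >> WIDTH, idx & MASK
            if fn(a, b, 0):
                if dut(a, b, 0) != golden_mac(a, b, 0):
                    found.append((name, a, b))
                break
    return found


if __name__ == "__main__":
    nets = internal_nets()
    print("fraction of operand space activating the payload:", trigger_activation_fraction())
    print("mismatches from 10000 random vectors:", random_functional_test(trojaned_mac))
    rare = rare_nets(signal_probabilities(nets))
    print("rare nets flagged:", rare)
    print("directed-test mismatches:", directed_test(trojaned_mac, nets, rare))
```

The two halves make the paper's point from both sides: the payload is reachable from one operand pair in 65,536, so ten thousand random vectors almost never expose it, while the combined trigger net stands out as the only net with switching probability well below the partial-match nets (each at roughly 1/256), and a directed vector on that net produces the mismatch immediately. In a real netlist the nets come from the gate-level design rather than hand-written lambdas, and the search is done by an ATPG or SAT engine instead of brute force, but the flow is the same.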
In this paper, we discuss the threat of HTs in ML hardware accelerators, give insights into the hardware security vulnerabilities of ML hardware, and review potential mitigation methods in light of state-of-the-art HTs. This paper uses the term "Machine Learning Hardware Accelerators" to describe ASIC IPs that allow faster ML model processing. We do not investigate ML acceleration using GPUs, FPGAs, TPUs, or DSP platforms.
Figure 1: The malicious ML hardware accelerator shown wrongly classifies the label of an object. This misclassification, due to the presence of HT(s) in the ML hardware accelerator, may lead to a crash in self-driving cars.
Figure 2: Hardware Trojan threats (red) and potential mitigations (green) for AI/ML hardware accelerators through the IC supply chain.