-
Relaxed Multi-Tx DDM Online Calibration
Authors:
Mayeul Jeannin,
Oliver Lang,
Farhan Bin Khalid,
Dian Tresna Nugraha,
Mario Huemer
Abstract:
In multiple-input and multiple-output (MIMO) radar systems based on Doppler-division multiplexing (DDM), phase shifters are employed in the transmit paths and require calibration strategies to maintain optimal performance all along the radar system's life cycle. In this paper, we propose a novel family of DDM codes that enable an online calibration of the phase shifters that scale realistically to any number of simultaneously activated transmit (Tx)-channels during the calibration frames. To achieve this goal we employ the previously developed odd-DDM (ODDM) sequences to design calibration DDM codes with reduced inter-Tx leakage. The proposed calibration sequence is applied to an automotive radar data set modulated with erroneous phase shifters.
Submitted 25 June, 2024;
originally announced June 2024.
-
Transcending Controlled Environments: Assessing the Transferability of ASR-Robust NLU Models to Real-World Applications
Authors:
Hania Khan,
Aleena Fatima Khalid,
Zaryab Hassan
Abstract:
This research investigates the transferability of Automatic Speech Recognition (ASR)-robust Natural Language Understanding (NLU) models from controlled experimental conditions to practical, real-world applications. Focused on smart home automation commands in Urdu, the study assesses model performance under diverse noise profiles, linguistic variations, and ASR error scenarios. Leveraging the UrduBERT model, the research employs a systematic methodology involving real-world data collection, cross-validation, transfer learning, noise variation studies, and domain adaptation. Evaluation metrics encompass task-specific accuracy, latency, user satisfaction, and robustness to ASR errors. The findings contribute insights into the challenges and adaptability of ASR-robust NLU models in transcending controlled environments.
Submitted 12 January, 2024;
originally announced January 2024.
-
DeMiST: Detection and Mitigation of Stealthy Analog Hardware Trojans
Authors:
Enahoro Oriero,
Faiq Khalid,
Syed Rafay Hasan
Abstract:
The global semiconductor supply chain involves design and fabrication at various locations, which leads to multiple security vulnerabilities, e.g., Hardware Trojan (HT) insertion. Although most HTs target digital circuits, HTs can be inserted in analog circuits. Therefore, several techniques have been developed for HT insertions in analog circuits. The capacitance-based Analog Hardware Trojan (AHT) is one of the stealthiest HTs that can bypass most existing HT detection techniques because it uses negligible charge accumulation in the capacitor to generate stealthy triggers. To address the charge sharing and accumulation issues, we propose a novel way to detect such capacitance-based AHTs in this paper. Secondly, we critically analyzed existing AHTs to highlight their respective limitations. We proposed a stealthier capacitor-based AHT (fortified AHT) that can bypass our novel AHT detection technique by addressing these limitations. Finally, by critically analyzing the proposed fortified AHT and existing AHTs, we developed a robust two-phase framework (DeMiST) in which a synchronous system can mitigate the effects of capacitance-based stealthy AHTs by turning off the triggering capability of the AHT. In the first phase, we demonstrate how the synchronous system can avoid the AHT during run-time by controlling the supply voltage of the intermediate combinational circuits. In the second phase, we proposed a supply voltage duty cycle-based validation technique to detect capacitance-based AHTs. Furthermore, DeMiST amplified the switching activity for charge accumulation to such a degree that it can be easily detected using existing switching activity-based HT detection techniques.
Submitted 5 October, 2023;
originally announced October 2023.
-
SHIELD: An Adaptive and Lightweight Defense against the Remote Power Side-Channel Attacks on Multi-tenant FPGAs
Authors:
Mahya Morid Ahmadi,
Faiq Khalid,
Radha Vaidya,
Florian Kriebel,
Andreas Steininger,
Muhammad Shafique
Abstract:
Dynamic partial reconfiguration enables multi-tenancy in cloud-based FPGAs, which presents security challenges for tenants, IPs, and data. Malicious users can exploit FPGAs for remote side-channel attacks (SCAs), and shared on-chip resources can be used for attacks. Logical separation can ensure design integrity, but on-chip resources can still be exploited. Conventional SCA mitigation can help, but it requires significant effort, and bitstream checking techniques are not highly accurate. An active on-chip defense mechanism is needed for tenant confidentiality. Toward this, we propose a lightweight shielding technique utilizing ring oscillators (ROs) to protect applications against remote power SCA. Unlike existing RO-based approaches, in our methodology, an offline pre-processing stage is proposed to carefully configure power monitors and an obfuscating circuit concerning the resource constraints of the board. Detection of power fluctuations due to application execution enables the obfuscating circuit to flatten the power consumption trace. To evaluate the effectiveness of the proposed SHIELD, we implemented it on a Xilinx Zynq-7000 FPGA board executing an RSA encryption algorithm. Due to the SHIELD, the number of traces required to extract the encryption key is increased by 166x, making an attack extremely hard at run-time. Note that the proposed SHIELD does not require any modification in the target application. Our methodology also shows up to 54% less power consumption and up to 26% less area overhead than the state-of-the-art random noise-addition-based defense.
Submitted 11 March, 2023;
originally announced March 2023.
-
Security Analysis of Capsule Network Inference using Horizontal Collaboration
Authors:
Adewale Adeyemo,
Faiq Khalid,
Tolulope A. Odetola,
Syed Rafay Hasan
Abstract:
The traditional convolutional neural networks (CNNs) have several drawbacks like the Picasso effect and the loss of information by the pooling layer. The Capsule network (CapsNet) was proposed to address these challenges because its architecture can encode and preserve the spatial orientation of input images. Similar to traditional CNNs, CapsNet is also vulnerable to several malicious attacks, as studied by several researchers in the literature. However, most of these studies focus on single-device-based inference, but horizontally collaborative inference in state-of-the-art systems, like intelligent edge services in self-driving cars, voice controllable systems, and drones, nullifies most of these analyses. Horizontal collaboration implies partitioning the trained CNN models or CNN tasks to multiple end devices or edge nodes. Therefore, it is imperative to examine the robustness of the CapsNet against malicious attacks when deployed in horizontally collaborative environments. Towards this, we examine the robustness of the CapsNet when subjected to noise-based inference attacks in a horizontal collaborative environment. In this analysis, we perturbed the feature maps of the different layers of four DNN models, i.e., CapsNet, Mini-VGG, LeNet, and an in-house designed CNN (ConvNet) with the same number of parameters as CapsNet, using two types of noise-based attacks, i.e., the Gaussian Noise Attack and the FGSM noise attack. The experimental results show that, similar to the traditional CNNs, depending upon the access of the attacker to the DNN layer, the classification accuracy of the CapsNet drops significantly. For example, when the Gaussian Noise Attack is performed at the DigitCap layer of the CapsNet, the maximum classification accuracy drop is approximately 97%.
Submitted 22 September, 2021;
originally announced September 2021.
-
Side-Channel Attacks on RISC-V Processors: Current Progress, Challenges, and Opportunities
Authors:
Mahya Morid Ahmadi,
Faiq Khalid,
Muhammad Shafique
Abstract:
Side-channel attacks on microprocessors, like the RISC-V, exhibit security vulnerabilities that lead to several design challenges. Hence, it is imperative to study and analyze these security vulnerabilities comprehensively. In this paper, we present a brief yet comprehensive study of the security vulnerabilities in modern microprocessors with respect to side-channel attacks and their respective mitigation techniques. The focus of this paper is to analyze the hardware-exploitable side-channel attack using power consumption and software-exploitable side-channel attacks to manipulate cache. Towards this, we perform an in-depth analysis of the applicability and practical implications of cache attacks on RISC-V microprocessors and their associated challenges. Finally, based on the comparative study and our analysis, we highlight some key research directions to develop robust RISC-V microprocessors that are resilient to side-channel attacks.
Submitted 16 June, 2021;
originally announced June 2021.
-
FeSHI: Feature Map Based Stealthy Hardware Intrinsic Attack
Authors:
Tolulope Odetola,
Faiq Khalid,
Travis Sandefur,
Hawzhin Mohammed,
Syed Rafay Hasan
Abstract:
To reduce the time-to-market and access to state-of-the-art techniques, CNN hardware mapping and deployment on embedded accelerators are often outsourced to untrusted third parties, which is going to be more prevalent in futuristic artificial intelligence of things (AIoT) systems. These AIoT systems anticipate horizontal collaboration among different resource-constrained AIoT node devices, where CNN layers are partitioned and these devices collaboratively compute complex CNN tasks. This horizontal collaboration opens another attack surface to the CNN-based application, like inserting hardware Trojans (HT) into the embedded accelerators designed for the CNN. Therefore, there is a dire need to explore this attack surface for designing secure embedded hardware accelerators for CNNs. Towards this goal, in this paper, we exploited this attack surface to propose an HT-based attack called FeSHI. Since in horizontal collaboration of RC AIoT devices different sections of CNN architectures are outsourced to different untrusted third parties, the attacker may not know the input image, but it has access to the layer-by-layer output feature map information for the assigned sections of the CNN architecture. This attack exploits the statistical distribution, i.e., Gaussian distribution, of the layer-by-layer feature maps of the CNN to design two triggers for stealthy HT with a very low probability of triggering. Also, three different novel, stealthy and effective trigger designs are proposed.
Submitted 25 August, 2021; v1 submitted 12 June, 2021;
originally announced June 2021.
-
Exploiting Vulnerabilities in Deep Neural Networks: Adversarial and Fault-Injection Attacks
Authors:
Faiq Khalid,
Muhammad Abdullah Hanif,
Muhammad Shafique
Abstract:
From tiny pacemaker chips to aircraft collision avoidance systems, the state-of-the-art Cyber-Physical Systems (CPS) have increasingly started to rely on Deep Neural Networks (DNNs). However, as concluded in various studies, DNNs are highly susceptible to security threats, including adversarial attacks. In this paper, we first discuss different vulnerabilities that can be exploited for generating security attacks for neural network-based systems. We then provide an overview of existing adversarial and fault-injection-based attacks on DNNs. We also present a brief analysis to highlight different challenges in the practical implementation of adversarial attacks. Finally, we also discuss various prospective ways to develop robust DNN-based systems that are resilient to adversarial and fault-injection attacks.
Submitted 5 May, 2021;
originally announced May 2021.
-
Deep Learning based Joint Precoder Design and Antenna Selection for Partially Connected Hybrid Massive MIMO Systems
Authors:
Salman Khalid,
Waqas bin Abbas,
Farhan Khalid
Abstract:
Efficient resource allocation with hybrid precoder design is essential for massive MIMO systems operating in the millimeter wave (mmW) domain. Owing to the higher energy efficiency and lower complexity of a partially connected hybrid architecture, in this letter, we propose a joint deep convolutional neural network (CNN) based scheme for precoder design and antenna selection of a partially connected massive MIMO hybrid system. Precoder design and antenna selection are formulated as a regression and a classification problem, respectively, for the CNN. The channel data is fed to the first CNN network, which outputs a subset of selected antennas having the optimal spectral efficiency. This subset is again fed to the second CNN to obtain the block diagonal precoder for a partially connected architecture. Simulation results verify the superiority of the CNN based approach over conventional iterative and alternating minimization (alt-min) algorithms. Moreover, the proposed scheme is computationally efficient and is not very sensitive to channel irregularities.
Submitted 2 February, 2021;
originally announced February 2021.
-
PANDA Phase One
Authors:
G. Barucca,
F. Davì,
G. Lancioni,
P. Mengucci,
L. Montalto,
P. P. Natali,
N. Paone,
D. Rinaldi,
L. Scalise,
B. Krusche,
M. Steinacher,
Z. Liu,
C. Liu,
B. Liu,
X. Shen,
S. Sun,
G. Zhao,
J. Zhao,
M. Albrecht,
W. Alkakhi,
S. Bökelmann,
S. Coen,
F. Feldbauer,
M. Fink,
J. Frech,
et al. (399 additional authors not shown)
Abstract:
The Facility for Antiproton and Ion Research (FAIR) in Darmstadt, Germany, provides unique possibilities for a new generation of hadron-, nuclear- and atomic physics experiments. The future antiProton ANnihilations at DArmstadt (PANDA or $\overline{\rm P}$ANDA) experiment at FAIR will offer a broad physics programme, covering different aspects of the strong interaction. Understanding the latter in the non-perturbative regime remains one of the greatest challenges in contemporary physics. The antiproton-nucleon interaction studied with PANDA provides crucial tests in this area. Furthermore, the high-intensity, low-energy domain of PANDA allows for searches for physics beyond the Standard Model, e.g. through high precision symmetry tests. This paper takes into account a staged approach for the detector setup and for the delivered luminosity from the accelerator. The available detector setup at the time of the delivery of the first antiproton beams in the HESR storage ring is referred to as the "Phase One" setup. The physics programme that is achievable during Phase One is outlined in this paper.
Submitted 9 June, 2021; v1 submitted 28 January, 2021;
originally announced January 2021.
-
GNNUnlock: Graph Neural Networks-based Oracle-less Unlocking Scheme for Provably Secure Logic Locking
Authors:
Lilas Alrahis,
Satwik Patnaik,
Faiq Khalid,
Muhammad Abdullah Hanif,
Hani Saleh,
Muhammad Shafique,
Ozgur Sinanoglu
Abstract:
In this paper, we propose GNNUnlock, the first-of-its-kind oracle-less machine learning-based attack on provably secure logic locking that can identify any desired protection logic without focusing on a specific syntactic topology. The key is to leverage a well-trained graph neural network (GNN) to identify all the gates in a given locked netlist that belong to the targeted protection logic, without requiring an oracle. This approach fits perfectly with the targeted problem since a circuit is a graph with an inherent structure and the protection logic is a sub-graph of nodes (gates) with specific and common characteristics. GNNs are powerful in capturing the nodes' neighborhood properties, facilitating the detection of the protection logic. To rectify any misclassifications induced by the GNN, we additionally propose a connectivity analysis-based post-processing algorithm to successfully remove the predicted protection logic, thereby retrieving the original design. Our extensive experimental evaluation demonstrates that GNNUnlock is 99.24%-100% successful in breaking various benchmarks locked using stripped-functionality logic locking, tenacious and traceless logic locking, and Anti-SAT. Our proposed post-processing enhances the detection accuracy, reaching 100% for all of our tested locked benchmarks. Analysis of the results corroborates that GNNUnlock is powerful enough to break the considered schemes under different parameters, synthesis settings, and technology nodes. The evaluation further shows that GNNUnlock successfully breaks corner cases where even the most advanced state-of-the-art attacks fail.
Submitted 10 December, 2020;
originally announced December 2020.
-
MacLeR: Machine Learning-based Run-Time Hardware Trojan Detection in Resource-Constrained IoT Edge Devices
Authors:
Faiq Khalid,
Syed Rafay Hasan,
Sara Zia,
Osman Hasan,
Falah Awwad,
Muhammad Shafique
Abstract:
Traditional learning-based approaches for run-time Hardware Trojan detection require complex and expensive on-chip data acquisition frameworks and thus incur high area and power overhead. To address these challenges, we propose to leverage the power correlation between the executing instructions of a microprocessor to establish a machine learning-based run-time Hardware Trojan (HT) detection framework, called MacLeR. To reduce the overhead of data acquisition, we propose a single power-port current acquisition block using current sensors in time-division multiplexing, which increases accuracy while incurring reduced area overhead. We have implemented a practical solution by analyzing multiple HT benchmarks inserted in the RTL of a system-on-chip (SoC) consisting of four LEON3 processors integrated with other IPs like vga_lcd, RSA, AES, Ethernet, and memory controllers. Our experimental results show that compared to state-of-the-art HT detection techniques, MacLeR achieves 10% better HT detection accuracy (i.e., 96.256%) while incurring a 7x reduction in area and power overhead (i.e., 0.025% of the area of the SoC and <0.07% of the power of the SoC). In addition, we also analyze the impact of process variation and aging on the extracted power profiles and the HT detection accuracy of MacLeR. Our analysis shows that variations in fine-grained power profiles due to the HTs are significantly higher compared to the variations in fine-grained power profiles caused by the process variations (PV) and aging effects. Moreover, our analysis demonstrates that, on average, the HT detection accuracy drop in MacLeR is less than 1% and 9% when considering only PV and PV with worst-case aging, respectively, which is ~10x less than in the case of the state-of-the-art ML-based HT detection technique.
Submitted 20 November, 2020;
originally announced November 2020.
-
User Selection in Millimeter Wave Massive MIMO System using Convolutional Neural Networks
Authors:
Salman Khalid,
Waqas bin Abbas,
Farhan Khalid,
Michele Zorzi
Abstract:
A hybrid architecture for millimeter wave (mmW) massive MIMO systems is considered practically implementable due to low power consumption and high energy efficiency. However, due to the limited number of RF chains, user selection becomes necessary for such architecture. Traditional user selection algorithms suffer from high computational complexity and, therefore, may not be scalable in 5G and beyond wireless mobile communications. To address this issue, in this letter we propose a low complexity CNN framework for user selection. The proposed CNN accepts as input the channel matrix and gives as output the selected users. Simulation results show that the proposed CNN performs close to optimal exhaustive search in terms of achievable rate, with negligible computational complexity. In addition, CNN based user selection outperforms the evolutionary algorithm and the greedy algorithm in terms of both achievable rate and computational complexity. Finally, simulation results also show that the proposed CNN based user selection scheme is robust to channel imperfections.
Submitted 30 June, 2020;
originally announced June 2020.
-
FANNet: Formal Analysis of Noise Tolerance, Training Bias and Input Sensitivity in Neural Networks
Authors:
Mahum Naseer,
Mishal Fatima Minhas,
Faiq Khalid,
Muhammad Abdullah Hanif,
Osman Hasan,
Muhammad Shafique
Abstract:
With a constant improvement in the network architectures and training methodologies, Neural Networks (NNs) are increasingly being deployed in real-world Machine Learning systems. However, despite their impressive performance on "known inputs", these NNs can fail absurdly on the "unseen inputs", especially if these real-time inputs deviate from the training dataset distributions, or contain certain types of input noise. This indicates the low noise tolerance of NNs, which is a major reason for the recent increase of adversarial attacks. This is a serious concern, particularly for safety-critical applications, where inaccurate results lead to dire consequences. We propose a novel methodology that leverages model checking for the Formal Analysis of Neural Networks (FANNet) under different input noise ranges. Our methodology allows us to rigorously analyze the noise tolerance of NNs, their input node sensitivity, and the effects of training bias on their performance, e.g., in terms of classification accuracy. For evaluation, we use a feed-forward fully-connected NN architecture trained for Leukemia classification. Our experimental results show $\pm 11\%$ noise tolerance for the given trained network, identify the most sensitive input nodes, and confirm the bias of the available training dataset.
Submitted 14 May, 2020; v1 submitted 3 December, 2019;
originally announced December 2019.
-
Learning scale-variant features for robust iris authentication with deep learning based ensemble framework
Authors:
Siming Zheng,
Rahmita Wirza O. K. Rahmat,
Fatimah Khalid,
Nurul Amelina Nasharuddin
Abstract:
In recent years, the mobile Internet has accelerated the proliferation of smart mobile development. Mobile payment, mobile security and privacy protection have become the focus of widespread attention. Iris recognition has become a high-security authentication technology in these fields; it is widely used in distinct scientific fields as a biometric authentication method. The Convolutional Neural Network (CNN) is one of the mainstream deep learning approaches for image recognition, whereas its anti-noise ability is weak and it needs a certain amount of memory to train in image classification tasks. Under these conditions we put forward a fine-tuning neural network model based on the Mask R-CNN and Inception V4 neural network models, which integrates every component in an overall system that combines the iris detection, extraction, and recognition functions as an iris recognition system. The proposed framework has the characteristics of scalability and high availability; it can not only learn part-whole relationships of the iris image but also enhance the robustness of the whole framework. Importantly, the proposed model can be trained using different spectra of samples, such as Visible Wavelength (VW) and Near Infrared (NIR) iris biometric databases. An average recognition accuracy of 99.10% is achieved while executing on the Jetson Nano mobile edge computing device.
Submitted 13 June, 2020; v1 submitted 2 December, 2019;
originally announced December 2019.
-
Is Spiking Secure? A Comparative Study on the Security Vulnerabilities of Spiking and Deep Neural Networks
Authors:
Alberto Marchisio,
Giorgio Nanfa,
Faiq Khalid,
Muhammad Abdullah Hanif,
Maurizio Martina,
Muhammad Shafique
Abstract:
Spiking Neural Networks (SNNs) claim to present many advantages in terms of biological plausibility and energy efficiency compared to standard Deep Neural Networks (DNNs). Recent works have shown that DNNs are vulnerable to adversarial attacks, i.e., small perturbations added to the input data can lead to targeted or random misclassifications. In this paper, we aim at investigating the key research question: "Are SNNs secure?" Towards this, we perform a comparative study of the security vulnerabilities in SNNs and DNNs w.r.t. the adversarial noise. Afterwards, we propose a novel black-box attack methodology, i.e., without the knowledge of the internal structure of the SNN, which employs a greedy heuristic to automatically generate imperceptible and robust adversarial examples (i.e., attack images) for the given SNN. We perform an in-depth evaluation for a Spiking Deep Belief Network (SDBN) and a DNN having the same number of layers and neurons (to obtain a fair comparison), in order to study the efficiency of our methodology and to understand the differences between SNNs and DNNs w.r.t. the adversarial examples. Our work opens new avenues of research towards the robustness of the SNNs, considering their similarities to the human brain's functionality.
Submitted 18 May, 2020; v1 submitted 4 February, 2019;
originally announced February 2019.
-
RED-Attack: Resource Efficient Decision based Attack for Machine Learning
Authors:
Faiq Khalid,
Hassan Ali,
Muhammad Abdullah Hanif,
Semeen Rehman,
Rehan Ahmed,
Muhammad Shafique
Abstract:
Due to data dependency and model leakage properties, Deep Neural Networks (DNNs) exhibit several security vulnerabilities. Several security attacks exploited them, but most of them require the output probability vector. These attacks can be mitigated by concealing the output probability vector. To address this limitation, decision-based attacks have been proposed which can estimate the model, but they require several thousand queries to generate a single untargeted attack image. However, in real-time attacks, resources and attack time are very crucial parameters. Therefore, in resource-constrained systems, e.g., autonomous vehicles where an untargeted attack can have a catastrophic effect, these attacks may not work efficiently. To address this limitation, we propose a resource efficient decision-based methodology which generates the imperceptible attack, i.e., the RED-Attack, for a given black-box model. The proposed methodology follows two main steps to generate the imperceptible attack, i.e., classification boundary estimation and adversarial noise optimization. Firstly, we propose a half-interval search-based algorithm for estimating a sample on the classification boundary using a target image and a randomly selected image from another class. Secondly, we propose an optimization algorithm which first introduces a small perturbation in some randomly selected pixels of the estimated sample. Then, to ensure imperceptibility, it optimizes the distance between the perturbed and target samples. For illustration, we evaluate it for CIFAR-10 and German Traffic Sign Recognition (GTSR) using state-of-the-art networks.
Submitted 30 January, 2019; v1 submitted 29 January, 2019;
originally announced January 2019.
-
CapsAttacks: Robust and Imperceptible Adversarial Attacks on Capsule Networks
Authors:
Alberto Marchisio,
Giorgio Nanfa,
Faiq Khalid,
Muhammad Abdullah Hanif,
Maurizio Martina,
Muhammad Shafique
Abstract:
Capsule Networks preserve the hierarchical spatial relationships between objects, and thereby bear a potential to surpass the performance of traditional Convolutional Neural Networks (CNNs) in performing tasks like image classification. A large body of work has explored adversarial examples for CNNs, but their effectiveness on Capsule Networks has not yet been well studied. In our work, we perform an analysis to study the vulnerabilities in Capsule Networks to adversarial attacks. These perturbations, added to the test inputs, are small and imperceptible to humans, but can fool the network to mispredict. We propose a greedy algorithm to automatically generate targeted imperceptible adversarial examples in a black-box attack scenario. We show that this kind of attack, when applied to the German Traffic Sign Recognition Benchmark (GTSRB), misleads Capsule Networks. Moreover, we apply the same kind of adversarial attacks to a 5-layer CNN and a 9-layer CNN, and analyze the outcome, compared to the Capsule Networks, to study differences in their behavior.
Submitted 24 May, 2019; v1 submitted 28 January, 2019;
originally announced January 2019.
-
SIMCom: Statistical Sniffing of Inter-Module Communications for Run-time Hardware Trojan Detection
Authors:
Faiq Khalid,
Syed Rafay Hasan,
Osman Hasan,
Muhammad Shafique
Abstract:
Timely detection of Hardware Trojans (HTs) has become a major challenge for secure integrated circuits. We present a run-time methodology for HT detection that employs a multi-parameter statistical traffic modeling of the communication channel in a given System-on-Chip (SoC), named SIMCom. The main idea is to model the communication using multiple side-channel information like the Hurst exponent, the standard deviation of the injection distribution, and the hop distribution jointly to accurately identify HT-based online anomalies (that affect the communication without affecting the protocols or control signals). At design time, our methodology employs a "property specification language" to define and embed assertions in the RTL, specifying the correct communication behavior of a given SoC. At run-time, it monitors the anomalies in the communication behavior by checking the execution patterns against these assertions. For illustration, we evaluate SIMCom for three SoCs, i.e., SoC1 (four single-core MC8051 and UART modules), SoC2 (four single-core MC8051, AES, ethernet, memctrl, BasicRSA, RS232 modules), and SoC3 (four single-core LEON3 connected with each other and AES, ethernet, memctrl, BasicRSA, RS232 modules). The experimental results show that with the combined analysis of multiple statistical parameters, SIMCom is able to detect all the benchmark Trojans (available on trust-hub) with less than 1% area and power overhead.
Submitted 23 May, 2020; v1 submitted 4 November, 2018;
originally announced January 2019.
-
ForASec: Formal Analysis of Security Vulnerabilities in Sequential Circuits
Authors:
Faiq Khalid,
Imran Hafeez Abbassi,
Semeen Rehman,
Awais Mehmood Kamboh,
Osman Hasan,
Muhammad Shafique
Abstract:
Security vulnerability analysis of Integrated Circuits using conventional design-time validation and verification techniques (like simulations, emulations, etc.) is generally a computationally intensive task and incomplete by nature, especially under limited resources and time constraints. To overcome this limitation, we propose a novel methodology based on model checking to formally analyze security vulnerabilities in sequential circuits while considering side-channel parameters like propagation delay, switching power, and leakage power. In particular, we present a novel algorithm to efficiently partition the state-space into corresponding smaller state-spaces to enable distributed security analysis of complex sequential circuits and thereby mitigating the associated state-space explosion due to their feedback loops. We analyze multiple ISCAS89 and trust-hub benchmarks to demonstrate the efficacy of our framework in identifying security vulnerabilities. The experimental results show that ForASec successfully performs the complete analysis of the given complex and large sequential circuits, and provides approximately 11x to 16x speedup in analysis time compared to state-of-the-art model checking-based techniques. Moreover, it also identifies the number of gates required by an HT that can go undetected for a given design and variability conditions.
Submitted 21 April, 2021; v1 submitted 4 November, 2018;
originally announced December 2018.
-
TrojanZero: Switching Activity-Aware Design of Undetectable Hardware Trojans with Zero Power and Area Footprint
Authors:
Imran Hafeez Abbassi,
Faiq Khalid,
Semeen Rehman,
Awais Mehmood Kamboh,
Axel Jantsch,
Siddharth Garg,
Muhammad Shafique
Abstract:
Conventional Hardware Trojan (HT) detection techniques are based on the validation of integrated circuits to determine changes in their functionality, and on non-invasive side-channel analysis to identify the variations in their physical parameters. In particular, almost all the proposed side-channel power-based detection techniques presume that HTs are detectable because they only add gates to the original circuit with a noticeable increase in power consumption. This paper demonstrates how undetectable HTs can be realized with zero impact on the power and area footprint of the original circuit. Towards this, we propose a novel concept of TrojanZero and a systematic methodology for designing undetectable HTs in the circuits, which conceals their existence by gate-level modifications. The crux is to salvage the cost of the HT from the original circuit without being detected using standard testing techniques. Our methodology leverages the knowledge of transition probabilities of the circuit nodes to identify and safely remove expendable gates, and embeds malicious circuitry at the appropriate locations with zero power and area overheads when compared to the original circuit. We synthesize these designs and then embed them in multiple ISCAS85 benchmarks using a 65nm technology library, and perform a comprehensive power and area characterization. Our experimental results demonstrate that the proposed TrojanZero designs are undetectable by the state-of-the-art power-based detection methods.
Submitted 5 November, 2018;
originally announced December 2018.
-
ApproxCS: Near-Sensor Approximate Compressed Sensing for IoT-Healthcare Systems
Authors:
Ayesha Siddique,
Osman Hasan,
Faiq Khalid,
Muhammad Shafique
Abstract:
Internet of Things (IoT) is an emerging trend that has enabled an upgrade in the design of wearable healthcare monitoring systems through the (integrated) edge, fog, and cloud computing paradigm. Energy efficiency is one of the most important design metrics in such IoT-healthcare systems, especially for the edge and fog nodes. Due to the sensing noise and inherent redundancy in the input data, even the most safety-critical biomedical applications can sometimes afford a slight degradation in the output quality. Hence, such inherent error tolerance in the bio-signals can be exploited to achieve high energy savings through emerging trends like Approximate Computing, which is applicable at both software and hardware levels. In this paper, we propose to leverage approximate computing in digital Compressed Sensing (CS), through low-power approximate adders (LPAA) in an accurate Bernoulli sensing-based CS acquisition (BCS). We demonstrate that approximations can indeed be safely employed in IoT healthcare without affecting the detection of critical events in the biomedical signals. Towards this, we explored the trade-off between energy efficiency and output quality using the state-of-the-art lp2d RLS reconstruction algorithm. The proposed framework is validated with the MIT-BIH Arrhythmia database. Our results demonstrated approximately 59% energy savings as compared to the accurate design.
Submitted 18 November, 2018;
originally announced November 2018.
-
Security for Machine Learning-based Systems: Attacks and Challenges during Training and Inference
Authors:
Faiq Khalid,
Muhammad Abdullah Hanif,
Semeen Rehman,
Muhammad Shafique
Abstract:
The exponential increase in dependencies between the cyber and physical world leads to an enormous amount of data which must be efficiently processed and stored. Therefore, computing paradigms are evolving towards machine learning (ML)-based systems because of their ability to efficiently and accurately process the enormous amount of data. Although ML-based solutions address the efficient computing requirements of big data, they introduce (new) security vulnerabilities into the systems, which cannot be addressed by traditional monitoring-based security measures. Therefore, this paper first presents a brief overview of various security threats in machine learning, their respective threat models and associated research challenges to develop robust security measures. To illustrate the security vulnerabilities of ML during training, inferencing and hardware implementation, we demonstrate some key security threats on ML using LeNet and VGGNet for MNIST and German Traffic Sign Recognition Benchmarks (GTSRB), respectively. Moreover, based on the security analysis of ML-training, we also propose an attack that has very little impact on the inference accuracy. Towards the end, we highlight the associated research challenges in developing security measures and provide a brief overview of the techniques used to mitigate such security threats.
Submitted 4 November, 2018;
originally announced November 2018.
-
FAdeML: Understanding the Impact of Pre-Processing Noise Filtering on Adversarial Machine Learning
Authors:
Faiq Khalid,
Muhammad Abdullah Hanif,
Semeen Rehman,
Junaid Qadir,
Muhammad Shafique
Abstract:
Deep neural networks (DNN)-based machine learning (ML) algorithms have recently emerged as the leading ML paradigm, particularly for the task of classification, due to their superior capability of learning efficiently from large datasets. The discovery of a number of well-known attacks such as dataset poisoning, adversarial examples, and network manipulation (through the addition of malicious nodes) has, however, put the spotlight squarely on the lack of security in DNN-based ML systems. In particular, malicious actors can use these well-known attacks to cause random/targeted misclassification, or cause a change in the prediction confidence, by only slightly but systematically manipulating the environmental parameters, inference data, or the data acquisition block. Most of the prior adversarial attacks have, however, not accounted for the pre-processing noise filters commonly integrated with the ML-inference module. Our contribution in this work is to show that this is a major omission since these noise filters can render ineffective the majority of the existing attacks, which rely essentially on introducing adversarial noise. Apart from this, we also extend the state of the art by proposing a novel pre-processing noise Filter-aware Adversarial ML attack called FAdeML. To demonstrate the effectiveness of the proposed methodology, we generate an adversarial attack image by exploiting the "VGGNet" DNN trained for the "German Traffic Sign Recognition Benchmarks (GTSRB)" dataset, which, despite having no visual noise, can cause a classifier to misclassify even in the presence of pre-processing noise filters.
Submitted 4 November, 2018;
originally announced November 2018.
-
SSCNets: Robustifying DNNs using Secure Selective Convolutional Filters
Authors:
Hassan Ali,
Faiq Khalid,
Hammad Tariq,
Muhammad Abdullah Hanif,
Semeen Rehman,
Rehan Ahmed,
Muhammad Shafique
Abstract:
In this paper, we introduce a novel technique based on the Secure Selective Convolutional (SSC) techniques in the training loop that increases the robustness of a given DNN by allowing it to learn the data distribution based on the important edges in the input image. We validate our technique on Convolutional DNNs against the state-of-the-art attacks from the open-source Cleverhans library using the MNIST, the CIFAR-10, and the CIFAR-100 datasets. Our experimental results show that the attack success rate, as well as the imperceptibility of the adversarial images, can be significantly reduced by adding effective pre-processing functions, i.e., Sobel filtering.
Submitted 14 May, 2020; v1 submitted 4 November, 2018;
originally announced November 2018.
-
QuSecNets: Quantization-based Defense Mechanism for Securing Deep Neural Network against Adversarial Attacks
Authors:
Faiq Khalid,
Hassan Ali,
Hammad Tariq,
Muhammad Abdullah Hanif,
Semeen Rehman,
Rehan Ahmed,
Muhammad Shafique
Abstract:
Adversarial examples have emerged as a significant threat to machine learning algorithms, especially to the convolutional neural networks (CNNs). In this paper, we propose two quantization-based defense mechanisms, Constant Quantization (CQ) and Trainable Quantization (TQ), to increase the robustness of CNNs against adversarial examples. CQ quantizes input pixel intensities based on a "fixed" number of quantization levels, while in TQ, the quantization levels are "iteratively learned during the training phase", thereby providing a stronger defense mechanism. We apply the proposed techniques on undefended CNNs against different state-of-the-art adversarial attacks from the open-source Cleverhans library. The experimental results demonstrate 50%-96% and 10%-50% increase in the classification accuracy of the perturbed images generated from the MNIST and the CIFAR-10 datasets, respectively, on a commonly used CNN (Conv2D(64, 8x8) - Conv2D(128, 6x6) - Conv2D(128, 5x5) - Dense(10) - Softmax()) available in the Cleverhans library.
Submitted 14 May, 2020; v1 submitted 4 November, 2018;
originally announced November 2018.
-
TrISec: Training Data-Unaware Imperceptible Security Attacks on Deep Neural Networks
Authors:
Faiq Khalid,
Muhammad Abdullah Hanif,
Semeen Rehman,
Rehan Ahmed,
Muhammad Shafique
Abstract:
Most of the data manipulation attacks on deep neural networks (DNNs) during the training stage introduce a perceptible noise that can be catered by preprocessing during inference or can be identified during the validation phase. Therefore, data poisoning attacks during inference (e.g., adversarial attacks) are becoming more popular. However, many of them do not consider the imperceptibility factor in their optimization algorithms, and can be detected by correlation and structural similarity analysis, or be noticeable (e.g., by humans) in a multi-level security system. Moreover, the majority of the inference attacks rely on some knowledge about the training dataset. In this paper, we propose a novel methodology which automatically generates imperceptible attack images by using the back-propagation algorithm on pre-trained DNNs, without requiring any information about the training dataset (i.e., completely training data-unaware). We present a case study on traffic sign detection using the VGGNet trained on the German Traffic Sign Recognition Benchmarks dataset in an autonomous driving use case. Our results demonstrate that the generated attack images successfully perform misclassification while remaining imperceptible in both "subjective" and "objective" quality tests.
Submitted 14 May, 2020; v1 submitted 2 November, 2018;
originally announced November 2018.
-
A Roadmap Towards Resilient Internet of Things for Cyber-Physical Systems
Authors:
Denise Ratasich,
Faiq Khalid,
Florian Geissler,
Radu Grosu,
Muhammad Shafique,
Ezio Bartocci
Abstract:
The Internet of Things (IoT) is a ubiquitous system connecting many different devices - the things - which can be accessed from a distance. The cyber-physical systems (CPS) monitor and control the things from a distance. As a result, the concepts of dependability and security get deeply intertwined. The increasing level of dynamicity, heterogeneity, and complexity adds to the system's vulnerability, and challenges its ability to react to faults. This paper summarizes the state of the art of existing work on anomaly detection, fault-tolerance and self-healing, and adds a number of other methods applicable to achieve resilience in an IoT. We particularly focus on non-intrusive methods ensuring data integrity in the network. Furthermore, this paper presents the main challenges in building a resilient IoT for CPS, which is crucial in the era of smart CPS with enhanced connectivity (an excellent example of such a system is connected autonomous vehicles). It further summarizes our solutions, work-in-progress and future work on this topic to enable "Trustworthy IoT for CPS". Finally, this framework is illustrated on a selected use case: a smart sensor infrastructure in the transport domain.
Submitted 6 November, 2018; v1 submitted 16 October, 2018;
originally announced October 2018.