# Defensive Approximation: Enhancing CNNs Security through Approximate Computing

###### tags: `Defense`
###### paper origin: IEEE Symposium on Security and Privacy 2021
###### papers: [link](https://arxiv.org/pdf/2006.07700.pdf)
###### slides and video: `none`

# 1. INTRODUCTION

## Research Problems

* Some proposed defenses have been shown to be **vulnerable to alternative attack strategies**.
* A second problem in deploying such systems is their **high power** and **computational requirements**, which make them challenging to deploy in embedded systems and latency-critical applications.

## Proposed Solutions

* A new hardware-based approach to improving the robustness of machine learning classifiers.
* Specifically, they propose to leverage **Approximate Computing (AC)**, a family of hardware techniques designed to improve the performance and power consumption of logic circuits and processing elements, at the cost of introducing some approximation to their operation.

## Defensive Approximation (DA)

* We show that for a variety of attack scenarios, and utilizing a range of algorithms for generating adversarial attacks, DA provides **substantial robustness** even under the assumptions of a powerful attacker (e.g., with full access to the classifier structure).
* DA **does not require retraining or fine-tuning**, allowing pre-trained models to benefit from its robustness and performance advantages by simply replacing the exact multiplier implementations with approximate ones.
* This results in a **less complex design** that is both **faster** and **more energy efficient**.
* Black-box attack
  * The attacker reverse engineers the approximate classifier and constructs a proxy of it that uses exact multipliers. Adversarial examples are generated using this proxy model. While **these examples transfer back to fool the exact classifier, they are not able to fool the approximate classifier**.
* White-box attack
  * The attacker has full access to the approximate classifier, and can use it to generate examples that reliably fool the approximate classifier. In this case, we show that **the amount of injected noise needed to fool the approximate classifier is substantially higher than the noise needed to fool an exact classifier**, for example resulting in around 4 dB degradation of the adversarial example (and a 6x increase in Mean Square Error) for DA relative to the ones that fool the exact classifier.

## Contributions

* We build an aggressively approximate floating-point multiplier that injects data-dependent noise within the convolution calculation. Based on this approximate multiplier, we **implement an approximate CNN hardware accelerator**.
* To the best of our knowledge, we are the first to **leverage AC to enhance CNN robustness to adversarial attacks without the need for re-training, fine-tuning or input pre-processing**. We investigate the capacity of AC to help defend against adversarial attacks.
* We empirically show that the proposed approximate implementation reduces the success rate of adversarial attacks by an average of **87%** and **71.5%** in the LeNet-5 and AlexNet CNNs respectively.
* We illustrate empirically that **white-box attacks require substantially higher adversarial perturbations** to fool the approximate classifier.
* We provide some insights into the impact of DA through a theoretical analysis.
* DA is highly practical; it can be deployed without retraining or fine-tuning, achieving comparable classification performance to exact classifiers. In addition to security advantages, DA improves performance by **reducing latency by 4x, energy by 2.5x**, and consequently, the energy delay product by 10x, making it an attractive choice even in edge device settings.

# 2. Implementation

## Approximate Floating Point Multiplier

* DA leverages a new approximate 32-bit floating-point multiplier, which we call the **approximate floating-point multiplier (Ax-FPM)**.
* For most of the floating-point number range, the normalized format is:

![](https://i.imgur.com/3tmpeJK.png)

* They choose to approximate the **mantissa multiplication unit**:
  * Approximating the mantissa prevents the massive noise injection that can result from perturbing the exponent or sign.
  * The mantissa multiplication consumes 81% of the overall power of the multiplier.

![](https://i.imgur.com/teKTzhN.png)

* The FAs (full adders) are aggressively approximated to inject computational noise within the circuit. We describe **Ax-FPM** by first presenting the approximate FA design, and then the approximate mantissa multiplier used to build the Ax-FPM.

![](https://i.imgur.com/pcAJOHM.png)
![](https://i.imgur.com/IQixSX4.png)

* They selected an array multiplier implementation because it is considered one of the **most power-efficient** and **highest-performing** among conventional multiplier architectures.
* They are interested in studying its behavior when dealing with small numbers ranging between **-1 and +1**, since most of the internal operations within CNNs are in this range.
* Three trends can be observed that will be used later to help understand the impact of the approximation on CNN security:
  * The data-dependent discontinuity of the approximation-induced errors.
  * In 96% of the cases, the approximate multiplication results in higher absolute values than the exact multiplication: for positive products, the approximate result is higher than the exact result, and for negative products the approximate result is lower than the exact result.
  * In general, the larger the multiplied numbers, the larger the error magnitude added to the approximate result.
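The following Python model is an added example (not code from the paper or its authors) of the Ax-FPM idea described above and of the approximate convolution discussed in the next section: the sign and exponent of a float32 product are computed exactly, while the 24x24-bit significand product goes through a bit-level array multiplier whose full-adder cell is pluggable. The approximate cell used here is AMA5 (sum = B, carry-out = A), which the page names only in the energy/delay results; its placement in every cell of the array, the helper names (`fp_multiply`, `array_multiply`, `error_profile`, `convolve2d`), the sample value pairs and the 5x5 edge image are all assumptions of this example. The model reproduces the paper's methodology (compare exact against approximate products over [-1, 1], then run a convolution through both), not its measured error trends, which depend on the authors' own FA design and wiring.

```python
import math
import struct

WIDTH = 24  # bits of a float32 significand, hidden 1 included


def f32(x):
    """Round a Python float to the nearest float32 (round-to-nearest-even)."""
    return struct.unpack('>f', struct.pack('>f', x))[0]


def decode(x):
    """Split a finite float32 into (sign, biased exponent, 24-bit significand)."""
    bits = struct.unpack('>I', struct.pack('>f', x))[0]
    sign, exp, frac = bits >> 31, (bits >> 23) & 0xFF, bits & 0x7FFFFF
    if exp == 0:                      # zero / subnormal: no hidden bit, exponent acts as 1
        return sign, 1, frac
    return sign, exp, frac | (1 << 23)


def exact_fa(a, b, cin):
    """Exact full-adder cell: (sum, carry-out)."""
    return a ^ b ^ cin, (a & b) | (a & cin) | (b & cin)


def ama5_fa(a, b, cin):
    """Approximate cell, assumed for this example: AMA5 (Gupta et al.) passes
    B through as the sum and A as the carry; the page does not give the paper's own cell."""
    return b, a


def array_multiply(x, y, fa, width=WIDTH):
    """Unsigned width x width array multiplier: one ripple-carry row per bit of y,
    every cell computing fa(accumulated bit, partial product, carry-in)."""
    pp = lambda i, j: ((x >> j) & 1) & ((y >> i) & 1)   # partial product x_j * y_i
    acc = [pp(0, j) for j in range(width)] + [0]          # running sum, LSB first
    done = []                                             # finalised low-order bits
    for i in range(1, width):
        done.append(acc[0])
        upper, carry, row = acc[1:], 0, []
        for j in range(width):
            s, carry = fa(upper[j], pp(i, j), carry)
            row.append(s)
        acc = row + [carry]
    return sum(b << k for k, b in enumerate(done + acc))


def fp_multiply(a, b, fa=exact_fa):
    """Float32 multiply keeping sign and exponent exact and pushing only the
    significand product through the chosen adder cell (the Ax-FPM idea)."""
    sa, ea, ma = decode(a)
    sb, eb, mb = decode(b)
    prod = array_multiply(ma, mb, fa)            # 48-bit significand product
    val = math.ldexp(prod, ea + eb - 300)        # a*b = ma*mb * 2^(ea-150) * 2^(eb-150)
    return f32(math.copysign(val, -1.0 if sa ^ sb else 1.0))


def error_profile(pairs, fa=ama5_fa):
    """Mean |approx - exact| and the fraction of products whose approximate
    absolute value exceeds the exact one (the paper's second trend)."""
    errs, bigger = [], 0
    for a, b in pairs:
        ex, ax = fp_multiply(a, b), fp_multiply(a, b, fa)
        errs.append(abs(ax - ex))
        bigger += abs(ax) > abs(ex)
    return sum(errs) / len(errs), bigger / len(pairs)


def convolve2d(image, kernel, mul):
    """'Valid' 2-D correlation where every pixel*weight product goes through mul."""
    kh, kw = len(kernel), len(kernel[0])
    out = []
    for r in range(len(image) - kh + 1):
        row = []
        for c in range(len(image[0]) - kw + 1):
            row.append(sum(mul(image[r + i][c + j], kernel[i][j])
                           for i in range(kh) for j in range(kw)))
        out.append(row)
    return out


if __name__ == "__main__":
    # Constructed sample pairs spread over [-1, 1], the range the paper studies
    pairs = [((k * 0.37) % 2 - 1, (k * 0.61) % 2 - 1) for k in range(1, 201)]
    mae, frac = error_profile(pairs)
    print(f"mean |error| = {mae:.4g}, |approx| > |exact| in {frac:.0%} of products")
    # Constructed 5x5 image with a vertical edge and a 3x3 edge-detecting filter
    image = [[0.1] * 2 + [0.9] * 3 for _ in range(5)]
    kernel = [[-0.25, 0.0, 0.25]] * 3
    for label, cell in (("exact", exact_fa), ("approx", ama5_fa)):
        conv = convolve2d(image, kernel, lambda p, w, c=cell: fp_multiply(p, w, c))
        print(label, [round(v, 3) for v in conv[0]])
```

With the exact cell the model reproduces IEEE float32 multiplication bit for bit, which is the check that the significand/exponent bookkeeping is right before any approximation is switched on. The AMA5 runs show the data dependence the page describes: inputs whose significands have few set bits (0.5 * 0.5) come out exact, while 0.75 * 0.75 already differs, and swapping `ama5_fa` for a different cell or restricting it to the low-order columns changes the error profile without touching the rest of the model.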
![](https://i.imgur.com/izFK7kw.png)

## Approximate Convolution

![](https://i.imgur.com/P9WkYwE.png)

* Convolution result of the filter and each input image using exact and approximate convolution:

![](https://i.imgur.com/RMN5uaU.png)

* Using the approximate convolution, the **main features** of the image that are important for image recognition **are retained** and further highlighted with higher scores, which later helps increase the confidence of the classification result.

# 3. Result

> In this section, we empirically explore the robustness properties of DA under a number of threat models. We first explore the transferability of adversarial attacks where we evaluate whether attacks crafted for exact CNNs transfer to approximate CNNs. We then consider direct attacks against approximate CNNs in both black and white-box settings.

### In this setting, the attacker has full knowledge of the classifier architecture and hyper-parameters, but does not know that the model uses approximate hardware.

![](https://i.imgur.com/2xmclVT.png)

### Success rate of different attacks under the exact-to-approximate transferability setting for MNIST.

![](https://i.imgur.com/T1u45pw.png)

### Success rate of different attacks under the exact-to-approximate transferability attack setting for CIFAR-10.

![](https://i.imgur.com/sR2YNTb.png)

### Black-box attack scenario (CIFAR-10).

![](https://i.imgur.com/5tFFKEE.png)
![](https://i.imgur.com/6Ipz5ob.png)

### White-box attack scenario (CIFAR-10).

![](https://i.imgur.com/W2gZoi1.png)

* In a white-box attack with an unconstrained noise budget, an adversary can always eventually succeed in causing an image to be misclassified. Thus, robustness against this type of attack comes in two forms:
  * The magnitude of the adversarial noise to be added: if this magnitude is high, it may exceed the attacker's ability to interfere, or make the attack easily detectable.
  * The number of iterations, and consequently the time needed to produce adversarial examples.

### L2 values measuring the distance between different clean samples from MNIST (white-box attacks make inference extremely slow, so they use only the C&W and DeepFool attacks).

* DeepFool

![](https://i.imgur.com/WTeqS6D.png)
![](https://i.imgur.com/rmYOr9k.png)

* C&W

![](https://i.imgur.com/U3xPZ3z.png)
![](https://i.imgur.com/ojPv4D9.png)

### Difference in confidence of the exact and approximate model for clean image samples from MNIST.

![](https://i.imgur.com/OCjwb67.png)
![](https://i.imgur.com/FG83Fso.png)

### Cumulative distribution of confidence.

![](https://i.imgur.com/d2W09By.png)

### Accuracy results of the LeNet-5 and AlexNet CNNs.

![](https://i.imgur.com/X1uzgFS.png)

### Energy, delay and EDP of the AMA5-based 24*24 approximate multiplier normalized to a conventional multiplier.

![](https://i.imgur.com/p0JR5Ov.png)

### Accuracy results when adding Gaussian noise to input images from the MNIST dataset.

![](https://i.imgur.com/1hlnvtS.png)

# 4. Report

## Conclusion:

* What makes this paper distinctive: it is the first work that proposes the use of hardware-supported approximation as a defense strategy against adversarial attacks for CNNs.
* It improves the attack resistance of CNNs in a simple and effective way.
* Because CNN execution does not require very high precision, this method works very well (in the proposed model, accuracy barely drops).
* Effectively attacking lower-precision hardware requires stronger noise, which therefore makes the attack easier to detect.
* No dataset changes or model retraining are needed; swapping out the hardware is enough.

## Questions:

* Is it less resistant to stronger noise? (This could be addressed by combining it with other defenses.)
* What is the impact of reduced precision on more complex models (e.g., object detection or tracking)?
* How should the precision trade-off be chosen?

## Supplement

"Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks"

Uses squeezing to remove unnecessary features and improve robustness, then uses the following flow to decide whether a sample is adversarial (similar to MagNet):

![](https://i.imgur.com/hYYHh9p.png)
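As an added example of the feature-squeezing detection flow in the supplement (this is not code from the Feature Squeezing paper or from the DA paper), the block below implements two squeezers from that line of work, bit-depth reduction and median smoothing, and the detection rule: run the classifier on the input and on each squeezed copy, take the largest L1 distance between the prediction vectors, and flag the input if it exceeds a threshold. The classifier is a constructed two-class stand-in (`toy_model`), the 8x8 gradient image, the checkerboard perturbation, the threshold of 0.5 and all function names are assumptions of this example; the real detector sits in front of a trained CNN and picks its threshold on validation data.

```python
import math


def reduce_bit_depth(img, bits):
    """Squeezer 1: quantise each pixel in [0, 1] to 2**bits levels."""
    levels = 2 ** bits - 1
    return [[round(p * levels) / levels for p in row] for row in img]


def median_smooth(img, size=3):
    """Squeezer 2: size x size median filter with edge-replicate padding."""
    h, w, k = len(img), len(img[0]), size // 2
    out = []
    for r in range(h):
        row = []
        for c in range(w):
            window = [img[min(max(r + dr, 0), h - 1)][min(max(c + dc, 0), w - 1)]
                      for dr in range(-k, k + 1) for dc in range(-k, k + 1)]
            row.append(sorted(window)[len(window) // 2])
        out.append(row)
    return out


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    return [v / sum(e) for v in e]


H = W = 8
CHECKER = [[1.0 if (r + c) % 2 == 0 else -1.0 for c in range(W)] for r in range(H)]


def toy_model(img):
    """Stand-in two-class classifier (assumption, not a trained CNN): class 0 scores
    overall brightness, class 1 scores a checkerboard pattern, i.e. the kind of
    high-frequency signal a small perturbation can drive without being visible."""
    z0 = 0.02 * sum(p for row in img for p in row)
    z1 = sum(p * CHECKER[r][c] for r, row in enumerate(img) for c, p in enumerate(row))
    return softmax([z0, z1])


SQUEEZERS = (lambda x: reduce_bit_depth(x, 1), median_smooth)


def squeeze_score(img, model=toy_model, squeezers=SQUEEZERS):
    """Largest L1 distance between the prediction on img and on any squeezed img."""
    p = model(img)
    return max(sum(abs(a - b) for a, b in zip(p, model(s(img)))) for s in squeezers)


def is_adversarial(img, threshold=0.5):
    """Detection rule: a legitimate input should predict the same before and after squeezing."""
    return squeeze_score(img) > threshold


def clean_image():
    """Constructed 8x8 sample: a vertical brightness gradient (rows 0.2 .. 0.9)."""
    return [[(r + 2) / 10] * W for r in range(H)]


def adversarial_image(eps=0.03):
    """Constructed 'adversarial' sample: the clean image plus a +-eps checkerboard,
    which flips the toy model to class 1 while staying visually close to the clean one."""
    clean = clean_image()
    return [[clean[r][c] + eps * CHECKER[r][c] for c in range(W)] for r in range(H)]


if __name__ == "__main__":
    for name, img in (("clean", clean_image()), ("adversarial", adversarial_image())):
        probs = toy_model(img)
        print(f"{name:12s} class={probs.index(max(probs))} "
              f"score={squeeze_score(img):.3f} flagged={is_adversarial(img)}")
```

The median filter is what catches this particular perturbation: because neighbouring rows of the gradient differ by more than 2*eps, each 3x3 window's median is the majority value of its centre row, which removes the checkerboard and sends the prediction back to class 0, so the L1 distance jumps well above the threshold; the clean image is almost unchanged by both squeezers and stays below it. This is the same reasoning the page gives for DA under white-box attack: a perturbation large enough to survive the defence becomes easier to detect.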