Abstract

Hardware accelerator-based CNNs (HA-CNNs), particularly FPGA-based ones, are increasingly popular for accelerating inference because they are easy to prototype and flexible. However, outsourcing the accelerator design to third-party (3P) design firms raises integrity concerns: such a firm may insert malicious circuitry (a hardware Trojan) into the HA-CNN to compromise its behaviour. To address this issue, we propose a two-phase methodology called Feature Map Modification and Hardware–Software Co-Comparison (FM-ModComp). In the first phase, FM-ModComp modifies the probability distribution function (PDF) of the validation-dataset feature maps and uses this modified PDF (ModPDF) to detect the presence of malicious circuitry. ModPDF conceals validation-dataset information from the 3P designer by applying Gaussian Distribution Shifting (GDS), Gaussian Distribution Compression (GDC) and Gaussian Distribution Expansion (GDE) to the feature maps. In the second phase, FM-ModComp performs Hardware-Software co-Feature-Map Comparison (HSFMComp), comparing the feature maps produced by the accelerator against those of a trusted software model, to detect malicious circuitry both during testing and at run time. We evaluated FM-ModComp on LeNet trained on MNIST, LeNet-3D trained on CIFAR-10, and NelsonNet (a custom CNN developed in-house, inspired by AlexNet, for hand gesture recognition) against state-of-the-art attacks implemented on a Xilinx PYNQ-Z1. The experimental results show that ModPDF detects or nullifies up to approximately 90% of attack triggers, and HSFMComp detects approximately 95% of the attacks.
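To make the two phases concrete, the following is an added toy model of the idea; it is not the paper's code, nor its PYNQ-Z1 design. Everything specific is an assumption made for the example: GDS is modelled as a mean shift and GDC/GDE as scaling the spread about the mean; the accelerator layer is ReLU plus average pooling; the hypothetical Trojan is keyed on the mean of the incoming feature map (a statistic a 3P designer could learn from the validation data); and the HSFMComp tolerance is a free parameter. The feature map itself is constructed from Gaussian quantiles so the run is deterministic.

```python
"""Toy model of the two FM-ModComp phases (added illustration, not the paper's code).

All mechanics here are assumptions: the GDS/GDC/GDE transforms, the stand-in
layer, the Trojan trigger and the comparison tolerance.
"""
from statistics import NormalDist, fmean, pstdev
import random


def make_feature_map(n=256, mu=0.0, sigma=1.0, seed=7):
    """Constructed 'validation feature map': n Gaussian quantiles, shuffled.

    Quantiles rather than random draws give an exactly symmetric sample, so the
    sample mean equals mu up to floating-point rounding and the run is repeatable.
    """
    nd = NormalDist(mu, sigma)
    fm = [nd.inv_cdf((i + 0.5) / n) for i in range(n)]
    random.Random(seed).shuffle(fm)
    return fm


def summarize(fm):
    """(mean, population standard deviation) of a feature map."""
    return fmean(fm), pstdev(fm)


# Phase 1: ModPDF transforms (assumed definitions). Each changes the PDF the
# 3P designer may have assumed for the validation data, not the map's shape.
def gds(fm, delta):
    """Gaussian Distribution Shifting: move the mean by delta."""
    return [x + delta for x in fm]


def gdc(fm, k):
    """Gaussian Distribution Compression: scale spread about the mean, 0 < k < 1."""
    if not 0.0 < k < 1.0:
        raise ValueError("compression factor must be in (0, 1)")
    mu = fmean(fm)
    return [mu + (x - mu) * k for x in fm]


def gde(fm, k):
    """Gaussian Distribution Expansion: scale spread about the mean, k > 1."""
    if k <= 1.0:
        raise ValueError("expansion factor must be > 1")
    mu = fmean(fm)
    return [mu + (x - mu) * k for x in fm]


# Stand-in accelerator layer: ReLU followed by non-overlapping average pooling.
def relu_avgpool(fm, window=4):
    usable = len(fm) - len(fm) % window
    return [sum(max(0.0, x) for x in fm[i:i + window]) / window
            for i in range(0, usable, window)]


def software_reference(fm):
    """Trusted (golden) software model of the layer."""
    return relu_avgpool(fm)


def honest_hardware(fm):
    """Accelerator with no malicious circuitry."""
    return relu_avgpool(fm)


def trojaned_hardware(fm, band=0.1):
    """Hypothetical Trojaned accelerator.

    A designer who knows the validation feature maps are ~N(0, 1) keys the
    trigger on the map mean lying within +/- band of 0; the payload zeroes
    the layer output.
    """
    out = relu_avgpool(fm)
    if abs(fmean(fm)) < band:
        out = [0.0] * len(out)
    return out


# Phase 2: HSFMComp. tol must cover the accelerator's fixed-point rounding
# in a real deployment; here it is an assumed constant.
def hsfmcomp(sw_out, hw_out, tol=1e-6):
    """Indices at which the hardware and software feature maps disagree."""
    if len(sw_out) != len(hw_out):
        raise ValueError("feature map shape mismatch")
    return [i for i, (a, b) in enumerate(zip(sw_out, hw_out)) if abs(a - b) > tol]


def run_check(hw, fm, transform=None):
    """Optionally apply a ModPDF transform, then compare hw against the golden model.

    Returns the mismatching output positions (empty list = no Trojan observed).
    """
    fm_t = transform(fm) if transform else fm
    return hsfmcomp(software_reference(fm_t), hw(fm_t))


if __name__ == "__main__":
    fm = make_feature_map()
    print("original PDF (mean, std):", summarize(fm))
    print("honest hw, no transform :", len(run_check(honest_hardware, fm)), "mismatches")
    print("trojan hw, no transform :", len(run_check(trojaned_hardware, fm)), "mismatches (detected)")
    print("trojan hw, GDS +2.0     :", len(run_check(trojaned_hardware, fm, lambda m: gds(m, 2.0))), "mismatches (trigger nullified)")
    print("trojan hw, GDC x0.5     :", len(run_check(trojaned_hardware, fm, lambda m: gdc(m, 0.5))), "mismatches (trigger still fires)")
```

Two points the toy makes that a practitioner should carry over: the comparison is only as good as the golden model and its tolerance, so the software reference must be trusted and the tolerance must be derived from the accelerator's quantization rather than guessed; and a single transform is not enough, because a trigger keyed on the mean is silenced by GDS but not by GDC or GDE, while a trigger keyed on the spread behaves the other way round, which is the reason for applying all three.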
