Hardening Hardware Accelerartor Based CNN Inference Phase Against Adversarial Noises

Recent research has shown that Convolution Neu-ral Networks (CNNs) are vulnerable to adversarial examples. Many defense techniques like gradient masking etc have been proposed against adversarial attacks. However, these techniques are limited to training methods and do not offer generalizability. Similarly, in a Horizontal Collaborative Environment (HCE) where trained CNN models are partitioned into different layers, models deployed are also subjected to attacks by adversarial inputs. In this work, we develop a defense strategy to harden CNNs in an HCE against adversarial examples through the detection of adversarial inputs. We propose the notion that by obtaining model prediction at different layers of the CNN and noting the prediction inconsistency, an adversarial noise could be detected. In this work, adversarial noises are generated using the Fast Gradient Sign Method (FGSM), Salt and Pepper (S&P), and Gaussian Noise perturbation (GNP) methodologies. We compare predictions at different layers of a CNN and obtain final prediction via coherence in predicted class of the CNN model. The hardware synthesis results on FPGA, validated proposed method showing that obtaining such accuracy inconsistency require reasonable hardware overhead.