NANI: Energy-efficient Neuron-Aware hardware Noise Injection for adversarial defense using undervolting

Convolutional Neural Networks (CNNs) are susceptible to adversarial attacks. A recent defense approach involves adding random noise to adversarial images, which can help CNNs mitigate adversarial impact. However, existing noise-injection defenses often reduce accuracy on benign images. Noticing that different neurons tolerate varying noise levels, we propose a neuron-aware noise injection scheme that accounts for neurons’ significance. This approach aims to defend against adversarial attacks while preserving benign accuracy. On the other side, undervolting is one of the techniques to generate noises, and meanwhile achieve energy savings. In this work, we have noticed that different processing elements (PEs) exhibit varying hardware error rates even when subjected to the same undervolting voltage level. By appropriately mapping specific neurons to specific PEs, we not only facilitate the implementation of our neuron-aware noise injection scheme on hardware, but we can also aggressively improve the energy efficiency. Finally, we present our vulnerable PE-enabled Neuron-Aware undervolting Noise Injection (NANI) scheme, which aims to defend against adversarial attacks by identifying and leveraging these vulnerable PEs to produce proper noise to proper neurons. Implementing NANI on FPGA, we achieve a 74% correction rate on adversarial examples and 33% energy savings with negligible accuracy drop on benign images.