Adversarial Defense Techniques for AI Accelerators: A Comparative Study

In this paper, the authors explore a new approach to defending against power side-channel attacks in deep learning models. These attacks exploit the power consumption of a model during inference to extract sensitive information, such as the model’s parameters or activations. The proposed defense technique, called "Model Utility Reduction," manipulates the model’s output to reduce its accuracy, making it more difficult for attackers to extract meaningful information.
The authors explain that traditional defenses against side-channel attacks often rely on adding noise to the model’s output, which can lower the signal-to-noise ratio (SNR) and make it harder for attackers to obtain useful information. However, these defenses are not always effective, as attackers can use various signal processing techniques to remove noise and extract the desired information.
To overcome this limitation, the authors propose a different approach based on model utility reduction. This technique involves intentionally degrading the accuracy of the model during inference, making it less useful for attackers to exploit. The authors demonstrate that by reducing the utility of the model, they can significantly reduce the effectiveness of power side-channel attacks.
The proposed defense mechanism is based on a distance function that measures the difference between the original and manipulated models. The distance metric is used to calculate the amount of noise needed to reduce the model’s accuracy without compromising its utility for legitimate users. The authors show that by adjusting this distance metric, they can achieve a balance between defense effectiveness and model utility preservation.
The authors evaluate their proposed defense mechanism through extensive simulations and compare it with existing defenses. They demonstrate that their approach provides better protection against power side-channel attacks while maintaining acceptable performance for legitimate users.
In summary, this paper presents a practical defense against power side-channel attacks in deep learning models by manipulating the model’s utility rather than its noise level. The proposed defense mechanism is effective in reducing the effectiveness of these attacks without significantly impacting the model’s accuracy for legitimate users.