Rethinking Non-idealities in Memristive Crossbars for Adversarial Robustness in Neural Networks
This addresses adversarial robustness for neural networks deployed on hardware, offering a novel hardware-based defense that is incremental but leverages existing non-idealities.
The paper tackles the problem of adversarial attacks on deep neural networks by showing that intrinsic hardware non-idealities in memristive crossbars, typically considered detrimental, can enhance adversarial robustness without extra optimization. It reports significant robustness gains of over 10-20% compared to baseline software DNNs on benchmark datasets.
Deep Neural Networks (DNNs) have been shown to be prone to adversarial attacks. Memristive crossbars, being able to perform Matrix-Vector-Multiplications (MVMs) efficiently, are used to realize DNNs on hardware. However, crossbar non-idealities have always been devalued since they cause errors in performing MVMs, leading to computational accuracy losses in DNNs. Several software-based defenses have been proposed to make DNNs adversarially robust. However, no previous work has demonstrated the advantage conferred by the crossbar non-idealities in unleashing adversarial robustness. We show that the intrinsic hardware non-idealities yield adversarial robustness to the mapped DNNs without any additional optimization. We evaluate the adversarial resilience of state-of-the-art DNNs (VGG8 & VGG16 networks) using benchmark datasets (CIFAR-10, CIFAR-100 & Tiny Imagenet) across various crossbar sizes. We find that crossbar non-idealities unleash significantly greater adversarial robustness (>10-20%) in crossbar-mapped DNNs than baseline software DNNs. We further assess the performance of our approach with other state-of-the-art efficiency-driven adversarial defenses and find that our approach performs significantly well in terms of reducing adversarial loss.