Robustness Hidden in Plain Sight: Can Analog Computing Defend Against Adversarial Attacks?
arXiv - CS - Emerging Technologies Pub Date : 2020-08-27 , DOI: arxiv-2008.12016
Deboleena Roy, Indranil Chakraborty, Timur Ibrayev and Kaushik Roy

The ever-increasing computational demand of Deep Learning has propelled research in special-purpose inference accelerators based on emerging non-volatile memory (NVM) technologies. Such NVM crossbars promise fast and energy-efficient in-situ matrix vector multiplications (MVM), thus alleviating the long-standing von Neumann bottleneck in today's digital hardware. However, the analog nature of computing in these NVM crossbars introduces approximations in the MVM operations. In this paper, we study the impact of these non-idealities on the performance of DNNs under adversarial attacks. The non-ideal behavior interferes with the computation of the exact gradient of the model, which is required for adversarial image generation. In a non-adaptive attack, where the attacker is unaware of the analog hardware, we show that analog computing offers a varying degree of intrinsic robustness, with a peak adversarial accuracy improvement of 35.34%, 22.69%, and 31.70% for white box PGD ($\epsilon$=1/255, iter=30) for CIFAR-10, CIFAR-100, and ImageNet (top-5) respectively. We also demonstrate "hardware-in-loop" adaptive attacks that circumvent this robustness by utilizing the knowledge of the NVM model. To the best of our knowledge, this is the first work that explores the non-idealities of analog computing for adversarial robustness at the time of submission to NeurIPS 2020.

Updated: 2020-08-28