Di Gao,Grace Li Zhang,Xunzhao Yin,Bing Li,Ulf Schlichtmann,Cheng Zhuo

DOI: https://doi.org/10.1109/iccad51958.2021.9643468

2021-01-01

Abstract:The memristor crossbar provides a unique opportunity to develop a neuromorphic computing system (NCS) with high scalability and energy efficiency. However, the reliability issues that arise from the immature fabrication process and physical device limitations, i.e., variations and stuck-at-faults (SAF), dramatically prevent its wide application in practice. Specifically, variations make the programmed weights deviate from their expected values. On the other hand, defective mem-ristors cannot even represent the weights effectively. In this work, we propose a variation- and defect-aware framework to improve the reliability of memristor-based NCS while minimizing the inference performance loss. We propose to develop analytical weight models to characterize the non-ideal effects of variations and SAFs, which can then be incorporated into a Bayesian neural network as priori and constraint. We then convert the reliability improvement to the neural network training for optimal weights that can accommodate variations and defects across the chips, which does not require computation-intensive retraining or cost-expensive testing. Extensive experimental results with the proposed framework confirm its effective capability of improving the reliability of NCS, while significantly mitigating the inference accuracy degradation under even severe variations and SAFs.

Wenwen Ye,Grace Li Zhang,Bing Li,Ulf Schlichtmann,Cheng Zhuo,Xunzhao Yin

DOI: https://doi.org/10.1109/ISCAS48785.2022.9937264

2022-01-01

Abstract:Memristor-based crossbars, which can achieve 1-2 orders of magnitude energy efficiency improvement over digital machines, have been introduced to accelerate the neural networks of machine learning tasks. Due to the high voltage pulses repeatedly applied onto memristors during programming and online tuning, the effective resistance ranges of the memristors actually decrease as a result of aging, which eventually impair the inference accuracy of the neural network running on the memristor-based crossbar. In this paper, we propose an algorithmhardware co-design framework combining aging aware retraining and gradient sparsification to mitigate the impact of aging and extend the lifetime of the crossbar. Experimental results show that the proposed method can effectively increase the inference accuracy by up to 16% even with severe aging, while the crossbar lifetime can be extended by up to 2.7 x .

Di Gao,Zeyu Yang,Qingrong Huang,Grace Li Zhang,Xunzhao Yin,Bing Li,Ulf Schlichtmann,Cheng Zhuo

DOI: https://doi.org/10.1109/tcad.2022.3215071

IF: 2.9

2023-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Memristor crossbar arrays are considered to be a promising platform for neuromorphic computing. To deploy a trained neural network (NN) model on memristor crossbars, memristors need to be programmed to the corresponding weight values. In fact, due to device-based process variation and noise, deviations of the stored weights from the trained weights are inevitable, thereby causing the degradation of the actual inference performance. This article proposes a unified Bayesian inference-based framework, BRoCoM, which connects device nonidealities and algorithmic training together for robust computing on memristor crossbars. BRoCoM is able to incorporate different levels of nonidealities into prior weight distribution, and transform robustness optimization to Bayesian NN (BNN) training, the weights of NNs are optimized to accommodate uncertainties and minimize inference degradation. Experimental results confirm the capability of the proposed BRoCoM to achieve stable inference performance while tolerating the nonideal effects of process variation and noise.

Minhui Zou,Junlong Zhou,Xiaotong Cui,Wei Wang,Shahar Kvatinsky

DOI: https://doi.org/10.48550/arXiv.2206.14498

2022-06-29

Emerging Technologies

Abstract:Emerging memristor computing systems have demonstrated great promise in improving the energy efficiency of neural network (NN) algorithms. The NN weights stored in memristor crossbars, however, may face potential theft attacks due to the nonvolatility of the memristor devices. In this paper, we propose to protect the NN weights by mapping selected columns of them in the form of 1's complements and leaving the other columns in their original form, preventing the adversary from knowing the exact representation of each weight. The results show that compared with prior work, our method achieves effectiveness comparable to the best of them and reduces the hardware overhead by more than 18X.

Tuomin Tao,Hanzhi Ma,Quankun Chen,Zhe-Ming Gu,Hang Jin,Manareldeen Ahmed,Shurun Tan,Aili Wang,En-Xiao Liu,Er-Ping Li

DOI: https://doi.org/10.1109/tcsi.2021.3060798

2021-01-01

Abstract:This article presents a novel circuit modeling method for online training and testing process of the neuromorphic chip crossbar array based on the resistive random access memory (RRAM). A modified RRAM compact model is developed to realize the fast and accurate update of multiple conductance levels. Two training mechanisms with and without write-verify scheme are modeled and investigated for classifying MNIST handwritten digits and both achieve a good recognition accuracy of more than 96%. The parasitic model of the unit cell of interconnects is constructed by the domain decomposition method (DDM) and the partial equivalent element circuit (PEEC) method, which is suitable to build up a crossbar array of any size. The impact of parasitic effects of interconnects on the recognition accuracy with and without write-verify scheme is analyzed and compared. The weights trained with write-verify scheme show better robustness to parasitic noises but training with write-verify scheme spends a longer time processing the same amount of data.

Lidan Fang,Yan Li,Erping Li

DOI: https://doi.org/10.1109/mape53743.2022.9935156

2022-01-01

Abstract:This paper presents a complete equivalent circuit model of a large memristor crossbar array, including parasitic capacitance, inductance, and resistance. By changing the rise time of the input signal and monitoring the output voltage of different output ports, signal integrity (SI) problems such as crosstalk, and IR voltage drop in the memristor crossbar array are analyzed. The simulation results show that with the decrease of the rise time, the electromagnetic effect will become obvious, which will lead to the crosstalk ripple and distortion of the output signal becoming serious. And as the output port moves away from the input, the IR voltage drop increases with the increase of the coupling elements. This will point the direction for improving the performance of memristor crossbar arrays. Furthermore, different from conventional signals, we propose to simulate spiking signals using the Izhikevich neuron model for more accurate analysis.

Minhui Zou,Nan Du,Shahar Kvatinsky

DOI: https://doi.org/10.48550/arXiv.2212.09347

2022-12-19

Cryptography and Security

Abstract:Neural network (NN) algorithms have become the dominant tool in visual object recognition, natural language processing, and robotics. To enhance the computational efficiency of these algorithms, in comparison to the traditional von Neuman computing architectures, researchers have been focusing on memristor computing systems. A major drawback when using memristor computing systems today is that, in the artificial intelligence (AI) era, well-trained NN models are intellectual property and, when loaded in the memristor computing systems, face theft threats, especially when running in edge devices. An adversary may steal the well-trained NN models through advanced attacks such as learning attacks and side-channel analysis. In this paper, we review different security techniques for protecting memristor computing systems. Two threat models are described based on their assumptions regarding the adversary's capabilities: a black-box (BB) model and a white-box (WB) model. We categorize the existing security techniques into five classes in the context of these threat models: thwarting learning attacks (BB), thwarting side-channel attacks (BB), NN model encryption (WB), NN weight transformation (WB), and fingerprint embedding (WB). We also present a cross-comparison of the limitations of the security techniques. This paper could serve as an aid when designing secure memristor computing systems.

Minhui Zou,Zhenhua Zhu,Tzofnat Greenberg-Toledo,Orian Leitersdorf,Jiang Li,Junlong Zhou,Yu Wang,Nan Du,Shahar Kvatinsky

DOI: https://doi.org/10.1109/tcad.2023.3322351

IF: 2.9

2024-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:The execution of deep neural network (DNN) algorithms suffers from significant bottlenecks due to the separation of the processing and memory units in traditional computer systems. Emerging memristive computing systems introduce an in situ approach that overcomes this bottleneck. The non-volatility of memristive devices, however, may expose the DNN weights stored in memristive crossbars to potential theft attacks. Therefore, this paper proposes a two-dimensional permutation-based protection (TDPP) method that thwarts such attacks. We first introduce the underlying concept that motivates the TDPP method: permuting both the rows and columns of the DNN weight matrices. This contrasts with previous methods, which focused solely on permuting a single dimension of the weight matrices, either the rows or columns. While it's possible for an adversary to access the matrix values, the original arrangement of rows and columns in the matrices remains concealed. As a result, the extracted DNN model from the accessed matrix values would fail to operate correctly. We consider two different memristive computing systems (designed for layer-by-layer and layer-parallel processing, respectively) and demonstrate the design of the TDPP method that could be embedded into the two systems. Finally, we present a security analysis. Our experiments demonstrate that TDPP can achieve comparable effectiveness to prior approaches, with a high level of security when appropriately parameterized. In addition, TDPP is more scalable than previous methods and results in reduced area and power overheads. The area and power are reduced by, respectively, 1218× and 2815× for the layer-by-layer system and by 178× and 203× for the layer-parallel system compared to prior works.

Haoqiang Guo,Lu Peng,Jian Zhang,Fang Qi,Lide Duan

DOI: https://doi.org/10.48550/arXiv.2008.01219

IF: 4.729

2020-08-03

Signal Processing

Abstract:Recent studies identify that Deep learning Neural Networks (DNNs) are vulnerable to subtle perturbations, which are not perceptible to human visual system but can fool the DNN models and lead to wrong outputs. A class of adversarial attack network algorithms has been proposed to generate robust physical perturbations under different circumstances. These algorithms are the first efforts to move forward secure deep learning by providing an avenue to train future defense networks, however, the intrinsic complexity of them prevents their broader usage. In this paper, we propose the first hardware accelerator for adversarial attacks based on memristor crossbar arrays. Our design significantly improves the throughput of a visual adversarial perturbation system, which can further improve the robustness and security of future deep learning systems. Based on the algorithm uniqueness, we propose four implementations for the adversarial attack accelerator ($A^3$) to improve the throughput, energy efficiency, and computational efficiency.

Qi Xu,Junpeng Wang,Bo Yuan,Qi Sun,Song Chen,Bei Yu,Yi Kang,Feng Wu

DOI: https://doi.org/10.1109/tase.2021.3125065

IF: 6.636

2021-01-01

IEEE Transactions on Automation Science and Engineering

Abstract:In recent years, memristive crossbar-based neuromorphic computing systems (NCS) have provided a promising solution to the acceleration of neural networks. However, stuck-at faults (SAFs) in the memristor devices significantly degrade the computing accuracy of NCS. Besides, the memristor suffers from the process variations, causing deviation of the actual programming resistance from its target resistance. In this paper, we propose a reliability-driven design framework for a memristive crossbar-based NCS in combination with general and chip-specific design optimizations. First, we design a general reliability-aware training scheme to enhance the robustness of NCS to SAFs and device variations; a dropconnect-inspired approach is developed to alleviate the impact of SAFs; a new weighted error function, including cross-entropy error (CEE), the $l_{2}$ -norm of weights, and the sum of squares of first-order derivatives of CEE with respect to weights, is proposed to obtain a smooth error curve, where the effects of variations are suppressed. Second, given the neural network model generated by the reliability-aware training scheme, we exploit chip-specific mapping and re- training to further improve computation accuracy loss incurred by SAFs. Experimental results show that the proposed method can boost the computation accuracy of NCS and improve the NCS robustness. Note to Practitioners—This work is motivated by the manufacturing reliability problem in a memristive crossbar-based NCS. To enhance the robustness of an NCS to SAFs and device variations, this paper presents a reliability-driven design framework with taking account of both general and chip-specific design optimizations. The experimental results have demonstrated that the proposed framework is superior to the prior arts, and can be easily integrated with existing industrial hardware-based fault tolerance solutions for higher accuracy at lower overhead. Memristive crossbar-based computing system gives hope for the anticipated efficient implementation of artificial neuromorphic networks. With the help of the reliability-driven designs, the computation accuracy is restored, and hence we can expect the wide use of memristive crossbar-based computing system in neuromorphic computing applications.

automation & control systems

Minhui Zou,Zhenhua Zhu,Yi Cai,Junlong Zhou,Chengliang Wang,Yu Wang

DOI: https://doi.org/10.23919/DATE48585.2020.9116549

2020-01-01

Abstract:Neural networks (NN) have gained great success in visual object recognition and natural language processing, but this kind of data-intensive applications requires huge data movements between computing units and memory. Emerging resistive random-access memory (RRAM) computing systems have demonstrated great potential in avoiding the huge data movements by performing matrix-vector-multiplications in memory. However, the nonvolatility of the RRAM devices may lead to potential stealing of the NN weights stored in crossbars and the adversary could extract the NN models from the stolen weights. This paper proposes an effective security enhancing method for RRAM computing systems to thwart this sort of piracy attack. We first analyze the theft methods of the NN weights. Then we propose an efficient security enhancing technique based on obfuscating the row connections between positive crossbars and their pairing negative crossbars. Two heuristic techniques are also presented to optimize the hardware overhead of the obfuscation module. Compared with existing NN security work, our method eliminates the additional RRAM writing operations used for encryption/decryption, without shortening the lifetime of RRAM computing systems. The experiment results show that the proposed methods ensure the trial times of brute-force attack are more than (16!)(17) and the classification accuracy of the incorrectly extracted NN models is less than 20%, with minimal area overhead.

Jiaming Mu,Binghui Wang,Qi Li,Kun Sun,Mingwei Xu,Zhuotao Liu

DOI: https://doi.org/10.1145/3460120.3484796

2021-01-01

Abstract:Graph Neural Networks (GNNs) have achieved state-of-the-art performance in various graph structure related tasks such as node classification and graph classification. However, GNNs are vulnerable to adversarial attacks. Existing works mainly focus on attacking GNNs for node classification; nevertheless, the attacks against GNNs for graph classification have not been well explored. In this work, we conduct a systematic study on adversarial attacks against GNNs for graph classification via perturbing the graph structure. In particular, we focus on the most challenging attack, i.e., hard label black-box attack, where an attacker has no knowledge about the target GNN model and can only obtain predicted labels through querying the target model.To achieve this goal, we formulate our attack as an optimization problem, whose objective is to minimize the number of edges to be perturbed in a graph while maintaining the high attack success rate. The original optimization problem is intractable to solve, and we relax the optimization problem to be a tractable one, which is solved with theoretical convergence guarantee. We also design a coarse-grained searching algorithm and a query-efficient gradient computation algorithm to decrease the number of queries to the target GNN model. Our experimental results on three real-world datasets demonstrate that our attack can effectively attack representative GNNs for graph classification with less queries and perturbations. We also evaluate the effectiveness of our attack under two defenses: one is well-designed adversarial graph detector and the other is that the target GNN model itself is equipped with a defense to prevent adversarial graph generation. Our experimental results show that such defenses are not effective enough, which highlights more advanced defenses.

Binghui Wang,Meng Pang,Yun Dong

DOI: https://doi.org/10.48550/arXiv.2303.06199

2023-03-11

Abstract:Graph neural networks (GNNs) have achieved state-of-the-art performance in many graph learning tasks. However, recent studies show that GNNs are vulnerable to both test-time evasion and training-time poisoning attacks that perturb the graph structure. While existing attack methods have shown promising attack performance, we would like to design an attack framework to further enhance the performance. In particular, our attack framework is inspired by certified robustness, which was originally used by defenders to defend against adversarial attacks. We are the first, from the attacker perspective, to leverage its properties to better attack GNNs. Specifically, we first derive nodes' certified perturbation sizes against graph evasion and poisoning attacks based on randomized smoothing, respectively. A larger certified perturbation size of a node indicates this node is theoretically more robust to graph perturbations. Such a property motivates us to focus more on nodes with smaller certified perturbation sizes, as they are easier to be attacked after graph perturbations. Accordingly, we design a certified robustness inspired attack loss, when incorporated into (any) existing attacks, produces our certified robustness inspired attack counterpart. We apply our framework to the existing attacks and results show it can significantly enhance the existing base attacks' performance.

Cryptography and Security

Amirali Amirsoleimani,Tony Liu,Fabien Alibart,Serge Eccofey,Yao-Feng Chang,Dominique Drouin,Roman Genov

DOI: https://doi.org/10.5772/intechopen.100246

2021-11-17

Abstract:In this Chapter, we review the recent progress on resistance drift mitigation techniques for resistive switching memory devices (specifically memristors) and its impact on the accuracy in deep neural network applications. In the first section of the chapter, we investigate the importance of soft errors and their detrimental impact on memristor-based vector–matrix multiplication (VMM) platforms performance specially the memristance state-drift induced by long-term recurring inference operations with sub-threshold stress voltage. Also, we briefly review some currently developed state-drift mitigation methods. In the next section of the chapter, we will discuss an adaptive inference technique with low hardware overhead to mitigate the memristance drift in memristive VMM platform by using optimization techniques to adjust the inference voltage characteristic associated with different network layers. Also, we present simulation results and performance improvements achieved by applying the proposed inference technique by considering non-idealities for various deep network applications on memristor crossbar arrays. This chapter suggests that a simple low overhead inference technique can revive the functionality, enhance the performance of memristor-based VMM arrays and significantly increases their lifetime which can be a very important factor toward making this technology as a main stream player in future in-memory computing platforms.

Dovydas Joksas,Luis Muñoz-González,Emil Lupu,Adnan Mehonic

2024-09-29

Abstract:Neural networks are now deployed in a wide number of areas from object classification to natural language systems. Implementations using analog devices like memristors promise better power efficiency, potentially bringing these applications to a greater number of environments. However, such systems suffer from more frequent device faults and overall, their exposure to adversarial attacks has not been studied extensively. In this work, we investigate how nonideality-aware training - a common technique to deal with physical nonidealities - affects adversarial robustness. We find that adversarial robustness is significantly improved, even with limited knowledge of what nonidealities will be encountered during test time.

Emerging Technologies,Cryptography and Security,Machine Learning

Wenbin Chen,Lekai Song,Shengbo Wang,Zhiyuan Zhang,Guanyu Wang,Guohua Hu,Shuo Gao

DOI: https://doi.org/10.1002/aelm.202200833

IF: 6.2

2022-10-27

Advanced Electronic Materials

Abstract:Neuromorphic computing (NC) is approaching, and memristor technology is treated as powerful support during the journey. In this article, for a deeper understanding of how to implement NC by memristors, the authors first review and explain essential characteristics of memristors from mechanisms to applications, and then discuss current challenges preventing achieving expected NC. The memristor is a resistive switch where its resistive state is programable based on the applied voltage or current. Memristive devices are thus capable of storing and computing information simultaneously, breaking the Von Neumann bottleneck. Since the first nanomemristor made by Hewlett‐Packard in 2008, advances so far have enabled nanostructured, low‐power, high‐durability devices that exhibit superior performance over conventional CMOS devices. Herein, the development of memristors based on different physical mechanisms is reviewed. In particular, device stability, integration density, power consumption, switching speed, retention, and endurance of memristors, that are crucial for neuromorphic computing, are discussed in detail. An overview of various neural networks with a focus on building a memristor‐based spike neural network neuromorphic computing system is then provided. Finally, the existing issues and challenges in implementing such neuromorphic computing systems are analyzed, and an outlook for brain‐like computing is proposed.

materials science, multidisciplinary,physics, applied,nanoscience & nanotechnology

Yihong Chen,Zhen Fan,Shuai Dong,Minghui Qin,Min Zeng,Xubing Lu,Gougu Zhou,Xingsen Gao,Jun-Ming Liu

DOI: https://doi.org/10.1002/aisy.202100237

IF: 7.298

2022-01-01

Advanced Intelligent Systems

Abstract:Memristor crossbar is extensively investigated as an energy‐efficient accelerator for neural network (NN) computations. However, hardware implementation of NNs using realistic memristors is challenging due to the ubiquity of faults (mainly classified into hard and soft faults) in memristors. Herein, a hardware‐friendly, low‐power multifault‐tolerant training (MFTT) scheme capable of addressing both hard and soft faults simultaneously for memristive NNs is proposed. The MFTT scheme consists of multifault detection, targeted weight pruning, and in situ training with the Manhattan update rule. Specifically, multifault detection is first conducted to detect both hard and large soft faults. The detected faulty weights are subsequently pruned to prevent them from disturbing the NN. The sparsified NN after pruning is in situ trained so that the hard and large soft faults can be effectively tolerated using the sparsity and self‐adaptivity of NNs. In addition, the remaining small soft faults can be well tolerated by the Manhattan update rule. Experimentally, MFTT demonstrates the lowest accuracy losses among several representative fault‐tolerant schemes not only in the hard fault‐only (when the hard fault ratio exceeds 10%) and soft fault‐only (when the soft faults are large) cases, but also in the case where both types of faults coexist.

Danzhe Song,Fan Yang,Chengxu Wang,Nan Li,Pinfeng Jiang,Bin Gao,Xiangshui Miao,Xingsheng Wang

DOI: https://doi.org/10.1109/led.2023.3285916

IF: 4.8157

2023-01-01

IEEE Electron Device Letters

Abstract:The line resistance (LR) in a large-scale memristor crossbar array can cause serious IR-drop problem, degrading the hardware deployment capability of neural networks (NNs). In this work, two innovation schemes from the level of software are proposed to mitigate the hardware IR-drop problem by intentionally modulating the NN activation function before deploying. The methods are evaluated over typical activation functions and various line resistances on MLP and LeNet-5 for MNIST recognition. Results show the methods can significantly improve the tolerance of NNs to IR-drop and recover the accuracy in some extent. The methods require no extra hardware overhead and reduce the complexity of peripheral circuits, which make them more achievable and attractive.

Felix Mujkanovic,Simon Geisler,Stephan Günnemann,Aleksandar Bojchevski

DOI: https://doi.org/10.48550/arXiv.2301.13694

IF: 5.414

2023-01-31

Machine Learning

Abstract:A cursory reading of the literature suggests that we have made a lot of progress in designing effective adversarial defenses for Graph Neural Networks (GNNs). Yet, the standard methodology has a serious flaw - virtually all of the defenses are evaluated against non-adaptive attacks leading to overly optimistic robustness estimates. We perform a thorough robustness analysis of 7 of the most popular defenses spanning the entire spectrum of strategies, i.e., aimed at improving the graph, the architecture, or the training. The results are sobering - most defenses show no or only marginal improvement compared to an undefended baseline. We advocate using custom adaptive attacks as a gold standard and we outline the lessons we learned from successfully designing such attacks. Moreover, our diverse collection of perturbed graphs forms a (black-box) unit test offering a first glance at a model's robustness.

Yu Chi,Runmiao Li,Xinjiang Zhang,Anping Huang

DOI: https://doi.org/10.5772/INTECHOPEN.69929

2017-12-20

Abstract:Neural network, a powerful learning model, has archived amazing results. However, the current Von Neumann computing system – based implementations of neural networks are suffering from memory wall and communication bottleneck problems ascrib- ing to the Complementary Metal Oxide Semiconductor (CMOS) technology scaling down and communication gap. Memristor, a two terminal nanosolid state nonvolatile resistive switching, can provide energy-efficient neuromorphic computing with its synaptic behavior. Crossbar architecture can be used to perform neural computations because of its high density and parallel computation. Thus, neural networks based on memristor crossbar will perform better in real world applications. In this chapter, the design of different neural network architectures based on memristor is introduced, including spiking neural networks, multilayer neural networks, convolution neural networks, and recurrent neural networks. And the brief introduction, the architecture, the computing circuits, and the training algorithm of each kind of neural networks are presented by instances. The potential applications and the prospects of memristor-based neural network system are discussed.

Computer Science,Engineering