Safeguarding the Intelligence of Neural Networks with Built-in Light-weight Integrity MArks (LIMA)

As Deep Neural Networks (DNNs) are widely adopted in many real-world applications, their integrity becomes critical. Unfortunately, DNN models are not resilient to fault injection attacks. In particular, recent work has shown that Bit-Flip Attack (BFA) can completely destroy the intelligence of DNNs with a few carefully injected bit-flips. To defend against this threat, we propose Light-weight Integrity MArks (LIMA) framework which protects the integrity of the most significant bits (MSBs) of DNN weights - the main target of BFA. Such protection is enabled by embedding specific property into a trained DNN model's weights before deploying it in hardware. LIMA outperforms existing BFA countermeasures as it requires no retraining, imposes no storage overhead, offers full-coverage of all DNN layers, and can be easily verified with Multiply-Accumulate (MAC) operations to detect BFA. Our comprehensive study demonstrates 100% effectiveness in detecting chains of bit-flips and near-zero accuracy loss for embedding LIMA. The eresults also show that even when the attacker has complete knowledge of the proposed defense plan, attacking DNNs with built-in LIMA is extremely difficult, if not completely impossible.