TDPP: 2-D Permutation-Based Protection of Memristive Deep Neural Networks

The execution of deep neural network (DNN) algorithms suffers from significant bottlenecks due to the separation of the processing and memory units in traditional computer systems. Emerging memristive computing systems introduce an in situ approach that overcomes this bottleneck. The nonvolatility of memristive devices, however, may expose the DNN weights stored in memristive crossbars to potential theft attacks. Therefore, this article proposes a 2-D permutation-based protection (TDPP) method that thwarts such attacks. We first introduce the underlying concept that motivates the TDPP method: permuting both the rows and columns of the DNN weight matrices. This contrasts with previous methods, which focused solely on permuting a single dimension of the weight matrices, either the rows or columns. While it is possible for an adversary to access the matrix values, the original arrangement of rows and columns in the matrices remains concealed. As a result, the extracted DNN model from the accessed matrix values would fail to operate correctly. We consider two different memristive computing systems (designed for layer-by-layer and layer-parallel processing, respectively), and demonstrate the design of the TDPP method that could be embedded into the two systems. Finally, we present a security analysis. Our experiments demonstrate that TDPP can achieve comparable effectiveness to prior approaches, with a high level of security when appropriately parameterized. In addition, TDPP is more scalable than previous methods and results in reduced area and power overheads. The area and power are reduced by, respectively, <inline-formula> <tex-math notation="LaTeX">$1218\times $ </tex-math></inline-formula> and <inline-formula> <tex-math notation="LaTeX">$2815\times $ </tex-math></inline-formula> for the layer-by-layer system and by <inline-formula> <tex-math notation="LaTeX">$178\times $ </tex-math></inline-formula> and <inline-formula> <tex-math notation="LaTeX">$203\times $ </tex-math></inline-formula> for the layer-parallel system compared to prior works.