CN109918951B - Artificial intelligence processor side channel defense system based on interlayer fusion - Google Patents

Abstract

The invention discloses an artificial intelligence processor side channel defense system based on interlayer fusion, which is composed of a general artificial intelligence processor architecture, a fusion control unit, a global on-chip cache unit, and a stripe fusion unit; On the basis of the artificial intelligence processor, a fusion control unit and a global on-chip cache are added, and the neural network model is fused by combining the strip fusion method and fusion instruction, so that the artificial intelligence processor can achieve higher performance and stronger security; the present invention It has novel structure, strong adaptability, good performance and high security, and can be applied to the security protection of existing artificial intelligence processors, model protection of neural networks, etc., and has wide practical value and application prospects.

Description

An artificial intelligence processor side channel defense system based on inter-layer fusion

technical field

The invention relates to an artificial intelligence processor side channel defense system based on interlayer fusion, which is applied to the defense of an artificial intelligence processor off-chip DRAM side channel, and belongs to the security field of artificial intelligence processors.

Background technique

In recent years, artificial intelligence technology has been widely used in many commercial fields, such as image recognition, speech recognition, image retrieval and other fields. Since deep learning algorithms require powerful computing power, more and more researchers have invested in the research of deep learning accelerators. In order to design a high-performance, low-power, real-time deep learning accelerator, researchers conduct research from various aspects such as micro-architecture, circuits, and materials. In 2014, researcher Chen Yunji of the Institute of Computing Technology of the Chinese Academy of Sciences took the lead in designing the first deep learning accelerator DianNao, which consists of a computing unit, a control unit and a storage unit. In order to design a more general artificial intelligence processor, they released the first set of neural Network instruction set. Compatibility with various deep learning algorithms is achieved through the compilation of instruction sets to achieve better acceleration effects. In 2017, MIT proposed the Eyrriss deep learning accelerator, which uses the row data flow method for deep learning acceleration for acceleration. Google has also launched its neural network tensor processor TPU, which is used in its internal servers. In May 2018, Google launched TPU 3.0, which has an 8-fold increase in computing performance compared to TPU 2.0, up to 1,000 trillion floating-point calculations.

Since the inference of neural network models requires dedicated hardware with high performance and low power consumption, more and more neural network models are deployed to run on artificial intelligence processors to improve operational efficiency and real-time performance. In addition, the neural network model needs to be protected in many application scenarios, including the structure and weight of the neural network model. For example, companies rely on neural networks to provide valuable value-added services, or to provide functional services for neural network models. Then the neural network model is an important intellectual property of the company.

Recently, related literature has shown that AI processors are being subjected to side-channel attacks, including memory side-channel attacks and temporal side-channel attacks. And through this attack method, the structure of the neural network model can be obtained, and then the neural network model usually uses the vulnerability of the pruning technology to steal the weight of the neural network model, and the instruction-based artificial intelligence processor enables the attacker to obtain the instruction from the obtained instruction. It recovers the structure of the neural network model and knows where the neural network model is stored. Artificial intelligence processors face many challenges to be attacked, so a secure defense method is urgently needed to protect artificial intelligence processors.

At present, there have been researches on the fusion processing method between neural network layers at home and abroad, but these researches are only to increase the performance of the artificial intelligence processor, and do not need to be designed from the perspective of security. The strip fusion method is adopted in the present invention. And combined with customized fusion instructions to enhance the security of the AI processor and improve its performance.

SUMMARY OF THE INVENTION

The technology of the present invention solves the problem: overcomes the deficiencies of the prior art, provides an artificial intelligence processor side channel defense system based on inter-layer fusion, reduces the leakage of memory side channel information of the artificial intelligence processor, and reduces the artificial intelligence processor and external memory. The data interaction before DRAM improves the security of artificial intelligence processors, and has the characteristics of high performance, high security and convenience.

The technical solution of the present invention:

An artificial intelligence processor side channel defense system based on inter-layer fusion, comprising: a general artificial intelligence processor architecture, a fusion control unit, a global on-chip cache unit and a stripe fusion unit; adding on the basis of the general artificial intelligence processor architecture The fusion control unit is designed, and the fusion instruction between the neural network layers of the artificial intelligence processor is customized. The fusion control unit combines the fusion instruction to realize the fusion processing of each layer of the neural network; the global on-chip cache unit is added to the general artificial intelligence processor architecture. It is used to cache the intermediate data processed by the artificial intelligence processor, and the intermediate data includes the input feature map and the output feature map; the strip fusion method is used to cooperate with the fusion control unit to fuse each layer of the neural network to reduce the leakage of memory side channel information. , which confuses the attacker to infer the structure of the neural network model and improves the security performance of the artificial intelligence processor.

The fusion control unit is composed of fusion control logic and fusion instruction parsing logic. The fusion control logic mainly controls the artificial intelligence processor to perform intermediate data fusion operations; the fusion instruction parsing logic is mainly used to parse the fusion instruction and send it to the fusion control logic.

The strip fusion unit is implemented by a strip fusion method and a fusion instruction, and the specific process is as follows: the input feature map is determined by the commonly used strip division method and the size of the convolution kernel to determine the overlapping part of the strip to divide the strip, and then perform the corresponding strip division. The stripe-by-stripe fusion method combines the customized neural network layer-to-layer fusion instructions to perform inter-layer fusion processing on the neural network model to enhance the security of the artificial intelligence processor and improve the performance of the artificial intelligence processor.

When the strip fusion unit implements the strip fusion method, there must be a data overlapping part between adjacent strips; the number of rows of the data overlapping part is determined by the size of the convolution kernel, and the specific formula is as follows :

D=K-1

D is the number of rows in the overlapping part of the data, and K is the size of the convolution kernel.

The advantages of the present invention compared with the prior art are:

(1) The present invention adopts the strategy of inter-layer fusion, which reduces the information leakage of the memory side channel of the artificial intelligence processor and the data interaction between the artificial intelligence processor and the external memory DRAM, and can hide the deep neural network layer between layers. Boundary has effectively defended against the information leakage problem of the DRAM side channel of the off-chip memory of the artificial intelligence processor, which improves the security of the artificial intelligence processor, and has the advantages of high performance, high security and convenience.

(2) The present invention can effectively reduce the data movement between the artificial intelligence processor and the off-chip DRAM, and can eliminate the boundary between the inner layer and the layer of the fusion layer, so that the attack cannot infer the neural network through the information leakage of the memory side channel. The structure of the network model. The invention can be widely used in the fields of artificial intelligence processor security, AIoT security terminal and the like, and has great market benefits and good application prospects. It can be applied to other artificial intelligence processor designs to improve the security performance of artificial intelligence processors and ensure the security of models running in artificial intelligence processors.

(3) The stripe fusion method proposed by the present invention can be applied to an artificial intelligence processor with a certain size of on-chip cache, and enhance its security performance without changing the hardware architecture of the existing artificial intelligence processor.

Description of drawings

Figure 1 is a schematic diagram of a general artificial intelligence processor architecture;

The symbols in the figure are explained as follows:

SoC: system on chip; PE: processing unit; IFmap: input feature map; OFmap: output feature map.

Figure 2 is an artificial intelligence processor side channel defense system based on inter-layer fusion;

The symbols in the figure are explained as follows: SoC: system-on-chip; PE: processing unit; IFmap: input feature map; OFmap: output feature map, Psum: accumulated sum, SNin: weight cache, NBin: input feature map cache, NBout: output feature map Cache, Pool: pooling operation, Relu: nonlinear activation.

Figure 3 shows the relationship between the off-chip DRAM access cycle and the size of the on-chip cache in the AlexNet model.

Figure 4 shows the relationship between the off-chip DRAM access cycle and the size of the on-chip cache in the VGG network model.

Figure 5 is a schematic diagram of the strip fusion method of two convolutional layers. The figure on the left is the input feature map, the figure in the middle is the intermediate data processed by the neural network processor, and the figure on the right is the output feature map after fusion.

Detailed ways

The present invention will be described in detail below with reference to the accompanying drawings and embodiments.

As shown in Figure 1, the hardware architecture of the general artificial intelligence processor includes: CPU (the operating environment of the artificial intelligence processor runs on the CPU), off-chip DRAM, and artificial intelligence processor, of which the artificial intelligence processor includes PCIe controller, memory Controller, array of processing elements, on-chip cache, and on-chip interconnect bus. The artificial intelligence processor also needs the support of the software stack, including the neural network model, the compiler of the artificial intelligence processor, and the CPU (including the running environment of the artificial intelligence processor).

In order to process one layer of the neural network model, the artificial intelligence processor must receive the instructions of this layer from the CPU, read the input feature map and the corresponding weight data from the off-chip DRAM according to the instructions, and then transfer it to the on-chip cache, in the processing unit array. Perform product and accumulation operations, complete nonlinear operations and pooling operations, and write the processed data back to off-chip DRAM to complete the processing of the current layer. After all layers of the neural network model are processed, the artificial intelligence processor Generate the probability that the neural network model corresponds to each class.

In the process of performing neural network inference, the artificial intelligence processor will generate a large amount of intermediate data, that is, feature maps. However, the on-chip cache space of the AI processor is too small to accommodate a large amount of intermediate data. Therefore, in the process of processing data, the AI processor will transfer the intermediate data to the off-chip DRAM. Repeated handling between off-chip DRAMs will cause memory side channel information leakage. Attackers can observe the addresses and read and write types of AI processors interacting with off-chip DRAM, where memory accesses can be observed by physically probing the bus or by inserting hardware Trojans. The structure of neural network layers is inferred from the observed memory access patterns (read-after-write (RAW) - read-write dependency).

In order to reduce the leakage of memory side channel information, appropriate modifications are made in the general artificial intelligence processor architecture to realize the fusion processing method between neural network layers. As shown in FIG. 2 , the structure diagram of the system of the present invention is based on the original general artificial intelligence processor architecture by appropriately adding a global cache unit of a certain size and a fusion control unit.

First, the artificial intelligence processor receives the fusion instructions from the CPU; then, it performs fusion processing operations on specific layers according to these instructions; finally, the fusion processing of the entire network is completed, and the probability of a neural network model is output. Among them, the fusion control unit designs new fusion instructions according to the instruction set designed by the artificial intelligence processor, and performs the inter-layer fusion operation of the neural network according to the fusion instructions, so that the control logic of the original artificial intelligence processor can not be modified. If the instruction set designed by the artificial intelligence processor cannot satisfy the inter-layer fusion strategy, new fusion control logic needs to be added to adapt to the new fusion control instructions.

Through the analysis of each neural network model (including LeNet, AlexNet, GoogLeNet, VGG, ResNet), and the size of the on-chip cache required by the layer fusion strategy of each neural network model, the corresponding statistics are performed. According to the number of fusion strategies (there are more fusion strategies on a certain on-chip cache, for example, there are 6 fusion strategies on the 100-150KB on-chip cache in Figure 4, which means it has better security) and the size of the on-chip cache , to get the size of the global on-chip cache required by the AI processor. Although the larger the global on-chip cache is, the more strategies for fusion between neural network layers, the higher the performance of the AI processor, and the higher the security, but the global on-chip cache on the AI processor cannot be too large. The present invention obtains a suitable global on-chip cache size required by the artificial intelligence processor through a large number of repeated theoretical analysis and experimental statistics.

At the same time, a fusion control unit and a strip fusion method are added. The fusion control unit mainly adds fusion control logic (including fusion execution logic and fusion instruction parsing logic) to the control processor of the general artificial intelligence processor, and customizes fusion instructions; The strip fusion method is to divide the size of the input feature map into strips, and use the divided strips as a unit for fusion processing.

The whole workflow is as follows:

(1) The artificial intelligence processor generates fusion instructions according to the selected fusion strategy;

(2) The artificial intelligence processor receives the fusion instruction, and analyzes the executed instruction through the fusion control unit, and then fuses the neural network model according to the strip fusion method.

(3) After the artificial intelligence processor completes the processing result of the current strip, put the processed fusion result into the off-chip DRAM, and continue to process the remaining strips according to steps (1) and (2) until the entire The fusion processing of the feature map, and the final result is put into the corresponding off-chip DRAM.

(4) According to steps (1)-(3), the layers to be fused by the neural network model are processed, and finally all the layers of the neural network model are completed, and the probability value corresponding to a certain class of the neural network model is output.

The fusion control unit is mainly used to receive and parse the fusion control instructions from the CPU, and control the processing unit array to perform corresponding processing on the fusion layer of the neural network according to the fusion control instructions, and allocate the input feature map and output feature map to the global on-chip cache. storage location.

The global on-chip cache is used to cache the intermediate data processed by the artificial intelligence processor, including input feature maps and input feature maps, so as to reduce the data interaction between the artificial intelligence processor and off-chip DRAM. The size of the global on-chip cache is determined by various existing neural network models and corresponding fusion strategies. Now the size of the on-chip cache of general artificial intelligence processors is limited by the area and power consumption requirements of artificial intelligence processors. Therefore, the current The on-chip cache of general-purpose neural network accelerators is generally small. Figures 3 and 4 show the relationship between the size of the on-chip cache and the number of off-chip DRAM access cycles in the AlexNet and VGG network models. Different fusion strategies determine the size of the on-chip cache and the number of off-chip DRAM access cycles of the AI processor, as shown in the figure It is shown that when the on-chip cache size is between 100KB and 250KB, the AI processor can choose more fusion strategies, which means that the AI processor has better security. Among them, the size of the on-chip cache of the artificial intelligence processor can be selected according to the premise that the artificial intelligence processor has more fusion strategies under a certain on-chip cache.

The schematic diagram of the strip fusion method of the two-layer convolutional neural network is shown in Figure 5. The present invention proposes a strip fusion method to perform fusion processing on each layer of the neural network. The figure on the left is the input feature map, and the size is 6*6; The middle picture is the intermediate data processed by the neural network processor, which needs to be stored in the global on-chip cache, with a size of 4*4; the picture on the right is the output feature map after fusion, with a size of 2*2. The size of the convolution kernel used in the convolution operation is 3*3. It can be seen from Figure 5 that the input feature map is divided into two strips, and the dashed rectangle in the left image is convolved with the convolution kernel. The intermediate data of the dashed rectangular box in the middle picture, and then, the result of convolution of the intermediate data in the dashed rectangular box of the middle picture with the 3*3 convolution kernel is in the picture on the right, in the first picture on the right row data. Doing the same for the lower strip yields the second row of data in the graph on the right.

The choice of stripe size is selected by the user according to the global on-chip cache size and fusion policy of the AI processor. However, there must be overlapping parts of data between adjacent strips, such as the striped data in the middle of the figure; the number of rows in the overlapping part of the data is determined by the size of the convolution kernel. The specific formula is as follows:

D=K-1

D is the number of rows in the overlapping part of the data, and K is the size of the convolution kernel.

In order to quantify the security of the inter-layer fusion method, the current fusion method is considered to be safe by choosing the possibility of generating more fusion strategies under the premise of a fixed global cache size on the AI processor chip.

The stripe fusion method not only allows the user to flexibly select the size of the stripe, but also allows the user to use the on-chip cache to fuse as many layers as possible. The stripe fusion method enables the global on-chip cache to be fully utilized.

Claims (2)

1. An artificial intelligence processor side channel defense system based on interlayer fusion, comprising: the system comprises a general artificial intelligence processor architecture, a fusion control unit, a global on-chip cache unit and a stripe fusion unit; adding a fusion control unit on the basis of a general artificial intelligence processor architecture, customizing an artificial intelligence processor for a fusion instruction between layers of a neural network model, and combining the fusion control unit with the fusion instruction to realize fusion processing of each layer of the neural network model; adding a global on-chip cache unit on a general artificial intelligence processor architecture for caching intermediate data processed by an artificial intelligence processor, wherein the intermediate data comprises an input characteristic diagram and an output characteristic diagram; the method adopts the strip fusion method to cooperate with the fusion control unit and the fusion instruction to perform fusion processing on each layer of the neural network, thereby reducing the information leakage of the channel at the memory side, confusing the structure of the attacker deducing the neural network model and improving the safety performance of the artificial intelligent processor;

the band fusion unit is realized by adopting a band fusion method and a fusion instruction, wherein the fusion control unit is responsible for realizing the analysis and execution of the fusion instruction; the specific process is as follows: determining a strip superposition part of an input characteristic diagram by a common strip division method and a convolution kernel size to carry out strip division, and then carrying out interlayer fusion processing on a neural network model by combining a customized neural network interlayer fusion instruction according to a corresponding strip according to a strip fusion method so as to enhance the safety of an artificial intelligent processor and improve the performance of the artificial intelligent processor;

the whole work flow is as follows:

(1) the artificial intelligence processor generates a fusion instruction according to the selected fusion strategy;

(2) the artificial intelligence processor receives the fusion instruction, analyzes the executed instruction through the fusion control unit, and then performs fusion processing on the neural network model according to a strip fusion method;

(3) after the artificial intelligent processor finishes the processing result of the current stripe, putting the processed fusion result into an off-chip DRAM, continuously processing the rest stripes according to the steps (1) and (2) until the fusion processing of the whole feature map is finished, and finally putting the final result into the corresponding off-chip DRAM;

(4) and (4) processing the layers to be fused of the neural network model according to the steps (1) to (3), finally completing all the layers of the neural network model, and outputting a probability value corresponding to a certain class of the neural network model.

2. The system of claim 1, wherein: when the stripe fusion unit realizes the stripe fusion method, a part of data overlapping between adjacent stripes is necessary; the number of rows of the data overlapping part is determined by the size of the convolution kernel, and the specific formula is as follows:

D＝K-1

d is the number of rows of data overlap and K is the size of the convolution kernel.

Images