Deep Neural Networks (DNNs) are employed in an increasing number of applications, some of which are safety critical. Unfortunately, DNNs are known to be vulnerable to so-called adversarial attacks that manipulate inputs to cause incorrect results that can be beneficial to an attacker or damaging to the victim. Multiple defenses have been proposed to increase the robustness of DNNs. In general, these defenses have high overhead, some require attack-specific re-training of the model or careful tuning to adapt to different attacks. This paper presents HASI, a hardware-accelerated defense that uses a process we call stochastic inference to detect adversarial inputs. We show that by carefully injecting noise into the model at inference time, we can differentiate adversarial inputs from benign ones. HASI uses the output distribution characteristics of noisy inference compared to a non-noisy reference to detect adversarial inputs. We show an adversarial detection rate of 86% when applied to VGG16 and 93% when applied to ResNet50, which exceeds the detection rate of the state of the art approaches, with a much lower overhead. We demonstrate two software/hardware-accelerated co-designs, which reduces the performance impact of stochastic inference to 1.58X-2X relative to the unprotected baseline, compared to 15X-20X overhead for a software-only GPU implementation.

翻译：深神经网络(DNNS)被用于越来越多的应用,其中一些应用是安全的关键。 不幸的是,DNNS已知容易受到所谓的对抗性攻击,这种攻击操纵投入造成有利于攻击者或损害受害者的结果不正确的结果。为了提高DNNS的稳健性,提出了多种防御建议。一般而言,这些防御具有高压,有些需要针对攻击的重新培训模型或仔细调整,以适应不同的攻击。本文展示了HASI,一种硬件加速防御,我们称之为对对抗性投入的诊断。我们表明,通过在推断时间将声音仔细注入模型,我们可以将对抗性投入与良性投入区分开来。HASI使用了噪音的分布特征,而不是无噪音的引用来探测对抗性投入。我们在VGG16和ResNet50应用时的对抗性检测率分别为86%和93%,这超过了艺术方法的检测率,比GGG16和ResNet50低得多的检测率。我们显示,我们通过仔细的输入模型,我们可以区分对抗性投入。我们用两种软件/软件,比GVGV16和SVX的软软件降低了15度。