Researchers from MIT and the MIT-IBM Watson AI Lab have designed a machine-learning accelerator that is impervious to the two most common types of cyberattacks. Currently, healthcare apps that monitor chronic diseases or fitness goals rely on machine learning to operate. However, the large machine-learning models they use must be shuttled between a smartphone and a central memory server, which makes the apps slow and energy inefficient.
Hardware that reduces the necessity for these extensive data transfers is typically used to accelerate the process. While accelerators can expedite computation, they also expose secret information to potential attackers. The newly developed machine-learning accelerator minimizes this vulnerability by securely storing sensitive information like health records and financial data while efficiently facilitating the operation of substantial AI models.
The team has introduced several optimizations that offer robust security with only minor impacts on device speed. Furthermore, these security enhancements do not affect the accuracy of the calculations. This machine-learning accelerator could have particular utility in demanding AI applications such as AR/VR and autonomous driving.
While the implementation of the chip would make a device slightly more costly and less energy efficient, the security it provides is often worth it. According to the researchers, it is less expensive to incorporate security during the design phase rather than adding it after the system is created.
In terms of combating cyberattacks, the accelerator developed by the researchers splits the data in the in-memory compute (IMC) array into random pieces, which a side-channel attack cannot reconstruct. The technology also uses a lightweight cipher to guard against bus-probing attacks by encrypting the model stored in off-chip memory. Lastly, the decryption key is generated directly on the chip, eliminating the need for it to be transferred back and forth with the model.
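The random-share splitting described above, as an added illustration (this is not the MIT team's design or code): a value is split into additive shares modulo 256, each share branch computes on its own share, and a simulated Hamming-weight leakage of any single share is independent of the secret. The 8-bit datapath, the Hamming-weight leakage model and the share counts are assumptions made for the example.

```python
import random

MOD = 256  # 8-bit arithmetic; a quantized-weight datapath is assumed for illustration


def split_shares(value, n_shares, rng=random):
    """Split value into n_shares pieces whose sum mod MOD equals value.
    All but the last share are drawn uniformly at random, so any single share
    (indeed any n_shares-1 of them) is statistically independent of value."""
    shares = [rng.randrange(MOD) for _ in range(n_shares - 1)]
    shares.append((value - sum(shares)) % MOD)
    return shares


def recombine(shares):
    """Only a party holding every share can reconstruct the original value."""
    return sum(shares) % MOD


def masked_dot(weights, inputs, n_shares, rng=random):
    """Dot product computed on shares: each share branch sees only random-looking
    weights and emits a random-looking partial sum. Because the operation is
    linear, recombining the partial sums yields the true dot product mod MOD."""
    shared_weights = [split_shares(w, n_shares, rng) for w in weights]
    partial = []
    for s in range(n_shares):
        acc = 0
        for j, x in enumerate(inputs):
            acc = (acc + shared_weights[j][s] * x) % MOD
        partial.append(acc)
    return partial  # n_shares partial results; recombine() gives the answer


def hamming_weight(v):
    """Crude power-leakage model: a bus or register leaks its number of set bits."""
    return bin(v).count("1")


def mean_share_leakage(secret, n_trials, seed=0):
    """Average simulated leakage of the first share over many randomisations.
    For a masked value this stays near 4.0 whatever the secret is, whereas the
    unmasked value would leak hamming_weight(secret) on every trace."""
    rng = random.Random(seed)
    total = sum(hamming_weight(split_shares(secret, 2, rng)[0]) for _ in range(n_trials))
    return total / n_trials


if __name__ == "__main__":
    w, x = [3, 250, 7], [1, 2, 3]  # constructed sample weights and inputs
    print("plain:", sum(a * b for a, b in zip(w, x)) % MOD)  # 12
    print("masked:", recombine(masked_dot(w, x, 3, random.Random(42))))  # 12
    print("leak(0):", mean_share_leakage(0, 20000), "leak(255):", mean_share_leakage(255, 20000))
```

Compare the two leakage means against the unmasked case (0 versus 8 set bits): the masked shares give an attacker observing one branch nothing to correlate with the secret.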
The team tested the chip by attempting to carry out side-channel and bus-probing cyberattacks. Despite millions of tries, they failed to extract any real information or break the cipher. By contrast, unprotected chips allowed information to be stolen with only about 5,000 samples.
While the addition of security measures affects the energy efficiency of the accelerator and requires more chip area (thus making it more expensive), the team is considering strategies to reduce the energy consumption and size of the future chips.
This research offers significant progress in the realm of secure machine-learning technology and could be integral to future mobile devices. Furthermore, it underscores the need for ongoing exploration of security and cost efficiency trade-offs in the design and implementation process.