Researchers from MIT and the MIT-IBM Watson AI Lab have developed a secure and efficient machine-learning accelerator. It is designed to resist common hardware attacks so that sensitive data, such as health records and financial information, stays private while AI models still run directly on the device. The development is a significant step toward guaranteeing the security of health-monitoring apps and has potential applications in augmented reality, virtual reality, and autonomous driving.
These applications are typically powered by large machine-learning models that require a considerable amount of data transfer between the application's server and a user's smartphone. That data transfer can be slow and energy-inefficient. To speed up processing, engineers use machine-learning accelerators that expedite computation. However, these accelerators are susceptible to hardware attacks that can lead to the theft of confidential information.
To mitigate these risks, the researchers developed a machine-learning accelerator that is impervious to two common types of attacks. Although the chip slightly slows down the device and incurs a marginal energy and cost penalty, the gain in security is notable. The balance between security and efficiency was struck during the preliminary design phase; retrofitting the same protections later would otherwise have been prohibitively expensive.
The researchers targeted a form of machine-learning accelerator known as digital in-memory compute, which performs computations inside the device's memory to improve efficiency. However, such chips are potential targets for attackers, who can recover data through side-channel attacks that monitor the chip's power consumption, or steal bits of the model and dataset through bus-probing attacks on the communication between the accelerator and off-chip memory. To remove these vulnerabilities, the team adopted a comprehensive approach combining several techniques.
Firstly, they split the data held in the in-memory compute array into random fragments, so that an attacker observing any one fragment cannot reconstruct the actual information. Secondly, they employed a lightweight cipher to encrypt the model stored in off-chip memory, thereby preventing bus-probing attacks. Further, the decryption key is generated on the chip itself rather than being transferred alongside the model each time. Lastly, they reduced computation by reusing the chip's memory cells to generate the key instead of building a separate key-generation circuit from scratch.
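The "random fragments" idea corresponds to the classic masking countermeasure against power analysis: a value is replaced by shares whose sum is the value, each share alone is uniformly random, and linear operations such as a dot product can be carried out on the shares separately. The following is an added illustration of that general principle, not the MIT chip's own scheme; it assumes a toy 8-bit ring (the page does not state the chip's word size) and protects only the weights, with activations left in the clear.

```python
import secrets

MOD = 2 ** 8  # assumption: toy 8-bit ring, not the real chip's word size


def split(value, n_shares=2, rng=secrets.randbelow):
    """Split a value into n additive shares mod MOD.

    The first n-1 shares are fresh random masks; the last is whatever makes
    all shares sum back to the value, so no single share reveals it.
    """
    shares = [rng(MOD) for _ in range(n_shares - 1)]
    shares.append((value - sum(shares)) % MOD)
    return shares


def recombine(shares):
    """Only the sum of every share yields the original value."""
    return sum(shares) % MOD


def masked_dot(weights, activations, n_shares=2):
    """Dot product computed without ever holding an unmasked weight.

    Each weight is split just before use; per-share accumulators are kept
    separately and only the final accumulators are recombined. Because
    additive sharing is linear, the result equals the plain dot product mod MOD.
    """
    acc = [0] * n_shares
    for w, a in zip(weights, activations):
        for i, s in enumerate(split(w, n_shares)):
            acc[i] = (acc[i] + s * a) % MOD
    return recombine(acc)


def dependent_share_is_uniform(secret):
    """Sweep every mask for one fixed secret and check the dependent share
    takes each ring value exactly once: observing it alone says nothing."""
    seen = sorted((secret - mask) % MOD for mask in range(MOD))
    return seen == list(range(MOD))
```

The last function is the reason a power trace of a single share carries no information about the weight: for every secret the share is a permutation of the mask, so its distribution is identical for all secrets.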
The researchers tested the chip by attempting side-channel and bus-probing attacks against it. Across multiple simulations, no meaningful information or model data was revealed, and the encryption remained unbroken. However, the additional security measures required a larger chip area, which reduces energy efficiency and raises fabrication costs. The team is exploring ways to balance cost, energy consumption, implementation effort, and security, which would pave the way for wider-scale deployment. The research was partially funded by the MIT-IBM Watson AI Lab, the National Science Foundation, and a MathWorks Engineering Fellowship.