RBNN: Memory-Efficient Reconfigurable Deep Binary Neural Network with IP Protection for Internet of Things

Though deep neural network (DNN) models exhibit outstanding performance across a wide range of applications, their large model size and extensive floating-point operations (FLOPs) make deployment on mobile computing platforms, and in particular on Internet of Things (IoT) devices, a major challenge. One appealing solution is model quantization, which reduces the model size and relies on integer operations commonly supported by microcontrollers (MCUs), most of which lack hardware floating-point support. At the extreme, a 1-bit quantized DNN model, or deep binary neural network (BNN), maximizes memory efficiency: each parameter occupies only a single bit. In this paper, we propose a reconfigurable BNN (RBNN) to further amplify memory efficiency for resource-constrained IoT devices. The RBNN can be reconfigured on demand to perform any one of M (M > 1) distinct tasks with the same parameter set, so the memory requirement is determined by a single task; in other words, memory utilization improves by a factor of M. Our extensive experiments corroborate that up to seven commonly used tasks (M = 7; six image-related and one audio) can co-exist, and M can be larger still. These tasks, which have varying numbers of classes, incur no or negligible accuracy degradation (within 1%) on three popular binarized DNN architectures: VGG, ResNet, and ReActNet. The tasks span different domains, e.g., the computer vision and audio domains validated herein, with the prerequisite that the model architecture can serve those cross-domain tasks. To protect the intellectual property (IP) of an RBNN model, the reconfiguration is controlled by both a user key and a device-unique root key generated from an intrinsic hardware fingerprint (e.g., the SRAM power-up pattern). An RBNN model can thus be used only by a paying user on an authorized device, benefiting both the user and the model provider.
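To make the key-controlled reconfiguration concrete, the sketch below models it as a key-seeded reordering of one shared binary parameter set, with the reconfiguration key derived from a user key combined with a device-unique root key taken from the SRAM power-up pattern. This is a minimal illustration under stated assumptions: the function names, the SHA-256-based key derivation, and the permutation mechanism are illustrative choices, not the paper's exact scheme, and a real deployment would run the noisy SRAM fingerprint through a fuzzy extractor before use.

```python
# Illustrative sketch of key-controlled RBNN reconfiguration.
# The permutation-based mechanism and all names here are assumptions
# for exposition; the paper's actual reconfiguration may differ.
import hashlib
import numpy as np

def derive_reconfig_key(user_key: bytes, sram_powerup: np.ndarray) -> bytes:
    """Combine a per-user key with a device-unique root key.

    The root key is assumed to come from the SRAM power-up pattern;
    in practice a fuzzy extractor would first correct its noise.
    """
    root_key = hashlib.sha256(np.packbits(sram_powerup).tobytes()).digest()
    return hashlib.sha256(user_key + root_key).digest()

def reconfigure(shared_weights: np.ndarray, key: bytes, task_id: int) -> np.ndarray:
    """Reorder the single shared binary parameter set for one task.

    Modeled as a key-seeded permutation: only a holder of the correct
    (user key, device) pair recovers the weights for a given task.
    """
    seed = int.from_bytes(hashlib.sha256(key + bytes([task_id])).digest()[:8], "big")
    perm = np.random.default_rng(seed).permutation(shared_weights.size)
    return shared_weights.ravel()[perm].reshape(shared_weights.shape)

# Usage: one {-1, +1} parameter set serves M tasks, so memory cost stays
# at a single task's worth of weights.
weights = np.sign(np.random.default_rng(0).standard_normal(1024)).astype(np.int8)
sram = np.random.default_rng(1).integers(0, 2, 2048, dtype=np.uint8)  # stand-in fingerprint
key = derive_reconfig_key(b"paid-user-key", sram)
task3_weights = reconfigure(weights, key, task_id=3)
```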
