{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,19]],"date-time":"2026-06-19T16:37:27Z","timestamp":1781887047654,"version":"3.54.5"},"reference-count":58,"publisher":"Association for Computing Machinery (ACM)","issue":"3","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Cyber-Phys. Syst."],"published-print":{"date-parts":[[2025,7,31]]},"abstract":"<jats:p>Hardware attacks present a new and easy way for malicious actors to compromise model parameters in machine learning (ML) enabled cyber-physical systems (CPS). This can have severe consequences for many safety-critical cyber-physical applications such as power systems, self-driving cars, healthcare, security, and so on. Prior works have proposed several pre-emptive mitigation approaches for hardware attacks that can be adopted. However, adversarial attacks can bypass existing pre-emptive attack detection methods. Existing defense setups offer no further protection once the detection is bypassed. The attacker can then cause damage without getting noticed easily. In this work, we propose a new diagnosis method to search for compromised weights in real-time even when detection is bypassed considering fault-injection attacks. The proposed methodology provides an additional level of protection, which can rapidly identify and localize more than 99% of affected weights in ML models, even when thousands of model parameters are affected simultaneously, with low power, performance, and area (PPA) overheads. 
In addition, we also propose a method to ensure that the CPS remains functional, even when undergoing attack diagnosis.<\/jats:p>","DOI":"10.1145\/3744749","type":"journal-article","created":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T13:49:40Z","timestamp":1750168180000},"page":"1-24","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["Localization of Data Compromised by Hardware Attacks in Machine Learning Enabled Cyber-Physical Edge Devices"],"prefix":"10.1145","volume":"9","author":[{"ORCID":"https:\/\/orcid.org\/0009-0002-4364-8010","authenticated-orcid":false,"given":"Pravineeth","family":"Edara","sequence":"first","affiliation":[{"name":"University of Houston, Houston, Texas, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1136-9220","authenticated-orcid":false,"given":"Sanmitra","family":"Banerjee","sequence":"additional","affiliation":[{"name":"NVIDIA Corp, Santa Clara, California, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7668-2824","authenticated-orcid":false,"given":"Biresh Kumar","family":"Joardar","sequence":"additional","affiliation":[{"name":"University of Houston, Houston, Texas, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2025,8,4]]},"reference":[{"key":"e_1_3_1_2_2","unstructured":"Dianlei Xu Tong Li Yong Li Senior Member Xiang Su Sasu Tarkoma Tao Jiang Jon Crowcroft and Pan Hui. 2020. Edge intelligence: Architectures challenges and applications. arXiv: 2003.12172v2. Retrieved from https:\/\/arxiv.org\/abs\/2003.12172"},{"key":"e_1_3_1_3_2","unstructured":"Californians for Consumer Privacy. 2020. California Privacy Rights Act. 
Retrieved July 16 2024 from https:\/\/www.caprivacy.org\/"},{"key":"e_1_3_1_4_2","unstructured":"Federated Learning: Collaborative Machine Learning without Centralized Training. 2024. Retrieved July 16 2024 from https:\/\/research.google\/blog\/federated-learning-collaborative-machine-learning-without-centralized-training-data\/"},{"key":"e_1_3_1_5_2","doi-asserted-by":"publisher","DOI":"10.1145\/3355300"},{"key":"e_1_3_1_6_2","doi-asserted-by":"publisher","DOI":"10.1145\/3639570"},{"key":"e_1_3_1_7_2","doi-asserted-by":"publisher","DOI":"10.1145\/3539662"},{"key":"e_1_3_1_8_2","doi-asserted-by":"publisher","unstructured":"Hong Chen. 2017. Applications of cyber-physical system: A literature review. Journal of Industrial Integration and Management 2 3 (2017) 1750012. DOI:10.1142\/S2424862217500129","DOI":"10.1142\/S2424862217500129"},{"key":"e_1_3_1_9_2","unstructured":"Qian Xu Md Tanvir Arafin and Gang Qu. 2024. Security of Neural Networks from Hardware Perspective: A Survey and Beyond. In Proceedings of 2021 26th Asia and South Pacific Design Automation Conference (ASP-DAC). Retrieved July 16 2024 from https:\/\/ieeexplore-ieee-org.ezproxy.lib.uh.edu\/document\/9371637"},{"key":"e_1_3_1_10_2","doi-asserted-by":"publisher","DOI":"10.1145\/3596221\/SUPPL_FILE\/3596221-SUPP.PDF"},{"key":"e_1_3_1_11_2","doi-asserted-by":"publisher","DOI":"10.1109\/TCAD.2022.3206729"},{"key":"e_1_3_1_12_2","doi-asserted-by":"publisher","unstructured":"Sanghyun Hong Pietro Frigo Yi\u011fitcan Kaya Cristiano Giuffrida and Tudor Dumitras. 2019. Terminal brain damage: Exposing the graceless degradation in deep neural networks under hardware fault attacks. In Proceedings of the 28th USENIX Conference on Security Symposium (SEC\u201919). USENIX Association USA 497\u2013514. 
DOI: 10.48550\/ARXIV.1906.01017","DOI":"10.48550\/ARXIV.1906.01017"},{"key":"e_1_3_1_13_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833743"},{"key":"e_1_3_1_14_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCD56317.2022.00044"},{"key":"e_1_3_1_15_2","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2010.299"},{"key":"e_1_3_1_16_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.2975016"},{"key":"e_1_3_1_17_2","doi-asserted-by":"publisher","DOI":"10.1109\/MDAT.2022.3156016"},{"key":"e_1_3_1_18_2","doi-asserted-by":"publisher","DOI":"10.1109\/ATS47505.2019.000-8"},{"key":"e_1_3_1_19_2","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359831"},{"key":"e_1_3_1_20_2","doi-asserted-by":"publisher","DOI":"10.1145\/2678373.2665726"},{"key":"e_1_3_1_21_2","doi-asserted-by":"publisher","DOI":"10.3390\/s24020592"},{"key":"e_1_3_1_22_2","unstructured":"Wikipedia. Retrieved from https:\/\/en.wikipedia.org\/wiki\/Row_hammer"},{"key":"e_1_3_1_23_2","volume-title":"Proceedings of the 2021 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)","author":"Jiang Y.","year":"2021","unstructured":"Y. Jiang, H. Zhu, H. Shan, X. Guo, X. Zhang, and Y. Jin. 2021. TRRScope: Understanding target row refresh mechanism for modern DDR protection. In Proceedings of the 2021 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)."},{"key":"e_1_3_1_24_2","first-page":"747","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy","author":"Frigo P.","unstructured":"P. Frigo, Emanuele Vannacc, Hasan Hassan, Victor van der Veen, Onur Mutlu, Cristiano Giuffrida, Herbert Bos, and Kaveh Razavi. TRRespass: Exploiting the many sides of target row refresh. In Proceedings of the IEEE Symposium on Security and Privacy, 747\u2013762."},{"key":"e_1_3_1_25_2","unstructured":"DRAM-Related Faults Red Hat Customer Portal. 2024. 
DRAM-Related Faults (Rowhammer ZenHammer SPOILER RAMBleed TRRespass including Blacksmith Half-Double). Retrieved from https:\/\/access.redhat.com\/articles\/1377393"},{"key":"e_1_3_1_26_2","unstructured":"Anker Solix. 2024. Watt\u2019s Up: How Much Wattage Does My PC Need. Retrieved from https:\/\/www.anker.com\/blogs\/chargers\/how-much-wattage-does-my-pc-need"},{"key":"e_1_3_1_27_2","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA51647.2021.00037"},{"key":"e_1_3_1_28_2","volume-title":"Proceedings of the International Symposium on Computer Architecture (ISCA)","author":"Seyedzadeh S. M.","unstructured":"S. M. Seyedzadeh, A. K. Jones, and R. Melhem. Mitigating wordline crosstalk using adaptive trees of counters. In Proceedings of the International Symposium on Computer Architecture (ISCA)."},{"key":"e_1_3_1_29_2","volume-title":"Proceedings of the International Symposium on Computer Architecture (ISCA)","author":"Lee E.","unstructured":"E. Lee, I. Kang, S. Lee, G. E. Suh, and J. H. Ahn. TWiCe: Preventing row-hammering by exploiting time window counters. 
In Proceedings of the International Symposium on Computer Architecture (ISCA)."},{"key":"e_1_3_1_30_2","doi-asserted-by":"publisher","DOI":"10.23919\/DATE51398.2021.9474113"},{"key":"e_1_3_1_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCAD51958.2021.9643556"},{"key":"e_1_3_1_32_2","doi-asserted-by":"publisher","DOI":"10.3390\/SU15075930"},{"key":"e_1_3_1_33_2","doi-asserted-by":"publisher","DOI":"10.1145\/3465220"},{"key":"e_1_3_1_34_2","doi-asserted-by":"publisher","DOI":"10.1145\/3061639.3062281"},{"issue":"4","key":"e_1_3_1_35_2","doi-asserted-by":"crossref","first-page":"862","DOI":"10.46586\/tches.v2022.i4.862-885","article-title":"On the application of two-photon absorption for laser fault injection attacks","volume":"2022","author":"Selmke Bodo","year":"2022","unstructured":"Bodo Selmke, Maximilian Pollanka, Andreas Duensing, Emanuele Strieder, Hayden Wen, Michael Mittermair, Reinhard Kienberger, and Georg Sigl. 2022. On the application of two-photon absorption for laser fault injection attacks. Transactions on Cryptographic Hardware and Embedded Systems 2022, 4 (2022), 862\u2013885. Retrieved July 16, 2024 from https:\/\/doaj.org\/article\/2945554398c949dfaa6c8325bdd5a1f8","journal-title":"Transactions on Cryptographic Hardware and Embedded Systems"},{"key":"e_1_3_1_36_2","doi-asserted-by":"publisher","DOI":"10.1109\/SIOT.2015.15"},{"key":"e_1_3_1_37_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISVLSI.2018.00093"},{"key":"e_1_3_1_38_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISCAS.2019.8702382"},{"key":"e_1_3_1_39_2","doi-asserted-by":"publisher","DOI":"10.23919\/FPL.2017.8056840"},{"key":"e_1_3_1_40_2","doi-asserted-by":"publisher","DOI":"10.1109\/IVSW.2019.8854391"},{"key":"e_1_3_1_41_2","unstructured":"Sergei P. Skorobogatov and Ross J. Anderson. 
Optical Fault Induction Attacks."},{"key":"e_1_3_1_42_2","doi-asserted-by":"publisher","DOI":"10.1109\/JPROC.2012.2188769"},{"key":"e_1_3_1_43_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2022.3175930"},{"key":"e_1_3_1_44_2","doi-asserted-by":"publisher","DOI":"10.1109\/TCAD.2020.3047976"},{"key":"e_1_3_1_45_2","doi-asserted-by":"publisher","DOI":"10.1145\/3079856.3080222"},{"key":"e_1_3_1_46_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISVLSI.2019.00122"},{"key":"e_1_3_1_47_2","doi-asserted-by":"publisher","DOI":"10.23919\/DATE48585.2020.9116571"},{"key":"e_1_3_1_48_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833664"},{"key":"e_1_3_1_49_2","doi-asserted-by":"publisher","DOI":"10.1109\/TCAD.2021.3124763"},{"key":"e_1_3_1_50_2","doi-asserted-by":"publisher","DOI":"10.1109\/TCAD.2020.3013194"},{"key":"e_1_3_1_51_2","unstructured":"IBM. 2025. IBM Cloud Hardware Security Module 7.0. Retrieved from https:\/\/www.ibm.com\/products\/hardware-security-module"},{"key":"e_1_3_1_52_2","unstructured":"IBM. 2025. IBM TSS for TPM 2.0. Retrieved from https:\/\/ibmswtpm.sourceforge.net\/ibmtss2.html"},{"key":"e_1_3_1_53_2","unstructured":"National Security Agency\/Central Security Service. 2024. NSA Issues Guidance for using Trusted Platform Modules (TPMs). Retrieved from https:\/\/www.nsa.gov\/Press-Room\/Press-Releases-Statements\/Press-Release-View\/Article\/3959033\/nsa-issues-guidance-for-using-trusted-platform-modules-tpms\/#:~:text=The%20TPM%20protects%20keys%20%E2%80%93%20associated user%20credentials%20and%20stored%20data"},{"key":"e_1_3_1_54_2","unstructured":"Learn. 2023. Retrieved from https:\/\/learn.microsoft.com\/en-us\/azure\/confidential-computing\/virtual-tpms-in-azure-confidential-vm"},{"key":"e_1_3_1_55_2","unstructured":"Red Hat Emerging Technologies. 2021. Red Hat Emerging Technologies. 
Retrieved from https:\/\/next.redhat.com\/2021\/05\/13\/what-can-you-do-with-a-tpm\/"},{"key":"e_1_3_1_56_2","volume-title":"Proceedings of the 3rd International Conference on Learning Representations (ICLR \u201915)","author":"Simonyan Karen","year":"2014","unstructured":"Karen Simonyan and Andrew Zisserman. 2014. Very deep convolutional networks for large-scale image recognition. In Proceedings of the 3rd International Conference on Learning Representations (ICLR \u201915). Retrieved July 16, 2024 from https:\/\/arxiv.org\/abs\/1409.1556v6"},{"key":"e_1_3_1_57_2","unstructured":"Forrest N. Iandola Song Han Matthew W. Moskewicz Khalid Ashraf William J. Dally and Kurt Keutzer. 2016. SqueezeNet: AlexNet-level accuracy with 50x fewer parameters and <0.5MB model size. arXiv:1602.07360v4. Retrieved from https:\/\/arxiv.org\/abs\/1602.07360v4"},{"key":"e_1_3_1_58_2","unstructured":"Joseph Redmon and Ali Farhadi. 2018. YOLOv3: An incremental improvement. arXiv:1804.02767v1. Retrieved from https:\/\/arxiv.org\/abs\/1804.02767v1"},{"key":"e_1_3_1_59_2","doi-asserted-by":"publisher","DOI":"10.1109\/TVLSI.2020.3048829"}],"container-title":["ACM Transactions on Cyber-Physical 
Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3744749","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,4]],"date-time":"2025-08-04T15:54:21Z","timestamp":1754322861000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3744749"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,7,31]]},"references-count":58,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2025,7,31]]}},"alternative-id":["10.1145\/3744749"],"URL":"https:\/\/doi.org\/10.1145\/3744749","relation":{},"ISSN":["2378-962X","2378-9638"],"issn-type":[{"value":"2378-962X","type":"print"},{"value":"2378-9638","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,7,31]]},"assertion":[{"value":"2024-08-10","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-05-30","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-08-04","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}