{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T02:30:05Z","timestamp":1760149805137,"version":"build-2065373602"},"reference-count":49,"publisher":"MDPI AG","issue":"9","license":[{"start":{"date-parts":[[2023,9,19]],"date-time":"2023-09-19T00:00:00Z","timestamp":1695081600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"National Science Foundation","award":["2114200","2214108","2153394"],"award-info":[{"award-number":["2114200","2214108","2153394"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>Universal adversarial perturbations are image-agnostic and model-independent noise that, when added to any image, can mislead the trained deep convolutional neural networks into the wrong prediction. Since these universal adversarial perturbations can seriously jeopardize the security and integrity of practical deep learning applications, the existing techniques use additional neural networks to detect the existence of these noises at the input image source. In this paper, we demonstrate an attack strategy that, when activated by rogue means (e.g., malware, trojan), can bypass these existing countermeasures by augmenting the adversarial noise at the AI hardware accelerator stage. 
We demonstrate the accelerator-level universal adversarial noise attack on several deep learning models using co-simulation of the software kernel of the Conv2D function and the Verilog RTL model of the hardware under the FuseSoC environment.<\/jats:p>","DOI":"10.3390\/info14090516","type":"journal-article","created":{"date-parts":[[2023,9,19]],"date-time":"2023-09-19T23:17:20Z","timestamp":1695165440000},"page":"516","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["Attacking Deep Learning AI Hardware with Universal Adversarial Perturbation"],"prefix":"10.3390","volume":"14","author":[{"given":"Mehdi","family":"Sadi","sequence":"first","affiliation":[{"name":"Department of Electrical and Computer Engineering, Auburn University, Auburn, AL 36849, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Bashir Mohammad Sabquat Bahar","family":"Talukder","sequence":"additional","affiliation":[{"name":"Department of Electrical and Computer Engineering, Florida International University, Miami, FL 33199, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Kaniz","family":"Mishty","sequence":"additional","affiliation":[{"name":"Department of Electrical and Computer Engineering, Auburn University, Auburn, AL 36849, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0010-6388","authenticated-orcid":false,"given":"Md Tauhidur","family":"Rahman","sequence":"additional","affiliation":[{"name":"Department of Electrical and Computer Engineering, Florida International University, Miami, FL 33199, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2023,9,19]]},"reference":[{"key":"ref_1","unstructured":"(2023, July 01). Google Deepmind. 
Available online: https:\/\/www.deepmind.com\/."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"2295","DOI":"10.1109\/JPROC.2017.2761740","article-title":"Efficient processing of deep neural networks: A tutorial and survey","volume":"105","author":"Sze","year":"2017","journal-title":"Proc. IEEE"},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Jouppi, N.P., Young, C., Patil, N., Patterson, D., Agrawal, G., Bajwa, R., Bates, S., Bhatia, S., Boden, N., and Borchers, A. (2017, January 24\u201328). In-datacenter performance analysis of a tensor processing unit. Proceedings of the 44th Annual International Symposium on Computer Architecture, Toronto, ON, Canada.","DOI":"10.1145\/3079856.3080246"},{"key":"ref_4","unstructured":"(2023, July 01). Intel VPUs. Available online: https:\/\/www.intel.com\/content\/www\/us\/en\/products\/details\/processors\/movidius-vpu.html."},{"key":"ref_5","unstructured":"Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., and Fergus, R. (2014). Intriguing properties of neural networks. arXiv."},{"key":"ref_6","unstructured":"Goodfellow, I.J., Shlens, J., and Szegedy, C. (2015, January 7\u20139). Explaining and Harnessing Adversarial Examples. Proceedings of the ICLR, San Diego, CA, USA."},{"key":"ref_7","unstructured":"Tram\u00e8r, F., Kurakin, A., Papernot, N., Goodfellow, I., Boneh, D., and McDaniel, P. (May, January 30). Ensemble Adversarial Training: Attacks and Defenses. Proceedings of the ICLR, Vancouver, BC, Canada."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Moosavi-Dezfooli, S.M., Fawzi, A., Fawzi, O., and Frossard, P. (2017, January 21\u201326). Universal Adversarial Perturbations. 
Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Honolulu, HI, USA.","DOI":"10.1109\/CVPR.2017.17"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Truong, L., Jones, C., Hutchinson, B., August, A., Praggastis, B., Jasper, R., Nichols, N., and Tuor, A. (2020, January 14\u201319). Systematic Evaluation of Backdoor Data Poisoning Attacks on Image Classifiers. Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR) Workshops, Seattle, WA, USA.","DOI":"10.1109\/CVPRW50498.2020.00402"},{"key":"ref_10","unstructured":"Gu, T., Dolan-Gavitt, B., and Garg, S. (2017). Badnets: Identifying vulnerabilities in the machine learning model supply chain. arXiv."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Papernot, N., McDaniel, P., Goodfellow, I., Jha, S., Celik, Z.B., and Swami, A. (2017, January 2\u20136). Practical Black-Box Attacks against Machine Learning. Proceedings of the ACM Asia Conference on Computer and Communications Security, Abu Dhabi, United Arab Emirates.","DOI":"10.1145\/3052973.3053009"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"2805","DOI":"10.1109\/TNNLS.2018.2886017","article-title":"Adversarial examples: Attacks and defenses for deep learning","volume":"30","author":"Yuan","year":"2019","journal-title":"IEEE Trans. Neural Netw. Learn. Syst."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"1207","DOI":"10.1109\/JPROC.2014.2332291","article-title":"Counterfeit integrated circuits: A rising threat in the global semiconductor supply chain","volume":"102","author":"Guin","year":"2014","journal-title":"Proc. IEEE"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Contreras, G.K., Rahman, M.T., and Tehranipoor, M. (2013, January 2\u20134). Secure split-test for preventing IC piracy by untrusted foundry and assembly. 
Proceedings of the 2013 IEEE International Symposium on Defect and Fault Tolerance in VLSI and Nanotechnology Systems (DFTS), New York, NY, USA.","DOI":"10.1109\/DFT.2013.6653606"},{"key":"ref_15","unstructured":"Symantec (2023, July 01). Internet Security Threat Report (ISTR). Available online: https:\/\/docs.broadcom.com\/doc\/istr-24-executive-summary-en."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"3886","DOI":"10.1109\/TIFS.2020.3003571","article-title":"Adversarial Deep Ensemble: Evasion Attacks and Defenses for Malware Detection","volume":"15","author":"Li","year":"2020","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Sayadi, H., Patel, N., Sasan, A., Rafatirad, S., and Homayoun, H. (2018, January 24\u201328). Ensemble Learning for Effective Run-Time Hardware-Based Malware Detection: A Comprehensive Analysis and Classification. Proceedings of the 2018 55th ACM\/ESDA\/IEEE Design Automation Conference (DAC), San Francisco, CA, USA.","DOI":"10.1109\/DAC.2018.8465828"},{"key":"ref_18","unstructured":"Symantec (2023, July 01). W32.Stuxnet Dossier. Available online: https:\/\/web.archive.org\/web\/20191223000908\/https:\/\/www.symantec.com\/security-center\/writeup\/2010-071400-3123-99\/."},{"key":"ref_19","unstructured":"Liu, H., Ji, R., Li, J., Zhang, B., Gao, Y., Wu, Y., and Huang, F. (November, January 27). Universal Adversarial Perturbation via Prior Driven Uncertainty Approximation. Proceedings of the IEEE\/CVF International Conference on Computer Vision (ICCV), Seoul, Republic of Korea."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Clements, J., and Lao, Y. (2018). Hardware trojan attacks on neural networks. arXiv.","DOI":"10.1109\/ISCAS.2019.8702493"},{"key":"ref_21","unstructured":"Rakin, A.S., He, Z., and Fan, D. (November, January 27). Bit-flip attack: Crushing neural network with progressive bit search. 
Proceedings of the IEEE International Conference on Computer Vision, Seoul, Republic of Korea."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Hou, X., Breier, J., Jap, D., Ma, L., Bhasin, S., and Liu, Y. (2020, January 20\u201323). Security Evaluation of Deep Neural Network Resistance Against Laser Fault Injection. Proceedings of the 2020 IEEE International Symposium on the Physical and Failure Analysis of Integrated Circuits (IPFA), Singapore.","DOI":"10.1109\/IPFA49335.2020.9261013"},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Liu, W., Chang, C.H., Zhang, F., and Lou, X. (2020, January 20\u201324). Imperceptible misclassification attack on deep learning accelerator by glitch injection. Proceedings of the 2020 57th ACM\/IEEE Design Automation Conference (DAC), San Francisco, CA, USA.","DOI":"10.1109\/DAC18072.2020.9218577"},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Zhao, P., Wang, S., Gongye, C., Wang, Y., Fei, Y., and Lin, X. (2019, January 2\u20136). Fault sneaking attack: A stealthy framework for misleading deep neural networks. Proceedings of the 2019 56th ACM\/IEEE Design Automation Conference (DAC), Las Vegas, NV, USA.","DOI":"10.1145\/3316781.3317825"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Gao, Y., Xu, C., Wang, D., Chen, S., Ranasinghe, D.C., and Nepal, S. (2019, January 9\u201313). STRIP: A Defence against Trojan Attacks on Deep Neural Networks. Proceedings of the 35th Annual Computer Security Applications Conference, Association for Computing Machinery, San Juan, PR, USA.","DOI":"10.1145\/3359789.3359790"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Chou, E., Tram\u00e8r, F., and Pellegrino, G. (2020, January 21). SentiNet: Detecting Localized Universal Attacks Against Deep Learning Systems. 
Proceedings of the IEEE Security and Privacy Workshops (SPW), San Francisco, CA, USA.","DOI":"10.1109\/SPW50608.2020.00025"},{"key":"ref_27","unstructured":"Ligh, M., Case, A., Levy, J., and Walters, A. (2014). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory, Wiley Publishing."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"S3","DOI":"10.1016\/j.diin.2019.04.008","article-title":"Windows Memory Forensics: Detecting (Un)Intentionally Hidden Injected Code by Examining Page Table Entries","volume":"29","author":"Block","year":"2019","journal-title":"Digit. Investig."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Costales, R., Mao, C., Norwitz, R., Kim, B., and Yang, J. (2020, January 14\u201319). Live Trojan Attacks on Deep Neural Networks. Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Seattle, WA, USA.","DOI":"10.1109\/CVPRW50498.2020.00406"},{"key":"ref_30","unstructured":"Cimpanu, C. (2023, July 01). Microsoft Warns about Astaroth Malware Campaign. Available online: https:\/\/www.zdnet.com\/article\/microsoft-warns-about-astaroth-malware-campaign."},{"key":"ref_31","unstructured":"Rafter, D. What Is a Rootkit? And How to Stop Them. Available online: https:\/\/us.norton.com\/internetsecurity-malware-what-is-a-rootkit-and-how-to-stop-them.html."},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Zhao, Y., Hu, X., Li, S., Ye, J., Deng, L., Ji, Y., Xu, J., Wu, D., and Xie, Y. (2019, January 25\u201329). Memory Trojan Attack on Neural Network Accelerators. Proceedings of the Design, Automation Test in Europe Conference Exhibition (DATE), Florence, Italy.","DOI":"10.23919\/DATE.2019.8715027"},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Zhang, J., Zhang, Y., Li, H., and Jiang, J. (2020, January 9\u201313). HIT: A Hidden Instruction Trojan Model for Processors. 
Proceedings of the Design, Automation Test in Europe Conference Exhibition (DATE), Grenoble, France.","DOI":"10.23919\/DATE48585.2020.9116228"},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3396521","article-title":"Soft-HaT: Software-Based Silicon Reprogramming for Hardware Trojan Implementation","volume":"25","author":"Alam","year":"2020","journal-title":"ACM Trans. Des. Autom. Electron. Syst."},{"key":"ref_35","unstructured":"Costan, V., and Devadas, S. Intel SGX Explained. Proceedings of the Cryptology ePrint Archive, Available online: http:\/\/css.csail.mit.edu\/6.858\/2020\/readings\/costan-sgx.pdf."},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Akhtar, N., Liu, J., and Mian, A. (2018, January 18\u201323). Defense Against Universal Adversarial Perturbations. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Salt Lake City, UT, USA.","DOI":"10.1109\/CVPR.2018.00357"},{"key":"ref_37","unstructured":"(2023, July 01). PyTorch. Available online: https:\/\/pytorch.org\/."},{"key":"ref_38","unstructured":"(2023, July 01). FuseSoC Platform. Available online: https:\/\/github.com\/olofk\/fusesoc."},{"key":"ref_39","doi-asserted-by":"crossref","first-page":"17322","DOI":"10.1109\/ACCESS.2017.2742698","article-title":"Fault and error tolerance in neural networks: A review","volume":"5","author":"Girau","year":"2017","journal-title":"IEEE Access"},{"key":"ref_40","doi-asserted-by":"crossref","first-page":"1230","DOI":"10.1109\/TCAD.2020.2995347","article-title":"Practical Attacks on Deep Neural Networks by Memory Trojaning","volume":"40","author":"Hu","year":"2021","journal-title":"IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst."},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Liu, T., Wen, W., and Jin, Y. (May, January 30). SIN 2: Stealth infection on neural network\u2014A low-cost agile neural Trojan attack methodology. 
Proceedings of the 2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), Washington, DC, USA.","DOI":"10.1109\/HST.2018.8383920"},{"key":"ref_42","unstructured":"Ji, Y., Liu, Z., Hu, X., Wang, P., and Zhang, Y. (2019). Programmable Neural Network Trojan for Pre-Trained Feature Extractor. arXiv."},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Li, W., Yu, J., Ning, X., Wang, P., Wei, Q., Wang, Y., and Yang, H. (2018, January 8\u201311). Hu-fu: Hardware and software collaborative attack framework against neural networks. Proceedings of the 2018 IEEE Computer Society Annual Symposium on VLSI (ISVLSI), Hong Kong, China.","DOI":"10.1109\/ISVLSI.2018.00093"},{"key":"ref_44","doi-asserted-by":"crossref","unstructured":"Liu, Y., Wei, L., Luo, B., and Xu, Q. (2017, January 13\u201316). Fault injection attack on deep neural network. Proceedings of the 2017 IEEE\/ACM International Conference on Computer-Aided Design (ICCAD), Irvine, CA, USA.","DOI":"10.1109\/ICCAD.2017.8203770"},{"key":"ref_45","doi-asserted-by":"crossref","unstructured":"Kim, J.S., Patel, M., Yaglikci, A.G., Hassan, H., Azizi, R., Orosa, L., and Mutlu, O. (2020). Revisiting RowHammer: An Experimental Analysis of Modern DRAM Devices and Mitigation Techniques. arXiv.","DOI":"10.1109\/ISCA45697.2020.00059"},{"key":"ref_46","doi-asserted-by":"crossref","unstructured":"Cojocar, L., Kim, J., Patel, M., Tsai, L., Saroiu, S., Wolman, A., and Mutlu, O. (2020). Are We Susceptible to Rowhammer? An End-to-End Methodology for Cloud Providers. arXiv.","DOI":"10.1109\/SP40000.2020.00085"},{"key":"ref_47","doi-asserted-by":"crossref","first-page":"361","DOI":"10.1145\/2678373.2665726","article-title":"Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors","volume":"42","author":"Kim","year":"2014","journal-title":"ACM Sigarch Comput. Archit. News"},{"key":"ref_48","unstructured":"(2023, July 01). 
Mitigations Available for the DRAM Row Hammer Vulnerability, Cisco Blogs. Available online: https:\/\/blogs.cisco.com\/security\/mitigations-available-for-the-dram-row-hammer-vulnerability."},{"key":"ref_49","doi-asserted-by":"crossref","first-page":"1730","DOI":"10.1109\/TVLSI.2021.3105958","article-title":"Designing Efficient and High-Performance AI Accelerators With Customized STT-MRAM","volume":"29","author":"Mishty","year":"2021","journal-title":"IEEE Trans. Very Large Scale Integr. (VLSI) Syst."}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/14\/9\/516\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T20:53:58Z","timestamp":1760129638000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/14\/9\/516"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,9,19]]},"references-count":49,"journal-issue":{"issue":"9","published-online":{"date-parts":[[2023,9]]}},"alternative-id":["info14090516"],"URL":"https:\/\/doi.org\/10.3390\/info14090516","relation":{},"ISSN":["2078-2489"],"issn-type":[{"type":"electronic","value":"2078-2489"}],"subject":[],"published":{"date-parts":[[2023,9,19]]}}}