Robust and hardware efficient hardware accelerator design for convolutional neural networks
Robust and hardware efficient hardware accelerator design for convolutional neural networks
This thesis investigates the integration of approximate computing (AC) techniques into CNN hardware accelerators while addressing security vulnerabilities associated with hardware Trojans (HTs) and backdoor attacks. A comprehensive literature review highlights the need to mitigate these threats, as backdoors attacks can subtly alter classifications, and HTs can cause targeted errors. Meanwhile, the increasing computational demands of CNNs and the limited processing capabilities of embedded devices necessitate lightweight CNN hardware accelerators. AC has emerged as a key approach to enhancing efficiency. However, a major research gap exists in the lack of methodologies for efficiently designing AC-based CNN accelerators and implementing measurements against HTs and backdoor attacks.
To bridge this gap, this thesis proposes three methods: Error Matrix-based Error Injection (EMEI), Shuffle and Substitute Defence Mechanism (SSDM), and a selective protection scheme for important processing elements (PEs). EMEI enables fast selection of approximate multipliers for each PE in CNNs, optimising hardware efficiency while maintaining classification accuracy, with a predicted-to-actual accuracy difference of less than 3% on MobileNetV2 using CIFAR-10 and GTSRB. SSDM disrupts HT and backdoor activation through pixel-level shuffling, substitution, and bit-level weight shuffling, reducing activation rates of position-specific, value-specific, pattern-specific, and sequence-specific triggered HTs to below 2%, while detecting neuron-specific HTs within 45 images. Stable patch-based backdoor attack activation rates drop below 5%, while random patch-based and warping-based backdoor attack rates fall below 30%, with additional overhead of less than 0.1%. The selective protection scheme identifies and secures vulnerable PEs. Additionally, two runtime detection methods are introduced: Selective Hardware Redundancy (SHR), which reacts to HT-induced errors within one cycle with <10% overhead, and Selective Hardware and Time Redundancy (SHTR), offering low-overhead (<0.3%) detection within 50–150 cycles
CNN, Hardware accelerator, Hardware Trojan, Backdoor attacks, Approximate computing
University of Southampton
Sun, Peiyao
e517faec-75c2-43e4-a45e-90f47e80d195
June 2025
Sun, Peiyao
e517faec-75c2-43e4-a45e-90f47e80d195
Kazmierski, Tomasz
a97d7958-40c3-413f-924d-84545216092a
Halak, Basel
8221f839-0dfd-4f81-9865-37def5f79f33
Sun, Peiyao
(2025)
Robust and hardware efficient hardware accelerator design for convolutional neural networks.
University of Southampton, Doctoral Thesis, 161pp.
Record type:
Thesis
(Doctoral)
Abstract
This thesis investigates the integration of approximate computing (AC) techniques into CNN hardware accelerators while addressing security vulnerabilities associated with hardware Trojans (HTs) and backdoor attacks. A comprehensive literature review highlights the need to mitigate these threats, as backdoors attacks can subtly alter classifications, and HTs can cause targeted errors. Meanwhile, the increasing computational demands of CNNs and the limited processing capabilities of embedded devices necessitate lightweight CNN hardware accelerators. AC has emerged as a key approach to enhancing efficiency. However, a major research gap exists in the lack of methodologies for efficiently designing AC-based CNN accelerators and implementing measurements against HTs and backdoor attacks.
To bridge this gap, this thesis proposes three methods: Error Matrix-based Error Injection (EMEI), Shuffle and Substitute Defence Mechanism (SSDM), and a selective protection scheme for important processing elements (PEs). EMEI enables fast selection of approximate multipliers for each PE in CNNs, optimising hardware efficiency while maintaining classification accuracy, with a predicted-to-actual accuracy difference of less than 3% on MobileNetV2 using CIFAR-10 and GTSRB. SSDM disrupts HT and backdoor activation through pixel-level shuffling, substitution, and bit-level weight shuffling, reducing activation rates of position-specific, value-specific, pattern-specific, and sequence-specific triggered HTs to below 2%, while detecting neuron-specific HTs within 45 images. Stable patch-based backdoor attack activation rates drop below 5%, while random patch-based and warping-based backdoor attack rates fall below 30%, with additional overhead of less than 0.1%. The selective protection scheme identifies and secures vulnerable PEs. Additionally, two runtime detection methods are introduced: Selective Hardware Redundancy (SHR), which reacts to HT-induced errors within one cycle with <10% overhead, and Selective Hardware and Time Redundancy (SHTR), offering low-overhead (<0.3%) detection within 50–150 cycles
Text
Final_thesis_submit_version_a_3u
- Version of Record
Restricted to Repository staff only until 24 June 2026.
Text
Final-thesis-submission-Examination-Mr-Peiyao-Sun
Restricted to Repository staff only
More information
Published date: June 2025
Keywords:
CNN, Hardware accelerator, Hardware Trojan, Backdoor attacks, Approximate computing
Identifiers
Local EPrints ID: 503054
URI: http://eprints.soton.ac.uk/id/eprint/503054
PURE UUID: c01a4540-c122-4fcf-9be0-245023d100e0
Catalogue record
Date deposited: 18 Jul 2025 16:32
Last modified: 11 Sep 2025 03:13
Export record
Contributors
Author:
Peiyao Sun
Thesis advisor:
Tomasz Kazmierski
Thesis advisor:
Basel Halak
Download statistics
Downloads from ePrints over the past year. Other digital versions may also be available to download e.g. from the publisher's website.
View more statistics