Investigation on the Impact of Practical Fault Model for Commercial Edge Machine Learning Devices
摘要
Fault Injection Attacks (FIAs) are well-studied in information security and have proven capable of breaking even highly secure cryptographic implementations. However, their application to other targets, such as edge machine learning (ML) systems on commercial devices, has not received much attention. Edge ML, where pretrained models are deployed on resource-constrained embedded devices for Internet-of-Things (IoT) and critical infrastructure applications, presents new security challenges. Recent work demonstrated practical electromagnetic (EM) pulse-based FIA on a commercial edge ML device (Intel Neural Compute Stick 2), achieving misclassification by inducing faults in a small, toy Convolutional Neural Network (CNN) model. To our knowledge, there is no other work that targets explicitly a commercial edge ML product using Laser or EM FIAs. In this work, we extend this investigation by evaluating the applicability and generalizability of these fault models across a range of publicly available, more complex neural network architectures. By observing and mapping practical fault behaviors, we validate the fault models across different types of layers and analyze their overall impact on neural network accuracy. Our experiments reveal that faults injected at the Fully-Connected layer can cause an average 80.7% reduction in classification accuracy, highlighting the significant security risks FIA poses to real-world edge ML deployments.