Defensive Approximation: Securing CNNs using Approximate Computing

Published in ASPLOS, 2021


Key Idea

Approximate computing is not just a constraint — it can be used as a security primitive to disrupt adversarial attacks.


Motivation: Why Are Neural Networks Vulnerable?

Adversarial attacks exploit the deterministic and precise nature of neural network computations.
Small, carefully crafted perturbations propagate consistently through layers, enabling reliable attack transferability across models and settings.

Deterministic computations enable adversarial perturbations to propagate consistently


Insight: Approximation Disrupts Adversarial Consistency

Approximate computing introduces input-dependent, non-deterministic perturbations inside neural computations.
These perturbations break the precise propagation patterns that adversarial attacks rely on, reducing their effectiveness and transferability.

Approximate computation injects noise that disrupts adversarial propagation


Method: Defensive Approximation (DA)

We propose Defensive Approximation (DA), a hardware-level defense that integrates approximate computing directly into CNN operations.

Instead of modifying training or preprocessing inputs, DA:

  • replaces exact multipliers with approximate arithmetic units
  • injects data-dependent perturbations during computation
  • disrupts adversarial signal propagation across layers

This enables robustness without retraining or architectural changes, while simultaneously improving efficiency.

DA integrates approximate multipliers into CNN computations to inject controlled noise


Positioning

Unlike traditional defenses that operate in input space (preprocessing) or model space (training), DA operates at the hardware level, directly modifying the computation itself.

This reframes approximate computing from a performance optimization tool into a robustness and security mechanism, bridging hardware design and adversarial machine learning.


Abstract

Adversarial attacks pose a serious threat to machine learning systems deployed in safety- and security-critical domains.
We propose Defensive Approximation (DA), a novel defense mechanism that leverages approximate computing at the hardware level to improve the robustness of convolutional neural networks (CNNs) against adversarial attacks.

By replacing exact floating-point multipliers with aggressively approximate ones, DA introduces input-dependent perturbations throughout the computation pipeline, disrupting adversarial signal propagation and reducing attack transferability in gray-box, black-box, and even white-box settings.

Importantly, this robustness is achieved without retraining, while also reducing energy consumption and latency.

Extensive experiments on MNIST and CIFAR-10 demonstrate robustness improvements of up to 99% against strong transferability-based attacks, along with up to 50% energy savings.


Key Contributions

  • We show that approximate computing can act as a security primitive against adversarial attacks.
  • We introduce Defensive Approximation (DA), a hardware-level defense integrated into CNN computations.
  • We demonstrate strong robustness across white-box, black-box, and transfer-based attacks.
  • We achieve robustness without retraining or architectural modification.
  • We provide simultaneous gains in energy efficiency and latency reduction.

Mechanism: How DA Improves Robustness

DA injects controlled perturbations into intermediate computations, disrupting the alignment and propagation of adversarial signals across layers.

Approximation disrupts adversarial signal propagation across layers


Results: Robustness Meets Efficiency

DA achieves strong adversarial robustness while improving system efficiency:

  • Up to 99% reduction in attack success rate
  • Robustness across multiple threat models
  • Up to 50% energy savings
  • Minimal impact on clean accuracy

DA improves robustness while reducing energy and latency


Impact and Research Directions

This work established a new perspective on robustness at the intersection of hardware and machine learning, enabling:

  • Robustness in quantized and approximate neural networks
  • Hardware–software co-design for AI security
  • Transferability disruption via non-deterministic computation

Citation

@inproceedings{guesmi2021defensive,
  title={Defensive approximation: securing cnns using approximate computing},
  author={Guesmi, Amira and Alouani, Ihsen and Khasawneh, Khaled N and Baklouti, Mouna and Frikha, Tarek and Abid, Mohamed and Abu-Ghazaleh, Nael},
  booktitle={Proceedings of the 26th ACM international conference on architectural support for programming languages and operating systems},
  pages={990--1003},
  year={2021}
}