Defensive Approximation: Securing CNNs using Approximate Computing
Published in ASPLOS, 2021
Links
- Paper: Link
Key Idea
Approximate computing is not just a constraint — it can be used as a security primitive to disrupt adversarial attacks.
Motivation: Why Are Neural Networks Vulnerable?
Adversarial attacks exploit the deterministic and precise nature of neural network computations.
Small, carefully crafted perturbations propagate consistently through layers, enabling reliable attack transferability across models and settings.

Insight: Approximation Disrupts Adversarial Consistency
Approximate computing introduces input-dependent, non-deterministic perturbations inside neural computations.
These perturbations break the precise propagation patterns that adversarial attacks rely on, reducing their effectiveness and transferability.

Method: Defensive Approximation (DA)
We propose Defensive Approximation (DA), a hardware-level defense that integrates approximate computing directly into CNN operations.
Instead of modifying training or preprocessing inputs, DA:
- replaces exact multipliers with approximate arithmetic units
- injects data-dependent perturbations during computation
- disrupts adversarial signal propagation across layers
This enables robustness without retraining or architectural changes, while simultaneously improving efficiency.

Positioning
Unlike traditional defenses that operate in input space (preprocessing) or model space (training), DA operates at the hardware level, directly modifying the computation itself.
This reframes approximate computing from a performance optimization tool into a robustness and security mechanism, bridging hardware design and adversarial machine learning.
Abstract
Adversarial attacks pose a serious threat to machine learning systems deployed in safety- and security-critical domains.
We propose Defensive Approximation (DA), a novel defense mechanism that leverages approximate computing at the hardware level to improve the robustness of convolutional neural networks (CNNs) against adversarial attacks.
By replacing exact floating-point multipliers with aggressively approximate ones, DA introduces input-dependent perturbations throughout the computation pipeline, disrupting adversarial signal propagation and reducing attack transferability in gray-box, black-box, and even white-box settings.
Importantly, this robustness is achieved without retraining, while also reducing energy consumption and latency.
Extensive experiments on MNIST and CIFAR-10 demonstrate robustness improvements of up to 99% against strong transferability-based attacks, along with up to 50% energy savings.
Key Contributions
- We show that approximate computing can act as a security primitive against adversarial attacks.
- We introduce Defensive Approximation (DA), a hardware-level defense integrated into CNN computations.
- We demonstrate strong robustness across white-box, black-box, and transfer-based attacks.
- We achieve robustness without retraining or architectural modification.
- We provide simultaneous gains in energy efficiency and latency reduction.
Mechanism: How DA Improves Robustness
DA injects controlled perturbations into intermediate computations, disrupting the alignment and propagation of adversarial signals across layers.

Results: Robustness Meets Efficiency
DA achieves strong adversarial robustness while improving system efficiency:
- Up to 99% reduction in attack success rate
- Robustness across multiple threat models
- Up to 50% energy savings
- Minimal impact on clean accuracy

Impact and Research Directions
This work established a new perspective on robustness at the intersection of hardware and machine learning, enabling:
- Robustness in quantized and approximate neural networks
- Hardware–software co-design for AI security
- Transferability disruption via non-deterministic computation
Citation
@inproceedings{guesmi2021defensive,
title={Defensive approximation: securing cnns using approximate computing},
author={Guesmi, Amira and Alouani, Ihsen and Khasawneh, Khaled N and Baklouti, Mouna and Frikha, Tarek and Abid, Mohamed and Abu-Ghazaleh, Nael},
booktitle={Proceedings of the 26th ACM international conference on architectural support for programming languages and operating systems},
pages={990--1003},
year={2021}
}