Neuromorphic architectures are widely used in many applications for advanced data processing, and often implement proprietary algorithms. In this work, we prevent an attacker with physical access from learning the proprietary algorithm implemented by the neuromorphic hardware. For this purpose, we leverage the obsolescence effect in memristors to judiciously reduce the accuracy of outputs for any unauthorized user. For a legitimate user, we regulate the obsolescence effect, thereby controlling the accuracy of outputs. We also analyze the security vs. cost trade-offs for different applications. Our methodology is compatible with mainstream classification applications, memristor devices, and security and performance constraints.
1 INTRODUCTION
1.1 Motivation
On one hand, machine learning has been widely used in data processing to help users understand the underlying properties of the data [1]. As a popular type of machine learning model, a neural network processes input data by multiplying them with layers of weighted connections. Many embedded hardware engines, including FPGAs and System-on-Chip (SoC) designs, have been developed to implement neural networks with high speed and efficiency, e.g., Qualcomm's cognitive computing platform [17].
On the other hand, the memristor has been discovered as a device whose resistance depends on the history of the voltage applied across it. The similarity between the programmable resistance state of memristors and the variable weight connections in neural networks simplifies the circuit realization of a neural network. The compact structure, high energy efficiency, and low power consumption of memristor-based learning systems greatly improve the data scale and computation capacity of learning applications in embedded systems [4].
Running learning models on an embedded device, though advantageous because of reduced processing times and high energy efficiency, introduces security challenges. The learning model is exposed to the risk of being attacked by malicious users who have physical access to the device. Consider the following scenario: a drone carries an image processing system that is used for its navigation and guidance. This system implements the proprietary learning algorithms on a memristor-based neuromorphic computing system (MNCS). If the drone is captured by an unauthorized third party, say, an attacker, he/she may apply inputs to the system, observe the outputs, and "learn" the proprietary algorithm implemented by the system [18]. Consequently, they can design a pirated system.
1.2 This work
In this paper, we demonstrate how an attacker can learn and replicate the proprietary algorithm. Our analysis is independent of the learning model (e.g., support vector machine (SVM), random forest, K-nearest neighbors). We then propose a secure MNCS design to thwart such replication attacks by leveraging the memristor's obsolescence effect. A naïve implementation of this idea incurs a performance overhead. Hence, we develop device- and circuit-level techniques to balance security and performance overhead. Experimental results show that our design provides better usability as well as resilience to replication attacks on the MNCS, without increasing the calibration overhead.
2 PRELIMINARY
2.1 Memristors
The resistance of a memristor can be programmed by applying appropriate current or voltage pulses. Figure 1 (a) depicts the programming behavior of a metal oxide memristor: With proper combinations of programming voltage amplitude and duration, the resistance of the memristor can be programmed to an arbitrary state between the low resistance state (LRS) and the high resistance state (HRS). The resistance of a memristor can be read (sensed) by a small current or voltage pulse. However, for most types of memristors, even a small read signal can disturb the resistance of the memristor, since the only difference between the read and write operations is the amplitude and/or the duration of the applied signal.
2.2 Obsolescence effect in memristors
The resistance of a memristor gradually changes on applying voltage pulses, eventually leading to either the ON state or the OFF state. We call this the obsolescence effect of a memristor, as the original resistance value "vanishes" on applying a voltage pulse. The obsolescence effect happens because of two phenomena: 1) the intrinsic retention property of the device [3] and 2) the read-induced change in resistance. The first type of resistance change is hard to control since it is related to the material relaxation mechanism. The read-induced change is depicted in Figure 1(b). A memristor is constantly stimulated by short minor voltage pulses, and its resistance change (reflected by the sensed current) is recorded for every input pulse. This experiment is designed to mimic the impact of the small sensing signal applied to the memristor during read operations. It shows that the resistance of the memristor keeps increasing with stimulation. Therefore, the obsolescence rate (i.e., the rate of change of its resistance) can be controlled by choosing the amplitude and duration of the sensing current/voltage. In general, the resistance (or conductance) change of a memristor is a continuous process that can be described as:
$\Delta R = f(v, t).$ (1)
Here, $\Delta R$ is the resistance change; $v$ and $t$ are the sensing voltage and the operation time of the memristor, respectively.
2.3 Memristor-based Neuromorphic Computing System (MNCS)
In this paper, we define a neuromorphic computing system as hardware specifically designed to accelerate neural networks or machine learning algorithms. We also constrain our research object to supervised learning systems. Several such systems have been proposed by different research groups: as two major examples, IBM recently released their SRAM-based neural chip, namely TrueNorth [6], and Micron demonstrated the Automata Processor [7] based on CMOS technology. Figure 2(a) depicts a conceptual overview of a neural network that can be directly mapped onto an MNCS. Here, two layers of neurons are fully connected by one layer of synapses. The output neurons collect the information from the input neurons through a network of synaptic connections and process it with a transfer function. The synapses multiply the signal transferred on them with different synaptic weights. In general, the relationship between the input vector $x$ and the output vector $y$ can be described by [8]:
$y_n = f(x_m \cdot W_{m \times n}).$ (2)
Here, the connection weight matrix $W_{m \times n}$ denotes the synaptic strengths between the two layers of neurons; $n$ and $m$ denote the numbers of neurons in the current layer and the previous layer, respectively. The matrix-vector multiplication in Eq. (2) is one of the fundamental operations in neural network and machine learning algorithms. Due to the structural similarity, memristor crossbars are time-efficient platforms for executing such matrix-vector multiplications [9].
The operation defined by Eq. (2) is the feedforward "evaluating" operation of a traditional neural network. As shown in Figure 2(b), during the evaluating process of an MNCS, $x$ is represented as a vector of voltage signals applied to the word-lines (WLs) of the memristor crossbar while the bit-lines (BLs) are grounded. The current sensed at the bottom of each BL is converted to the output voltage vector $y$ by a specially designed sensing circuit. Here the sensing circuit can be a CMOS analog module or a memristive device carrying the necessary transformation function. The matrix $W_{m \times n}$ is often implemented by two memristor crossbars, which represent the positive and negative elements of $W_{m \times n}$, respectively.
"Training" on this system denotes the process of programming the memristors to the conductance states representing $W_{m \times n}$. Open-loop and closed-loop are the two major training schemes. The former directly applies a programming pulse to the targeted memristor. The latter updates $W_{m \times n}$ iteratively based on the discrepancy between the generated and the expected outputs.
3 THWARTING LEARNING ATTACKS
3.1 Target system
An MNCS contains the following two pieces of proprietary information:
• Training data denotes the sample set used for training the MNCS. Each sample normally contains a vector of features and a label. The feature vector serves as the input of the learning model, and the label describes a property.
• Learning model denotes the model that has been trained for the proprietary application using the training data. It includes two parts: 1) the model info, i.e., the type (e.g., Hopfield or Naïve Bayes models) and the topology, and 2) the model parameters, e.g., the weight on each synapse. Without loss of generality, we assume the function of the original learning model $g_{w,x}$ is data classification, which can be described as:
Here, $w$ is the vector of parameters of the original model and $x$ is the input vector of features. $y_i$ is the $i$-th target class that a sample can be assigned to. The probability function $p(y = y_i \mid w, x)$ is defined by the structure of the original model, e.g., a neural network. After the training completes, the original model $g_{w,x}$ is ready to classify new evaluating data. Figure 3 shows a conceptual view of the embedded system under consideration and its usage model. A proprietary (classification) algorithm is running on the hardware, e.g., an MNCS. The model is first trained for an application, and then the drone can submit the collected data for processing (evaluating), e.g., pattern recognition or classification.
3.2 Threat model
We assume that the attacker has the following capabilities:
• The attacker can apply inputs, e.g., images, body data from patients, fingerprints, to the originally trained model and obtain the corresponding outputs without any constraints, i.e., being granted the same privilege as a normal user or being able to physically access the device;
• The attacker does not have access to the original training set;
• The attacker has no knowledge of the parameters of the original model;
• The attacker can reverse engineer the system to understand its hardware implementation.
The objective of the attacker is to replicate the function of the original model $g_{w,x}$ by constructing a new model $h_{w',x}$ such that $h_{w',x} = g_{w,x}$. To achieve this goal, an attacker can perform the following attacks:
i) Eavesdropping attack. An attacker can listen to the communication channel to obtain the training set. This attack is not possible, because the training set is encrypted before being sent across the channel, as stated in Step 3 of the protocol.
ii) Spoofing attack. An attacker can impersonate a drone and request the training set from the base station. This attack is not possible, because the base station authenticates the drone before sending the training set.
iii) Probing attack. An attacker can probe the memristors and try to learn the stored weights [15]. Since he already has the structure of the MNCS through reverse engineering, with the weights he could replicate the proprietary algorithm. This attack is not possible, because memristors are highly dense and can be compactly stacked in a 3D structure, making them difficult to probe without physically damaging the neighboring devices. Besides, countermeasures can be used to prevent probing attacks [16].
iv) Chosen-input attack. An attacker can apply inputs of his choice, observe the corresponding outputs, and infer the weights. In this paper, we focus on this attack and thwart it using the obsolescence effect of the memristors in the MNCS.
3.3 Chosen-input attack
Since the attacker does not know the model implemented by the MNCS, an arbitrary model is selected for replication. Besides the original model type (e.g., a neural network), other models (e.g., a support vector machine) can also be used as the replicated model to learn the function of the original model. In addition, it has been shown that, although the selection of the learning model affects replication efficiency and accuracy, it is not necessary to select the same model type as that of the original model [10].
Security metric. The performance of the MNCS is evaluated by its accuracy, which is defined as:
Here the number of true-positives is the number of predictions that match the ground-truth labels. In this paper, we use accuracy as the security metric to quantify the effectiveness of our attack.
To demonstrate the effect of different learning models on accuracy, we use the MNIST dataset as an example [14]. MNIST is a handwritten digit dataset that is widely used in the machine learning field and in various image processing training tasks. The system implements the target application using an SVM model. Other candidate learning models include: SVM, random forest, and K-nearest neighbors. The attacker does not know which of the four learning models is implemented in the system.
As mentioned in Section 3, the attack models take the I/O pairs from our system model as their training data. The SVM model (normal model) trained with the original training labels is also evaluated for comparison. Experimental results can be found in Figure 4. The replicated model based on SVM has a similar rate of increase in accuracy with respect to the number of I/O pairs as the original one. Even if the replication attack uses other learning models, the rate of increase in accuracy with respect to the number of I/O pairs is similar, and their accuracies all approach that of the normal model (90%) after applying 1000 I/O pairs.
This experiment shows that the model replication attack is feasible, and that even if the replication model differs from the original model (SVM, in this case), it can still achieve a good enough accuracy. Thus, the proposed defense mechanism should prevent the attacker from learning the algorithm, irrespective of the underlying learning model.
4 SECURE MNCS DESIGN
4.1 Device level: memristors
While one can use different types of devices such as phase change memories, RRAM, etc., we use memristors because of the following attractive properties:
1. Memristors are highly dense and can be stacked in a 3D structure, which makes physical attacks extremely difficult.
2. Memristors are energy-efficient.
3. Memristors are programmable for online training.
In this paper, we adopt the memristor model from the work of Miao et al. [13] . The memristance can be expressed as:
where is the relative doping front position which ranges from 0 to 1. It can be obtained by solving the differential equation of velocity:
where and corresponding derivative:
4.2 Circuit level
Figure 5 depicts an overview of the MNCS structure. Since the elements in the weight matrix $W$ of a neural network can be either positive or negative but the conductances of memristors can only be positive, we split $W$ into two matrices $A$ and $B$ as:
Here $w_{ij} \in W$ denote the elements in $W$. Matrices $A$ and $B$ are each represented using one memristor crossbar, where the conductance of every memristor is non-negative.
Naïve design - Linear degradation
As such, Eq. (2) is evaluated on the two crossbars. The resistance change $f(v, t)$ of Eq. (1) can be adjusted by choosing $v$ and $t$, whereas the input is target-application specific.
As the conductance of the crossbar changes upon applying an input, the accuracy of the system degrades over time, which means the function of the model implemented by the system is gradually changing. In order to control this property, we propose to apply random voltage pulses to all memristors for each I/O pair, so that the conductance can change linearly and evenly, across all memristors.
In order to guarantee stable, correct outputs for authenticated users, a calibration mechanism must be applied to such a system with the forgetting property. A naïve way to calibrate is to periodically refresh the crossbars to their initial conductance states.
Revised design - Nonlinear degradation
When the accuracy of the MNCS is high, it offers a better service quality to normal users, but also helps the attacker learn the proprietary algorithm, as he can obtain outputs with higher accuracy. Degradation of accuracy prevents an attacker from accurately learning the model, but also reduces the accuracy for a normal user. In order to resolve this dilemma, in this paper we propose to design an MNCS that has a highly nonlinear degradation in accuracy (Figure 6(b)).
Consider a classification application as an example. On applying inputs, the classification accuracy degrades. The rate of degradation is slow initially so as to provide accurate outputs for the authorized user. The degradation then sharply accelerates once the number of test operations exceeds a threshold, to prevent the attacker from replicating the model by obtaining a sufficient number of I/O pairs.
We design the system by manipulating the input voltages applied to the memristor crossbars. In the naïve design, only positive inputs are applied to both memristor crossbars, and the result of the crossbar holding the negative elements is subtracted from the result of the crossbar holding the positive elements in the post-processing logic. In such a design, the conductances of the memristors in both crossbars change in the same direction. In our revised design, see Figure 6, the inverted negative inputs are applied to one of the two crossbars while the inputs to the other are kept positive. The result of the former, hence, needs to be added on top of the result of the latter. The conductances of the memristors in the two crossbars now change in opposite directions, and the weight changing function changes from Eq. (13) to:
The revised design with negative inputs demonstrates a stronger nonlinearity than the naïve design when the number of test operations increases. Hence, we prefer to use the revised design over the naïve design. The comparison results will be shown in Section 5.
5 RESULTS
In this section, we demonstrate the effectiveness of our proposed MNCS design. In the experiments, we choose two benchmarks from the UCI machine learning repository [11], Image Segmentation (Image) and Steel Plates Faults (Faults), one benchmark from Scikit-learn [12], Hand-written digits (Digit), and the popular digit classification dataset MNIST [14]. All the details of the data sets are listed in Table I. These are all representative classification tasks that can be realized on memristor-based devices.
5.1 Linear vs. nonlinear degradation
To provide better usability and increase protection against the replication attack, we compare the naïve design and the revised design. The naïve design has a linear degradation model, leading to slower degradation: an attacker can apply more I/O pairs at higher accuracy and can thus learn the proprietary algorithm. The revised design has a nonlinear degradation model that degrades faster than the linear one. Experimental results of the comparison between the naïve and revised designs are summarized in Figure 7, where the x-axis represents the number of I/O pairs and the y-axis shows the mean square error (MSE) and the error rate, respectively. $o_i$ denotes the final output obtained from the last layer of the network:
error rate = (20)
The y-axis of the figure is in logarithmic scale for better readability. MSE is the absolute difference between target results and classification results, so it has a smooth monotonic curve. The error rate does not necessarily depend linearly on the system degradation, so its curve may contain many inflection points, caused by uncertainty in the real classification task. As we can see from Figure 7, the degradation curve of the revised design is highly nonlinear compared with that of the naïve design. The low error rate region at the beginning provides usability for normal users, and the rapidly increasing portion guarantees the protection of the model. Take Digit as an example. As we can see from Figure 7(a), the error rate of the revised design stays below 20% before 100 I/O pairs are obtained, and it increases to over 70% between 100 and 200 I/O pairs. At the same time, the error rate of the naïve design increases gradually from below 20% to 60% over the whole process without showing significant nonlinearity.
We also quantitatively analyze the nonlinearity using the correlation coefficient:
$x$ denotes the evaluating operations and $y$ denotes the evaluation index, i.e., error rate or MSE. $r \in (0, 1)$, where 1 represents high linearity and 0 represents high nonlinearity. We then define the nonlinearity index as $1 - r$. We take into consideration the part of the curve from the initial error rate up to 60% of its maximum, because that is the part reflecting the change in the first-order derivative. The results are shown in Table II. The nonlinearity index of the revised design is much higher than that of the naïve design: the average increase in degradation rate is 179.93% for MSE and 288.99% for error rate.
5.2 Accuracy of replicated model
In this section, we show the effectiveness of our proposed design in preventing the replication attack. The effectiveness is evaluated by determining the highest accuracy that can be achieved by a replicated model; a lower accuracy means the system has better resilience against the replication attack. Figure 8 summarizes the comparison results, where the x-axis is the number of I/O pairs and the y-axis is the accuracy. The model chosen for replication is the model with the best accuracy, e.g., SVM for Digit and random forest for Faults. Other models include K-nearest neighbors and a feedforward neural network. We compare the accuracy of three systems: the original system without the forgetting property, the system with the naïve design, and the system with the revised design.
In the simulation, we assume the best-case scenario for an attacker: all the I/O pairs chosen by the attacker are the same as those in the original training samples. If there were another set of I/O pairs that could provide the same or better accuracy, the designer would have used it. Hence, this is the best-case scenario for the attacker. We now show that even for these chosen inputs, an attacker cannot obtain the correct outputs due to the obsolescence effect of the system.
During the initial phase, the accuracy of the system after degradation is similar to the one before degradation, because this period belongs to the low error rate region observed in the curves of Figure 7; the degradation rate remains low. The accuracies of the revised and naïve designs then both drop, while the accuracy of the original model increases. The accuracy of the naïve design drops more slowly than that of the revised design. We also observe that the highest accuracy of the revised design is always lower than that of the naïve design. For example, in Figure 8(a), the maximum accuracy of the revised design is 78.5%, compared to a maximum of 85.4% for the naïve design, not to mention the fast decreasing part after the maximum. In a nutshell, the proposed revised design is more resilient to the replication attack.
5.3 Calibration overhead
The cost of every calibration operation can be measured by $\sum_{i,j} |w_{ij} - w'_{ij}|$, which is the summed discrepancy between the changed conductances and the fully trained conductances of the memristors.
Here $\varepsilon$ is the error rate threshold (the system needs calibration when the error rate approaches $\varepsilon$), and $g(\varepsilon)$ is the number of test operations that can be performed while the system is required to keep the error rate below $\varepsilon$. $f_{\mathrm{eval}}$ is the frequency of evaluating operations, and $t_{\mathrm{cal}}(w_{ij} - w'_{ij})$ denotes the unit time needed to calibrate $w'_{ij}$ back to $w_{ij}$.
Our results show that the revised design does not incur a larger calibration cost than the naïve one. This is because the conductance changing speed is almost the same for both designs, as indicated by Eq. (13) and Eq. (14). The calibration cost only depends on the initial weight distribution.
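The nonlinearity index of Section 5.1 and the calibration trigger $g(\varepsilon)$ and per-calibration cost of Section 5.3, computed over two constructed error-rate curves as an added example; this is not the paper's code, and the curve shapes, the threshold value and the sample weight matrices are assumptions chosen for illustration, not measured data.

```python
"""Nonlinearity index (Section 5.1) and calibration metrics (Section 5.3)
evaluated on constructed degradation curves.

Added example, not code from the paper: the curve shapes below are
assumptions chosen to resemble a linear (naive) and a sharply nonlinear
(revised) degradation, not measured data."""
import math


def pearson_r(xs, ys):
    """Pearson correlation coefficient r between two equal-length series."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0.0 or syy == 0.0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def nonlinearity_index(ops, err, fraction=0.6):
    """1 - r over the part of the curve from the initial error rate up to
    `fraction` of its maximum (60% in the paper), the region that reflects
    the change in the first-order derivative.  Curves are assumed to be
    non-decreasing, so that region is the prefix at or below the cutoff."""
    cutoff = fraction * max(err)
    k = 0
    while k < len(err) and err[k] <= cutoff:
        k += 1
    return 1.0 - pearson_r(ops[:k], err[:k])


def g_eps(ops, err, eps):
    """g(eps): number of evaluating operations the system can serve while
    the error rate stays below the calibration threshold eps."""
    served = 0
    for o, e in zip(ops, err):
        if e >= eps:
            break
        served = o
    return served


def calibration_cost(w_trained, w_drifted):
    """Sum over i,j of |w_ij - w_ij'|: summed discrepancy between the fully
    trained conductances and the drifted ones at calibration time."""
    return sum(abs(a - b) for ra, rb in zip(w_trained, w_drifted)
               for a, b in zip(ra, rb))


# Constructed curves: error rate after k evaluating operations, k = 0..300.
OPS = list(range(0, 301, 5))
NAIVE_ERR = [0.1 + 0.5 * k / 300.0 for k in OPS]                 # linear
REVISED_ERR = [0.1 + 0.7 / (1.0 + math.exp(-(k - 150) / 15.0))   # logistic
               for k in OPS]


def compare_designs(eps=0.3):
    """Return {design: (nonlinearity index, g(eps))} for both curves."""
    return {
        "naive": (nonlinearity_index(OPS, NAIVE_ERR), g_eps(OPS, NAIVE_ERR, eps)),
        "revised": (nonlinearity_index(OPS, REVISED_ERR), g_eps(OPS, REVISED_ERR, eps)),
    }


if __name__ == "__main__":
    for name, (idx, g) in compare_designs().items():
        print(f"{name:8s} nonlinearity index = {idx:.3f}, g(0.3) = {g} ops")
```

The linear curve yields an index of 0 and the logistic curve a clearly positive one, and a lower $g(\varepsilon)$ for the revised curve shows the earlier calibration point that the sharper knee implies.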
6 CONCLUSION
In this paper, we propose a design for a memristor-based neuromorphic computing system that prevents attackers from learning the function of the model behind the system. We propose a cross-layer approach, at the device and circuit levels, to thwart this attack. Experimental results show that our design provides better usability as well as security against the replication attack. Compared to the naïve design, the revised design has a higher nonlinearity index: a 179.93% increase on MSE and 288.99% on error rate.
