Modern smart surveillance systems can not only record the monitored environment but also identify targeted objects and detect anomalous activities. These advanced functions are often facilitated by deep neural networks, achieving very high accuracy and large data-processing throughput. However, an inappropriate design of the neural network may expose such smart systems to the risk of leaking the target being searched for, or even the adopted learning model itself, to attackers. In this talk, we present the security challenges in the design of smart surveillance systems. We also discuss some possible solutions that leverage the unique properties of emerging nano-devices, including the incurred design and performance cost and the optimization methods for minimizing these overheads.
INTRODUCTION
Cyber-physical systems (CPSs) are envisioned to incorporate learning capabilities to make them intelligent, offering better service quality, accessibility, and controllability. Given the rapidly growing computing capacity of mobile and embedded devices, a significant part of the data-processing capability is expected to move from a centralized server to end-point devices, for a lower communication bandwidth requirement, faster response time, and less total power consumption [2].
These end-point devices often handle sensitive information and are susceptible to different types of attacks, ranging from snooping to tampering to side-channel analysis. Furthermore, these embedded devices implement proprietary algorithms that can be reverse engineered by an attacker. One particular example is the smart surveillance system. Consider the following scenario: assume a surveillance system embedded with an anomaly detector. This detector is built from a state-of-the-art classifier, e.g., a deep neural network, which takes captured frames as inputs and outputs a detection result. The surveillance system is then exposed to learning attacks: once attackers obtain the system, they can feed it pseudo inputs, record the outputs, and learn a replicated model from these input/output pairs. In other words, the model behind the surveillance system is stolen. While classical security (i.e., mathematical or algorithmic) has created elegant security primitives and protocols, unfortunately most of these modern security primitives are not only slow but also consume significant amounts of energy.
Meanwhile, many embedded hardware engines for learning applications have been developed on various platforms, including the recently emerging memristor circuits [16]. In particular, the similarity between the programmable resistance state of memristors and the variable synaptic strengths of biological synapses dramatically simplifies the structure of neural network circuits [13]. The compact structure, high efficiency, and low power consumption of memristor-based learning systems can greatly promote the scale and capability of learning applications in end-point devices [13].
In this paper, we propose to leverage the emerging memristor to build a secure system, focusing on the aforementioned learning attacks. We also study the influence of different configurations and techniques that could lower the overhead of calibration and increase performance, including a comparison of activation functions and cost functions, and critical weights detection.
The remainder of the paper is organized as follows: In Section 2, we briefly introduce the memristor, its obsolescence effect, and the basis of memristor-based learning systems (MBLS). The application of surveillance systems and the accompanying security issues are explained in Section 3. In Section 4, we propose a memristor-based solution, as well as studies on activation function comparison and the critical weights technique. In Section 5, several classification datasets are experimented on for system degradation. Section 6 concludes the paper.
Figure 1: Conceptual view of metal-oxide memristor [18].
Figure 2: Memristor obsolescence effect under sensing pulses [3].
PRELIMINARY

Memristors
Predicted by Prof. Leon Chua [4], the memristor is the 4th fundamental circuit element, defining the relation between magnetic flux (φ) and electric charge (q) as dφ = M dq. The resistance (memristance) state of a memristor can be programmed by applying a current or voltage [5]. In 2008, HP Labs first reported their discovery of a nanoscale memristor based on TiO2 thin-film devices [17]. Figure 1 depicts an ion-migration filament model of HfOx memristors [18]. An HfOx layer is sandwiched between two metal electrodes. During the reset process, the memristor switches from the low resistance state (LRS) to the high resistance state (HRS): oxygen ions migrate from the electrode/oxide interface and recombine with the oxygen vacancies, so that a partially ruptured conductive filament region with high resistance per unit length (R_off) and a conductive filament region with low resistance per unit length (R_on) are formed. During the set process, the memristor switches from HRS to LRS as the ruptured conductive filament region shrinks. The resistance of many types of memristors can be programmed to an arbitrary value (e.g., multi-level states) by applying a current or voltage with the proper pulse width or magnitude. In many cases, the memristor resistance changes only when the applied voltage is above a threshold, e.g., V_wrth.
Obsolescence effect of memristors
The obsolescence effect of a memristor denotes the fact that the resistance of the device gradually changes after being programmed. This obsolescence effect has two major contributors: 1) the intrinsic retention property of the device [3], and 2) the read-induced change in resistance. The retention property denotes that the resistance of a programmed memristor continuously shifts toward a high resistance state without any applied voltage. This type of resistance change is hard to control since it is related to the material's relaxation mechanism. The read-induced change is depicted in Figure 2, where a memristor is constantly stimulated by short, minor voltage pulses and its resistance change (reflected by the sensed current) is recorded every second. This experiment mimics the impact of the small sensing signal applied to the memristor during read operations. It shows that the memristor resistance keeps increasing with stimulation. Therefore, the obsolescence rate (i.e., the rate of change of its resistance) can be controlled by choosing the amplitude and duration of the sensing current/voltage. In general, the resistance change of a memristor in memristor-based hardware is a continuous process that can be described as ΔR = f(v, t), where v and t are the sensing voltage and the operation time of the memristor-based hardware, respectively.
Figure 3: (a) Conceptual overview of a neural network [8]. (b) Computing core in a memristor-based learning system [11].
Memristor-based learning systems
We define a learning system as hardware specifically designed to accelerate neural network or machine learning algorithms. Figure 3(a) depicts a conceptual overview of a neural network that can be directly mapped onto a learning system. Here two layers of neurons are fully connected by one layer of synapses. The output neurons collect the information from the input neurons through a network of weighted synaptic connections and process it with an activation function. In general, the relationship between the input vector x and the output vector y can be described by [6]: y_n = f(x_m · W_{m×n}), where the connection weight matrix W_{m×n} denotes the synaptic strengths between the two layers of neurons. Figure 3(b) shows a memristor crossbar structure, which consists of two sets of nanowires running perpendicular to one another [14]. A memristor is sandwiched between two nanowires at each crosspoint. Because of this structural similarity, the memristor crossbar can efficiently execute matrix-vector multiplications [11]. For a multi-layer neural network, several memristor crossbars can be connected to match the network topology [10].
In "Testing" operations of a memristor-based learning system, x is represented as a vector of voltage signals applied to the word-lines (WLs) of the memristor crossbar while the bit-lines (BLs) are grounded. The current sensed at the bottom of each bit-line is converted to the output voltage vector y by a sensing circuit. In a real implementation, the matrix W_{m×n} is often implemented by two memristor crossbars, which represent the positive and negative elements of W_{m×n}, respectively. In "Training" operations, the resistance states of the memristors are programmed to represent W_{m×n}, while the values of the states are trained off-line.
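The following is an added example (not code from the paper) that models the two mechanisms just described in one place: the mapping of a weight matrix W onto a positive and a negative memristor crossbar, the "Testing" read y = f(x · W) computed from bit-line currents, and the read-induced obsolescence ΔR = f(v, t) that ages every stimulated cell on each read. The drift law (ΔR proportional to sensing amplitude, pulse duration and the present resistance), the device numbers R_ON, R_OFF, T_READ and K_DRIFT, the demo matrix W_DEMO and the input X_DEMO are all assumptions made for this example.

```python
"""Memristor crossbar with read-induced obsolescence (added example, not from the paper).

Weights are stored as conductances on two crossbars (positive and negative parts of W).
Each read applies x_i * v_read to word-line i with the bit-lines grounded, sums the
currents per bit-line, rescales the differential current to weight units and applies
the activation. Every read then ages the cells on the stimulated word-lines.
"""
import math

R_ON = 1.0e3     # low resistance state, ohm (assumed)
R_OFF = 1.0e5    # high resistance state, ohm (assumed)
T_READ = 1.0e-6  # duration of one sensing pulse, s (assumed)
K_DRIFT = 1.0e5  # fractional resistance increase per volt-second of sensing (assumed)
G_ON, G_OFF = 1.0 / R_ON, 1.0 / R_OFF


def weight_to_resistances(w, w_max):
    """Store |w| as a conductance on the crossbar matching its sign; the other cell stays at R_OFF."""
    g = G_OFF + (G_ON - G_OFF) * min(abs(w), w_max) / w_max
    return (1.0 / g, R_OFF) if w >= 0 else (R_OFF, 1.0 / g)


def map_weights(W, w_max):
    """'Training' step: program both resistance matrices from the off-line trained W."""
    Rp = [[0.0] * len(W[0]) for _ in W]
    Rn = [[0.0] * len(W[0]) for _ in W]
    for i, row in enumerate(W):
        for j, w in enumerate(row):
            Rp[i][j], Rn[i][j] = weight_to_resistances(w, w_max)
    return Rp, Rn


def apply_drift(R, x, v_read):
    """Read-induced obsolescence: cells on a stimulated word-line gain resistance, capped at R_OFF.
    Assumed law: dR = K_DRIFT * |v| * T_READ * R, with |v| the amplitude on that word-line."""
    for i, xi in enumerate(x):
        growth = 1.0 + K_DRIFT * abs(xi) * v_read * T_READ
        R[i] = [min(R_OFF, r * growth) for r in R[i]]


def crossbar_read(x, Rp, Rn, w_max, v_read, f=math.tanh):
    """'Testing' step: bit-line j collects I_j = sum_i V_i / R_ij on each crossbar; the differential
    current is rescaled to weight units and passed through f. The read then ages every cell."""
    scale = w_max / ((G_ON - G_OFF) * v_read)
    y = []
    for j in range(len(Rp[0])):
        i_pos = sum(x[i] * v_read / Rp[i][j] for i in range(len(x)))
        i_neg = sum(x[i] * v_read / Rn[i][j] for i in range(len(x)))
        y.append(f((i_pos - i_neg) * scale))
    apply_drift(Rp, x, v_read)
    apply_drift(Rn, x, v_read)
    return y


def degradation_curve(W, x, n_reads, v_read, w_max=1.0):
    """Max |y_crossbar - y_ideal| after each of n_reads reads of the same input x."""
    Rp, Rn = map_weights(W, w_max)
    ideal = [math.tanh(sum(x[i] * W[i][j] for i in range(len(x)))) for j in range(len(W[0]))]
    errors = []
    for _ in range(n_reads):
        y = crossbar_read(x, Rp, Rn, w_max, v_read)
        errors.append(max(abs(a - b) for a, b in zip(y, ideal)))
    return errors


# Constructed 3x2 weight matrix and input vector used by the demo
W_DEMO = [[0.8, -0.4], [0.2, 0.6], [-0.5, 0.3]]
X_DEMO = [1.0, 0.5, -0.5]

if __name__ == "__main__":
    for v in (0.1, 0.2):
        curve = degradation_curve(W_DEMO, X_DEMO, 200, v)
        print(f"v_read={v} V: error after 1/50/200 reads = "
              f"{curve[0]:.1e} / {curve[49]:.3f} / {curve[199]:.3f}")
```

The first read reproduces f(x · W) to floating-point precision; repeated reads of the same input pull every programmed conductance toward G_OFF, so the output drifts away from the ideal value, and doubling the sensing voltage makes the error grow faster, which is the knob the text describes for controlling the obsolescence rate.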
PROBLEM FORMULATION
Application of Surveillance System: Anomaly Detector
A typical video anomaly detector consists of two unsu-
nificantly. In this case, we can also change the obsolescence speed of the memristor for better security, i.e., a better error increase curve. The comparison result of the sum of weight changes can be found in Table 2.
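As an added example (not the paper's code or experiment), the block below abstracts the crossbar to the weight level and plays out the scenario from the introduction from the defender's side: every query, whoever issues it, stimulates the word-lines and ages the stored weights, so the classifier an attacker could observe through its outputs degrades with the number of queries, while the owner can recalibrate. It also computes the "sum of weight changes" style cost that a calibration incurs, ranking cells by a criticality score (expected logit shift) and reporting cost and accuracy for each number of reprogrammed cells. The classifier W_REF, the grid dataset, the drift rate, the per-cell device-variation multipliers DEVICE_VAR and the criticality score are all constructed assumptions of this example, not the paper's method.

```python
"""Query-driven weight degradation and calibration cost (added example, not from the paper).

A weight decays toward zero at a rate proportional to the amplitude applied to its
word-line on each query (read-induced obsolescence abstracted to the weight level).
Calibration reprograms cells back to their reference values.
"""

# Reference logistic classifier: class 1 iff w1*x1 + w2*x2 + b > 0  (constructed)
W_REF = [1.0, 1.0, -0.95]          # [w1, w2, bias]; the bias row sees a constant input of 1
DRIFT_RATE = 0.01                   # fractional decay per query at unit amplitude (assumed)
DEVICE_VAR = [1.0, 0.4, 1.0]        # per-cell drift multipliers modelling device variation (constructed)


def logit(w, x):
    return w[0] * x[0] + w[1] * x[1] + w[2]


def predict(w, x):
    return 1 if logit(w, x) > 0 else 0


def accuracy(w, data):
    return sum(predict(w, (x1, x2)) == y for x1, x2, y in data) / len(data)


def make_dataset():
    """9x9 grid on (0,1)^2 labelled by the reference classifier itself, so the clean model is 100% accurate."""
    pts = [(i / 10, j / 10) for i in range(1, 10) for j in range(1, 10)]
    return [(x1, x2, predict(W_REF, (x1, x2))) for x1, x2 in pts]


def query(w, x):
    """One inference on the device: answer, then let every cell drift in place.
    Word-line amplitude is |x_i| for the feature rows and 1 for the bias row."""
    y = predict(w, x)
    amps = (abs(x[0]), abs(x[1]), 1.0)
    for i in range(3):
        w[i] *= 1.0 - DRIFT_RATE * DEVICE_VAR[i] * amps[i]
    return y


def degrade(w_ref, data, passes):
    """Serve the whole dataset `passes` times and return the drifted weights."""
    w = list(w_ref)
    for _ in range(passes):
        for x1, x2, _y in data:
            query(w, (x1, x2))
    return w


def criticality(w_ref, w_drift, data):
    """Rank cells by expected |logit shift| = |dw_i| * mean row amplitude, most critical first."""
    mean_amp = [sum(abs(d[0]) for d in data) / len(data),
                sum(abs(d[1]) for d in data) / len(data), 1.0]
    scores = [(abs(w_ref[i] - w_drift[i]) * mean_amp[i], i) for i in range(3)]
    return [i for _, i in sorted(scores, reverse=True)]


def calibration_curve(w_ref, w_drift, data):
    """Restore cells in criticality order; report (cells reprogrammed, sum |dw| written, accuracy)."""
    w = list(w_drift)
    curve = [(0, 0.0, accuracy(w, data))]
    cost = 0.0
    for k, i in enumerate(criticality(w_ref, w_drift, data), start=1):
        cost += abs(w_ref[i] - w[i])
        w[i] = w_ref[i]
        curve.append((k, cost, accuracy(w, data)))
    return curve


if __name__ == "__main__":
    data = make_dataset()
    w_drift = degrade(W_REF, data, passes=2)
    print("clean accuracy:", accuracy(W_REF, data))
    print("after 2 passes of queries:", [round(v, 3) for v in w_drift], accuracy(w_drift, data))
    for k, cost, acc in calibration_curve(W_REF, w_drift, data):
        print(f"reprogrammed {k} cell(s): write cost {cost:.3f}, accuracy {acc:.3f}")
```

After two passes of queries the bias cell, which is stimulated at full amplitude on every query, has drifted the most and is ranked first; the curve then shows the accuracy reached for each additional reprogrammed cell against the cumulative write cost. The accuracy along the curve is not guaranteed to be monotone: restoring one cell while its neighbours stay drifted changes the ratio between weights, so a criticality ranking should be checked on a calibration set before committing to a cheaper partial calibration.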
CONCLUSION
In this paper, we identify a new security issue in smart surveillance systems, named the learning attack. A memristor-based solution is proposed that leverages the memristor's obsolescence effect. Our preliminary results show the effectiveness of our approach: the degrading system is able to prevent attackers from learning the model behind it. Furthermore, we study the influence of different activation functions and of critical weights. The results indicate that softmax with cross entropy has a slightly better degradation curve than hyperbolic tangent with MSE, and that critical weights detection helps to keep the calibration cost lower while maintaining reasonable performance.
ACKNOWLEDGMENTS
The presented works were supported by NSF CNS-1253424, CCF-1615475 and AFRL FA8750-15-2-0048.
