Preprint
Article

This version is not peer-reviewed.

Robust Stealthy High-Impact Malicious Hardware Attacks on Deep Neural Networks

Submitted: 04 June 2026
Posted: 05 June 2026


Abstract
The rapid advancement of modern Deep Neural Networks (DNNs) has played a crucial role in aiding humans in many real-world applications, yet the hardware accelerators that run them have been shown to be vulnerable to malicious attacks. One particularly severe attack inserts a hardware Trojan (HT) into the DNN accelerator during the supply chain so that the attacker can stealthily manipulate model predictions. In this paper, we present a stealthy HT that is difficult to detect and has a significant impact on the performance of DNN models. To achieve this, we introduce the Sensitivity-Based Weight Selection (SBWS) algorithm, a novel technique that adapts machine learning (ML) sensitivity analysis to identify and modify only a small number of weights, fewer than in previous work, that have the highest impact on DNN performance. We evaluate the proposed attack on five DNN models and multiple datasets using two designed payload types, weight zeroing and sign-flipping, and report the results using several security metrics. The experiments show average accuracy reductions of 26.7% for the zeroing attack and 48.1% for the sign-flipping attack, an overall average of 37.4%, computed over five independent runs per dataset with a standard deviation below 2%. Sign-flipping consistently outperforms zeroing because it preserves the magnitudes of the attacked weights while inverting their signs, which disrupts the learned decision boundaries more severely and amplifies error propagation through subsequent layers. These results substantially exceed those of previous random-weight perturbation attacks (typically 12–20% drops) and of other targeted HT approaches, while incurring lower computational and hardware resource overheads. This work provides a more effective and scalable method for assessing the vulnerability of DNN accelerators under realistic supply-chain threat models.
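The two payloads named in the abstract, applied to the k most sensitive weights of a small model, as an added example that is not code from the paper or its authors. The abstract does not specify how SBWS scores a weight, so the score used here is an assumption: the increase in loss on a small calibration set when the payload is applied to that one weight (a perturbation-based sensitivity measure). The victim is logistic regression trained on a constructed, linearly separable dataset generated inline, so every number it prints comes from that data rather than from the paper's experiments; all function names are this example's own.

```python
"""
Added example: weight zeroing vs. sign-flipping payloads on the most
sensitive weights of a small victim model.  Not the paper's SBWS code.

Assumptions (labelled because the abstract does not state them):
  * sensitivity of weight i = loss increase on a calibration set when the
    payload is applied to weight i alone (perturbation-based score);
  * the victim is logistic regression on constructed data: label is 1 iff
    2*x0 + x1 > 0, the remaining features are noise.
"""
import math
import random

D_FEATURES = 8   # two informative features, six noise features


def make_dataset(n, rng):
    """Constructed data, not from the paper: label depends only on x0 and x1."""
    xs, ys = [], []
    for _ in range(n):
        x = [rng.uniform(-1.0, 1.0) for _ in range(D_FEATURES)]
        xs.append(x)
        ys.append(1 if 2.0 * x[0] + x[1] > 0 else 0)
    return xs, ys


def sigmoid(z):
    # Numerically stable in both tails so a large attacked logit cannot overflow.
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def predict_prob(w, b, x):
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def train_logreg(xs, ys, epochs=200, lr=0.5):
    """Full-batch gradient descent on the logistic loss."""
    w, b, n = [0.0] * D_FEATURES, 0.0, len(xs)
    for _ in range(epochs):
        gw, gb = [0.0] * D_FEATURES, 0.0
        for x, y in zip(xs, ys):
            err = predict_prob(w, b, x) - y
            for i in range(D_FEATURES):
                gw[i] += err * x[i]
            gb += err
        w = [wi - lr * gi / n for wi, gi in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def log_loss(w, b, xs, ys):
    eps, total = 1e-12, 0.0
    for x, y in zip(xs, ys):
        p = min(max(predict_prob(w, b, x), eps), 1.0 - eps)
        total -= y * math.log(p) + (1 - y) * math.log(1.0 - p)
    return total / len(xs)


def accuracy(w, b, xs, ys):
    hits = sum(1 for x, y in zip(xs, ys) if (predict_prob(w, b, x) > 0.5) == (y == 1))
    return hits / len(xs)


# Payloads: return a new weight vector with the payload applied at `idxs`.
def zeroing_payload(w, idxs):
    return [0.0 if i in idxs else wi for i, wi in enumerate(w)]


def sign_flip_payload(w, idxs):
    # Magnitude preserved, sign inverted (the property the abstract credits).
    return [-wi if i in idxs else wi for i, wi in enumerate(w)]


def sensitivity_scores(w, b, payload, xs_cal, ys_cal):
    """Assumed stand-in for SBWS: loss increase when the payload hits one weight."""
    base = log_loss(w, b, xs_cal, ys_cal)
    return [log_loss(payload(w, {i}), b, xs_cal, ys_cal) - base for i in range(len(w))]


def select_top_k(scores, k):
    return set(sorted(range(len(scores)), key=lambda i: scores[i], reverse=True)[:k])


def build_victim(seed=0):
    rng = random.Random(seed)
    xs_tr, ys_tr = make_dataset(500, rng)
    cal = make_dataset(100, rng)    # attacker's small calibration set
    test = make_dataset(400, rng)   # held-out set used only to score the attack
    w, b = train_logreg(xs_tr, ys_tr)
    return {"w": w, "b": b, "cal": cal, "test": test}


def run_attack(victim, k):
    """Apply each payload to the k most sensitive weights; report test accuracy."""
    w, b = victim["w"], victim["b"]
    xs_cal, ys_cal = victim["cal"]
    xs_te, ys_te = victim["test"]
    out = {"clean": accuracy(w, b, xs_te, ys_te)}
    for name, payload in (("zeroing", zeroing_payload), ("sign_flip", sign_flip_payload)):
        idxs = select_top_k(sensitivity_scores(w, b, payload, xs_cal, ys_cal), k)
        out[name] = accuracy(payload(w, idxs), b, xs_te, ys_te)
        out[name + "_idx"] = idxs
    return out


if __name__ == "__main__":
    victim = build_victim()
    for k in (1, 2):
        r = run_attack(victim, k)
        print(f"k={k}: clean={r['clean']:.3f} zeroing={r['zeroing']:.3f} "
              f"sign_flip={r['sign_flip']:.3f} flipped={sorted(r['sign_flip_idx'])}")
```

On this constructed data the sign-flip payload lands well below zeroing for the same k, the ordering the abstract reports, because zeroing the dominant weight leaves the prediction to the remaining informative weight while flipping it actively votes against the true label. The single-layer victim does not reproduce the cross-layer error propagation the abstract describes; swapping in a multi-layer model changes only `train_logreg`, `predict_prob` and the flat weight indexing.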
Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permits free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.

Preprints.org is a free preprint server supported by MDPI in Basel, Switzerland.
