After over a decade of research on AI security and despite major and regular advances in the state of the art, there are still significant limitations when it comes to protecting complex real-world systems, particularly highly dynamic and distributed systems such as those based on federated learning (FL). AI.MMUNITY aims to address two major challenges to secure these systems. First, using the MLOps formalism and modeling, the project seeks to expand threat modeling to consider the entire lifecycle of an FL system and not just the models. The goal is to characterize advanced threats that exploit the very broad attack surface of an FL system, including data and/or model poisoning attacks, attacks targeting the aggregation of local models or their deployment, and attacks on software (SW) or hardware (HW) implementations. Secondly, AI.MMUNITY focuses on "security by design" through a holistic approach based on three levels: at the system level with the reinforcement of operations and processes considered as security blind spots in the FL life cycle; at the model level with model reinforcement learning techniques; and at the implementation level through the development of innovative SW and HW protections on advanced platforms (SoC, MCU, RISC-V). AI.MMUNITY will demonstrate its innovations through three use cases in the fields of IoT cybersecurity, facial recognition systems, and human activity recognition (HAR) IoT applications. The methods and tools developed within AI.MMUNITY will enable AI actors and security and standardization bodies to improve the evaluation and reduce the impact of risks associated with these distributed learning systems.

We want to demonstrate the possibility of programming phase change memories (PCMs) based on a nitrogen-doped germanium-rich GeSbTe alloy (NG-GST) in several states, with an electrical resistance intermediate between those of the extrem SET and RESET states of the device (intermedate resistance states, IRS) and with a low resistance drift over time. This would allow to propel into the neuromorphic era an already existing advanced digital platform fabricated by our partner STMicroelectronics. A deep understanding of the physical properties (from the atomic to the device scales) of the IRS is required to successfully control the formation of several distinguishable IRS with a good stability in time. We aim at understanding: 1-which kinds of conduction paths must be opened in the NG-GST layer for each of the targeted IRS, 2-which precise micro/nanostructure of this layer must be reached to open these specific conduction paths and 3-which sequence of electric current pulses must be applied to get this microstructure. This understanding can only be achieved by combining the complementary set of techniques and scientific skills offered in the INTERSTATE project: measurement of the atomic and chemical structure down to the nanoscale, measurement of the static and dynamic transport properties, multiscale simulation of the physical properties. The results that we will obtain from our investigations at the border between materials science and physical properties will pave the way towards futur developments on brain-inspired electronic devices working at high temperature and are a prerequisite before future investigations on the programming strategies adapted to specific neuromorphic or AI application.

The aim of STREAMS is to bring Europe into the new leading thermal management paradigm and maintain EU position at the forefront of ICT development. With a focused consortium gathering complementary experts, STREAMS will develop a generic active cooling thermal management solution (reaching TRL4), to keep nanoelectronic devices and systems performances at their best, while meeting IC future challenges. To successfully integrate Versatile microfluidic actuation, Anticipating thermal map and Thermal energy harvesting in a Si-based interposer, STREAMS will: - Lay-out advanced functionalities for the power efficient cooling control of application use-cases with critical heat load spatial distributions including hotspot areas (150 to 300 W/cm2) and background areas (20W/cm2) and temporal heat load variation in typical sub-second time scale - Develop self-adaptive and controlled micro-fluidic actuators to decrease by 25% both the pressure loss and the fluid flow rate, while controlling the temperature distribution within 15% below the acceptable limits of each component for spatial and temporal heat flux variation scenarios - Integrate IC compatible passive heat flux sensors (sensitivity up to S=100mV/K) at the interposer level to anticipate thermal map variation (time response~200ms, lateral spatial resolution=500µm) - Take advantage of existing thermal gradients to embed high performance nanostructured thermoelectric generator (harvested power up to 10mW) to power local functionalities (microfluidic valves, power management and read-out circuits, control ASIC) - Integrate the developed functionalities into a Si based interposer to demonstrate a smart, adaptable and embedded active cooling thermal management solution with reduced footprint (70% thickness reduction) and reduced consumption (-50%) - Assess reliability and performances of STREAMS thermal management solution in real future high performance applications in micro-servers (P=50W) and network use cases (P=200W)

A major trend in Artificial Intelligence is the deployment of Machine Learning models even for highly constrained platforms such as low power 32-bit microcontrollers. However, the security of embedded Machine Learning systems is one of the most important issues to this massive deployment, more particularly for deep neural network-based systems. The difficulty comes from a complex twofold attack surface. First of all, an impressive amount of works demonstrate algorithmic flaws targeting the model’s integrity (e.g., adversarial examples) or the confidentiality and privacy of data and models (e.g., membership inference, model inversion). However, few works take into consideration the specificities of embedded models (e.g. quantization, pruning). Second, physical attacks (side-channel and fault injection analysis) represent upcoming and highly critical threats. Today, these two types of threats are considered separately. For the first time, the PICTURE project proposes to jointly analyze the algorithmic and physical threats in order to develop protection schemes bridging these two worlds and to promote a set of good practices enabling the design, development and deployment of more robust models. PICTURE gathers CEA Tech (LETI) and Ecole des Mines de Saint-Etienne (MSE, Centre de Microélectronique de Provence) as academic partners and IDEMIA and STMicroelectronics as industrial partners that will bring real, complete and critical use cases more particularly focused on Facial Recognition. To achieve its objectives, the consortium of PICTURE will precisely describe the different threat models targeting the integrity and the confidentiality of software implementation of neural network models on hardware targets from 32-bit microcontrollers (Cortex-M), dual architecture with Cortex-M and Cortex-A platforms to GPU platforms dedicated to embedded systems. Then, PICTURE aims at demonstrating and analyzing – for the first time – complex attacks combining algorithmic and physical attacks. On one hand, for integrity-based threats (i.e. fooling the prediction of a model) by combining principle of adversarial examples attacks and fault injection approaches. On the other hand, by studying the impact of the exploitation of side-channel leakages (side-channel analysis), even fault injection analysis associated to theoretical approaches to reverse engineer a model (model inversion) or to extract training data (membership inference attack). The development of new protection schemes will be achieved by the analysis of the relevance of state-of-the-art countermeasures against physical attacks (such an analysis has never been achieved at this scale). PICTURE will propose protections that will take place at different position within the traditional Machine Learning pipeline and more particularly training-based approaches that enable more robust models. Finally, PICTURE will present new evaluation methods to promote PICTURE results to academic and industrial actors. PICTURE aims at facilitating a shift in the way to consider ML models by putting security at the core of the development and deployment strategy and anticipate as well as influence future certification strategies.