A Practical Introduction to Side-Channel Extraction of Deep Neural Network Parameters

Joud, Raphaël; Moëllic, Pierre-Alain; Pontié, S.; Rigaud, Jean-Baptiste

doi:10.1007/978-3-031-25319-5_3

Cited by 8 publications

(7 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Assuming the Hamming weight (HW) model as the leakage model as in previous works [8], [15], [16], we compute CPA-guesses G based on H (Y ), where H (x) denotes the HW of the IEEE 754 representation of the variable x.…”

Section: Cpa On Floating-point Arithmeticmentioning

confidence: 99%

“…In particular, precise extraction of target models, so-called model reverse-engineering, attempts to recover the model architecture and/or model parameters of deep neural networks (DNNs). Model reverse-engineering attacks based on sidechannel analysis (SCA), such as timing analysis (TA) [3] and power analysis (PA) [4] -typically correlation power analysis (CPA) [5], correlation electromagnetic analysis (CEMA) [6], and simple power analysis (SPA) [4] -, are now being proposed [7]- [16].…”

Section: Introductionmentioning

confidence: 99%

“…Joud et al [16] proposed a CEMA-based attack to recover weights with high precision, as fidelity-oriented extraction [17], using both electromagnetic (EM) traces acquired on an ARM Cortex-M7 with FPU and simulated traces. Bias recovery has been mentioned as a remaining challenge for the full extraction of DNN models.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Power Analysis of Floating-Point Operations for Leakage Resistance Evaluation of Neural Network Model Parameters

NOZAKI,

KOBARA

2024

IEICE Trans. Fundamentals

View full text Add to dashboard Cite

In the field of machine learning security, as one of the attack surfaces especially for edge devices, the application of side-channel analysis such as correlation power/electromagnetic analysis (CPA/CEMA) is expanding. Aiming to evaluate the leakage resistance of neural network (NN) model parameters, i.e. weights and biases, we conducted a feasibility study of CPA/CEMA on floating-point (FP) operations, which are the basic operations of NNs. This paper proposes approaches to recover weights and biases using CPA/CEMA on multiplication and addition operations, respectively. It is essential to take into account the characteristics of the IEEE 754 representation in order to realize the recovery with high precision and efficiency. We show that CPA/CEMA on FP operations requires different approaches than traditional CPA/CEMA on cryptographic implementations such as the AES.

show abstract

Section: Cpa On Floating-point Arithmeticmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Power Analysis of Floating-Point Operations for Leakage Resistance Evaluation of Neural Network Model Parameters

NOZAKI,

KOBARA

2024

IEICE Trans. Fundamentals

View full text Add to dashboard Cite

show abstract

“…To validate the methodology introduced in Section 3.1, the NNOM softmax function is targeted. We choose this implementation as it is a common solution in the literature [20,35,51,58]. Whereas traditional softmax function is defined by a normalization which maps the logits (or the confidence scores) to a probability distribution following…”

Section: Security Flawmentioning

confidence: 99%

“…In [6], Batina et al proposed a hardware attack scenario based on side-channel attacks, in order to steal the IP and the inputs of a targeted embedded model. The practicability of the latter scenario has nevertheless been questioned when an attacker has to deal with real-world and complex DNN implementations [34]. A second key consideration for the IP comes from the privacy of the input data during training and inference time.…”

Section: Introductionmentioning

confidence: 99%

When Side-Channel Attacks Break the Black-Box Property of Embedded Artificial Intelligence

Coqueret,

Carbone,

Sentieys

et al. 2023

Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security

View full text Add to dashboard Cite

Artificial intelligence, and specifically deep neural networks (DNNs), has rapidly emerged in the past decade as the standard for several tasks from specific advertising to object detection. The performance offered has led DNN algorithms to become a part of critical embedded systems, requiring both efficiency and reliability. In particular, DNNs are subject to malicious examples designed in a way to fool the network while being undetectable to the human observer: the adversarial examples. While previous studies propose frameworks to implement such attacks in black box settings, those often rely on the hypothesis that the attacker has access to the logits of the neural network, breaking the assumption of the traditional black box. In this paper, we investigate a real black box scenario where the attacker has no access to the logits. In particular, we propose an architecture-agnostic attack which solve this constraint by extracting the logits. Our method combines hardware and software attacks, by performing a side-channel attack that exploits electromagnetic leakages to extract the logits for a given input, allowing an attacker to estimate the gradients and produce state-of-the-art adversarial examples to fool the targeted neural network. Through this example of adversarial attack, we demonstrate the effectiveness of logits extraction using side-channel as a first step for more general attack frameworks requiring either the logits or the confidence scores. CCS CONCEPTS• Security and privacy → Side-channel analysis and countermeasures.

show abstract

Evaluation of Parameter-Based Attacks Against Embedded Neural Networks with Laser Injection

Dumont,

Hector,

Moëllic

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

A Practical Introduction to Side-Channel Extraction of Deep Neural Network Parameters

Cited by 8 publications

References 23 publications

Power Analysis of Floating-Point Operations for Leakage Resistance Evaluation of Neural Network Model Parameters

Power Analysis of Floating-Point Operations for Leakage Resistance Evaluation of Neural Network Model Parameters

When Side-Channel Attacks Break the Black-Box Property of Embedded Artificial Intelligence

Evaluation of Parameter-Based Attacks Against Embedded Neural Networks with Laser Injection

Contact Info

Product

Resources

About