Mitigating Reverse Engineering Attacks on Deep Neural Networks

Liu, Yuntao; Dachman-Soled, Dana; Srivastava, Ankur

doi:10.1109/isvlsi.2019.00122

Cited by 18 publications

(8 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Liu et al [44] aim to prevent recovery of the architecture through memory access patterns attacks. Their method first considers Hua et al [34] as a baseline attack, but proves the security of its protection against stronger memory access pattern attacks.…”

Section: Summary and Countermeasuresmentioning

confidence: 99%

Side channel attacks for architecture extraction of neural networks

Chabanne

Danger

Guiga

et al. 2021

CAAI Trans on Intel Tech

View full text Add to dashboard Cite

Side channel attacks (SCAs) on neural networks (NNs) are particularly efficient for retrieving secret information from NNs. We differentiate multiple types of threat scenarios regarding what kind of information is available before the attack and its purpose: recovering hyperparameters (the architecture) of the targeted NN, its weights (parameters), or its inputs. In this survey article, we consider the most relevant attacks to extract the architecture of CNNs. We also categorize SCAs, depending on access with respect to the victim: physical, local, or remote. Attacks targeting the architecture via local SCAs are most common. As of today, physical access seems necessary to retrieve the weights of an NN. We notably describe cache attacks, which are local SCAs aiming to extract the NN's underlying architecture. Few countermeasures have emerged; these are presented at the end of the survey. This is an open access article under the terms of the Creative Commons Attribution License, which permits use, distribution and reproduction in any medium, provided the original work is properly cited.

show abstract

Section: Summary and Countermeasuresmentioning

confidence: 99%

Side channel attacks for architecture extraction of neural networks

Chabanne

Danger

Guiga

et al. 2021

CAAI Trans on Intel Tech

View full text Add to dashboard Cite

show abstract

“…Relatively stronger defenses include the use of encryption [34][35], i.e., data confidentiality, while outsourcing the data for training. Similarly, measures to ensure IP privacy during third-party DNN training include the use of multiple training servers for joint dataset [99], verifying the training procedure [100], ensuring privacy after training by network transformation [101], obfuscating defenses against reverse engineeringbased attacks [102], [103], and isolating the hardware accelerators [104].…”

Section: Defending Against Ip Stealingmentioning

confidence: 99%

Robust Machine Learning Systems: Challenges,Current Trends, Perspectives, and the Road Ahead

et al. 2020

View full text Add to dashboard Cite

Machine Learning (ML) techniques have been rapidly adopted by smart Cyber-Physical Systems (CPS) and Internet-of-Things (IoT) due to their powerful decision-making capabilities. However, they are vulnerable to various security and reliability threats, at both hardware and software levels, that compromise their accuracy. These threats get aggravated in emerging edge ML devices that have stringent constraints in terms of resources (e.g., compute, memory, power/energy), and that therefore cannot employ costly security and reliability measures. Security, reliability, and vulnerability mitigation techniques span from network security measures to hardware protection, with an increased interest towards formal verification of trained ML models.This paper summarizes the prominent vulnerabilities of modern ML systems, highlights successful defenses and mitigation techniques against these vulnerabilities, both at the cloud (i.e., during the ML training phase) and edge (i.e., during the ML inference stage), discusses the implications of a resourceconstrained design on the reliability and security of the system, identifies verification methodologies to ensure correct system behavior, and describes open research challenges for building secure and reliable ML systems at both the edge and the cloud.

show abstract

“…Side-channel analysis on inference systems [14, 40-42, 44, 57, 58, 79, 87, 103, 110, 115], by contrast, can succeed with significantly fewer tests and are harder to prevent as we learned from the research on cryptographic engineering. Side-channel analysis can steal both the input data of the customer [110] and the model of the service provider [14], the general architecture of the deployed AI system [79] and the detailed, bit-level values of its coefficients [41]. The defenses against digital side-channels, such as timing sidechannels, are relatively more natural to establish for specialized accelerators (as opposed to general-purpose engines) because the design tools enable cycle-accurate control and simulation.…”

Section: Research and Standardsmentioning

confidence: 99%

Trustworthy AI Inference Systems: An Industry Research View

Cammarota¹,

Schunter²,

Anand³

et al. 2020

Preprint

View full text Add to dashboard Cite

In this work, we provide an industry research view for approaching the design, deployment, and operation of trustworthy Artificial Intelligence (AI) inference systems. Such systems provide customers with timely, informed, and customized inferences to aid their decision, while at the same time utilizing appropriate security protection mechanisms for AI models. Additionally, such systems should also use Privacy-Enhancing Technologies (PETs) to protect customers' data at any time.To approach the subject, we start by introducing trends in AI inference systems. We continue by elaborating on the relationship between Intellectual Property (IP) and private data protection in such systems. Regarding the protection mechanisms, we survey the security and privacy building blocks instrumental in designing, building, deploying, and operating private AI inference systems. For example, we highlight opportunities and challenges in AI systems using trusted execution environments combined with more recent advances in cryptographic techniques to protect data in use. Finally, we outline areas of further development that require the global collective attention of industry, academia, and government researchers to sustain the operation of trustworthy AI inference systems.

show abstract

Mitigating Reverse Engineering Attacks on Deep Neural Networks

Cited by 18 publications

References 11 publications

Side channel attacks for architecture extraction of neural networks

Side channel attacks for architecture extraction of neural networks

Robust Machine Learning Systems: Challenges,Current Trends, Perspectives, and the Road Ahead

Trustworthy AI Inference Systems: An Industry Research View

Contact Info

Product

Resources

About