Reverse engineering convolutional neural networks through side-channel information leaks

Hua, Weizhe; Zhang, Zhiru; Suh, G. Edward

doi:10.1145/3195970.3196105

Cited by 80 publications

(19 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The adversary can obtain this value from the training set and model. Hua et al [56] "investigated reverse-engineering attacks on CNN models exploiting information leaks through memory and timing side-channels".…”

Section: Model Extractionmentioning

confidence: 99%

When Machine Learning Meets Privacy

et al. 2021

View full text Add to dashboard Cite

The newly emerged machine learning (e.g., deep learning) methods have become a strong driving force to revolutionize a wide range of industries, such as smart healthcare, financial technology, and surveillance systems. Meanwhile, privacy has emerged as a big concern in this machine learning-based artificial intelligence era. It is important to note that the problem of privacy preservation in the context of machine learning is quite different from that in traditional data privacy protection, as machine learning can act as both friend and foe. Currently, the work on the preservation of privacy and machine learning are still in an infancy stage, as most existing solutions only focus on privacy problems during the machine learning process. Therefore, a comprehensive study on the privacy preservation problems and machine learning is required. This article surveys the state of the art in privacy issues and solutions for machine learning. The survey covers three categories of interactions between privacy and machine learning: (i) private machine learning, (ii) machine learning-aided privacy protection, and (iii) machine learning-based privacy attack and corresponding protection schemes. The current research progress in each category is reviewed and the key challenges are identified. Finally, based on our in-depth analysis of the area of privacy and machine learning, we point out future research directions in this field.

show abstract

Section: Model Extractionmentioning

confidence: 99%

When Machine Learning Meets Privacy

et al. 2021

View full text Add to dashboard Cite

show abstract

“…The aim is to duplicate the functionality of the target model. Hua et al [7] proposed to exploit information leakage through timing (and memory) side-channels targeting DNN accelerators running in a secure enclave like SGX. Batina et al [8] proposed a generic model recovery by side-channels.…”

Section: B Related Workmentioning

confidence: 99%

Time to Leak: Cross-Device Timing Attack On Edge Deep Learning Accelerator

Won

Chatterjee

Jap

et al. 2021

2021 International Conference on Electronics, Information, and Communication (ICEIC)

View full text Add to dashboard Cite

Edge deep learning accelerators are optimised hardware to enable efficient inference on the edge. The models deployed on these accelerators are often proprietary and thus sensitive for commercial and privacy reasons. In this paper, we demonstrate practical vulnerability of deployed deep learning models to timing side-channel attacks. By measuring the execution time of the inference, the adversary can determine and reconstruct the model from a known family of well known deep learning model and then use available techniques to recover remaining hyperparameters. The vulnerability is validated on Intel Compute Stick 2 for VGG and ResNet family of models. Moreover, the presented attack is quite devastating as it can be performed in a cross-device setting, where adversary profiles constructed on a legally own device can be used to exploit the victim device with a single query and still can achieve near perfect success rate.

show abstract

“…SCA attacks are relatively cheap to perform, and hard and expensive to protect against. Recently SCA attacks have been applied to steal the IP of DNN models [4,9,14]. [17], facilitate differential fault analysis for secret key retrieval [3], or simply disrupt or shut down the operation [16].…”

Section: Side-channel Analysismentioning

confidence: 99%