Reverse Engineering Convolutional Neural Networks Through Side-channel Information Leaks

Hua, Weizhe; Zhang, Zhiru; Suh, G. Edward

doi:10.1109/dac.2018.8465773

Cited by 124 publications

(155 citation statements)

References 10 publications

Supporting

Mentioning

154

Contrasting

Order By: Relevance

“…The proposed work can effective get the key by only analysing 32,500 number of plaintexts. In [314], studies the robustness of CNN on various side channel information leaks.…”

Section: F Deep Learning In Side Channel Attacks Detectionmentioning

confidence: 99%

A Comprehensive Tutorial and Survey of Applications of Deep Learning for Cyber Security

Ravi¹,

Alazab²,

Sriram³

et al. 2020

Preprint

View full text Add to dashboard Cite

show abstract

“…The proposed work can effective get the key by only analysing 32,500 number of plaintexts. In [314], studies the robustness of CNN on various side channel information leaks.…”

Section: F Deep Learning In Side Channel Attacks Detectionmentioning

confidence: 99%

A Comprehensive Tutorial and Survey of Applications of Deep Learning for Cyber Security

Ravi¹,

Alazab²,

Sriram³

et al. 2020

Preprint

View full text Add to dashboard Cite

show abstract

“…In [5], attackers fool DNNs to make mistakes by modifying their parameters through fault injection, in which single bias attack modifies one parameter with a large perturbation for misclassification and gradient descent attack considers stealthiness by adding small perturbations on a number of parameters. Reverse-engineering attacks [6] can identify model parameters in the off-chip memory, which may be stealthily replaced by attackers. [15] performs practical laser fault injection on activation functions of DNNs using a nearinfrared diode plus laser.…”

Section: B Related Work and Motivationmentioning

confidence: 99%

“…Liu et al [5] first proposes to attack DNN parameters for misclassifications based on two fault injection methods: single bias attack and gradient descent attack. Reverse-engineering attacks [6], [7] on hardware DNN accelerators can identify the model parameters in the off-chip memory and then attackers may stealthily substitute original parameters with malicious ones. These attacks seriously threat safety-critical applications based on DNNs.…”

Section: Introductionmentioning

confidence: 99%

On Functional Test Generation for Deep Neural Network IPs

Luo

Wei

et al. 2019

2019 Design, Automation &Amp; Test in Europe Conference &Amp; Exhibition (DATE)

View full text Add to dashboard Cite

Machine learning systems based on deep neural networks (DNNs) produce state-of-the-art results in many applications. Considering the large amount of training data and know-how required to generate the network, it is more practical to use third-party DNN intellectual property (IP) cores for many designs. No doubt to say, it is essential for DNN IP vendors to provide test cases for functional validation without leaking their parameters to IP users. To satisfy this requirement, we propose to effectively generate test cases that activate parameters as many as possible and propagate their perturbations to outputs. Then the functionality of DNN IPs can be validated by only checking their outputs. However, it is difficult considering large numbers of parameters and highly non-linearity of DNNs. In this paper, we tackle this problem by judiciously selecting samples from the DNN training set and applying a gradient-based method to generate new test cases. Experimental results demonstrate the efficacy of our proposed solution.

show abstract

“…Tramer et al [37] demonstrated a model inversion attack by exploiting the relationship of queries and confidence values on different machine learning models, such as DNN, logistic regressions, etc. Despite the attacks exploiting the privacy leakage in the training sets, Hua et al [11] presented a novel attack to reverse engineer the underlying network information. They utilize the memory accessing patterns to infer the network structures, such as number of layers, the feature map sizes of each layer.…”

Section: Related Workmentioning

confidence: 99%

I Know What You See

Wei

Luo

et al. 2018

Proceedings of the 34th Annual Computer Security Applications Conference

130

View full text Add to dashboard Cite

Deep learning has become the de-facto computational paradigm for various kinds of perception problems, including many privacysensitive applications such as online medical image analysis. No doubt to say, the data privacy of these deep learning systems is a serious concern. Different from previous research focusing on exploiting privacy leakage from deep learning models, in this paper, we present the first attack on the implementation of deep learning models. To be specific, we perform the attack on an FPGA-based convolutional neural network accelerator and we manage to recover the input image from the collected power traces without knowing the detailed parameters in the neural network. For the MNIST dataset, our power side-channel attack is able to achieve up to 89% recognition accuracy. CCS CONCEPTS• Security and privacy → Side-channel analysis and countermeasures; • Hardware → Hardware accelerators; KEYWORDSPower side-channel attack, convolutional neural accelerators, privacy leakage ACM Reference Format:

show abstract

Reverse Engineering Convolutional Neural Networks Through Side-channel Information Leaks

Cited by 124 publications

References 10 publications

A Comprehensive Tutorial and Survey of Applications of Deep Learning for Cyber Security

A Comprehensive Tutorial and Survey of Applications of Deep Learning for Cyber Security

On Functional Test Generation for Deep Neural Network IPs

I Know What You See

Contact Info

Product

Resources

About