Stealing Neural Networks via Timing Side Channels

Duddu, Vasisht; Samanta, Debasis; Rao, D Vijay; Balas, Valentina E.

doi:10.48550/arxiv.1812.11720

Cited by 21 publications

(34 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Similarly, [50] presented an attack on an FPGA-based convolutional neural network accelerator and recovered the input image from the collected power traces. [16] proposed an extraction attack by exploiting the side timing channels to infer the depth of the network. [48] designed an attack on stealing the hyper-parameters of a variety of machine learning algorithms, this attack is derived by know parameters and the machine learning algorithms, and training data set.…”

Section: Mitigation Countermeasuresmentioning

confidence: 99%

“…This privatization-deployment situation further exacerbates the risk of model leakage. There have been many DNN extraction works proposed in the literature [16,21,22,36,43,47,48,50,51,54]. All of them use either a search or prediction method to recover DNN models.…”

Section: Introductionmentioning

confidence: 99%

“…Besides, the performance of their searching processes is particularly low. The prediction based schemes [16,21,51] result in a significant drop in inference accuracy. Most importantly, all of these attacks are not able to reconstruct the whole DNN model.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Hermes Attack: Steal DNN Models with Lossless Inference Accuracy

Zhu¹,

Cheng²,

Zhou³

et al. 2020

Preprint

View full text Add to dashboard Cite

Deep Neural Network (DNN) models become one of the most valuable enterprise assets due to their critical roles in all aspects of applications. With the trend of privatization deployment of DNN models, the data leakage of the DNN models is becoming increasingly serious and widespread. All existing model-extraction attacks can only leak parts of targeted DNN models with low accuracy or high overhead. In this paper, we first identify a new attack surface -unencrypted PCIe traffic, to leak DNN models. Based on this new attack surface, we propose a novel model-extraction attack, namely Hermes Attack, which is the first attack to fully steal the whole victim DNN model. The stolen DNN models have the same hyper-parameters, parameters, and semantically identical architecture as the original ones. It is challenging due to the closed-source CUDA runtime, driver, and GPU internals, as well as the undocumented data structures and the loss of some critical semantics in the PCIe traffic. Additionally, there are millions of PCIe packets with numerous noises and chaos orders. Our Hermes Attack addresses these issues by huge reverse engineering efforts and reliable semantic reconstruction, as well as skillful packet selection and order correction. We implement a prototype of the Hermes Attack, and evaluate two sequential DNN models (i.e., MINIST and VGG) and one nonsequential DNN model (i.e., ResNet) on three NVIDIA GPU platforms, i.e., NVIDIA Geforce GT 730, NVIDIA Geforce GTX 1080 Ti, and NVIDIA Geforce RTX 2080 Ti. The evaluation results indicate that our scheme is able to efficiently and completely reconstruct ALL of them with making inference on any one image. Evaluated with Cifar10 test dataset that contains 10, 000 images, the experiment results show that the stolen models have the same inference accuracy as the original ones (i.e., lossless inference accuracy).

show abstract

Section: Mitigation Countermeasuresmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Hermes Attack: Steal DNN Models with Lossless Inference Accuracy

Zhu¹,

Cheng²,

Zhou³

et al. 2020

Preprint

View full text Add to dashboard Cite

show abstract

“…Query-based attacks can be effectively defended by limiting model output. Side-channel attacks have also been demonstrated as effective for DNN model extraction [3,8,9,12,13,[34][35][36]. Side-channel attacks offer a significant risk because side-channel information emanating during DNN execution is difficult to eliminate.…”

Section: Introductionmentioning

confidence: 99%

“…Hu et al, extracted the DNN architecture from the noisy PCIe and memory-bus events on a GPU platform [12]. Duddu et al utilized execution time to infer target DNN layer depth [9].…”

Section: Introductionmentioning

confidence: 99%

Power-Based Attacks on Spatial DNN Accelerators

Li¹,

Tiwari²,

Orshansky³

2021

Preprint

View full text Add to dashboard Cite

With proliferation of DNN-based applications, the confidentiality of DNN model is an important commercial goal. Spatial accelerators, that parallelize matrix/vector operations, are utilized for enhancing energy efficiency of DNN computation. Recently, model extraction attacks on simple accelerators, either with a single processing element or running a binarized network, were demonstrated using the methodology derived from differential power analysis (DPA) attack on cryptographic devices. This paper investigates the vulnerability of realistic spatial accelerators using general, 8-bit, number representation.We investigate two systolic array architectures with weight-stationary dataflow: (1) a 3 × 1 array for a dot-product operation, and (2) a 3 × 3 array for matrix-vector multiplication. Both are implemented on the SAKURA-G FPGA board. We show that both architectures are ultimately vulnerable. A conventional DPA succeeds fully on the 1D array, requiring 20K power measurements. However, the 2D array exhibits higher security even with 460K traces. We show that this is because the 2D array intrinsically entails multiple MACs simultaneously dependent on the same input. However, we find that a novel template-based DPA with multiple profiling phases is able to fully break the 2D array with only 40K traces. Corresponding countermeasures need to be investigated for spatial DNN accelerators.CCS Concepts: • Security and privacy → Side-channel analysis and countermeasures.

show abstract

Securing AI‐based healthcare systems using blockchain technology: A state‐of‐the‐art systematic literature review and future research directions

Shinde,

Patil,

Kotecha

et al. 2023

Trans Emerging Tel Tech

View full text Add to dashboard Cite

Healthcare institutions are progressively integrating artificial intelligence (AI) into their operations. The extraordinary potential of AI is restricted by insufficient medical data for AI model training and adversarial attacks wherein attackers perturb the dataset by adding some noise to it, which leads to the malfunctioning of the AI models, and a lack of trust caused by the opaque operational approach it employs. This Systematic Literature Review (SLR) is a state‐of‐the‐art survey of the research on blockchain technology for securing AI‐integrated healthcare applications. The most relevant articles from the Scopus and Web of Science (WoS) databases were identified using the PRISMA model. Most of the existing literature is about protecting the healthcare data used by AI‐based healthcare systems using blockchain technology, but the modality of data (text, images, audio, and sound) was not specifically mentioned. Information on protecting the training phase and model deployment for AI‐based healthcare systems considering the variations in feature extraction based on the modality of data was also not clearly specified. Hence, the three subfields of AI, namely, natural language processing (NLP), computer vision, and acoustic AI are further studied to identify security loopholes in its implementation pipeline. The three phases, namely the dataset, the training phase, and the trained models need to be protected from adversaries to avoid malfunctioning of the deployed AI models. The nature of the data processed by NLP, computer vision, and acoustic AI, underlying deep neural network (DNN) architectures, the complexity of attacks, and the perceivability of attacks by humans are analyzed to identify the need for security. A blockchain solution for AI‐based healthcare systems is synthesized based on the findings that have demonstrated the distinctive technological features of blockchains. It offers a solution for the privacy and security issues encountered by NLP, computer vision, and acoustic AI to boost the widespread adoption of AI applications in healthcare.

show abstract

Stealing Neural Networks via Timing Side Channels

Cited by 21 publications

References 26 publications

Hermes Attack: Steal DNN Models with Lossless Inference Accuracy

Hermes Attack: Steal DNN Models with Lossless Inference Accuracy

Power-Based Attacks on Spatial DNN Accelerators

Securing AI‐based healthcare systems using blockchain technology: A state‐of‐the‐art systematic literature review and future research directions

Contact Info

Product

Resources

About