A Closer Look at Evaluating the Bit-Flip Attack Against Deep Neural Networks

Hector, Kevin W.; Moëllic, Pierre-Alain; Dumont, Mathieu; Dutertre, Jean-Max

doi:10.1109/iolts56730.2022.9897693

Cited by 6 publications

(1 citation statement)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…When dealing with parameter extraction, a usual assumption is that the adversary knows A M . This is the case for cryptanalysis-like approaches [2,7], active learning techniques [16,19] and recent efforts relying on physical attacks such as side-channel (SCA) [1,8] or fault injection (FIA) [18,6] analysis. Interestingly, whatever the adversarial goal, victim model architecture is a crucial information: it is compulsory for fidelity scenarios, and its knowledge significantly strengthen attacker's abilities to succeed in task-performance ones [15].…”

Section: Model Extractionmentioning

confidence: 99%

A Practical Introduction to Side-Channel Extraction of Deep Neural Network Parameters

Joud

Moëllic

Pontié

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Model extraction is a growing concern for the security of AI systems. For deep neural network models, the architecture is the most important information an adversary aims to recover. Being a sequence of repeated computation blocks, neural network models deployed on edge-devices will generate distinctive side-channel leakages. The latter can be exploited to extract critical information when targeted platforms are physically accessible. By combining theoretical knowledge about deep learning practices and analysis of a widespread implementation library (ARM CMSIS-NN), our purpose is to answer this critical question: how far can we extract architecture information by simply examining an EM side-channel trace? For the first time, we propose an extraction methodology for traditional MLP and CNN models running on a high-end 32-bit microcontroller (Cortex-M7) that relies only on simple pattern recognition analysis. Despite few challenging cases, we claim that, contrary to parameters extraction, the complexity of the attack is relatively low and we highlight the urgent need for practicable protections that could fit the strong memory and latency requirements of such platforms.

show abstract

Section: Model Extractionmentioning

confidence: 99%

A Practical Introduction to Side-Channel Extraction of Deep Neural Network Parameters

Joud

Moëllic

Pontié

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

Evaluation of Parameter-Based Attacks Against Embedded Neural Networks with Laser Injection

Dumont,

Hector,

Moëllic

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Algorithmic and Implementation-Based Threats for the Security of Embedded Machine Learning Models

Moëllic,

Dumont,

Hector

et al. 2024

Studies in Computational Intelligence

View full text Add to dashboard Cite

The large-scale deployment of machine learning models in a wide variety of AI-based systems raises major security concerns related to their integrity, confidentiality and availability. These security issues encompass the overall traditional machine learning pipeline, including the training and the inference processes. In the case of embedded models deployed in physically accessible devices, the attack surface is particularly complex because of additional attack vectors exploiting implementation-based flaws. This chapter aims at describing the most important attacks that threaten state-of-the-art embedded machine learning models (especially deep neural networks) widely deployed in IoT applications (e.g., health, industry, transport) and highlighting new critical attack vectors that rely on side-channel and fault injection analysis and significantly extend the attack surface of AIoT systems (Artificial Intelligence of Things). More particularly, we focus on two advanced threats against models deployed in 32-bit microcontrollers: model extraction and weight-based adversarial attacks.

show abstract

A Closer Look at Evaluating the Bit-Flip Attack Against Deep Neural Networks

Cited by 6 publications

References 14 publications

A Practical Introduction to Side-Channel Extraction of Deep Neural Network Parameters

A Practical Introduction to Side-Channel Extraction of Deep Neural Network Parameters

Evaluation of Parameter-Based Attacks Against Embedded Neural Networks with Laser Injection

Algorithmic and Implementation-Based Threats for the Security of Embedded Machine Learning Models

Contact Info

Product

Resources

About