DeepEM: Deep Neural Networks Model Recovery through EM Side-Channel Information Leakage

Yu, Honggang; Ma, Haocheng; Yang, Kaichen; Zhao, Yiqiang; Jin, Yier

doi:10.1109/host45689.2020.9300274

Cited by 71 publications

(58 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The time domain is used according to Tramèr et al [5], because it links a layer's parameters with the execution time of its sequential computations. For each layer type, Yu et al [35] determine the number of parameters depending on the layer's hyperparameters. Because EM traces are closely linked to that number of parameters and the computations executed, they can use this to identify the layer types based on the EM signatures.…”

Section: Memory Access Pattern Attackmentioning

confidence: 99%

Side channel attacks for architecture extraction of neural networks

Chabanne

Danger

Guiga

et al. 2021

CAAI Trans on Intel Tech

View full text Add to dashboard Cite

Side channel attacks (SCAs) on neural networks (NNs) are particularly efficient for retrieving secret information from NNs. We differentiate multiple types of threat scenarios regarding what kind of information is available before the attack and its purpose: recovering hyperparameters (the architecture) of the targeted NN, its weights (parameters), or its inputs. In this survey article, we consider the most relevant attacks to extract the architecture of CNNs. We also categorize SCAs, depending on access with respect to the victim: physical, local, or remote. Attacks targeting the architecture via local SCAs are most common. As of today, physical access seems necessary to retrieve the weights of an NN. We notably describe cache attacks, which are local SCAs aiming to extract the NN's underlying architecture. Few countermeasures have emerged; these are presented at the end of the survey. This is an open access article under the terms of the Creative Commons Attribution License, which permits use, distribution and reproduction in any medium, provided the original work is properly cited.

show abstract

Section: Memory Access Pattern Attackmentioning

confidence: 99%

Side channel attacks for architecture extraction of neural networks

Chabanne

Danger

Guiga

et al. 2021

CAAI Trans on Intel Tech

View full text Add to dashboard Cite

show abstract

“…Dubey et al [24] have also demonstrated an attack that can successfully reveal the parameters of Binarized Neural Network (BNN) using Differential Power Analysis (DPA). DeepEM [173] reverse engineers the model structure of BNN through the EM side-channel of the FPGA accelerator. It exploits the synthetic dataset generated by Random, FeatureAdversary and FeatureFool algorithms to recover the binarized weight parameters.…”

Section: Side-channel Attacks On MLmentioning

confidence: 99%

Two Sides of the Same Coin: Boons and Banes of Machine Learning in Hardware Security

Liu

Chang

Wang

et al. 2021

IEEE J. Emerg. Sel. Topics Circuits Syst.

View full text Add to dashboard Cite

The last decade has witnessed remarkable research advances at the intersection of machine learning (ML) and hardware security. The confluence of the two technologies has created many interesting and unique opportunities, but also left some issues in their wake. ML schemes have been extensively used to enhance the security and trust of embedded systems like hardware Trojans and malware detection. On the other hand, ML-based approaches have also been adopted by adversaries to assist side-channel attacks, reverse engineer integrated circuits and break hardware security primitives like Physically Unclonable Functions (PUFs). Deep learning is a subfield of ML. It can continuously learn from a large amount of labeled data with a layered structure. Despite the impressive outcomes demonstrated by deep learning in many application scenarios, the dark side of it has not been fully exposed yet. The inability to fully understand and explain what has been done within the super-intelligence can turn an inherently benevolent system into malevolent. Recent research has revealed that the outputs of Deep Neural Networks (DNNs) can be easily corrupted by imperceptibly small input perturbations. As computations are brought nearer to the source of data creation, the attack surface of DNN has also been extended from the input data to the edge devices. Accordingly, due to the opportunities of MLassisted security and the vulnerabilities of ML implementation, in this paper, we will survey the applications, vulnerabilities and fortification of ML from the perspective of hardware security. We will discuss the possible future research directions, and thereby, sharing a roadmap for the hardware security community in general.

show abstract

“…Model extraction attacks against BNN hardware have been reported in recent years [3], [4]. Dubey et al [3] demonstrated an attack on the adder-tree function of the authors' custom BNN hardware.…”

Section: Introductionmentioning

confidence: 99%

“…Dubey et al [3] demonstrated an attack on the adder-tree function of the authors' custom BNN hardware. In [4], the authors recovered the architecture of a targeted BNN through timing analysis with electromagnetic (EM) emanations from the data bus of a BNN accelerator, and built substitute models using this information. Such attacks have encouraged recent works to analyze neural network structures with side-channel countermeasures [5].…”

Section: Introductionmentioning

confidence: 99%

“…The target BNN description is generated with an open source high-level design tool named GUINNESS [6]; this tool generates highly customizable BNN hardware descriptions based on parallel pipelined convolutional circuits for Xilinx FPGAs. Because of their advantages such as implementation speed and high customizability, it is likely that complex BNN constructions will be generated rather than custom designed manually, such as those targeted in previous works [3], [4]. In this work, our target is a generated hardware network that classifies the MNIST [7] handwritten numerals dataset, implemented on an FPGA.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Extraction of Binarized Neural Network Architecture and Secret Parameters Using Side-Channel Information

Yli-Mäyry

Ito

Homma

et al. 2021

2021 IEEE International Symposium on Circuits and Systems (ISCAS)

View full text Add to dashboard Cite

In recent years, neural networks have been applied to various applications. To speed up the evaluation, a method using binarized network weights has been introduced, facilitating extremely efficient hardware implementation. Using electromagnetic (EM) side-channel analysis techniques, this study presents a framework of model extraction from practical binarized neural network (BNN) hardware. The target BNN hardware is generated and synthesized using open-source and commercial high-level synthesis tools GUINNESS and Xilinx SDSoC, respectively. With the hardware implemented on an up-to-date FPGA chip, we demonstrate how the layers can be identified from a single EM trace measured during the network evaluation, and we also demonstrate how an attacker may use side-channel attacks to recover secret weights used in the network.Index Terms-machine learning, high-level synthesis, sidechannel attacks, binarized neural network, model extraction

show abstract

DeepEM: Deep Neural Networks Model Recovery through EM Side-Channel Information Leakage

Cited by 71 publications

References 24 publications

Side channel attacks for architecture extraction of neural networks

Side channel attacks for architecture extraction of neural networks

Two Sides of the Same Coin: Boons and Banes of Machine Learning in Hardware Security

Extraction of Binarized Neural Network Architecture and Secret Parameters Using Side-Channel Information

Contact Info

Product

Resources

About