DeepTheft: Stealing DNN Model Architectures through Power Side Channel
- URL: http://arxiv.org/abs/2309.11894v1
- Date: Thu, 21 Sep 2023 08:58:14 GMT
- Title: DeepTheft: Stealing DNN Model Architectures through Power Side Channel
- Authors: Yansong Gao, Huming Qiu, Zhi Zhang, Binghui Wang, Hua Ma, Alsharif Abuadbba, Minhui Xue, Anmin Fu, Surya Nepal
- Abstract summary: Deep Neural Network (DNN) models are often deployed in resource-sharing clouds as Machine Learning as a Service (MLaaS) to provide inference services.
To steal model architectures, which are valuable intellectual property, a class of attacks has been proposed via different side-channel leakage.
We propose a new end-to-end attack, DeepTheft, to accurately recover complex DNN model architectures on general processors via the RAPL-based power side channel.
- Score: 42.380259435613354
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Deep Neural Network (DNN) models are often deployed in resource-sharing clouds as Machine Learning as a Service (MLaaS) to provide inference services. To steal model architectures, which are valuable intellectual property, a class of attacks has been proposed via different side-channel leakage, posing a serious security challenge to MLaaS. Also targeting MLaaS, we propose a new end-to-end attack, DeepTheft, to accurately recover complex DNN model architectures on general processors via the RAPL-based power side channel. However, an attacker can acquire only a low sampling rate (1 KHz) of the time-series energy traces from the RAPL interface, rendering existing techniques ineffective in stealing large and deep DNN models. To this end, we design a novel and generic learning-based framework consisting of a set of meta-models, based on which DeepTheft is demonstrated to have high accuracy in recovering a large number (thousands) of model architectures from different model families, including the deepest ResNet152. In particular, DeepTheft has achieved a Levenshtein Distance Accuracy of 99.75% in recovering network structures, and a weighted average F1 score of 99.60% in recovering diverse layer-wise hyperparameters. Besides, our proposed learning framework is general to other time-series side-channel signals. To validate its generalization, another existing side channel is exploited, i.e., CPU frequency. Different from RAPL, CPU frequency is accessible to unprivileged users in bare-metal OSes. By using our generic learning framework trained against CPU frequency traces, DeepTheft has shown similarly high attack performance in stealing model architectures.
Related papers
- Stealing the Invisible: Unveiling Pre-Trained CNN Models through Adversarial Examples and Timing Side-Channels [14.222432788661914]
We present an approach based on the observation that the classification patterns of adversarial images can be used as a means to steal the models.
Our approach exploits varying misclassifications of adversarial images across different models to fingerprint several renowned Convolutional Neural Network (CNN) and Vision Transformer (ViT) architectures.
arXiv Detail & Related papers (2024-02-19T08:47:20Z)
- Securing Graph Neural Networks in MLaaS: A Comprehensive Realization of Query-based Integrity Verification [68.86863899919358]
We introduce a groundbreaking approach to protect GNN models in Machine Learning from model-centric attacks.
Our approach includes a comprehensive verification schema for GNN integrity, taking into account both transductive and inductive GNNs.
We propose a query-based verification technique, fortified with innovative node fingerprint generation algorithms.
arXiv Detail & Related papers (2023-12-13T03:17:05Z)
- Like an Open Book? Read Neural Network Architecture with Simple Power Analysis on 32-bit Microcontrollers [0.0]
A neural network model's architecture is the most important information an adversary aims to recover.
For the first time, we propose an extraction methodology for traditional and CNN models running on a high-end 32-bit microcontroller.
Despite a few challenging cases, we claim that, contrary to parameter extraction, the complexity of the attack is relatively low.
arXiv Detail & Related papers (2023-11-02T15:55:20Z)
- EZClone: Improving DNN Model Extraction Attack via Shape Distillation from GPU Execution Profiles [0.1529342790344802]
Deep Neural Networks (DNNs) have become ubiquitous due to their performance on prediction and classification problems.
They face a variety of threats as their usage spreads.
Model extraction attacks, which steal DNNs, endanger intellectual property, data privacy, and security.
We propose two techniques catering to various threat models.
arXiv Detail & Related papers (2023-04-06T21:40:09Z)
- ObfuNAS: A Neural Architecture Search-based DNN Obfuscation Approach [25.5826067429808]
Malicious architecture extraction has been emerging as a crucial concern for deep neural network (DNN) security.
We propose ObfuNAS, which converts DNN architecture obfuscation into a neural architecture search (NAS) problem.
We validate the performance of ObfuNAS with open-source architecture datasets like NAS-Bench-101 and NAS-Bench-301.
arXiv Detail & Related papers (2022-08-17T23:25:42Z)
- DeepSteal: Advanced Model Extractions Leveraging Efficient Weight Stealing in Memories [26.067920958354]
One of the major threats to the privacy of Deep Neural Networks (DNNs) is model extraction attacks.
Recent studies show hardware-based side channel attacks can reveal internal knowledge about DNN models (e.g., model architectures).
We propose an advanced model extraction attack framework, DeepSteal, that effectively steals DNN weights with the aid of a memory side-channel attack.
arXiv Detail & Related papers (2021-11-08T16:55:45Z)
- Learning to Estimate RIS-Aided mmWave Channels [50.15279409856091]
We focus on uplink cascaded channel estimation, where known and fixed base station combining and RIS phase control matrices are considered for collecting observations.
To boost the estimation performance and reduce the training overhead, the inherent channel sparsity of mmWave channels is leveraged in the deep unfolding method.
It is verified that the proposed deep unfolding network architecture can outperform the least squares (LS) method with a relatively smaller training overhead and online computational complexity.
arXiv Detail & Related papers (2021-07-27T06:57:56Z)
- ANNETTE: Accurate Neural Network Execution Time Estimation with Stacked Models [56.21470608621633]
We propose a time estimation framework to decouple the architectural search from the target hardware.
The proposed methodology extracts a set of models from micro-kernel and multi-layer benchmarks and generates a stacked model for mapping and network execution time estimation.
We compare estimation accuracy and fidelity of the generated mixed models, statistical models with the roofline model, and a refined roofline model for evaluation.
arXiv Detail & Related papers (2021-05-07T11:39:05Z)
- Neural Architecture Search For LF-MMI Trained Time Delay Neural Networks [61.76338096980383]
A range of neural architecture search (NAS) techniques are used to automatically learn two types of hyper-parameters of state-of-the-art factored time delay neural networks (TDNNs).
These include the DARTS method integrating architecture selection with lattice-free MMI (LF-MMI) TDNN training.
Experiments conducted on a 300-hour Switchboard corpus suggest the auto-configured systems consistently outperform the baseline LF-MMI TDNN systems.
arXiv Detail & Related papers (2020-07-17T08:32:11Z)
- Scalable Backdoor Detection in Neural Networks [61.39635364047679]
Deep learning models are vulnerable to Trojan attacks, where an attacker can install a backdoor during training time to make the resultant model misidentify samples contaminated with a small trigger patch.
We propose a novel trigger reverse-engineering based approach whose computational complexity does not scale with the number of labels, and is based on a measure that is both interpretable and universal across different network and patch types.
In experiments, we observe that our method achieves a perfect score in separating Trojaned models from pure models, which is an improvement over the current state-of-the-art method.
arXiv Detail & Related papers (2020-06-10T04:12:53Z)