Stealing Neural Network Structure Through Remote FPGA Side-Channel Analysis

Citations: 38
Authors
Zhang, Yicheng [1]
Yasaei, Rozhin [1]
Chen, Hao [1]
Li, Zhou [1]
Al Faruque, Mohammad Abdullah [1]
Affiliations
[1] Univ Calif Irvine, Dept Elect Engn & Comp Sci, Irvine, CA 92617 USA
Keywords
Field programmable gate arrays; Cloud computing; Computational modeling; Analytical models; Integrated circuit modeling; Hardware; Inverters; Deep neural network; cloud FPGA; side-channel analysis; hardware trojan; ATTACKS;
DOI
10.1109/TIFS.2021.3106169
Chinese Library Classification number
TP301 [Theory, Methods];
Discipline classification code
081202;
Abstract
Deep Neural Network (DNN) models have been extensively developed by companies for a wide range of applications. The development of a customized DNN model with great performance requires costly investments, and its structure (layers and hyper-parameters) is considered intellectual property and holds immense value. However, in this paper, we found the model secret is vulnerable when a cloud-based FPGA accelerator executes it. We demonstrate an end-to-end attack based on remote power side-channel analysis and machine-learning-based secret inference against different DNN models. The evaluation result shows that an attacker can reconstruct the layer and hyper-parameter sequence at over 90% accuracy using our method, which can significantly reduce her model development workload. We believe the threat presented by our attack is tangible, and new defense mechanisms should be developed against this threat.
Pages: 4377 / 4388
Number of pages: 12