Maria Méndez Real,Rubén Salvador

DOI: https://doi.org/10.3390/app11156790

2021-10-22

Abstract:During the last decade, Deep Neural Networks (DNN) have progressively been integrated on all types of platforms, from data centers to embedded systems including low-power processors and, recently, FPGAs. Neural Networks (NN) are expected to become ubiquitous in IoT systems by transforming all sorts of real-world applications, including applications in the safety-critical and security-sensitive domains. However, the underlying hardware security vulnerabilities of embedded NN implementations remain unaddressed. In particular, embedded DNN implementations are vulnerable to Side-Channel Analysis (SCA) attacks, which are especially important in the IoT and edge computing contexts where an attacker can usually gain physical access to the targeted device. A research field has therefore emerged and is rapidly growing in terms of the use of SCA including timing, electromagnetic attacks and power attacks to target NN embedded implementations. Since 2018, research papers have shown that SCA enables an attacker to recover inference models architectures and parameters, to expose industrial IP and endangers data confidentiality and privacy. Without a complete review of this emerging field in the literature so far, this paper surveys state-of-the-art physical SCA attacks relative to the implementation of embedded DNNs on micro-controllers and FPGAs in order to provide a thorough analysis on the current landscape. It provides a taxonomy and a detailed classification of current attacks. It first discusses mitigation techniques and then provides insights for future research leads.

Cryptography and Security,Machine Learning,Neural and Evolutionary Computing

Jakub Breier,Dirmanto Jap,Xiaolu Hou,Shivam Bhasin

DOI: https://doi.org/10.48550/arXiv.2303.18132

2023-03-25

Abstract:Model extraction attacks have been widely applied, which can normally be used to recover confidential parameters of neural networks for multiple layers. Recently, side-channel analysis of neural networks allows parameter extraction even for networks with several multiple deep layers with high effectiveness. It is therefore of interest to implement a certain level of protection against these attacks. In this paper, we propose a desynchronization-based countermeasure that makes the timing analysis of activation functions harder. We analyze the timing properties of several activation functions and design the desynchronization in a way that the dependency on the input and the activation type is hidden. We experimentally verify the effectiveness of the countermeasure on a 32-bit ARM Cortex-M4 microcontroller and employ a t-test to show the side-channel information leakage. The overhead ultimately depends on the number of neurons in the fully-connected layer, for example, in the case of 4096 neurons in VGG-19, the overheads are between 2.8% and 11%.

Cryptography and Security,Machine Learning

Lejla Batina,Shivam Bhasin,Dirmanto Jap,Stjepan Picek

DOI: https://doi.org/10.48550/arXiv.1810.09076

2018-10-22

Abstract:Machine learning has become mainstream across industries. Numerous examples proved the validity of it for security applications. In this work, we investigate how to reverse engineer a neural network by using only power side-channel information. To this end, we consider a multilayer perceptron as the machine learning architecture of choice and assume a non-invasive and eavesdropping attacker capable of measuring only passive side-channel leakages like power consumption, electromagnetic radiation, and reaction time. We conduct all experiments on real data and common neural net architectures in order to properly assess the applicability and extendability of those attacks. Practical results are shown on an ARM CORTEX-M3 microcontroller. Our experiments show that the side-channel attacker is capable of obtaining the following information: the activation functions used in the architecture, the number of layers and neurons in the layers, the number of output classes, and weights in the neural network. Thus, the attacker can effectively reverse engineer the network using side-channel information. Next, we show that once the attacker has the knowledge about the neural network architecture, he/she could also recover the inputs to the network with only a single-shot measurement. Finally, we discuss several mitigations one could use to thwart such attacks.

Cryptography and Security

Raphael Joud,Pierre-Alain Moellic,Simon Pontie,Jean-Baptiste Rigaud

2024-02-06

Abstract:Model extraction is a growing concern for the security of AI systems. For deep neural network models, the architecture is the most important information an adversary aims to recover. Being a sequence of repeated computation blocks, neural network models deployed on edge-devices will generate distinctive side-channel leakages. The latter can be exploited to extract critical information when targeted platforms are physically accessible. By combining theoretical knowledge about deep learning practices and analysis of a widespread implementation library (ARM CMSIS-NN), our purpose is to answer this critical question: how far can we extract architecture information by simply examining an EM side-channel trace? For the first time, we propose an extraction methodology for traditional MLP and CNN models running on a high-end 32-bit microcontroller (Cortex-M7) that relies only on simple pattern recognition analysis. Despite few challenging cases, we claim that, contrary to parameters extraction, the complexity of the attack is relatively low and we highlight the urgent need for practicable protections that could fit the strong memory and latency requirements of such platforms.

Cryptography and Security,Artificial Intelligence,Machine Learning

Jiafeng Cheng,Nengyuan Sun,Wenrui Liu,Zhaokang Peng,Chunyang Wang,Caiban Sun,Yufei Wang,Yijian Bi,Yiming Wen,Hongliu Zhang,Pengcheng Zhang,Selcuk Kose,Weize Yu

DOI: https://doi.org/10.1142/s0218126623200013

2022-01-01

Abstract:Side-channel attacks (SCAs) are powerful noninvasive attacks that can be used for leaking the secret key of integrated circuits (ICs). Numerous countermeasures were proposed to elevate the security level of ICs against SCAs. Unfortunately, it is quite inconvenient to predict the security levels of these countermeasures since no solid mathematical model exists in the literature. In this paper, neural network (NN)-based entropy is proposed to model the resilience of a system against SCAs. The NN-based entropy model well links the side-channel leakages and probabilities with the neurons and weights of NNs, respectively. In such a circumstance, the NN-based entropy can be used for modeling the robustness of countermeasures since a one-to-one relationship is established between the NN-based entropy and the measurement-to-disclose (MTD) enhancement ratio related with the countermeasures. As demonstrated in the result, the proposed NN-based entropy metric shows 100% consistency with the MTD enhancement ratio if multiple SCA countermeasures are employed into a system.

Ya Gao,Haocheng Ma,Mingkai Yan,Jiaji He,Yiqiang Zhao,Yier Jin

DOI: https://doi.org/10.1109/AsianHOST59942.2023.10409396

2023-01-01

Abstract:Side channel analysis (SCA) attacks have become emerging threats to AI algorithms and deep neural network (DNN) models. However, most existing SCA attacks focus on extracting models deployed on embedded devices, such as microcontrollers. Accurate SCA attacks on extracting DNN models deployed on AI accelerators are largely missing, leaving researchers with an (improper) assumption that DNNs on AI accelerators may be immune to SCA attacks due to their complexity. In this paper, we propose a novel method, namely NNLeak to extract complete DNN models on FPGA-based AI accelerators. To achieve this goal, NNLeak first exploits simple power analysis (SPA) to identify model architecture. Then a multi-stage correlation power analysis (CPA) is designed to recover model weights accurately. Finally, NNLeak determines the activation functions of DNN models through an AI-oriented classifier. The efficacy of NNLeak is validated on FPGA implementations of two DNN models, including multilayer perceptron (MLP) and LeNet. Experimental results show that NNLeak can successfully extract complete DNN models within 2000 power traces.

Jiafeng Cheng,Nengyuan Sun,Wenrui Liu,Zhaokang Peng,Chunyang Wang,Caiban Sun,Yufei Wang,Yijian Bi,Yiming Wen,Hongliu Zhang,Pengcheng Zhang,Selcuk Kose,Weize Yu

DOI: https://doi.org/10.1142/S0218126623200013

2023-01-01

Abstract:Side-channel attacks (SCAs) are powerful noninvasive attacks that can be used for leaking the secret key of integrated circuits (ICs). Numerous countermeasures were proposed to elevate the security level of ICs against SCAs. Unfortunately, it is quite inconvenient to predict the security levels of these countermeasures since no solid mathematical model exists in the literature. In this paper, neural network (NN)-based entropy is proposed to model the resilience of a system against SCAs. The NN-based entropy model well links the side-channel leakages and probabilities with the neurons and weights of NNs, respectively. In such a circumstance, the NN-based entropy can be used for modeling the robustness of countermeasures since a one-to-one relationship is established between the NN-based entropy and the measurement-to-disclose (MTD) enhancement ratio related with the countermeasures. As demonstrated in the result, the proposed NN-based entropy metric shows 100% consistency with the MTD enhancement ratio if multiple SCA countermeasures are employed into a system.

Raphael Joud,Pierre-Alain Moellic,Simon Pontie,Jean-Baptiste Rigaud

DOI: https://doi.org/10.48550/arXiv.2211.05590

2022-11-10

Abstract:Model extraction is a major threat for embedded deep neural network models that leverages an extended attack surface. Indeed, by physically accessing a device, an adversary may exploit side-channel leakages to extract critical information of a model (i.e., its architecture or internal parameters). Different adversarial objectives are possible including a fidelity-based scenario where the architecture and parameters are precisely extracted (model cloning). We focus this work on software implementation of deep neural networks embedded in a high-end 32-bit microcontroller (Cortex-M7) and expose several challenges related to fidelity-based parameters extraction through side-channel analysis, from the basic multiplication operation to the feed-forward connection through the layers. To precisely extract the value of parameters represented in the single-precision floating point IEEE-754 standard, we propose an iterative process that is evaluated with both simulations and traces from a Cortex-M7 target. To our knowledge, this work is the first to target such an high-end 32-bit platform. Importantly, we raise and discuss the remaining challenges for the complete extraction of a deep neural network model, more particularly the critical case of biases.

Cryptography and Security,Machine Learning

Saurav Maji,Kyungmi Lee,Anantha P. Chandrakasan

DOI: https://doi.org/10.1109/lca.2024.3397730

IF: 2.3

2024-06-04

IEEE Computer Architecture Letters

Abstract:This letter explores security vulnerabilities in sparsity-aware optimizations for Neural Network (NN) platforms, specifically focusing on timing side-channel attacks introduced by optimizations such as skipping sparse multiplications. We propose a classification prediction attack that utilizes this timing side-channel information to mimic the NN's prediction outcomes. Our techniques were demonstrated for CIFAR-10, MNIST, and biomedical classification tasks using diverse dataflows and processing loads in timing models. The demonstrated results could predict the original classification decision with high accuracy.

computer science, hardware & architecture

Honggang Yu,Haocheng Ma,Kaichen Yang,Yiqiang Zhao,Yier Jin

DOI: https://doi.org/10.1109/HOST45689.2020.9300274

2020-01-01

Abstract:Neural Network (NN) accelerators are currently widely deployed in various security-crucial scenarios, including image recognition, natural language processing and autonomous vehicles. Due to economic and privacy concerns, the hardware implementations of structures and designs inside NN accelerators are usually inaccessible to the public. However, these accelerators still tend to leak crucial information through Electromagnetic (EM) side channels in addition to timing and power information. In this paper, we propose an effective and efficient model stealing attack against current popular large-scale NN accelerators deployed on hardware platforms through side-channel information. Specifically, the proposed attack approach contains two stages: 1) Inferring the underlying network architecture through EM sidechannel information; 2) Estimating the parameters, especially the weights, through a margin-based, adversarial active learning method. The experimental results show that the proposed attack approach can accurately recover the large-scale NN through EM side-channel information leakages. Overall, our attack highlights the importance of masking EM traces for large-scale NN accelerators in real-world applications.

Yansong Gao,Huming Qiu,Zhi Zhang,Binghui Wang,Hua Ma,Alsharif Abuadbba,Minhui Xue,Anmin Fu,Surya Nepal

2023-09-21

Abstract:Deep Neural Network (DNN) models are often deployed in resource-sharing clouds as Machine Learning as a Service (MLaaS) to provide inference <a class="link-external link-http" href="http://services.To" rel="external noopener nofollow">this http URL</a> steal model architectures that are of valuable intellectual properties, a class of attacks has been proposed via different side-channel leakage, posing a serious security challenge to MLaaS. Also targeting MLaaS, we propose a new end-to-end attack, DeepTheft, to accurately recover complex DNN model architectures on general processors via the RAPL-based power side channel. However, an attacker can acquire only a low sampling rate (1 KHz) of the time-series energy traces from the RAPL interface, rendering existing techniques ineffective in stealing large and deep DNN models. To this end, we design a novel and generic learning-based framework consisting of a set of meta-models, based on which DeepTheft is demonstrated to have high accuracy in recovering a large number (thousands) of models architectures from different model families including the deepest ResNet152. Particularly, DeepTheft has achieved a Levenshtein Distance Accuracy of 99.75% in recovering network structures, and a weighted average F1 score of 99.60% in recovering diverse layer-wise hyperparameters. Besides, our proposed learning framework is general to other time-series side-channel signals. To validate its generalization, another existing side channel is exploited, i.e., CPU frequency. Different from RAPL, CPU frequency is accessible to unprivileged users in bare-metal OSes. By using our generic learning framework trained against CPU frequency traces, DeepTheft has shown similarly high attack performance in stealing model architectures.

Cryptography and Security

Raphaël Joud,Pierre-Alain Moellic,Rémi Bernhard,Jean-Baptiste Rigaud

DOI: https://doi.org/10.48550/arXiv.2105.01401

2021-05-04

Abstract:Utilization of Machine Learning (ML) algorithms, especially Deep Neural Network (DNN) models, becomes a widely accepted standard in many domains more particularly IoT-based systems. DNN models reach impressive performances in several sensitive fields such as medical diagnosis, smart transport or security threat detection, and represent a valuable piece of Intellectual Property. Over the last few years, a major trend is the large-scale deployment of models in a wide variety of devices. However, this migration to embedded systems is slowed down because of the broad spectrum of attacks threatening the integrity, confidentiality and availability of embedded models. In this review, we cover the landscape of attacks targeting the confidentiality of embedded DNN models that may have a major impact on critical IoT systems, with a particular focus on model extraction and data leakage. We highlight the fact that Side-Channel Analysis (SCA) is a relatively unexplored bias by which model's confidentiality can be compromised. Input data, architecture or parameters of a model can be extracted from power or electromagnetic observations, testifying a real need from a security point of view.

Cryptography and Security,Artificial Intelligence

Yun Xiang,Zhuangzhi Chen,Zuohui Chen,Zebin Fang,Haiyang Hao,Jinyin Chen,Yi Liu,Zhefu Wu,Qi Xuan,Xiaoniu Yang

DOI: https://doi.org/10.1109/tcsii.2020.2973007

2020-11-01

Abstract:Deep neural networks are becoming popular and important assets of many AI companies. However, recent studies indicate that they are also vulnerable to adversarial attacks. Adversarial attacks can be either white-box or black-box. The white-box attacks assume full knowledge of the models while the black-box ones assume none. In general, revealing more internal information can enable much more powerful and efficient attacks. However, in most real-world applications, the internal information of embedded AI devices is unavailable. Therefore, in this brief, we propose a side-channel information based technique to reveal the internal information of black-box models. Specifically, we have made the following contributions: (1) different from previous works, we use side-channel information to reveal internal network architecture in embedded devices; (2) we construct models for internal parameter estimation that no research has been reached yet; and (3) we validate our methods on real-world devices and applications. The experimental results show that our method can achieve 96.50% accuracy on average. Such results suggest that we should pay strong attention to the security problem of many AI devices, and further propose corresponding defensive strategies in the future.

Xiangyin Kong,Zhiqiang Ge

DOI: https://doi.org/10.1109/tii.2021.3093386

IF: 12.3

2021-01-01

IEEE Transactions on Industrial Informatics

Abstract:Neural-network-based soft sensors are widely employed in the industrial process. Such models have great significance to smart manufacturing. Considering the strict requirements of industrial production, it is vital to ensure the safety and robustness of these models in their actual deployment. However, recent research has shown that neural networks are quite vulnerable to adversarial attacks. By imposing tiny perturbation to the original sample, the fabricated adversarial sample can cheat these models to make wrong decisions. Such a phenomenon may bring serious trouble to the practical application of soft sensors. This article focuses on the adversarial attacks on industrial soft sensors. For the first time, we verify and analyze the effectiveness and deficiencies of the existing attack methods in the industrial soft sensor scenario. Based on solving these defects, this article proposes a novel perspective for attacking soft sensors. We analyze the optimization mechanism behind this new idea and then design two algorithms to perform attacks. The proposed methods more conform to the actual situation. Besides, compared with the existing approaches, the proposed methods have potentials to cause severer damages since their attacks are not only more concealed but also more likely to cheat the technicians to execute wrong operations. The research and analyses of the proposed methods lay a solid foundation for more thorough defenses against various attacks, which is quite necessary for making the deployed soft sensors more robust and secure.

Dimitrios Serpanos,Shengqi Yang,Marilyn Wolf

DOI: https://doi.org/10.1109/dac18072.2020.9218511

2020-01-01

Abstract:This paper surveys results in the use of neural networks and deep learning in two areas of hardware security: power attacks and physically-unclonable functions (PUFs).

Rabin Yu Acharya,Fatemeh Ganji,Domenic Forte

DOI: https://doi.org/10.48550/arXiv.2105.00117

2022-10-15

Abstract:Profiled side-channel analysis (SCA) leverages leakage from cryptographic implementations to extract the secret key. When combined with advanced methods in neural networks (NNs), profiled SCA can successfully attack even those crypto-cores assumed to be protected against SCA. Despite the rise in the number of studies devoted to NN-based SCA, a range of questions has remained unanswered, namely: how to choose an NN with an adequate configuration, how to tune the NN's hyperparameters, when to stop the training, etc. Our proposed approach, ``InfoNEAT,'' tackles these issues in a natural way. InfoNEAT relies on the concept of neural structure search, enhanced by information-theoretic metrics to guide the evolution, halt it with novel stopping criteria, and improve time-complexity and memory footprint. The performance of InfoNEAT is evaluated by applying it to publicly available datasets composed of real side-channel measurements. In addition to the considerable advantages regarding the automated configuration of NNs, InfoNEAT demonstrates significant improvements over other approaches for effective key recovery in terms of the number of epochs (e.g.,x6 faster) and the number of attack traces compared to both MLPs and CNNs (e.g., up to 1000s fewer traces to break a device) as well as a reduction in the number of trainable parameters compared to MLPs (e.g., by the factor of up to 32). Furthermore, through experiments, it is demonstrated that InfoNEAT's models are robust against noise and desynchronization in traces.

Cryptography and Security

Shuguo Yang,Yongbin Zhou,Jiye Liu,Danyang Chen

DOI: https://doi.org/10.1007/978-3-642-31912-9_12

2012-01-01

Abstract:Side-channel attacks have posed serious threats to the physical security of cryptographic implementations. However, the effectiveness of these attacks strongly depends on the accuracy of underlying side-channel leakage characterization. Known leakage characterization models do not always apply into the real scenarios as they are working on some unrealistic assumptions about the leaking devices. In light of this, we propose a back propagation neural network based power leakage characterization attack for cryptographic devices. This attack makes full use of the intrinsic advantage of neural network in profiling non-linear mapping relationship as one basic machine learning tool, transforms the task of leakage profiling into a neural-network-supervised study process. In addition, two new attacks using this model have also been proposed, namely BP-CPA and BP-MIA. In order to justify the validity and accuracy of proposed attacks, we perform a series of experiments and carry out a detailed comparative study of them in multiple scenarios, with twelve typical attacks using mainstream power leakage characterization attacks, the results of which are measured by quantitative metrics such as SR, GE and DL. It has been turned out that BP neural network based power leakage characterization attack can largely improve the effectiveness of the attacks, regardless of the impact of noise and the limited number of power traces. Taking CPA only as one example, BP-CPA is 16.5% better than existing non-linear leakage characterized based attacks with respect to DL, and is 154% better than original CPA.

Dirmanto Jap,Jakub Breier,Zdenko Lehocký,Shivam Bhasin,Xiaolu Hou

2024-08-20

Abstract:Embedded devices with neural network accelerators offer great versatility for their users, reducing the need to use cloud-based services. At the same time, they introduce new security challenges in the area of hardware attacks, the most prominent being side-channel analysis (SCA). It was shown that SCA can recover model parameters with a high accuracy, posing a threat to entities that wish to keep their models confidential. In this paper, we explore the susceptibility of quantized models implemented in OpenVINO, an embedded framework for deploying neural networks on embedded and Edge devices. We show that it is possible to recover model parameters with high precision, allowing the recovered model to perform very close to the original one. Our experiments on GoogleNet v1 show only a 1% difference in the Top 1 and a 0.64% difference in the Top 5 accuracies.

Cryptography and Security,Artificial Intelligence

Yicheng Zhang,Rozhin Yasaei,Hao Chen,Zhou Li,Mohammad Abdullah Al Faruque

DOI: https://doi.org/10.1109/tifs.2021.3106169

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Deep Neural Network (DNN) models have been extensively developed by companies for a wide range of applications. The development of a customized DNN model with great performance requires costly investments, and its structure (layers and hyper-parameters) is considered intellectual property and holds immense value. However, in this paper, we found the model secret is vulnerable when a cloud-based FPGA accelerator executes it. We demonstrate an end-to-end attack based on remote power side-channel analysis and machine-learning-based secret inference against different DNN models. The evaluation result shows that an attacker can reconstruct the layer and hyper-parameter sequence at over 90% accuracy using our method, which can significantly reduce her model development workload. We believe the threat presented by our attack is tangible, and new defense mechanisms should be developed against this threat.

computer science, theory & methods,engineering, electrical & electronic

Shayan Moini,Shanquan Tian,Jakub Szefer,Daniel Holcomb,Russell Tessier

DOI: https://doi.org/10.48550/arXiv.2011.07603

2021-04-18

Abstract:To lower cost and increase the utilization of Cloud Field-Programmable Gate Arrays (FPGAs), researchers have recently been exploring the concept of multi-tenant FPGAs, where multiple independent users simultaneously share the same remote FPGA. Despite its benefits, multi-tenancy opens up the possibility of malicious users co-locating on the same FPGA as a victim user, and extracting sensitive information. This issue becomes especially serious when the user is running a machine learning algorithm that is processing sensitive or private information. To demonstrate the dangers, this paper presents a remote, power-based side-channel attack on a deep neural network accelerator running in a variety of Xilinx FPGAs and also on Cloud FPGAs using Amazon Web Services (AWS) F1 instances. This work in particular shows how to remotely obtain voltage estimates as a deep neural network inference circuit executes, and how the information can be used to recover the inputs to the neural network. The attack is demonstrated with a binarized convolutional neural network used to recognize handwriting images from the MNIST handwritten digit database. With the use of precise time-to-digital converters for remote voltage estimation, the MNIST inputs can be successfully recovered with a maximum normalized cross-correlation of 79% between the input image and the recovered image on local FPGA boards and 72% on AWS F1 instances. The attack requires no physical access nor modifications to the FPGA hardware.

Cryptography and Security