Paper 2023/368

AI Attacks AI: Recovering Neural Network architecture from NVDLA using AI-assisted Side Channel Attack

Naina Gupta, Nanyang Technological University
Arpan Jati, Nanyang Technological University, Indraprastha Institute of Information Technology Delhi
Anupam Chattopadhyay, Nanyang Technological University
Abstract

During the last decade, there has been a stunning progress in the domain of AI with adoption in both safety-critical and security-critical applications. A key requirement for this is highly trained Machine Learning (ML) models, which are valuable Intellectual Property (IP) of the respective organizations. Naturally, these models have become targets for model recovery attacks through side-channel leakage. However, majority of the attacks reported in literature are either on simple embedded devices or assume a custom Vivado HLS based FPGA accelerator. On the other hand, for commercial neural network accelerators, such as Google TPU, Intel Compute Stick and NVDLA, there are relatively fewer successful attacks. Focussing on that direction, in this work, we study the vulnerabilities of commercial open-source accelerator NVDLA and present the first successful model recovery attack. For this purpose, we use power and timing side-channel leakage information from Convolutional Neural Network (CNN) models to train CNN based attack models. Utilizing these attack models, we demonstrate that even with a highly pipelined architecture, multiple parallel execution in the accelerator along with Linux OS running tasks in the background, recovery of number of layers, kernel sizes, output neurons and distinguishing different layers, is possible with very high accuracy. Our solution is fully automated, and portable to other hardware neural networks, thus presenting a greater threat towards IP protection.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
AIMLIP StealingSide-ChannelNVDLA
Contact author(s)
naina003 @ e ntu edu sg
arpan jati @ ntu edu sg
anupam @ ntu edu sg
History
2023-03-16: approved
2023-03-14: received
See all versions
Short URL
https://ia.cr/2023/368
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/368,
      author = {Naina Gupta and Arpan Jati and Anupam Chattopadhyay},
      title = {{AI} Attacks {AI}: Recovering Neural Network architecture from {NVDLA} using {AI}-assisted Side Channel Attack},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/368},
      year = {2023},
      url = {https://eprint.iacr.org/2023/368}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.