Paper 2024/913

SoK: Model Reverse Engineering Threats for Neural Network Hardware

Seetal Potluri, University at Albany, SUNY
Farinaz Koushanfar, University of California, San Diego
Abstract

There has been significant progress over the past seven years in model reverse engineering (RE) for neural network (NN) hardware. Although there has been systematization of knowledge (SoK) in an overall sense, however, the treatment from the hardware perspective has been far from adequate. To bridge this gap, this paper systematically categorizes the types of NN hardware used prevalently by the industry/academia, and also the model RE attacks/defenses published in each category. Further, we sub-categorize existing NN model RE attacks based on different criteria including the degree of hardware parallelism, threat vectors like side channels, fault-injection, scan-chain attacks, system-level attacks, type of asset under attack, the type of NN, exact versus approximate recovery, etc. We make important technical observations and identify key open research directions. Subsequently, we discuss the state-of-the-art defenses against NN model RE, identify certain categorization criteria, and compare the existing works based on these criteria. We note significant qualitative gaps for defenses, and suggest recommendations for important open research directions for protection of NN models. Finally, we discuss limitations of existing work in terms of the types of models where security evaluation or defenses were proposed, and suggest open problems in terms of protecting practically expensive model IPs.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Preprint.
Keywords
AI HardwareModel Reverse EngineeringHardware Security
Contact author(s)
spotluri @ albany edu
farinaz @ ucsd edu
History
2024-08-02: last of 6 revisions
2024-06-07: received
See all versions
Short URL
https://ia.cr/2024/913
License
Creative Commons Attribution-NonCommercial-ShareAlike
CC BY-NC-SA

BibTeX

@misc{cryptoeprint:2024/913,
      author = {Seetal Potluri and Farinaz Koushanfar},
      title = {{SoK}: Model Reverse Engineering Threats for Neural Network Hardware},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/913},
      year = {2024},
      url = {https://eprint.iacr.org/2024/913}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.