Paper 2023/368
AI Attacks AI: Recovering Neural Network architecture from NVDLA using AI-assisted Side Channel Attack
Abstract
During the last decade, there has been a stunning progress in the domain of AI with adoption in both safety-critical and security-critical applications. A key requirement for this is highly trained Machine Learning (ML) models, which are valuable Intellectual Property (IP) of the respective organizations. Naturally, these models have become targets for model recovery attacks through side-channel leakage. However, majority of the attacks reported in literature are either on simple embedded devices or assume a custom Vivado HLS based FPGA accelerator. On the other hand, for commercial neural network accelerators, such as Google TPU, Intel Compute Stick and NVDLA, there are relatively fewer successful attacks. Focussing on that direction, in this work, we study the vulnerabilities of commercial open-source accelerator NVDLA and present the first successful model recovery attack. For this purpose, we use power and timing side-channel leakage information from Convolutional Neural Network (CNN) models to train CNN based attack models. Utilizing these attack models, we demonstrate that even with a highly pipelined architecture, multiple parallel execution in the accelerator along with Linux OS running tasks in the background, recovery of number of layers, kernel sizes, output neurons and distinguishing different layers, is possible with very high accuracy. Our solution is fully automated, and portable to other hardware neural networks, thus presenting a greater threat towards IP protection.
Metadata
- Available format(s)
- Category
- Attacks and cryptanalysis
- Publication info
- Preprint.
- Keywords
- AIMLIP StealingSide-ChannelNVDLA
- Contact author(s)
-
naina003 @ e ntu edu sg
arpan jati @ ntu edu sg
anupam @ ntu edu sg - History
- 2023-03-16: approved
- 2023-03-14: received
- See all versions
- Short URL
- https://ia.cr/2023/368
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2023/368, author = {Naina Gupta and Arpan Jati and Anupam Chattopadhyay}, title = {{AI} Attacks {AI}: Recovering Neural Network architecture from {NVDLA} using {AI}-assisted Side Channel Attack}, howpublished = {Cryptology {ePrint} Archive, Paper 2023/368}, year = {2023}, url = {https://eprint.iacr.org/2023/368} }