Abstract
Machine learning algorithms have been widely applied to solve various type of problems and applications. Among those, decision tree based algorithms have been considered for small Internet-of-Things (IoT) implementation, due to their simplicity. It has been shown in a recent publication, that Bonsai, a small tree-based algorithm, can be successfully fitted in a small 8-bit microcontroller. However, the security of machine learning algorithm has also been a major concern, especially with the threat of secret parameter recovery which could lead to breach of privacy. With machine learning taking over a significant proportion of industrial tasks, the security issue has become a matter of concern. Recently, secret parameter recovery for neural network based algorithm using physical side-channel leakage has been proposed. In the paper, we investigate the security of widely used decision tree algorithms running on ARM Cortex M3 platform against electromagnetic (EM) side-channel attacks. We show that by focusing on each building block function or component, one could perform divide-and-conquer approach to recover the secret parameters. To demonstrate the attack, we first report the recovery of secret parameters of Bonsai, such as, sparse projection parameters, branching function and node predictors. After the recovery of these parameters, the attacker can then reconstruct the whole architecture.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
The source code is publicly available at: https://github.com/microsoft/EdgeML.
- 2.
An example of a trained model can be found on: https://github.com/microsoft/EdgeML/tree/master/tools/SeeDot/seedot/arduino.
References
Batina, L., Bhasin, S., Jap, D., Picek, S.: CSI NN: reverse engineering of neural network architectures through electromagnetic side channel. In: Heninger, N., Traynor, P. (eds.) 28th USENIX Security Symposium, USENIX Security 2019, Santa Clara, CA, USA, 14–16 August 2019, pp. 515–532. USENIX Association (2019). https://www.usenix.org/conference/usenixsecurity19/presentation/batina
Breiman, L., Friedman, J.H., Olshen, R.A., Stone, C.J.: Classification and Regression Trees. Wadsworth (1984)
Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28632-5_2
Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36400-5_3
Hua, W., Zhang, Z., Suh, G.E.: Reverse engineering convolutional neural networks through side-channel information leaks. In: Proceedings of the 55th Annual Design Automation Conference, DAC 2018, San Francisco, CA, USA, 24–29 June 2018, pp. 4:1–4:6. ACM (2018). https://doi.org/10.1145/3195970.3196105
Hull, J.J.: A database for handwritten text recognition research. IEEE Trans. Pattern Anal. Mach. Intell. 16(5), 550–554 (1994). https://doi.org/10.1109/34.291440
Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9
Kumar, A., Goyal, S., Varma, M.: Resource-efficient machine learning in 2 KB RAM for the internet of things. In: Precup, D., Teh, Y.W. (eds.) Proceedings of the 34th International Conference on Machine Learning, ICML 2017, Sydney, NSW, Australia, 6–11 August 2017. Proceedings of Machine Learning Research, vol. 70, pp. 1935–1944. PMLR (2017). http://proceedings.mlr.press/v70/kumar17a.html
Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks. Springer, Boston, MA (2007). https://doi.org/10.1007/978-0-387-38162-6
Messerges, T.S., Dabbish, E.A.: Investigations of power analysis attacks on smartcards. In: Guthery, S.B., Honeyman, P. (eds.) Proceedings of the 1st Workshop on Smartcard Technology, Smartcard 1999, Chicago, Illinois, USA, 10–11 May 1999. USENIX Association (1999). https://www.usenix.org/conference/usenix-workshop-smartcard-technology/investigations-power-analysis-attacks-smartcards
Wei, L., Luo, B., Li, Y., Liu, Y., Xu, Q.: I know what you see: power side-channel attack on convolutional neural network accelerators. In: Proceedings of the 34th Annual Computer Security Applications Conference, ACSAC 2018, San Juan, PR, USA, 03–07 December 2018, pp. 393–406. ACM (2018). https://doi.org/10.1145/3274694.3274696
Wu, D., Jennings, C., Terpenny, J., Gao, R.X., Kumara, S.: A comparative study on machine learning algorithms for smart manufacturing: tool wear prediction using random forests. J. Manufact. Sci. Eng. 139(7) (2017)
Acknowledgement
This work was performed in the Cooperative Research Project of the Research Institute of Electrical Communication, Tohoku University with Nanyang Technological University. This research was also supported in part by JST CREST Grant No. JPMJCR19K5, Japan.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Jap, D., Yli-Mäyry, V., Ito, A., Ueno, R., Bhasin, S., Homma, N. (2020). Practical Side-Channel Based Model Extraction Attack on Tree-Based Machine Learning Algorithm. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2020. Lecture Notes in Computer Science(), vol 12418. Springer, Cham. https://doi.org/10.1007/978-3-030-61638-0_6
Download citation
DOI: https://doi.org/10.1007/978-3-030-61638-0_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-61637-3
Online ISBN: 978-3-030-61638-0
eBook Packages: Computer ScienceComputer Science (R0)