Abstract
Neural Networks (NNs) are now the target of various side-channel attacks whose aim is to recover the model’s parameters and/or architecture. We focus our work on EM side-channel attacks for parameter extraction. We propose a novel approach to countering such side-channel attacks, based on the method introduced by Chabanne et al. in 2021, where parasitic convolutional models are dynamically applied to the input of the victim model. We validate this new idea in the side-channel field by simulation.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
This is an unrealistic assumption, but since we aim to demonstrate the effectiveness of our protection, we assume perfect conditions for the attacker. Real CEMA attacks are much harder.
References
Batina, L., Bhasin, S., Jap, D., Picek, S.: CSI NN: reverse engineering of neural network architectures through electromagnetic side channel. In: USENIX Security Symposium, pp. 515–532. USENIX Association (2019)
Biryukov, A., Dinu, D., Le Corre, Y., Udovenko, A.: Optimal first-order Boolean masking for embedded IoT devices. In: Eisenbarth, T., Teglia, Y. (eds.) CARDIS 2017. LNCS, vol. 10728, pp. 22–41. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-75208-2_2
Breier, J., Jap, D., Hou, X., Bhasin, S., Liu, Y.: SNIFF: reverse engineering of neural networks with fault attacks. CoRR abs/2002.11021 (2020)
Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28632-5_2
Camurati, G., Poeplau, S., Muench, M., Hayes, T., Francillon, A.: Screaming channels: when electromagnetic side channels meet radio transceivers. In: CCS, pp. 163–177. ACM (2018)
Carlini, N., Jagielski, M., Mironov, I.: Cryptanalytic extraction of neural network models. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 189–218. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_7
Chabanne, H., Despiegel, V., Guiga, L.: A protection against the extraction of neural network models. In: ICISSP, pp. 258–269. SCITEPRESS (2021)
Chabanne, H., Danger, J., Guiga, L., Kühne, U.: Side channel attacks for architecture extraction of neural networks. CAAI Trans. Intell. Technol. 6(1), 3–16 (2021)
Chmielewski, Ł, Weissbart, L.: On reverse engineering neural network implementation on GPU. In: Zhou, J., et al. (eds.) ACNS 2021. LNCS, vol. 12809, pp. 96–113. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81645-2_7
Deng, J., Dong, W., Socher, R., Li, L.J., Li, K., Fei-Fei, L.: ImageNet: a large-scale hierarchical image database. In: 2009 IEEE Conference on Computer Vision and Pattern Recognition, pp. 248–255. IEEE (2009)
Dubey, A., Cammarota, R., Aysu, A.: MaskedNet: a pathway for secure inference against power side-channel attacks. CoRR abs/1910.13063 (2019)
Dubey, A., Cammarota, R., Aysu, A.: BomaNet: Boolean masking of an entire neural network. CoRR abs/2006.09532 (2020)
Duddu, V., Samanta, D., Rao, D.V., Balas, V.E.: Stealing neural networks via timing side channels. CoRR abs/1812.11720 (2018). http://arxiv.org/abs/1812.11720
Eberl, M.: Fisher-yates shuffle. Arch. Formal Proofs 2016 (2016)
Genkin, D., Pachmanov, L., Pipman, I., Tromer, E., Yarom, Y.: ECDSA key extraction from mobile devices via nonintrusive physical side channels. IACR Cryptol. ePrint Arch. 2016, 230 (2016)
Hong, S., et al.: Security analysis of deep neural networks operating in the presence of cache side-channel attacks (code) (2017)
Hong, S., Davinroy, M., Kaya, Y., Dachman-Soled, D., Dumitras, T.: How to 0wn NAS in your spare time. In: International Conference on Learning Representations (2020)
Hua, W., Zhang, Z., Suh, G.E.: Reverse engineering convolutional neural networks through side-channel information leaks. In: DAC, pp. 4:1–4:6. ACM (2018)
Jagielski, M., Carlini, N., Berthelot, D., Kurakin, A., Papernot, N.: High-fidelity extraction of neural network models. CoRR abs/1909.01838 (2019)
Jagielski, M., Carlini, N., Berthelot, D., Kurakin, A., Papernot, N.: High accuracy and high fidelity extraction of neural networks. In: Capkun, S., Roesner, F. (eds.) 29th USENIX Security Symposium, USENIX Security 2020, 12–14 August 2020, pp. 1345–1362. USENIX Association (2020)
Krizhevsky, A.: Learning multiple layers of features from tiny images. Technical report (2009)
LeNail, A.: NN-SVG: publication-ready neural network architecture schematics. J. Open Source Softw. 4(33), 747 (2019)
Milli, S., Schmidt, L., Dragan, A.D., Hardt, M.: Model reconstruction from model explanations, pp. 1–9. Association for Computing Machinery, New York (2019)
Mondal, A., Srivastava, A.: Energy-efficient design of MTJ-based neural networks with stochastic computing. ACM J. Emerg. Technol. Comput. Syst. 16(1), 7:1–7:27 (2020)
Oh, S.J., Schiele, B., Fritz, M.: Towards reverse-engineering black-box neural networks. In: Samek, W., Montavon, G., Vedaldi, A., Hansen, L.K., Müller, K.-R. (eds.) Explainable AI: Interpreting, Explaining and Visualizing Deep Learning. LNCS (LNAI), vol. 11700, pp. 121–144. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-28954-6_7
Rolnick, D., Kording, K.P.: Reverse-engineering deep Relu networks. In: Proceedings of the 37th International Conference on Machine Learning, ICML 2020, 13–18 July 2020, Virtual Event. Proceedings of Machine Learning Research, vol. 119, pp. 8178–8187. PMLR (2020)
Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: MobileNetV2: inverted residuals and linear bottlenecks. In: 2018 IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2018, Salt Lake City, UT, USA, 18–22 June 2018, pp. 4510–4520. IEEE Computer Society (2018)
Takatoi, G., Sugawara, T., Sakiyama, K., Li, Y.: Simple electromagnetic analysis against activation functions of deep neural networks. In: Zhou, J., et al. (eds.) ACNS 2020. LNCS, vol. 12418, pp. 181–197. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-61638-0_11
Wang, R., Wang, H., Dubrova, E.: Far field EM side-channel attack on AES using deep learning. In: ASHES@CCS, pp. 35–44. ACM (2020)
Wang, X., Hou, R., Zhu, Y., Zhang, J., Meng, D.: NPUFort: a secure architecture of DNN accelerator against model inversion attack. In: CF, pp. 190–196. ACM (2019)
Y. LeCun, L. Bottou, Y.B., Haffner, P.: Gradient-based learning applied to document recognition. In: Proceedings of IEEE (1998)
Yan, M., Fletcher, C.W., Torrellas, J.: Cache telepathy: leveraging shared resource attacks to learn DNN architectures. In: USENIX Security Symposium, pp. 2003–2020. USENIX Association (2020)
Zhang, C., Bengio, S., Hardt, M., Mozer, M.C., Singer, Y.: Identity crisis: memorization and generalization under extreme overparameterization. In: 8th International Conference on Learning Representations, ICLR 2020, Addis Ababa, Ethiopia, 26–30 April 2020. OpenReview.net (2020)
Acknowledgements
We thank the reviewers for their very insightful inputs.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
Appendix A Pearson Correlation
To further explain the way our countermeasure works, we measured the Pearson correlation coefficient \(\rho \) between the extracted weights and original ones, one output channel at a time. Figure 4 shows the coefficients for each extracted convolutional layer, for a 1-layer protected model with standard deviation \(\sigma =0.01\). Thanks to the plots, we can see that the correlation decreases for deeper layers.
Pearson correlation coefficient between the extracted weights and the original ones, for the first, third and fourth convolutions in MobileNetV2. Each point in the graph corresponds to the correlation coefficient for one output channel.
Appendix B Weight Distribution
In this appendix, we plot the distribution of weight differences \(\delta = \frac{\hat{w_i} - w_i}{||W||_2}\) between the extracted and original weights, for each of the four recovered convolutional layers. We consider a MobileNetV2 model protected by a 1-layer parasite with standard deviation either \(\sigma =0.01\) in Fig. 5e or \(\sigma =0.1\) in Fig. 5j. As we reach deeper layers, recovered weights get further away from the original ones. Moreover, a higher \(\sigma \) leads to fewer correctly recovered weights. This also explains why the extracted accuracy for \(\sigma =0.1\) is so low: \(12.9\%\) when the original accuracy was \(71.41\%\) and the extracted accuracy for \(\sigma =0.01\) is \(71.41\%\).
Distribution of the weight differences \(\frac{\hat{w_i} - w_i}{||W||_2}\) within each of the four MobileNetV2 convolutional layers extracted by the attacker, in the first simulation with 128 traces (see Sect. 5.1) and \(\sigma =0.01\) (e) or \(\sigma =0.1\) (j).
Rights and permissions
Copyright information
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Chabanne, H., Danger, JL., Guiga, L., Kühne, U. (2022). Parasite: Mitigating Physical Side-Channel Attacks Against Neural Networks. In: Batina, L., Picek, S., Mondal, M. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2021. Lecture Notes in Computer Science(), vol 13162. Springer, Cham. https://doi.org/10.1007/978-3-030-95085-9_8
Download citation
DOI: https://doi.org/10.1007/978-3-030-95085-9_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-95084-2
Online ISBN: 978-3-030-95085-9
eBook Packages: Computer ScienceComputer Science (R0)