Salvato in:
Dettagli Bibliografici
Autori principali: Hector, Kevin, Moellic, Pierre-Alain, Dumont, Mathieu, Dutertre, Jean-Max
Natura: Preprint
Pubblicazione: 2023
Soggetti:
Accesso online:https://arxiv.org/abs/2308.16703
Tags: Aggiungi Tag
Nessun Tag, puoi essere il primo ad aggiungerne!!
_version_ 1866929591981965312
author Hector, Kevin
Moellic, Pierre-Alain
Dumont, Mathieu
Dutertre, Jean-Max
author_facet Hector, Kevin
Moellic, Pierre-Alain
Dumont, Mathieu
Dutertre, Jean-Max
contents Model extraction emerges as a critical security threat with attack vectors exploiting both algorithmic and implementation-based approaches. The main goal of an attacker is to steal as much information as possible about a protected victim model, so that he can mimic it with a substitute model, even with a limited access to similar training data. Recently, physical attacks such as fault injection have shown worrying efficiency against the integrity and confidentiality of embedded models. We focus on embedded deep neural network models on 32-bit microcontrollers, a widespread family of hardware platforms in IoT, and the use of a standard fault injection strategy - Safe Error Attack (SEA) - to perform a model extraction attack with an adversary having a limited access to training data. Since the attack strongly depends on the input queries, we propose a black-box approach to craft a successful attack set. For a classical convolutional neural network, we successfully recover at least 90% of the most significant bits with about 1500 crafted inputs. These information enable to efficiently train a substitute model, with only 8% of the training dataset, that reaches high fidelity and near identical accuracy level than the victim model.
format Preprint
id arxiv_https___arxiv_org_abs_2308_16703
institution arXiv
publishDate 2023
record_format arxiv
spellingShingle Fault Injection and Safe-Error Attack for Extraction of Embedded Neural Network Models
Hector, Kevin
Moellic, Pierre-Alain
Dumont, Mathieu
Dutertre, Jean-Max
Cryptography and Security
Artificial Intelligence
Model extraction emerges as a critical security threat with attack vectors exploiting both algorithmic and implementation-based approaches. The main goal of an attacker is to steal as much information as possible about a protected victim model, so that he can mimic it with a substitute model, even with a limited access to similar training data. Recently, physical attacks such as fault injection have shown worrying efficiency against the integrity and confidentiality of embedded models. We focus on embedded deep neural network models on 32-bit microcontrollers, a widespread family of hardware platforms in IoT, and the use of a standard fault injection strategy - Safe Error Attack (SEA) - to perform a model extraction attack with an adversary having a limited access to training data. Since the attack strongly depends on the input queries, we propose a black-box approach to craft a successful attack set. For a classical convolutional neural network, we successfully recover at least 90% of the most significant bits with about 1500 crafted inputs. These information enable to efficiently train a substitute model, with only 8% of the training dataset, that reaches high fidelity and near identical accuracy level than the victim model.
title Fault Injection and Safe-Error Attack for Extraction of Embedded Neural Network Models
topic Cryptography and Security
Artificial Intelligence
url https://arxiv.org/abs/2308.16703