Bibliographic Details
Main authors: Joud, Raphael, Moellic, Pierre-Alain, Pontie, Simon, Rigaud, Jean-Baptiste
Format: Preprint
Published: 2023
Subjects:
Online access: https://arxiv.org/abs/2311.01344
author Joud, Raphael
Moellic, Pierre-Alain
Pontie, Simon
Rigaud, Jean-Baptiste
contents Model extraction is a growing concern for the security of AI systems. For deep neural network models, the architecture is the most important information an adversary aims to recover. Being a sequence of repeated computation blocks, neural network models deployed on edge-devices will generate distinctive side-channel leakages. The latter can be exploited to extract critical information when targeted platforms are physically accessible. By combining theoretical knowledge about deep learning practices and analysis of a widespread implementation library (ARM CMSIS-NN), our purpose is to answer this critical question: how far can we extract architecture information by simply examining an EM side-channel trace? For the first time, we propose an extraction methodology for traditional MLP and CNN models running on a high-end 32-bit microcontroller (Cortex-M7) that relies only on simple pattern recognition analysis. Despite few challenging cases, we claim that, contrary to parameters extraction, the complexity of the attack is relatively low and we highlight the urgent need for practicable protections that could fit the strong memory and latency requirements of such platforms.
format Preprint
id arxiv_https___arxiv_org_abs_2311_01344
institution arXiv
publishDate 2023
record_format arxiv
title Like an Open Book? Read Neural Network Architecture with Simple Power Analysis on 32-bit Microcontrollers
topic Cryptography and Security
Artificial Intelligence
Machine Learning
url https://arxiv.org/abs/2311.01344