Using side-channel and quantization vulnerability to recover DNN weights

Using side-channel and quantization vulnerability to recover DNN weights

Model extraction attack focuses on reverse engineering architecture and weights of DNN model deployed in edge.Model extraction attack is a basic security problem in AI security, it underlies advanced attacks as data provider, such as adversarial sample and data poisoning.A novel method named Cluster...

Full description

Saved in:
Bibliographic Details
Main Authors: Jinghai LI, Ming TANG, Chengxuan HUANG
Format: Article
Language:English
Published: POSTS&TELECOM PRESS Co., LTD 2021-08-01
Series:网络与信息安全学报
Subjects:
AI security
model extraction attack
quantization vulnerability
side-channel analysis
Cluster-based SCA
Online Access:http://www.cjnis.com.cn/thesisDetails#10.11959/j.issn.2096-109x.2021038
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Model extraction attack focuses on reverse engineering architecture and weights of DNN model deployed in edge.Model extraction attack is a basic security problem in AI security, it underlies advanced attacks as data provider, such as adversarial sample and data poisoning.A novel method named Cluster-based SCA was proposed,this method did not need leakage model.Cluster-based SCA was based on vulnerability of quantized inference.There exist a phenomenon in multiplication operation in quantized inference, which the output of different weights were not equivalent in respect of classification.It can be used to distinguish different weights.The proposed method computed output activations of each DNN layer with guessing weight.Then acquired side channel signal were classified into different class, the taxonomy was corresponding output activations' value.Average dispersion of all classes <inline-formula><math xmlns="http://www.w3.org/1998/Math/MathML"> <mover accent="true"> <mi>σ</mi> <mo>¯</mo> </mover> </math></inline-formula> was used to decide whether guess was right.The effectiveness of Cluster-based SCA method was verified by simulation experiment and HW model was used as target leakage model.For all weights from first convolution layer of target CNN model, TOP2 recovery rate was 52.66%.And for large weights in significant interval,TOP2 recover rate was 100%.
ISSN:2096-109X

Similar Items