The original paper is in English. Non-English content has been machine-translated and may contain typographical errors or mistranslations. ex. Some numerals are expressed as "XNUMX".
Full text views: 151
A model extraction attack is a security issue in deep neural networks (DNNs). Information on a trained DNN model is an attractive target for an adversary not only in terms of intellectual property but also of security. Thus, an adversary tries to reveal the sensitive information contained in the trained DNN model from machine-learning services. Previous studies on model extraction attacks assumed that the victim provides a machine-learning cloud service and the adversary accesses the service through formal queries. However, when a DNN model is implemented on an edge device, adversaries can physically access the device and try to reveal the sensitive information contained in the implemented DNN model. We call these physical model extraction attacks model reverse-engineering (MRE) attacks to distinguish them from attacks on cloud services. Power side-channel analyses are often used in MRE attacks to reveal the internal operation from power consumption or electromagnetic leakage. Previous studies, including ours, evaluated MRE attacks against several types of DNN processors with power side-channel analyses. In this paper, information leakage from a systolic array, which is used as the matrix multiplication unit in DNN processors, is evaluated. We utilized correlation power analysis (CPA) for the MRE attack and revealed weight parameters of a DNN model from the systolic array. Two types of systolic array were implemented on a field-programmable gate array (FPGA) to demonstrate that CPA reveals weight parameters from those systolic arrays. In addition, we applied an extended analysis approach called "chain CPA" for robust CPA analysis against the systolic arrays. Our experimental results indicate that an adversary can reveal trained model parameters from a DNN accelerator even if the DNN model parameters on the off-chip bus are protected with data encryption. Countermeasures against side-channel leaks will be important for implementing a DNN accelerator on an FPGA or application-specific integrated circuit (ASIC).
Kota YOSHIDA
Ritsumeikan University
Mitsuru SHIOZAKI
Ritsumeikan University
Shunsuke OKURA
Ritsumeikan University
Takaya KUBOTA
Ritsumeikan University
Takeshi FUJINO
Ritsumeikan University
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Kota YOSHIDA, Mitsuru SHIOZAKI, Shunsuke OKURA, Takaya KUBOTA, Takeshi FUJINO, "Model Reverse-Engineering Attack against Systolic-Array-Based DNN Accelerator Using Correlation Power Analysis" in IEICE TRANSACTIONS on Fundamentals, vol. E104-A, no. 1, pp. 152-161, January 2021, doi: 10.1587/transfun.2020CIP0024.
Abstract: A model extraction attack is a security issue in deep neural networks (DNNs). Information on a trained DNN model is an attractive target for an adversary not only in terms of intellectual property but also of security. Thus, an adversary tries to reveal the sensitive information contained in the trained DNN model from machine-learning services. Previous studies on model extraction attacks assumed that the victim provides a machine-learning cloud service and the adversary accesses the service through formal queries. However, when a DNN model is implemented on an edge device, adversaries can physically access the device and try to reveal the sensitive information contained in the implemented DNN model. We call these physical model extraction attacks model reverse-engineering (MRE) attacks to distinguish them from attacks on cloud services. Power side-channel analyses are often used in MRE attacks to reveal the internal operation from power consumption or electromagnetic leakage. Previous studies, including ours, evaluated MRE attacks against several types of DNN processors with power side-channel analyses. In this paper, information leakage from a systolic array which is used for the matrix multiplication unit in the DNN processors is evaluated. We utilized correlation power analysis (CPA) for the MRE attack and reveal weight parameters of a DNN model from the systolic array. Two types of the systolic array were implemented on field-programmable gate array (FPGA) to demonstrate that CPA reveals weight parameters from those systolic arrays. In addition, we applied an extended analysis approach called “chain CPA” for robust CPA analysis against the systolic arrays. Our experimental results indicate that an adversary can reveal trained model parameters from a DNN accelerator even if the DNN model parameters in the off-chip bus are protected with data encryption. Countermeasures against side-channel leaks will be important for implementing a DNN accelerator on an FPGA or application-specific integrated circuit (ASIC).
URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.2020CIP0024/_p
@ARTICLE{e104-a_1_152,
author={Kota YOSHIDA and Mitsuru SHIOZAKI and Shunsuke OKURA and Takaya KUBOTA and Takeshi FUJINO},
journal={IEICE TRANSACTIONS on Fundamentals},
title={Model Reverse-Engineering Attack against Systolic-Array-Based DNN Accelerator Using Correlation Power Analysis},
year={2021},
volume={E104-A},
number={1},
pages={152-161},
abstract={A model extraction attack is a security issue in deep neural networks (DNNs). Information on a trained DNN model is an attractive target for an adversary not only in terms of intellectual property but also of security. Thus, an adversary tries to reveal the sensitive information contained in the trained DNN model from machine-learning services. Previous studies on model extraction attacks assumed that the victim provides a machine-learning cloud service and the adversary accesses the service through formal queries. However, when a DNN model is implemented on an edge device, adversaries can physically access the device and try to reveal the sensitive information contained in the implemented DNN model. We call these physical model extraction attacks model reverse-engineering (MRE) attacks to distinguish them from attacks on cloud services. Power side-channel analyses are often used in MRE attacks to reveal the internal operation from power consumption or electromagnetic leakage. Previous studies, including ours, evaluated MRE attacks against several types of DNN processors with power side-channel analyses. In this paper, information leakage from a systolic array which is used for the matrix multiplication unit in the DNN processors is evaluated. We utilized correlation power analysis (CPA) for the MRE attack and reveal weight parameters of a DNN model from the systolic array. Two types of the systolic array were implemented on field-programmable gate array (FPGA) to demonstrate that CPA reveals weight parameters from those systolic arrays. In addition, we applied an extended analysis approach called “chain CPA” for robust CPA analysis against the systolic arrays. Our experimental results indicate that an adversary can reveal trained model parameters from a DNN accelerator even if the DNN model parameters in the off-chip bus are protected with data encryption. Countermeasures against side-channel leaks will be important for implementing a DNN accelerator on an FPGA or application-specific integrated circuit (ASIC).},
keywords={},
doi={10.1587/transfun.2020CIP0024},
ISSN={1745-1337},
month={January}
}
TY - JOUR
TI - Model Reverse-Engineering Attack against Systolic-Array-Based DNN Accelerator Using Correlation Power Analysis
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 152
EP - 161
AU - Kota YOSHIDA
AU - Mitsuru SHIOZAKI
AU - Shunsuke OKURA
AU - Takaya KUBOTA
AU - Takeshi FUJINO
PY - 2021
DO - 10.1587/transfun.2020CIP0024
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E104-A
IS - 1
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - January 2021
AB - A model extraction attack is a security issue in deep neural networks (DNNs). Information on a trained DNN model is an attractive target for an adversary not only in terms of intellectual property but also of security. Thus, an adversary tries to reveal the sensitive information contained in the trained DNN model from machine-learning services. Previous studies on model extraction attacks assumed that the victim provides a machine-learning cloud service and the adversary accesses the service through formal queries. However, when a DNN model is implemented on an edge device, adversaries can physically access the device and try to reveal the sensitive information contained in the implemented DNN model. We call these physical model extraction attacks model reverse-engineering (MRE) attacks to distinguish them from attacks on cloud services. Power side-channel analyses are often used in MRE attacks to reveal the internal operation from power consumption or electromagnetic leakage. Previous studies, including ours, evaluated MRE attacks against several types of DNN processors with power side-channel analyses. In this paper, information leakage from a systolic array which is used for the matrix multiplication unit in the DNN processors is evaluated. We utilized correlation power analysis (CPA) for the MRE attack and reveal weight parameters of a DNN model from the systolic array. Two types of the systolic array were implemented on field-programmable gate array (FPGA) to demonstrate that CPA reveals weight parameters from those systolic arrays. In addition, we applied an extended analysis approach called “chain CPA” for robust CPA analysis against the systolic arrays. Our experimental results indicate that an adversary can reveal trained model parameters from a DNN accelerator even if the DNN model parameters in the off-chip bus are protected with data encryption. Countermeasures against side-channel leaks will be important for implementing a DNN accelerator on an FPGA or application-specific integrated circuit (ASIC).
ER -