CSI Neural Network: Using Side-channels to Recover Your Artificial Neural Network Information

Machine learning has become mainstream across industries, and numerous examples have proved its validity for security applications. In this work, we investigate how to reverse engineer a neural network by using only power side-channel information. To this end, we consider a multilayer perceptron as the machine learning architecture of choice and assume a non-invasive, eavesdropping attacker capable of measuring only passive side-channel leakages such as power consumption, electromagnetic radiation, and reaction time. We conduct all experiments on real data and common neural network architectures in order to properly assess the applicability and extendability of those attacks. Practical results are shown on an ARM Cortex-M3 microcontroller. Our experiments show that the side-channel attacker is capable of obtaining the following information: the activation functions used in the architecture, the number of layers and the number of neurons in each layer, the number of output classes, and the weights in the neural network. Thus, the attacker can effectively reverse engineer the network using side-channel information. Next, we show that once the attacker knows the neural network architecture, he/she can also recover the inputs to the network with only a single-shot measurement. Finally, we discuss several mitigations one could use to thwart such attacks.
