Security Analysis of Deep Neural Networks Operating in the Presence of Cache Side-Channel Attacks

by   Sanghyun Hong, et al.

Recent work has introduced attacks that extract the architecture information of deep neural networks (DNN), as this knowledge enhances an adversary's capability to conduct black-box attacks against the model. This paper presents the first in-depth security analysis of DNN fingerprinting attacks that exploit cache side-channels. First, we define the threat model for these attacks: our adversary does not need the ability to query the victim model; instead, she runs a co-located process on the host machine victim's deep learning (DL) system is running and passively monitors the accesses of the target functions in the shared framework. Second, we introduce DeepRecon, an attack that reconstructs the architecture of the victim network by using the internal information extracted via Flush+Reload, a cache side-channel technique. Once the attacker observes function invocations that map directly to architecture attributes of the victim network, the attacker can reconstruct the victim's entire network architecture. In our evaluation, we demonstrate that an attacker can accurately reconstruct two complex networks (VGG19 and ResNet50) having observed only one forward propagation. Based on the extracted architecture attributes, we also demonstrate that an attacker can build a meta-model that accurately fingerprints the architecture and family of the pre-trained model in a transfer learning setting. From this meta-model, we evaluate the importance of the observed attributes in the fingerprinting process. Third, we propose and evaluate new framework-level defense techniques that obfuscate our attacker's observations. Our empirical security analysis represents a step toward understanding the DNNs' vulnerability to cache side-channel attacks.


page 1

page 2

page 3

page 4


Cache Telepathy: Leveraging Shared Resource Attacks to Learn DNN Architectures

Deep Neural Networks (DNNs) are fast becoming ubiquitous for their abili...

Robust Website Fingerprinting Through the Cache Occupancy Channel

Website fingerprinting attacks, which use statistical analysis on networ...

Stealing Neural Networks via Timing Side Channels

Deep learning is gaining importance in many applications and Cloud infra...

Playing with blocks: Toward re-usable deep learning models for side-channel profiled attacks

This paper introduces a deep learning modular network for side-channel a...

Quantifying (Hyper) Parameter Leakage in Machine Learning

Black Box Machine Learning models leak information about the proprietary...

Optimization and Amplification of Cache Side Channel Signals

In cache-based side channel attacks, an attacker infers information abou...

Spy in the GPU-box: Covert and Side Channel Attacks on Multi-GPU Systems

The deep learning revolution has been enabled in large part by GPUs, and...

Please sign up or login with your details

Forgot password? Click here to reset