Abstract: Deep Learning has gained tremendous momentum in the last decade and is now
widely used for many tasks. Deep Neural Networks (DNNs) are constantly being developed and
improved, and they now appear throughout everyday life, including in critical and sensitive
domains, which makes DNNs a target for malicious adversaries. A growing body of research has
explored the security and vulnerabilities of DNNs. One imminent threat is the DNN model
extraction attack, which aims to steal the knowledge of a black-box DNN system. Prior works have
explored model extraction using various side-channels like power, EM, cache, memory-access,
and GPU. These attacks are either passive but require physical access (e.g., monitoring power
consumption) or remote but more intrusive (e.g., manipulating the cache). We demonstrate a
fingerprinting attack that identifies the architecture family of a running DNN model on CPU-GPU edge
devices through stealthy analysis of system-level side-channel information such as
memory, CPU, and GPU usage, using only user-level privileges. The attack requires neither
physical access nor sudo access to the victim's device. With a combination of RAM, CPU, and
GPU features and a Random Forest-based classifier, our proposed attack classifies a known
DNN model into its architecture family with 99% accuracy. Moreover, the attack transfers well:
it classifies an unknown DNN model into the correct DNN architecture
family with 87.2% accuracy. We also demonstrate that the leakage of the model architecture
family information from this stealthy attack can strengthen an adversarial attack against a victim
DNN model by up to 2X. We are currently exploring detection and mitigation mechanisms.
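
The sketch below illustrates the general idea of the described pipeline: sampling user-accessible system-level counters while a model runs, summarizing them into a feature vector, and classifying the architecture family with a Random Forest. It is a minimal sketch, not the authors' pipeline; the sampling parameters, feature choices, labels, and use of psutil/scikit-learn are illustrative assumptions.

```python
# Minimal sketch (assumed tooling and parameters, not the authors' exact pipeline):
# sample CPU/RAM counters with user privileges only, summarize them into features,
# and fit a Random Forest over architecture-family labels.
import time
import numpy as np
import psutil                                  # user-level CPU/RAM counters
from sklearn.ensemble import RandomForestClassifier

def sample_trace(duration_s=2.0, period_s=0.05):
    """Collect a time series of (CPU %, RAM used in bytes); no sudo required."""
    samples, end = [], time.time() + duration_s
    while time.time() < end:
        samples.append((psutil.cpu_percent(interval=None),
                        psutil.virtual_memory().used))
        time.sleep(period_s)
    return np.asarray(samples)

def featurize(trace):
    """Per-channel summary statistics (mean, std, max) as the feature vector."""
    return np.concatenate([trace.mean(axis=0), trace.std(axis=0), trace.max(axis=0)])

# X: features collected while known models run; y: architecture-family labels.
# GPU-utilization features would be appended similarly, e.g., parsed from
# tegrastats or nvidia-smi output on the target edge device (assumption).
X = np.stack([featurize(sample_trace()) for _ in range(3)])   # placeholder data
y = np.array(["VGG", "ResNet", "MobileNet"])                  # placeholder labels

clf = RandomForestClassifier(n_estimators=100, random_state=0).fit(X, y)
print(clf.predict([featurize(sample_trace())]))               # predicted family
```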