I Know What You See: Power Side-Channel Attack on Convolutional Neural Network Accelerators
Lingxiao Wei, Bo Luo, Yu Li, Yannan Liu, Qiang Xu

TL;DR
This paper demonstrates a power side-channel attack on FPGA-based CNN accelerators, successfully recovering input images with high accuracy, raising privacy concerns for deep learning implementations.
Contribution
It introduces the first known attack on the implementation of deep learning models, targeting an FPGA-based CNN accelerator to recover input images from collected power traces without knowing the detailed parameters of the neural network.
Findings
Achieved up to 89% recognition accuracy on MNIST
First attack on deep learning model implementation via power analysis
Highlights privacy vulnerabilities in CNN hardware accelerators
Abstract
Deep learning has become the de-facto computational paradigm for various kinds of perception problems, including many privacy-sensitive applications such as online medical image analysis. No doubt to say, the data privacy of these deep learning systems is a serious concern. Different from previous research focusing on exploiting privacy leakage from deep learning models, in this paper, we present the first attack on the implementation of deep learning models. To be specific, we perform the attack on an FPGA-based convolutional neural network accelerator and we manage to recover the input image from the collected power traces without knowing the detailed parameters in the neural network. For the MNIST dataset, our power side-channel attack is able to achieve up to 89% recognition accuracy.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Physical Unclonable Functions (PUFs) and Hardware Security · Cryptographic Implementations and Security
