CSI Neural Network: Using Side-channels to Recover Your Artificial Neural Network Information
Lejla Batina, Shivam Bhasin, Dirmanto Jap, Stjepan Picek

TL;DR
This paper demonstrates that passive side-channel measurements like power consumption and electromagnetic radiation can be exploited to reverse engineer neural network architectures and inputs, highlighting security vulnerabilities in ML deployments.
Contribution
The study provides practical methods for extracting neural network details and inputs using side-channel attacks on real hardware, revealing significant security risks.
Findings
Side-channel attacks can reveal neural network architecture details.
An attacker can recover neural network inputs with a single measurement.
Effective mitigations against such attacks are discussed.
Abstract
Machine learning has become mainstream across industries. Numerous examples have proved its validity for security applications. In this work, we investigate how to reverse engineer a neural network by using only power side-channel information. To this end, we consider a multilayer perceptron as the machine learning architecture of choice and assume a non-invasive and eavesdropping attacker capable of measuring only passive side-channel leakages like power consumption, electromagnetic radiation, and reaction time. We conduct all experiments on real data and common neural net architectures in order to properly assess the applicability and extendability of those attacks. Practical results are shown on an ARM CORTEX-M3 microcontroller. Our experiments show that the side-channel attacker is capable of obtaining the following information: the activation functions used in the architecture,…
Taxonomy
Topics: Advancements in Semiconductor Devices and Circuit Design · Adversarial Robustness in Machine Learning · Electrostatic Discharge in Electronics
