Stealing Neural Networks via Timing Side Channels
Vasisht Duddu, Debasis Samanta, D Vijay Rao, Valentina E. Balas

TL;DR
This paper demonstrates that timing side channel attacks can effectively extract neural network architectures and parameters, posing significant security risks for cloud-based AI services.
Contribution
It introduces a black box timing attack method using reinforcement learning and knowledge distillation to reconstruct neural networks, applicable across various architectures.
Findings
Successfully reconstructed models with high test accuracy
Attack scalable across different neural network architectures
Effective in inferring network depth via timing analysis
Abstract
Deep learning is gaining importance in many applications. However, Neural Networks face several security and privacy threats. This is particularly significant in the scenario where Cloud infrastructures deploy a service with a Neural Network model at the back end. Here, an adversary can extract the Neural Network parameters, infer the regularization hyperparameter, identify if a data point was part of the training data, and generate effective transferable adversarial examples to evade classifiers. This paper shows how a Neural Network model is susceptible to a timing side channel attack. In this paper, a black box Neural Network extraction attack is proposed by exploiting the timing side channels to infer the depth of the network. Although constructing an equivalent architecture is a complex search problem, it is shown how Reinforcement Learning with knowledge distillation can effectively…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Physical Unclonable Functions (PUFs) and Hardware Security · Digital Media Forensic Detection
Methods: Knowledge Distillation · Dropout · Dense Connections · Max Pooling · Softmax · Convolution
