Can one hear the shape of a neural network?: Snooping the GPU via Magnetic Side Channel

TL;DR

This paper demonstrates that electromagnetic side channels can reveal detailed information about neural network architectures deployed on GPUs, posing security risks and highlighting the need for protective measures.

Contribution

It introduces a novel magnetic side channel attack that can reconstruct neural network topology and hyperparameters from electromagnetic signals emitted during GPU computation.

Findings

Magnetic flux signals correlate with neural network layer evaluations

Layer topology and hyperparameters can be inferred with high accuracy

Potential for adversarial attacks exploiting this side channel

Abstract

Neural network applications have become popular in both enterprise and personal settings. Network solutions are tuned meticulously for each task, and designs that can robustly resolve queries end up in high demand. As the commercial value of accurate and performant machine learning models increases, so too does the demand to protect neural architectures as confidential investments. We explore the vulnerability of neural networks deployed as black boxes across accelerated hardware through electromagnetic side channels. We examine the magnetic flux emanating from a graphics processing unit's power cable, as acquired by a cheap $3 induction sensor, and find that this signal betrays the detailed topology and hyperparameters of a black-box neural network model. The attack acquires the magnetic signal for one query with unknown input values, but known input dimensions. The network reconstruction is possible due to the modular layer sequence in which deep neural networks are evaluated. We find that each layer component's evaluation produces an identifiable magnetic signal signature, from which layer topology, width, function type, and sequence order can be inferred using a suitably trained classifier and a joint consistency optimization based on integer programming. We study the extent to which network specifications can be recovered, and consider metrics for comparing network similarity. We demonstrate the potential accuracy of this side channel attack in recovering the details for a broad range of network architectures, including random designs. We consider applications that may exploit this novel side channel exposure, such as adversarial transfer attacks. In response, we discuss countermeasures to protect against our method and other similar snooping techniques.