Side-channel attack analysis on in-memory computing architectures

TL;DR

This paper demonstrates a side-channel attack on in-memory computing systems that can extract neural network architecture details from power traces, highlighting security vulnerabilities in IMC-based AI hardware.

Contribution

It introduces a novel side-channel attack methodology on IMC architectures, capable of reverse engineering neural network models without prior knowledge.

Findings

Power traces can reveal layer types and sequence

Model architecture can be reconstructed from leakage analysis

Countermeasures for IMC security are discussed

Abstract

In-memory computing (IMC) systems have great potential for accelerating data-intensive tasks such as deep neural networks (DNNs). As DNN models are generally highly proprietary, the neural network architectures become valuable targets for attacks. In IMC systems, since the whole model is mapped on chip and weight memory read can be restricted, the pre-mapped DNN model acts as a ``black box'' for users. However, the localized and stationary weight and data patterns may subject IMC systems to other attacks. In this paper, we propose a side-channel attack methodology on IMC architectures. We show that it is possible to extract model architectural information from power trace measurements without any prior knowledge of the neural network. We first developed a simulation framework that can emulate the dynamic power traces of the IMC macros. We then performed side-channel leakage analysis to reverse engineer model information such as the stored layer type, layer sequence, output channel/feature size and convolution kernel size from power traces of the IMC macros. Based on the extracted information, full networks can potentially be reconstructed without any knowledge of the neural network. Finally, we discuss potential countermeasures for building IMC systems that offer resistance to these model extraction attack.