DeepTheft: Stealing DNN Model Architectures through Power Side Channel
Yansong Gao, Huming Qiu, Zhi Zhang, Binghui Wang, Hua Ma, Alsharif Abuadbba, Minhui Xue, Anmin Fu, Surya Nepal

TL;DR
DeepTheft is a novel power side-channel attack that accurately recovers complex DNN architectures, including hyperparameters, from low-rate energy traces, posing significant security risks to MLaaS deployments.
Contribution
The paper introduces a generic learning-based framework for extracting DNN architectures from low-rate power side-channel signals, demonstrating high accuracy across multiple models and signals.
Findings
Achieved 99.75% Levenshtein Distance Accuracy in model structure recovery.
Attacked models include large architectures like ResNet152.
Effective against both RAPL-based energy traces and CPU frequency signals.
Abstract
Deep Neural Network (DNN) models are often deployed in resource-sharing clouds as Machine Learning as a Service (MLaaS) to provide inference services. To steal model architectures, which are valuable intellectual property, a class of attacks has been proposed that exploits different side-channel leakage, posing a serious security challenge to MLaaS. Also targeting MLaaS, we propose a new end-to-end attack, DeepTheft, to accurately recover complex DNN model architectures on general processors via the RAPL-based power side channel. However, an attacker can acquire only a low sampling rate (1 KHz) of the time-series energy traces from the RAPL interface, rendering existing techniques ineffective in stealing large and deep DNN models. To this end, we design a novel and generic learning-based framework consisting of a set of meta-models, based on which DeepTheft is demonstrated to have high…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Security and Verification in Computing · Semiconductor materials and devices
