Like an Open Book? Read Neural Network Architecture with Simple Power Analysis on 32-bit Microcontrollers

TL;DR

This paper demonstrates that neural network architectures deployed on 32-bit microcontrollers can be effectively extracted using simple electromagnetic side-channel analysis, highlighting security vulnerabilities in edge AI devices.

Contribution

It introduces a novel methodology for extracting neural network architectures from EM side-channel traces on Cortex-M7 microcontrollers using basic pattern recognition techniques.

Findings

Architecture can be extracted with high accuracy in many cases

Simple analysis techniques are effective against embedded neural networks

Security risks are significant for edge AI devices

Abstract

Model extraction is a growing concern for the security of AI systems. For deep neural network models, the architecture is the most important information an adversary aims to recover. Being a sequence of repeated computation blocks, neural network models deployed on edge-devices will generate distinctive side-channel leakages. The latter can be exploited to extract critical information when targeted platforms are physically accessible. By combining theoretical knowledge about deep learning practices and analysis of a widespread implementation library (ARM CMSIS-NN), our purpose is to answer this critical question: how far can we extract architecture information by simply examining an EM side-channel trace? For the first time, we propose an extraction methodology for traditional MLP and CNN models running on a high-end 32-bit microcontroller (Cortex-M7) that relies only on simple pattern recognition analysis. Despite few challenging cases, we claim that, contrary to parameters extraction, the complexity of the attack is relatively low and we highlight the urgent need for practicable protections that could fit the strong memory and latency requirements of such platforms.