Defense against ML-based Power Side-channel Attacks on DNN Accelerators with Adversarial Attacks
Xiaobei Yan, Chip Hong Chang, Tianwei Zhang

TL;DR
This paper introduces AIAShield, a novel defense mechanism against power side-channel attacks on FPGA-based AI accelerators, using adversarial noise crafted via neural architecture search to significantly reduce information leakage with minimal overhead.
Contribution
AIAShield combines hardware-based adversarial noise generation with algorithmic obfuscation using neural architecture search to enhance security against power side-channel attacks.
Findings
AIAShield effectively reduces side-channel information leakage.
The method incurs minimal performance overhead.
It outperforms existing defense solutions on NVDLA.
Abstract
Artificial Intelligence (AI) hardware accelerators have been widely adopted to enhance the efficiency of deep learning applications. However, they also raise security concerns regarding their vulnerability to power side-channel attacks (SCA). In these attacks, the adversary exploits unintended communication channels to infer sensitive information processed by the accelerator, posing significant privacy and copyright risks to the models. Advanced machine learning algorithms are further employed to facilitate the side-channel analysis and exacerbate the privacy issue of AI accelerators. Traditional defense strategies naively inject execution noise into the runtime of AI models, which inevitably introduces large overheads. In this paper, we present AIAShield, a novel defense methodology to safeguard FPGA-based AI accelerators and mitigate model extraction threats via power-based SCAs. The…
Taxonomy
Topics: Physical Unclonable Functions (PUFs) and Hardware Security · Cryptographic Implementations and Security · Electrostatic Discharge in Electronics
