NeuroPlug: Plugging Side-Channel Leaks in NPUs using Space Filling Curves

TL;DR

NeuroPlug introduces a novel side-channel countermeasure for neural networks that employs space filling curves and mathematical obfuscation techniques, significantly improving security and performance against attacks.

Contribution

The paper presents NeuroPlug, a new countermeasure that uses space filling curves and a theoretical framework to enhance DNN security against side-channel attacks, with proven effectiveness.

Findings

NeuroPlug effectively obfuscates side-channel information.

It provides a 15% performance boost over existing methods.

Theoretical analysis quantifies security based on noise and side information.

Abstract

Securing deep neural networks (DNNs) from side-channel attacks is an important problem as of today, given the substantial investment of time and resources in acquiring the raw data and training complex models. All published countermeasures (CMs) add noise N to a signal X (parameter of interest such as the net memory traffic that is leaked). The adversary observes X+N ; we shall show that it is easy to filter this noise out using targeted measurements, statistical analyses and different kinds of reasonably-assumed side information. We present a novel CM NeuroPlug that is immune to these attack methodologies mainly because we use a different formulation CX + N . We introduce a multiplicative variable C that naturally arises from feature map compression; it plays a key role in obfuscating the parameters of interest. Our approach is based on mapping all the computations to a 1-D space filling curve and then performing a sequence of tiling, compression and binning-based obfuscation operations. We follow up with proposing a theoretical framework based on Mellin transforms that allows us to accurately quantify the size of the search space as a function of the noise we add and the side information that an adversary possesses. The security guarantees provided by NeuroPlug are validated using a battery of statistical and information theory-based tests. We also demonstrate a substantial performance enhancement of 15% compared to the closest competing work.