Side-Channel Analysis of OpenVINO-based Neural Network Models

TL;DR

This paper investigates the vulnerability of OpenVINO-based neural network models on embedded devices to side-channel attacks, demonstrating high-precision recovery of model parameters with minimal accuracy loss.

Contribution

It is the first to analyze side-channel attack susceptibility of OpenVINO-implemented models, showing they can be compromised with high accuracy.

Findings

Model parameters can be recovered with high precision.

Recovered models perform nearly as well as original models.

Minimal accuracy difference (1% Top 1, 0.64% Top 5) after attack.

Abstract

Embedded devices with neural network accelerators offer great versatility for their users, reducing the need to use cloud-based services. At the same time, they introduce new security challenges in the area of hardware attacks, the most prominent being side-channel analysis (SCA). It was shown that SCA can recover model parameters with a high accuracy, posing a threat to entities that wish to keep their models confidential. In this paper, we explore the susceptibility of quantized models implemented in OpenVINO, an embedded framework for deploying neural networks on embedded and Edge devices. We show that it is possible to recover model parameters with high precision, allowing the recovered model to perform very close to the original one. Our experiments on GoogleNet v1 show only a 1% difference in the Top 1 and a 0.64% difference in the Top 5 accuracies.