Michscan: Black-Box Neural Network Integrity Checking at Runtime Through Power Analysis

TL;DR

Michscan is a novel black-box runtime verification method that uses power analysis to detect integrity violations in TinyML neural networks on resource-constrained devices without needing model parameters or cooperation from the model owner.

Contribution

This paper introduces Michscan, a power analysis-based approach for verifying neural network integrity in black-box TinyML models on embedded devices, addressing security concerns without model access.

Findings

Successfully detected all integrity violations in experiments.

Achieved negligible false positive rate (P < 10^(-5)).

Operates effectively in resource-constrained environments.

Abstract

As neural networks are increasingly used for critical decision-making tasks, the threat of integrity attacks, where an adversary maliciously alters a model, has become a significant security and safety concern. These concerns are compounded by the use of licensed models, where end-users purchase third-party models with only black-box access to protect model intellectual property (IP). In such scenarios, conventional approaches to verify model integrity require knowledge of model parameters or cooperative model owners. To address this challenge, we propose Michscan, a methodology leveraging power analysis to verify the integrity of black-box TinyML neural networks designed for resource-constrained devices. Michscan is based on the observation that modifications to model parameters impact the instantaneous power consumption of the device. We leverage this observation to develop a runtime model integrity-checking methodology that employs correlational power analysis using a golden template or signature to mathematically quantify the likelihood of model integrity violations at runtime through the Mann-Whitney U-Test. Michscan operates in a black-box environment and does not require a cooperative or trustworthy model owner. We evaluated Michscan using an STM32F303RC microcontroller with an ARM Cortex-M4 running four TinyML models in the presence of three model integrity violations. Michscan successfully detected all integrity violations at runtime using power data from five inferences. All detected violations had a negligible probability P < 10^(-5) of being produced from an unmodified model (i.e., false positive).