FeatureBleed: Inferring Private Enriched Attributes From Sparsity-Optimized AI Accelerators

TL;DR

This paper reveals a hardware-level timing attack called FEATUREBLEED that exploits zero-skipping in AI accelerators to infer private data, demonstrating significant privacy risks and proposing an effective padding-based defense.

Contribution

It introduces the first hardware-level data-stealing attack on AI accelerators exploiting zero-skipping, with broad evaluation across datasets, hardware, and models, and proposes a practical mitigation strategy.

Findings

FEATUREBLEED achieves up to 98.87% adversarial advantage.

Zero-skipping is identified as the root cause of leakage.

Padding defense reduces performance overhead to 7.24%.

Abstract

Backend enrichment is now widely deployed in sensitive domains such as product recommendation pipelines, healthcare, and finance, where models are trained on confidential data and retrieve private features whose values influence inference behavior while remaining hidden from the API caller. This paper presents the first hardware-level backend retrieval data-stealing attack, showing that accelerator optimizations designed for performance can directly undermine data confidentiality and bypass state-of-the-art privacy defenses. Our attack, FEATUREBLEED, exploits zero-skipping in AI accelerators to infer private backend-retrieved features solely through end-to-end timing, without relying on power analysis, DVFS manipulation, or shared-cache side channels. We evaluate FEATUREBLEED on three datasets spanning medical and non-medical domains: Texas-100X (clinical records), OrganAMNIST (medical imaging), and Census-19 (socioeconomic data). We further evaluate FEATUREBLEED across three hardware backends (Intel AVX, Intel AMX, and NVIDIA A100) and three model architectures (DNNs, CNNs, and hybrid CNN-MLP pipelines), demonstrating that the leakage generalizes across CPU and GPU accelerators, data modalities, and application domains, with an adversarial advantage of up to 98.87 percentage points. Finally, we identify the root cause of the leakage as sparsity-driven zero-skipping in modern hardware. We quantify the privacy-performance-power trade-off: disabling zero-skipping increases Intel AMX per-operation energy by up to 25 percent and incurs 100 percent performance overhead. We propose a padding-based defense that masks timing leakage by equalizing responses to the worst-case execution time, achieving protection with only 7.24 percent average performance overhead and no additional power cost.