Abstract

Model confidentiality attacks on convolutional neural networks (CNNs) are becoming increasingly common. At present, model inversion is an important means of attacking model confidentiality, but existing inversion attacks require strong attacker capabilities and have low success rates. We study the timing leakage of CNNs running on a SoC (system-on-chip) platform and propose an inversion method based on a side-channel attack. It uses the profiler tool of the SoC SDK to collect the timing leakage of the individual layers of various CNNs. Exploiting the linear relationship between timing leakage, computation and memory-usage parameters, we mount a profiling attack to build a mapping library from layer parameters to execution time. The library entry whose theoretical time differs least from the measured time of a layer of the unknown model is then taken as that layer's true parameters, and the remaining layers, and eventually the entire model, are recovered in the same way. In our experiments, the inversion success rate for common convolutional layers is above 78.5%, and the success rates for different CNNs (such as AlexNet, ConvNet and LeNet) are all above 67.67%. The results also show that the success rate of our method is on average 10% higher than that of traditional methods. In the adversarial example attack, the success rate reached 97%.
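The matching step described above, as an added worked example that is not the paper's code: a linear cost model of layer execution time in terms of multiply-accumulates and memory footprint, a mapping library over a small candidate space of convolutional layers, nearest-match inversion of a "measured" time, and a check of how closely library entries lie, which bounds the timing noise the decision can tolerate. The cost coefficients, the candidate ranges and the measured timings are constructed assumptions; in the attack itself the coefficients would be fitted from profiler measurements of known layers (the profiling stage) and the measured time would come from the target model.

```python
"""Added worked example, not the paper's code. The linear cost model
(time = a*MACs + b*memory + c), its coefficients, the candidate search
space and the "measured" timings are all constructed for illustration."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class ConvLayer:
    """Hyperparameters of one square-input convolutional layer (no padding)."""
    in_ch: int
    out_ch: int
    kernel: int
    stride: int
    in_size: int

    def out_size(self) -> int:
        return (self.in_size - self.kernel) // self.stride + 1

    def macs(self) -> int:
        # one multiply-accumulate per (output pixel, out channel, in channel, tap)
        o = self.out_size()
        return o * o * self.out_ch * self.in_ch * self.kernel * self.kernel

    def memory(self) -> int:
        # elements touched: weights + input feature map + output feature map
        o = self.out_size()
        return (self.out_ch * self.in_ch * self.kernel ** 2
                + self.in_ch * self.in_size ** 2
                + self.out_ch * o * o)


# Constructed coefficients (assumption): ms per MAC, ms per element, fixed overhead.
A_MACS, B_MEM, C_FIXED = 1.0e-6, 4.0e-6, 0.05


def theoretical_time(layer: ConvLayer) -> float:
    """Linear cost model relating timing leakage to compute and memory usage."""
    return A_MACS * layer.macs() + B_MEM * layer.memory() + C_FIXED


def build_library(in_ch, in_size, out_chs, kernels, strides):
    """Mapping library: every candidate layer -> its theoretical time in ms."""
    lib = {}
    for oc, k, s in product(out_chs, kernels, strides):
        layer = ConvLayer(in_ch, oc, k, s, in_size)
        lib[layer] = theoretical_time(layer)
    return lib


def invert_layer(measured_ms: float, library) -> ConvLayer:
    """Nearest-match inversion: the candidate whose theoretical time is closest."""
    return min(library, key=lambda layer: abs(library[layer] - measured_ms))


def candidates_within(measured_ms: float, library, tol_ms: float):
    """All candidates whose residual is within tol_ms, best first.
    More than one entry means the measurement cannot distinguish them."""
    hits = [(abs(t - measured_ms), layer) for layer, t in library.items()
            if abs(t - measured_ms) <= tol_ms]
    return sorted(hits, key=lambda h: h[0])


def min_gap(library) -> float:
    """Smallest separation between two library entries: timing noise above
    half this gap makes the nearest-match decision unreliable."""
    times = sorted(library.values())
    return min(b - a for a, b in zip(times, times[1:]))


LIBRARY = build_library(in_ch=3, in_size=32, out_chs=(16, 32, 64),
                        kernels=(3, 5), strides=(1, 2))

if __name__ == "__main__":
    target = ConvLayer(3, 32, 5, 1, 32)
    measured = theoretical_time(target) + 0.02  # constructed: +0.02 ms jitter
    guess = invert_layer(measured, LIBRARY)
    print("recovered:", guess, "residual %.4f ms" % abs(LIBRARY[guess] - measured))
    print("min gap in library: %.4f ms" % min_gap(LIBRARY))
    # A measurement that lands near two almost-equal entries is ambiguous:
    for res, layer in candidates_within(0.512, LIBRARY, tol_ms=0.01):
        print("  candidate %.4f ms away:" % res, layer)
```

The ambiguity check is the practical caveat: in this constructed library a 3x3/stride-1/16-channel layer and a 3x3/stride-2/64-channel layer differ by only about 0.005 ms, so a single noisy measurement cannot separate them, and a real attack would need repeated measurements or the timings of neighbouring layers to disambiguate.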

Highlights

  • The application of convolutional neural networks (CNN) has formed a business model of machine learning as a service (MLaaS)

  • In terms of algorithm structure, symmetric encryption algorithms are built from round functions and a CNN is composed of multiple network layers; both have linear and nonlinear components, and in operation the input of each layer or round depends on the output of the previous layer or round [4]

  • We propose a novel timing side-channel attack on the SoC platform for model inversion


Summary

Research Article: Inversion Attacks against CNN Models Based on Timing Attack

Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China.

Attackers can use an inverted model to generate data close to the original training data, which poses a great threat to the model, but these attacks demand greater capabilities from the attacker. In response to such attacks, some scholars have proposed methods for protecting model confidentiality based on homomorphic encryption and secure multiparty computation [2, 3]. Our method does not need to know the distribution of the original training data or the marginal distribution of individual features; we assume that the attacker knows the category of the target model but not the details of its architecture, and uses the profiling tool in the SDK of the SoC board to collect timing leakage. In related side-channel work, by reverse engineering the physical structure of the PCB, including the cryptographic module, and taking the dominant field into account, secret key information can be efficiently extracted from the cryptographic module [12].

Section outline (from the full text): Introduction to Profiling; Findings; Conclusions.

Table headers recovered from the full text: success rate; whether provided; parameter coefficient; calculation of convolution; operating system, processor, memory; parameters h, t, p, df, sd; candidate values; Alphat, residual; theoretical time vs. measured time; indicators MAE, RMSE.