I Know What You See: Power Side-Channel Attack on Convolutional Neural Network Accelerators
This addresses privacy concerns for users of deep learning applications, such as in medical image analysis, by exposing a new vulnerability in hardware implementations, representing an incremental but specific security threat.
The paper tackles the problem of data privacy in deep learning systems by performing a power side-channel attack on an FPGA-based convolutional neural network accelerator, recovering input images with up to 89% recognition accuracy on the MNIST dataset without needing network parameters.
Deep learning has become the de-facto computational paradigm for various kinds of perception problems, including many privacy-sensitive applications such as online medical image analysis. No doubt to say, the data privacy of these deep learning systems is a serious concern. Different from previous research focusing on exploiting privacy leakage from deep learning models, in this paper, we present the first attack on the implementation of deep learning models. To be specific, we perform the attack on an FPGA-based convolutional neural network accelerator and we manage to recover the input image from the collected power traces without knowing the detailed parameters in the neural network. For the MNIST dataset, our power side-channel attack is able to achieve up to 89% recognition accuracy.