Cache Telepathy: Leveraging Shared Resource Attacks to Learn DNN Architectures
This addresses a security vulnerability for cloud-based DNN services, enabling attackers to gain commercial advantage and facilitate further attacks, representing a novel application of side-channel techniques rather than an incremental improvement.
The paper tackles the problem of stealing confidential deep neural network (DNN) architectures from cloud deployments by exploiting cache side channels, specifically using Prime+Probe and Flush+Reload attacks on VGG and ResNet models with OpenBLAS and Intel MKL libraries, resulting in a dramatic reduction of the search space from over 10^35 to just 16 architectures for VGG with OpenBLAS.
Deep Neural Networks (DNNs) are fast becoming ubiquitous for their ability to attain good accuracy in various machine learning tasks. A DNN's architecture (i.e., its hyper-parameters) broadly determines the DNN's accuracy and performance, and is often confidential. Attacking a DNN in the cloud to obtain its architecture can potentially provide major commercial value. Further, attaining a DNN's architecture facilitates other, existing DNN attacks. This paper presents Cache Telepathy: a fast and accurate mechanism to steal a DNN's architecture using the cache side channel. Our attack is based on the insight that DNN inference relies heavily on tiled GEMM (Generalized Matrix Multiply), and that DNN architecture parameters determine the number of GEMM calls and the dimensions of the matrices used in the GEMM functions. Such information can be leaked through the cache side channel. This paper uses Prime+Probe and Flush+Reload to attack VGG and ResNet DNNs running OpenBLAS and Intel MKL libraries. Our attack is effective in helping obtain the architectures by very substantially reducing the search space of target DNN architectures. For example, for VGG using OpenBLAS, it reduces the search space from more than $10^{35}$ architectures to just 16.