Revealing CNN Architectures via Side-Channel Analysis in Dataflow-based Inference Accelerators
This addresses a privacy and security problem for users of CNN accelerators in edge devices, but it is incremental as it builds on existing side-channel techniques.
The paper tackles the problem of recovering CNN architectures from dataflow-based inference accelerators using memory-based side-channel analysis, and the result shows that the attack can successfully recover structures of models like Lenet, Alexnet, VGGnet16, and YOLOv2.
Convolutional Neural Networks (CNNs) are widely used in various domains, including image recognition, medical diagnosis and autonomous driving. Recent advances in dataflow-based CNN accelerators have enabled CNN inference in resource-constrained edge devices. These dataflow accelerators utilize inherent data reuse of convolution layers to process CNN models efficiently. Concealing the architecture of CNN models is critical for privacy and security. This article evaluates memory-based side-channel information to recover CNN architectures from dataflow-based CNN inference accelerators. The proposed attack exploits spatial and temporal data reuse of the dataflow mapping on CNN accelerators and architectural hints to recover the structure of CNN models. Experimental results demonstrate that our proposed side-channel attack can recover the structures of popular CNN models, namely, Lenet, Alexnet, VGGnet16, and YOLOv2.