Like an Open Book? Read Neural Network Architecture with Simple Power Analysis on 32-bit Microcontrollers
This addresses security concerns for AI systems on edge devices, highlighting vulnerabilities in physically accessible platforms, though it is incremental as it builds on existing side-channel techniques.
The paper tackles the problem of extracting neural network architecture information from edge devices using electromagnetic side-channel analysis, achieving successful extraction for MLP and CNN models on a Cortex-M7 microcontroller with relatively low attack complexity.
Model extraction is a growing concern for the security of AI systems. For deep neural network models, the architecture is the most important information an adversary aims to recover. Being a sequence of repeated computation blocks, neural network models deployed on edge-devices will generate distinctive side-channel leakages. The latter can be exploited to extract critical information when targeted platforms are physically accessible. By combining theoretical knowledge about deep learning practices and analysis of a widespread implementation library (ARM CMSIS-NN), our purpose is to answer this critical question: how far can we extract architecture information by simply examining an EM side-channel trace? For the first time, we propose an extraction methodology for traditional MLP and CNN models running on a high-end 32-bit microcontroller (Cortex-M7) that relies only on simple pattern recognition analysis. Despite few challenging cases, we claim that, contrary to parameters extraction, the complexity of the attack is relatively low and we highlight the urgent need for practicable protections that could fit the strong memory and latency requirements of such platforms.