Side-Channel Analysis of OpenVINO-based Neural Network Models
This addresses a security problem for entities using embedded neural networks who wish to keep models confidential, but it is incremental as it builds on prior SCA research.
The paper tackles the security vulnerability of quantized neural network models deployed via OpenVINO on embedded devices, showing that side-channel analysis can recover model parameters with high precision, resulting in recovered models performing within 1% accuracy difference compared to the original.
Embedded devices with neural network accelerators offer great versatility for their users, reducing the need to use cloud-based services. At the same time, they introduce new security challenges in the area of hardware attacks, the most prominent being side-channel analysis (SCA). It was shown that SCA can recover model parameters with a high accuracy, posing a threat to entities that wish to keep their models confidential. In this paper, we explore the susceptibility of quantized models implemented in OpenVINO, an embedded framework for deploying neural networks on embedded and Edge devices. We show that it is possible to recover model parameters with high precision, allowing the recovered model to perform very close to the original one. Our experiments on GoogleNet v1 show only a 1% difference in the Top 1 and a 0.64% difference in the Top 5 accuracies.