ABSTRACT
As deep neural networks (DNNs) continue their reach into a wide range of application domains, the neural network architecture of DNN models becomes increasingly sensitive, whether for intellectual property protection or because of the risk of adversarial attacks. Previous studies exploit architecture-level events exposed by hardware platforms to extract model architecture information, but they suffer from the following limitations: requiring a priori knowledge of the victim model, lacking robustness and generality, or recovering only incomplete information about the victim model architecture.
Our paper proposes DeepSniffer, a learning-based model extraction framework that obtains complete model architecture information without any prior knowledge of the victim model. It is robust to the architectural and system noise introduced by complex memory hierarchies and diverse run-time system optimizations. The basic idea of DeepSniffer is to learn the relation between extracted architectural hints (e.g., the volumes of memory reads/writes obtained through side-channel or bus-snooping attacks) and the internal model architecture. Taking GPU platforms as a showcase, DeepSniffer performs model extraction by learning both the architecture-level execution features of kernels and the inter-layer temporal associations introduced by common DNN design practice. We demonstrate that DeepSniffer works experimentally on an off-the-shelf Nvidia GPU platform running a variety of DNN models. The extracted models directly aid in crafting adversarial inputs. Our experimental results show that DeepSniffer achieves high model extraction accuracy and thereby improves the adversarial attack success rate from 14.6%–25.5% (without network architecture knowledge) to 75.9% (with the extracted network architecture). The DeepSniffer project has been released on GitHub.
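The core idea of learning a mapping from a sequence of per-kernel architectural hints to a layer-type sequence can be sketched as a sequence-labeling model trained with CTC loss (the abstract's "inter-layer temporal association" suggests a recurrent sequence model). This is a minimal illustrative sketch, not the paper's implementation: the feature set (latency, read volume, write volume), hidden size, and layer vocabulary below are all assumptions.

```python
# Hypothetical sketch: map a sequence of per-kernel architectural hints
# (e.g., execution latency, memory read volume, memory write volume) to a
# layer-type sequence with a bidirectional LSTM trained under CTC loss.
# The feature names, dimensions, and layer vocabulary are illustrative
# assumptions, not DeepSniffer's exact configuration.
import torch
import torch.nn as nn

LAYER_TYPES = ["<blank>", "conv", "relu", "pool", "fc", "add"]  # assumed vocabulary

class ArchitecturePredictor(nn.Module):
    def __init__(self, n_features=3, hidden=64, n_classes=len(LAYER_TYPES)):
        super().__init__()
        self.lstm = nn.LSTM(n_features, hidden, batch_first=True, bidirectional=True)
        self.proj = nn.Linear(2 * hidden, n_classes)

    def forward(self, kernel_features):            # (batch, n_kernels, n_features)
        h, _ = self.lstm(kernel_features)
        return self.proj(h).log_softmax(dim=-1)    # per-kernel layer-type log-probs

# One training step against a profiled model whose layer sequence is known.
model = ArchitecturePredictor()
ctc = nn.CTCLoss(blank=0)                          # index 0 is the CTC blank label
feats = torch.randn(1, 20, 3)                      # 20 observed kernels, 3 hints each
target = torch.tensor([[1, 2, 3, 4]])              # conv -> relu -> pool -> fc
log_probs = model(feats).transpose(0, 1)           # CTCLoss expects (T, batch, classes)
loss = ctc(log_probs, target,
           input_lengths=torch.tensor([20]),
           target_lengths=torch.tensor([4]))
loss.backward()                                    # gradients flow to LSTM weights
```

At inference time, a greedy or beam-search CTC decode over the log-probabilities would yield the predicted layer-type sequence for an unseen victim model's kernel trace.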
Index Terms
- DeepSniffer: A DNN Model Extraction Framework Based on Learning Architectural Hints