ABSTRACT
As deep neural networks (DNNs) continue their reach into a wide range of application domains, the neural network architecture of DNN models becomes increasingly sensitive, whether for intellectual property protection or because of the risk of adversarial attacks. Previous studies exploit architecture-level events exposed by hardware platforms to extract model architecture information, but they suffer from the following limitations: requiring a priori knowledge of the victim model, lacking robustness and generality, or recovering only incomplete information about the victim model architecture.
Our paper proposes DeepSniffer, a learning-based model extraction framework that obtains complete model architecture information without any prior knowledge of the victim model. It is robust to the architectural and system noise introduced by complex memory hierarchies and diverse run-time system optimizations. The basic idea of DeepSniffer is to learn the relation between extracted architectural hints (e.g., the volumes of memory reads/writes obtained through side-channel or bus-snooping attacks) and the internal model architecture. Taking GPU platforms as a showcase, DeepSniffer performs model extraction by learning both the architecture-level execution features of kernels and the inter-layer temporal associations introduced by common DNN design practice. We demonstrate that DeepSniffer works experimentally on an off-the-shelf Nvidia GPU platform running a variety of DNN models. The extracted models directly aid in crafting adversarial inputs. Our experimental results show that DeepSniffer achieves high model extraction accuracy and thereby improves the adversarial attack success rate from 14.6%–25.5% (without network architecture knowledge) to 75.9% (with the extracted network architecture). The DeepSniffer project has been released on GitHub.
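The core idea of learning a mapping from a sequence of per-kernel architectural hints to a layer-type sequence can be sketched as a sequence-labeling model trained with CTC loss (the abstract's "inter-layer temporal association" suggests a recurrent sequence model). This is a minimal illustrative sketch, not the paper's implementation: the feature set (latency, read volume, write volume), hidden size, and layer vocabulary below are all assumptions.

```python
# Hypothetical sketch: map a sequence of per-kernel architectural hints
# (e.g., execution latency, memory read volume, memory write volume) to a
# layer-type sequence with a bidirectional LSTM trained under CTC loss.
# The feature names, dimensions, and layer vocabulary are illustrative
# assumptions, not DeepSniffer's exact configuration.
import torch
import torch.nn as nn

LAYER_TYPES = ["<blank>", "conv", "relu", "pool", "fc", "add"]  # assumed vocabulary

class ArchitecturePredictor(nn.Module):
    def __init__(self, n_features=3, hidden=64, n_classes=len(LAYER_TYPES)):
        super().__init__()
        self.lstm = nn.LSTM(n_features, hidden, batch_first=True, bidirectional=True)
        self.proj = nn.Linear(2 * hidden, n_classes)

    def forward(self, kernel_features):            # (batch, n_kernels, n_features)
        h, _ = self.lstm(kernel_features)
        return self.proj(h).log_softmax(dim=-1)    # per-kernel layer-type log-probs

# One training step against a profiled model whose layer sequence is known.
model = ArchitecturePredictor()
ctc = nn.CTCLoss(blank=0)                          # index 0 is the CTC blank label
feats = torch.randn(1, 20, 3)                      # 20 observed kernels, 3 hints each
target = torch.tensor([[1, 2, 3, 4]])              # conv -> relu -> pool -> fc
log_probs = model(feats).transpose(0, 1)           # CTCLoss expects (T, batch, classes)
loss = ctc(log_probs, target,
           input_lengths=torch.tensor([20]),
           target_lengths=torch.tensor([4]))
loss.backward()                                    # gradients flow to LSTM weights
```

At inference time, a greedy or beam-search CTC decode over the log-probabilities would yield the predicted layer-type sequence for an unseen victim model's kernel trace.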
Index Terms
- DeepSniffer: A DNN Model Extraction Framework Based on Learning Architectural Hints