On the Evaluation of User Privacy in Deep Neural Networks using Timing Side Channel

Shubhi Shukla, Manaar Alam, Sarani Bhattacharya, Debdeep Mukhopadhyay, Pabitra Mitra

TL;DR

It is demonstrated that a DL model secured with differential privacy is still vulnerable to MIA against an adversary exploiting Class Leakage, and an easy-to-implement countermeasure is developed by making the branching operation constant-time, which alleviates the Class Leakage and also aids in mitigating MIA.

Abstract

Recent Deep Learning (DL) advancements in solving complex real-world tasks have led to its widespread adoption in practical applications. However, this opportunity comes with significant underlying risks, as many of these models rely on privacy-sensitive data for training in a variety of applications, making them an overly-exposed threat surface for privacy violations. Furthermore, the widespread use of cloud-based Machine-Learning-as-a-Service (MLaaS) for its robust infrastructure support has broadened the threat surface to include a variety of remote side-channel attacks. In this paper, we first identify and report a novel data-dependent timing side-channel leakage (termed Class Leakage) in DL implementations, originating from a non-constant-time branching operation in the widely used DL framework PyTorch. We further demonstrate a practical inference-time attack where an adversary with user privilege and hard-label black-box access to an MLaaS can exploit Class Leakage to compromise the privacy of MLaaS users. DL models are vulnerable to Membership Inference Attack (MIA), where an adversary's objective is to deduce whether any particular data has been used while training the model. In this paper, as a separate case study, we demonstrate that a DL model secured with differential privacy (a popular countermeasure against MIA) is still vulnerable to MIA against an adversary exploiting Class Leakage. We develop an easy-to-implement countermeasure by making the branching operation constant-time, which alleviates the Class Leakage and also aids in mitigating MIA. We have chosen two standard benchmarking image classification datasets, CIFAR-10 and CIFAR-100, to train five state-of-the-art pre-trained DL models over two different computing environments, having Intel Xeon and Intel i7 processors, to validate our approach.
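To make the mechanism behind Class Leakage concrete, here is an added toy example (not code from the paper or from PyTorch). It assumes the leaky pattern is the textbook running-max loop over a pooling window, whose update branch fires a window-dependent number of times (the effect Figure 5 attributes to Maxpool), and shows the branchless arithmetic-select variant that does identical work per window. All feature maps are constructed.

```python
# Added example (not from the paper or PyTorch): a 2x2 max-pooling layer evaluated with a
# data-dependent branch versus a constant-time select. Assumption: the leaky code is the
# textbook running-max loop; the hardened variant consumes the comparison arithmetically.

def max_pool_branchy(window):
    """Running max; also returns how often the data-dependent update branch fired."""
    best, updates = window[0], 0
    for v in window[1:]:
        if v > best:          # taken a window-dependent number of times: the timing leak
            best, updates = v, updates + 1
    return best, updates

def max_pool_constant_time(window):
    """Same maximum, but the comparison result is used arithmetically, not branched on."""
    best = window[0]
    for v in window[1:]:
        take = int(v > best)                    # 0 or 1, always computed
        best = take * v + (1 - take) * best     # select without a taken/not-taken branch
    return best

def windows_2x2(feature_map):
    """Yield (row, col, window) for the non-overlapping 2x2 windows of a square map."""
    n = len(feature_map)
    for r in range(0, n, 2):
        for c in range(0, n, 2):
            yield (r // 2, c // 2, [feature_map[r][c], feature_map[r][c + 1],
                                    feature_map[r + 1][c], feature_map[r + 1][c + 1]])

def pool_layer(feature_map, pool_fn):
    """Apply pool_fn to every window; returns the pooled map as a list of rows."""
    side = len(feature_map) // 2
    out = [[None] * side for _ in range(side)]
    for i, j, w in windows_2x2(feature_map):
        out[i][j] = pool_fn(w)
    return out

def branch_profile(feature_map):
    """Pooled map plus the total update-branch count: what a timing observer sees vary."""
    pooled = pool_layer(feature_map, max_pool_branchy)
    total = sum(u for row in pooled for _, u in row)
    return [[m for m, _ in row] for row in pooled], total

# Constructed inputs: identical maxima per window, opposite element ordering inside each.
ASCENDING_MAP = [[1, 2, 5, 6], [3, 4, 7, 8], [9, 10, 13, 14], [11, 12, 15, 16]]
DESCENDING_MAP = [[4, 3, 8, 7], [2, 1, 6, 5], [12, 11, 16, 15], [10, 9, 14, 13]]

if __name__ == "__main__":
    for name, fmap in (("ascending", ASCENDING_MAP), ("descending", DESCENDING_MAP)):
        pooled, updates = branch_profile(fmap)
        print(name, pooled, "update branches taken:", updates,
              "constant-time result:", pool_layer(fmap, max_pool_constant_time))
```

Both maps pool to the same output, yet the branchy version takes twelve update branches on one and none on the other; the constant-time variant removes that difference at the source, which is the shape of the countermeasure the abstract describes. In a real framework the select would be done in the compiled kernel, since Python itself offers no timing guarantees.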

Paper Structure (38 sections, 2 equations, 20 figures, 2 tables)

Figures (20)

  • Figure 1: An example of max pooling operation
  • Figure 2: Experimental Scenario: A client having hard-label black-box access to a remote cloud-server providing MLaaS through a CNN implemented using PyTorch. The client can also monitor execution time during inference operation
  • Figure 3: Number of distinguishable class pairs using timing side-channel in different CNN models on CIFAR10 (out of 45) and CIFAR100 (out of 4950) on (a) Intel Xeon and (b) Intel i7 machines
  • Figure 4: Number of distinguishable class pairs (out of 45) using timing side-channel of each layer in Custom CNN on CIFAR10 with (a) Max Pooling and (b) Average Pooling
  • Figure 5: An example of the varying number of if-statement calls for two different windows (kernels) during the Maxpool operation
  • ...and 15 more figures