Revealing CNN Architectures via Side-Channel Analysis in Dataflow-based Inference Accelerators

TL;DR

This work addresses the privacy risk of architecture leakage from CNNs deployed on dataflow-based edge accelerators. It introduces a memory-based side-channel attack that exploits inherent data reuse in weight-stationary and output-stationary dataflows to recover CNN structures and parameters layer-by-layer. The authors demonstrate full architectural recovery for Lenet, AlexNet, VGG-16, and YOLOv2, both in simulation and on FPGA hardware, highlighting concrete parameter extractions for Conv, FC, and pooling layers and discussing mitigations. The results emphasize the practical threat of side-channel leakage in edge inference and motivate defenses that obscure memory-access patterns in dataflow accelerators.

Abstract

Convolutional Neural Networks (CNNs) are widely used in various domains, including image recognition, medical diagnosis and autonomous driving. Recent advances in dataflow-based CNN accelerators have enabled CNN inference in resource-constrained edge devices. These dataflow accelerators utilize inherent data reuse of convolution layers to process CNN models efficiently. Concealing the architecture of CNN models is critical for privacy and security. This article evaluates memory-based side-channel information to recover CNN architectures from dataflow-based CNN inference accelerators. The proposed attack exploits spatial and temporal data reuse of the dataflow mapping on CNN accelerators and architectural hints to recover the structure of CNN models. Experimental results demonstrate that our proposed side-channel attack can recover the structures of popular CNN models, namely, Lenet, Alexnet, VGGnet16, and YOLOv2.

Figures (9)

• Figure 1: Convolution layer parameters, semantics and operation: An $R \times R \times C$ filter is applied on same size neighborhood of ifmap of size $X \times Y \times C$ to calculate single value in ofmap of size $X' \times Y' \times K$.
• Figure 2: WS($m,n$) architecture: weight stationary dataflow with n processing element (PE) arrays and m PEs per array, with separate interconnects for weight/input reads and partial sum reads and writes from/to Global Buffer (GB). Neighboring PEs in an array has input-forwarding connections.
• Figure 3: Dataflow mapping and data reads for the first two cycles for three scenarios: (a) mapping of $2 \times 2 \times 2$ filter into WS($4,1$), (b) mapping of $4 \times 4 \times 2$ filter into WS($4,1$), and (c) mapping of $2\time 2\times 2$ filter into OS($4,1$) with $st=1$ and $pd=0$ and ifmap of $\{X=5, Y=5, C=2\}$, and ofmap of $\{X'=4, Y'=4, K=1\}$.
• Figure 4: Overview of a typical CNN accelerator. The controller, interconnects, global buffer (GB), and processing element (PE) arrays are the critical components. Unprotected communication can be snooped to extract side-channel data.
• Figure 5: Overview of the proposed side-channel attack to recover CNN model. The adversary collects layer-by-layer side-channel information, and utilizes them to recover layer-by-layer CNN structure.