
Like an Open Book? Read Neural Network Architecture with Simple Power Analysis on 32-bit Microcontrollers

Raphael Joud, Pierre-Alain Moellic, Simon Pontie, Jean-Baptiste Rigaud

TL;DR

This work demonstrates that architectural details of DNNs deployed on 32-bit microcontrollers can be extracted from simple EM side-channel traces without extensive profiling. By examining CMSIS-NN-based execution of CNNs and MLPs, the authors reveal a Russian doll effect in which individual EM patterns map to layer hyper-parameters such as $H_{out}$, $K$, $Z$, $S$, $P$, $Z_{pool}$, and $N_e$, enabling stepwise reconstruction of the full architecture. The key contributions are a practical extraction methodology, empirical validation on MNIST and CIFAR-10 models, and a discussion of the security implications and the urgent need for architecture-obfuscation defenses on constrained devices. The findings indicate that protecting model architecture on edge devices is critical for robust AI security in regulated and safety-critical deployments.

Abstract

Model extraction is a growing concern for the security of AI systems. For deep neural network models, the architecture is the most important information an adversary aims to recover. Being a sequence of repeated computation blocks, neural network models deployed on edge devices will generate distinctive side-channel leakages. The latter can be exploited to extract critical information when targeted platforms are physically accessible. By combining theoretical knowledge about deep learning practices and analysis of a widespread implementation library (ARM CMSIS-NN), our purpose is to answer this critical question: how far can we extract architecture information by simply examining an EM side-channel trace? For the first time, we propose an extraction methodology for traditional MLP and CNN models running on a high-end 32-bit microcontroller (Cortex-M7) that relies only on simple pattern recognition analysis. Despite a few challenging cases, we claim that, contrary to parameter extraction, the complexity of the attack is relatively low, and we highlight the urgent need for practicable protections that could fit the strong memory and latency requirements of such platforms.

Paper Structure (38 sections, 3 equations, 9 figures, 3 tables, 4 algorithms)


Figures (9)

  • Figure 1: Detailed architecture of considered models. Various conv. implementations are detailed in the paper's convolution overview section.
  • Figure 2: Overviews of conv. layers EM activity related to $H_{out}$
  • Figure 3: Single GeMM execution traces with zoom for MNIST conv. layers
  • Figure 4: Zoom in Matrix-product EM activity with kernels of size $Z=3$
  • Figure 5: MaxPool layers of CNN models