
CNN architecture extraction on edge GPU

Peter Horvath, Lukasz Chmielewski, Leo Weissbart, Lejla Batina, Yuval Yarom

TL;DR

This paper examines the risk that convolutional neural network architectures deployed on edge GPUs can be reverse-engineered via side-channel analysis. Using the NVIDIA Jetson Nano and EM plus timing measurements, the authors demonstrate architecture extraction across 15 widely used CNNs, including EfficientNets, MobileNets, and NasNet. They present two extraction routes: conventional simple electromagnetic analysis (SEMA) combined with timing, and an automated deep-learning classifier, with the DL-based classifier reaching near-perfect identification (≈99% accuracy). The work contributes a practical threat model, a detailed measurement methodology, and a DL-based pipeline that can rapidly infer network architectures, highlighting significant security implications for edge AI and motivating mitigations such as shielding, noise injection, or custom architectures.

Abstract

Neural networks have become popular due to their versatility and state-of-the-art results in many applications, such as image classification, natural language processing, speech recognition, forecasting, etc. These applications are also used in resource-constrained environments such as embedded devices. In this work, the susceptibility of neural network implementations to reverse engineering is explored on the NVIDIA Jetson Nano microcomputer via side-channel analysis. To this end, an architecture extraction attack is presented. In the attack, 15 popular convolutional neural network architectures (EfficientNets, MobileNets, NasNet, etc.) are implemented on the GPU of Jetson Nano and the electromagnetic radiation of the GPU is analyzed during the inference operation of the neural networks. The results of the analysis show that neural network architectures are easily distinguishable using deep learning-based side-channel analysis.
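The measurement step behind the paper's Figure 1 is a scan of the chip surface in which, at each probe position, a trace is recorded, Fourier-transformed, and scored by how much energy sits at the GPU's 78 MHz clock; the positions with the strongest clock leakage are where the EM probe is placed for the attack. The following is an added example of that scoring procedure, not code from the paper or its authors. The scan grid size, the 1 GS/s sample rate, the trace length and the synthetic traces are all constructed assumptions for illustration; only the 78 MHz target tone comes from the page.

```python
import cmath
import math
import random

# Constructed measurement setup (assumptions for this example, not values from
# the paper): a 4x4 scan grid over the chip, 1 GS/s sampling, 2000 samples per
# trace, and the 78 MHz clock tone the Figure 1 heatmap is keyed to.
SAMPLE_RATE_HZ = 1_000_000_000
TARGET_HZ = 78_000_000
N_SAMPLES = 2000
GRID = 4


def tone_magnitude(trace, freq_hz, sample_rate_hz):
    """Magnitude of a single DFT bin at freq_hz, evaluated directly.

    This is the one Fourier coefficient the heatmap needs; a full FFT per
    scan point gives the same number at the 78 MHz bin.
    """
    n = len(trace)
    w = -2j * math.pi * freq_hz / sample_rate_hz
    acc = sum(x * cmath.exp(w * k) for k, x in enumerate(trace))
    return abs(acc) / n


def synth_trace(activity, rng):
    """Constructed trace: Gaussian noise plus a 78 MHz tone scaled by `activity`."""
    step = 2 * math.pi * TARGET_HZ / SAMPLE_RATE_HZ
    return [activity * math.sin(step * k) + rng.gauss(0.0, 0.5)
            for k in range(N_SAMPLES)]


def scan_heatmap(traces_by_point, freq_hz=TARGET_HZ, sample_rate_hz=SAMPLE_RATE_HZ):
    """Map each (row, col) scan point to its clock-tone activity, normalised to the peak."""
    raw = {p: tone_magnitude(t, freq_hz, sample_rate_hz)
           for p, t in traces_by_point.items()}
    peak = max(raw.values()) or 1.0
    return {p: v / peak for p, v in raw.items()}


def candidate_positions(heatmap, threshold=0.8):
    """Scan points near the peak activity: where the probe should sit for the attack."""
    return sorted(p for p, v in heatmap.items() if v >= threshold)


def build_constructed_scan(seed=1):
    """Constructed 4x4 scan: two strongly active points, one weak, the rest idle."""
    rng = random.Random(seed)
    activity = {(1, 1): 1.0, (2, 2): 1.0, (3, 0): 0.3}
    return {(r, c): synth_trace(activity.get((r, c), 0.0), rng)
            for r in range(GRID) for c in range(GRID)}


def demo_heatmap():
    """Run the constructed scan and return the normalised heatmap."""
    return scan_heatmap(build_constructed_scan())


if __name__ == "__main__":
    hm = demo_heatmap()
    for r in range(GRID):
        print(" ".join(f"{hm[(r, c)]:.2f}" for c in range(GRID)))
    print("probe candidates:", candidate_positions(hm))
```

Because 78 MHz falls exactly on a DFT bin for these constructed parameters (bin spacing is 0.5 MHz), the tone contributes a magnitude of half its amplitude and the noise floor is roughly 0.01 in the same units, so active and idle points separate cleanly. On a real scan the tone will not sit on a bin and the trace will be much longer; the practical check is the same, namely that the candidate set is small and stable across repeated captures before committing to a probe position.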

Paper Structure (21 sections, 2 equations, 6 figures, 2 tables)

Figures (6)

  • Figure 1: Heatmap of 78 MHz clock frequency after scanning the chip of the Jetson Nano device. The heatmap was generated by applying the Fourier transform on traces collected at each point on the chip. Purple indicates no activity of the 78 MHz clock frequency while yellow indicates the highest activity of this frequency at a certain point. Multiple yellow points can be used to mount a successful architecture extraction attack.
  • Figure 2: Location of the Riscure EM probe. The probe tip is located above the chip.
  • Figure 3: Example traces of the investigated architectures.
  • Figure 4: 3-layer MLP with 3 ReLU activations (top) and 2 ReLU activations (bottom)
  • Figure 5: 2-layer MLP with 2 ReLU activations (top) and 1 ReLU activation (bottom)
  • ...and 1 more figure
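Figures 4 and 5 illustrate the conventional SEMA+timing route: the EM trace of an MLP shows one burst of activity per layer, and networks that differ in depth or in the number of ReLU activations produce visibly different burst counts and durations. The following is an added example of that analysis, not code from the paper or its authors. It treats each layer's compute as a high-amplitude burst separated by quiet gaps, which is an assumption of this illustration; the trace generator, window size, burst lengths and noise level are all constructed.

```python
import math
import random


def constructed_trace(layer_lengths, gap=150, amp=1.0, noise=0.15, seed=7):
    """Constructed EM-like trace: one oscillating burst per layer, quiet gaps between.

    `layer_lengths` gives the burst length in samples for each layer; this is a
    stand-in for a captured trace, not real Jetson Nano data.
    """
    rng = random.Random(seed)
    trace = [rng.gauss(0.0, noise) for _ in range(gap)]
    for length in layer_lengths:
        trace += [amp * math.sin(0.9 * k) + rng.gauss(0.0, noise)
                  for k in range(length)]
        trace += [rng.gauss(0.0, noise) for _ in range(gap)]
    return trace


def envelope(trace, window=25):
    """Moving RMS over `window` samples: turns each oscillating burst into a plateau."""
    sq = [x * x for x in trace]
    out = []
    acc = 0.0
    for i, v in enumerate(sq):
        acc += v
        if i >= window:
            acc -= sq[i - window]
        out.append(math.sqrt(acc / min(i + 1, window)))
    return out


def segment_bursts(env, threshold, min_len=10):
    """Return (start, end) sample indices of each run where env > threshold."""
    bursts = []
    start = None
    for i, v in enumerate(env):
        if v > threshold and start is None:
            start = i
        elif v <= threshold and start is not None:
            if i - start >= min_len:
                bursts.append((start, i))
            start = None
    if start is not None and len(env) - start >= min_len:
        bursts.append((start, len(env)))
    return bursts


def layer_profile(trace, window=25):
    """SEMA+timing summary: (number of bursts, duration of each burst in samples).

    The threshold is placed halfway between the quiet floor and the burst
    plateau of the envelope, so it adapts to the trace's own amplitude.
    """
    env = envelope(trace, window)
    lo, hi = min(env), max(env)
    thr = lo + 0.5 * (hi - lo)
    bursts = segment_bursts(env, thr)
    return len(bursts), [end - start for start, end in bursts]


if __name__ == "__main__":
    # Constructed stand-ins for a 3-layer and a 2-layer network.
    for name, layers in (("3-layer", [300, 300, 200]), ("2-layer", [300, 300])):
        count, durations = layer_profile(constructed_trace(layers))
        print(f"{name}: {count} bursts, durations {durations}")
```

The moving-RMS window smears each burst boundary by a few samples, so the measured durations are slightly longer than the true burst lengths; what matters for extraction is that the count and the relative durations are stable across captures, which is what lets one layer configuration be told apart from another. Adding the timing of each burst on top of the count is what lets the analyst distinguish, for example, a layer with a ReLU from one without when the burst count alone is the same.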