Precise Extraction of Deep Learning Models via Side-Channel Attacks on Edge/Endpoint Devices
Younghan Lee, Sohee Jun, Yungi Cho, Woorim Han, Hyungon Moon, Yunheung Paek
TL;DR
On-device DL deployments expose security risks where side-channel attacks on edge devices reveal critical victim-model information, notably the image dimension $ID$ and architecture $MA$, enabling potent model extraction attacks (MEA). The authors propose an empirical framework linking SCA-derived $ID$ and $MA$ to MEA performance across datasets, query budgets, and attack strategies, and they validate end-to-end MEA under realistic threat assumptions. A key finding is that $ID$ is the most influential piece of information; surrogate models achieve maximal fidelity when their $ID$ matches the victim's and when their $MA$ is more complex, and SCA can estimate $ID$ with high accuracy to enable near-ideal MEA even without explicit prior knowledge. These results inform defense strategies, suggesting that obfuscating or concealing $ID$ is an effective mitigation, and they provide a practical methodology for assessing MEA risk in edge/endpoint scenarios.
Abstract
With growing popularity, deep learning (DL) models are becoming larger-scale, and only the companies with vast training datasets and immense computing power can manage their business serving such large models. Most of those DL models are proprietary to the companies who thus strive to keep their private models safe from the model extraction attack (MEA), whose aim is to steal the model by training surrogate models. Nowadays, companies are inclined to offload the models from central servers to edge/endpoint devices. As revealed in the latest studies, adversaries exploit this opportunity as new attack vectors to launch side-channel attack (SCA) on the device running victim model and obtain various pieces of the model information, such as the model architecture (MA) and image dimension (ID). Our work provides a comprehensive understanding of such a relationship for the first time and would benefit future MEA studies in both offensive and defensive sides in that they may learn which pieces of information exposed by SCA are more important than the others. Our analysis additionally reveals that by grasping the victim model information from SCA, MEA can get highly effective and successful even without any prior knowledge of the model. Finally, to evince the practicality of our analysis results, we empirically apply SCA, and subsequently, carry out MEA under realistic threat assumptions. The results show up to 5.8 times better performance than when the adversary has no model information about the victim model.