
Side-Channel Analysis of OpenVINO-based Neural Network Models

Dirmanto Jap, Jakub Breier, Zdenko Lehocký, Shivam Bhasin, Xiaolu Hou

TL;DR

The paper presents a side-channel analysis of quantized neural networks deployed with OpenVINO on edge devices, showing that attacker-accessible leakage can enable high-precision recovery of model parameters. Through Correlation Power Analysis, the authors demonstrate parameter and bias recovery, achieving reconstructed GoogleNet v1 models with Top-1 accuracy within about $1\%$ and Top-5 within $0.64\%$ of the originals. The study explores multiple leakage scenarios, revealing that accurate leakage modeling (profiling) significantly impacts attack success, while unprofiled settings can substantially degrade recovery. These findings underscore security risks for on-device NN deployments and motivate development of robust countermeasures to protect parameter confidentiality on edge hardware.

Abstract

Embedded devices with neural network accelerators offer great versatility for their users, reducing the need to use cloud-based services. At the same time, they introduce new security challenges in the area of hardware attacks, the most prominent being side-channel analysis (SCA). It was shown that SCA can recover model parameters with a high accuracy, posing a threat to entities that wish to keep their models confidential. In this paper, we explore the susceptibility of quantized models implemented in OpenVINO, an embedded framework for deploying neural networks on embedded and Edge devices. We show that it is possible to recover model parameters with high precision, allowing the recovered model to perform very close to the original one. Our experiments on GoogleNet v1 show only a 1% difference in the Top 1 and a 0.64% difference in the Top 5 accuracies.

Paper Structure (17 sections, 26 equations, 1 figure, 2 tables, 1 algorithm)