Table of Contents
Fetching ...

Real-world Edge Neural Network Implementations Leak Private Interactions Through Physical Side Channel

Zhuoran Liu, Senna van Hoek, Péter Horváth, Dirk Lauret, Xiaoyun Xu, Lejla Batina

TL;DR

This work addresses privacy risks arising from electromagnetic side channels in real-world neural network hardware. It introduces ScaAR, a deep-learning-based, implementation-agnostic attack that infers private attributes of user interactions from EM traces rather than reconstructing exact inputs, and validates it on FPGA and Raspberry Pi devices, including edge LLM scenarios. The study demonstrates data-dependent leakage, robustness to misalignment, and the ability to extract both input and output attributes, revealing significant privacy implications for edge AI hardware. The findings motivate using ScaAR as a standard evaluation step for secure hardware and highlight the need for mitigations to protect interaction-level privacy in practical deployments.

Abstract

Neural networks have become a fundamental component of numerous practical applications, and their implementations, which are often accelerated by hardware, are integrated into all types of real-world physical devices. User interactions with neural networks on hardware accelerators are commonly considered privacy-sensitive. Substantial efforts have been made to uncover vulnerabilities and enhance privacy protection at the level of machine learning algorithms, including membership inference attacks, differential privacy, and federated learning. However, neural networks are ultimately implemented and deployed on physical devices, and current research pays comparatively less attention to privacy protection at the implementation level. In this paper, we introduce a generic physical side-channel attack, ScaAR, that extracts user interactions with neural networks by leveraging electromagnetic (EM) emissions of physical devices. Our proposed attack is implementation-agnostic, meaning it does not require the adversary to possess detailed knowledge of the hardware or software implementations, thanks to the capabilities of deep learning-based side-channel analysis (DLSCA). Experimental results demonstrate that, through the EM side channel, ScaAR can effectively extract the class label of user interactions with neural classifiers, including inputs and outputs, on the AMD-Xilinx MPSoC ZCU104 FPGA and Raspberry Pi 3 B. In addition, for the first time, we provide side-channel analysis on edge Large Language Model (LLM) implementations on the Raspberry Pi 5, showing that EM side channel leaks interaction data, and different LLM tokens can be distinguishable from the EM traces.

Real-world Edge Neural Network Implementations Leak Private Interactions Through Physical Side Channel

TL;DR

This work addresses privacy risks arising from electromagnetic side channels in real-world neural network hardware. It introduces ScaAR, a deep-learning-based, implementation-agnostic attack that infers private attributes of user interactions from EM traces rather than reconstructing exact inputs, and validates it on FPGA and Raspberry Pi devices, including edge LLM scenarios. The study demonstrates data-dependent leakage, robustness to misalignment, and the ability to extract both input and output attributes, revealing significant privacy implications for edge AI hardware. The findings motivate using ScaAR as a standard evaluation step for secure hardware and highlight the need for mitigations to protect interaction-level privacy in practical deployments.

Abstract

Neural networks have become a fundamental component of numerous practical applications, and their implementations, which are often accelerated by hardware, are integrated into all types of real-world physical devices. User interactions with neural networks on hardware accelerators are commonly considered privacy-sensitive. Substantial efforts have been made to uncover vulnerabilities and enhance privacy protection at the level of machine learning algorithms, including membership inference attacks, differential privacy, and federated learning. However, neural networks are ultimately implemented and deployed on physical devices, and current research pays comparatively less attention to privacy protection at the implementation level. In this paper, we introduce a generic physical side-channel attack, ScaAR, that extracts user interactions with neural networks by leveraging electromagnetic (EM) emissions of physical devices. Our proposed attack is implementation-agnostic, meaning it does not require the adversary to possess detailed knowledge of the hardware or software implementations, thanks to the capabilities of deep learning-based side-channel analysis (DLSCA). Experimental results demonstrate that, through the EM side channel, ScaAR can effectively extract the class label of user interactions with neural classifiers, including inputs and outputs, on the AMD-Xilinx MPSoC ZCU104 FPGA and Raspberry Pi 3 B. In addition, for the first time, we provide side-channel analysis on edge Large Language Model (LLM) implementations on the Raspberry Pi 5, showing that EM side channel leaks interaction data, and different LLM tokens can be distinguishable from the EM traces.
Paper Structure (36 sections, 11 figures, 6 tables)

This paper contains 36 sections, 11 figures, 6 tables.

Figures (11)

  • Figure 1: Diagram illustrating the working mechanism of ScaAR. The top row represents the profiling stage, where the adversary collect EM traces (②)from a physical device that runs neural network implementations, e.g., classifier, taking user interactions as inputs (①). Combining the input data annotations, e.g., class labels, and the collected traces, ScaAR (③ ) is trained and deployed for the attack. The middle and bottom rows represent the attack phase. EM traces (④) are collected from a target physical device. By feeding collected traces to ScaAR, the adversary can predict the private attributes of the user interactions (⑤).
  • Figure 2: Schematic physical setup for image input attribute extraction. From left to right, a "Dog" image is fed into a physical device. The EM emission from the image inference can be collected to predict the attribute "Dog".
  • Figure 3: Overview of the target devices. The EM probe position is shown relative to marked areas of interest.
  • Figure 4: EM traces when running SqueezeNet inference on all-zeros input and regular image input on AMD-Xilinx ZCU104 FPGA. The top row zooms in the first part of the original traces, showing the difference between the two types of inputs (all zeros vs regular random image input).
  • Figure 5: The relation between the attack accuracy of the attack model and the number of traces used in the attack.
  • ...and 6 more figures