MACPruning: Dynamic Operation Pruning to Mitigate Side-Channel DNN Model Extraction
Ruyi Ding, Cheng Gongye, Davis Ranney, Aidong Adam Ding, Yunsi Fei
TL;DR
MACPruning introduces a lightweight, DNN-aware defense against EM side-channel based model extraction by randomly deactivating input pixels (RPAM) and pruning corresponding MAC operations, leveraging the inherent robustness of DNNs to input variation. It further improves resilience via IaPAM, which preserves critical input pixels while allowing randomness elsewhere, achieving strong leakage suppression with minimal accuracy loss. The authors derive a theoretical mitigation strength $R$ and its empirical analogue ${\hat{R}}$, validate them on real MCU measurements for MNIST and CIFAR-10, and demonstrate favorable overhead compared to masking or shuffling. An adaptive-attack analysis yields upper bounds on leakage and shows that $R$ remains large for practical settings, implying robust protection of early layers where parameter leakage would otherwise be most feasible. Overall, MACPruning provides a practical, efficient approach to protect DNN IP on edge devices against SCA-based parameter extraction.
Abstract
As deep learning gains popularity, edge IoT devices have seen proliferating deployment of pre-trained Deep Neural Network (DNN) models. These DNNs represent valuable intellectual property and face significant confidentiality threats from side-channel analysis (SCA), particularly non-invasive Differential Electromagnetic (EM) Analysis (DEMA), which retrieves individual model parameters from EM traces collected during model inference. Traditional SCA mitigation methods, such as masking and shuffling, can still be applied to DNN inference, but will incur significant performance degradation due to the large volume of operations and parameters. Based on the insight that DNN models have high redundancy and are robust to input variation, we introduce MACPruning, a novel lightweight defense against DEMA-based parameter extraction attacks, exploiting specific characteristics of DNN execution. The design principle of MACPruning is to randomly deactivate input pixels and prune the operations (typically multiply-accumulate, MAC) on those pixels. The technique removes certain leakages and overall redistributes weight-dependent EM leakages temporally, and thus effectively mitigates DEMA. To maintain DNN performance, we propose an importance-aware pixel map that preserves critical input pixels, keeping randomness in the defense while minimizing its impact on DNN performance due to operation pruning. We conduct a comprehensive security analysis of MACPruning on various datasets for DNNs on edge devices. Our evaluations demonstrate that MACPruning effectively reduces EM leakages with minimal impact on the model accuracy and negligible computational overhead.
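A minimal sketch of the pruning idea described in the abstract, added here as an illustration and not the authors' implementation. The keep probability, the choice of critical pixels, the constructed inputs and all function names are assumptions; it shows that the MAC slot in which a given weight is processed changes between inferences, while a pixel marked critical is never pruned.

```python
import random

def make_activation_map(n_pixels, keep_prob, critical, rng):
    """Return a 0/1 map; pixels in `critical` are always active (assumed rule)."""
    return [1 if (i in critical or rng.random() < keep_prob) else 0
            for i in range(n_pixels)]

def pruned_mac(pixels, weights, amap):
    """Dot product that skips the MAC for every deactivated pixel.

    Returns (accumulator, schedule); schedule[t] is the weight index
    used in MAC slot t of this inference.
    """
    acc, schedule = 0, []
    for i, (x, w, active) in enumerate(zip(pixels, weights, amap)):
        if not active:
            continue  # pruned: this weight is not touched in this inference
        acc += x * w
        schedule.append(i)
    return acc, schedule

def slot_histogram(weight_idx, n_runs, n_pixels, keep_prob, critical=(), seed=0):
    """Count, over n_runs inferences, the MAC slot in which weight_idx is used.

    The key None counts the runs in which that weight was pruned.
    """
    rng = random.Random(seed)
    pixels = [1] * n_pixels          # constructed input
    weights = list(range(n_pixels))  # constructed weights
    crit = set(critical)
    hist = {}
    for _ in range(n_runs):
        amap = make_activation_map(n_pixels, keep_prob, crit, rng)
        _, schedule = pruned_mac(pixels, weights, amap)
        slot = schedule.index(weight_idx) if weight_idx in schedule else None
        hist[slot] = hist.get(slot, 0) + 1
    return hist

if __name__ == "__main__":
    # Without pruning, weight 8 always sits in slot 8 of every trace.
    print("no pruning    :", slot_histogram(8, 1000, 16, 1.0))
    # With a random map it moves between slots or is skipped entirely.
    print("random map    :", slot_histogram(8, 1000, 16, 0.5))
    # Marked critical: never skipped, but its slot still varies.
    print("critical px 8 :", slot_histogram(8, 1000, 16, 0.5, critical=[8]))
```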
