基于侧信道与量化推理缺陷的模型逆向攻击

doi:10.11959/j.issn.2096-109x.2021038

网络与信息安全学报 ›› 2021, Vol. 7 ›› Issue (4): 53-67.doi: 10.11959/j.issn.2096-109x.2021038

• 专栏Ⅰ：网络攻防技术 • 上一篇下一篇

基于侧信道与量化推理缺陷的模型逆向攻击

李景海¹, 唐明¹^,², 黄诚轩¹

¹ 武汉大学国家网络安全学院空天信息安全与可信计算教育部重点实验室，湖北武汉 430072
² 密码科学技术国家重点实验室，北京 100878

修回日期:2021-01-20 出版日期:2021-08-15 发布日期:2021-08-01
作者简介:李景海（1996− ），男，重庆人，武汉大学硕士生，主要研究方向为侧信道与AI安全
唐明（1976− ），女，湖北武汉人，武汉大学教授、博士生导师，主要研究方向为信息安全、密码学、密码芯片
黄诚轩（1997− ），男，湖北武汉人，武汉大学硕士生，主要研究方向为侧信道与AI安全
基金资助:
国家自然科学基金(61972295);武汉市科技项目应用基础前沿专项(2019010701011407)

Using side-channel and quantization vulnerability to recover DNN weights

Jinghai LI¹, Ming TANG¹^,², Chengxuan HUANG¹

¹ Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
² State Key Laboratory of Cryptology, Beijing 100878, China

Revised:2021-01-20 Online:2021-08-15 Published:2021-08-01
Supported by:
The National Natural Science Foundation of China(61972295);The Frontier Applied Basic Research Project of Science and Technology Department of Wuhan(2019010701011407)

摘要/Abstract

摘要：

模型逆向攻击旨在恢复部署在推理终端的神经网络模型的结构和权重值，是 AI 安全中的基础问题，为对抗样本等高阶攻击提供数据支撑。提出了一种名为 Cluster-based SCA 的新型模型权重逆向方法，该方法不要求攻击者构造泄露模型。Cluster-based SCA方法以量化推理中存在的安全隐患为出发点，深入分析了量化推理过程，发现在量化推理中存在的输出序列分类不等价现象可以判断猜测权重的正确与否。Cluster-based SCA 将采集到的模型运行时产生的侧信道信息按照假设权重产生的中间值进行分类，以分类后的平均离散系数 $\bar{σ}$ 为评判标准，取 $\bar{σ}$ 最小时的权重为逆向权重。在仿真实验上验证了 Cluster-based SCA方法的有效性，实验使用汉明重模型来模拟AI芯片的泄露模型，对于目标CNN，Cluster-based SCA方法以52.66%的TOP2恢复率恢复了其第一层卷积层所有卷积核权重，对于取值位于显著区的权重，TOP2的恢复率均达到了100%。

关键词: AI安全, 模型逆向攻击, 量化推理缺陷, 侧信道分析, Cluster-basedSCA

Abstract:

Model extraction attack focuses on reverse engineering architecture and weights of DNN model deployed in edge.Model extraction attack is a basic security problem in AI security, it underlies advanced attacks as data provider, such as adversarial sample and data poisoning.A novel method named Cluster-based SCA was proposed,this method did not need leakage model.Cluster-based SCA was based on vulnerability of quantized inference.There exist a phenomenon in multiplication operation in quantized inference, which the output of different weights were not equivalent in respect of classification.It can be used to distinguish different weights.The proposed method computed output activations of each DNN layer with guessing weight.Then acquired side channel signal were classified into different class, the taxonomy was corresponding output activations' value.Average dispersion of all classes $\bar{σ}$ was used to decide whether guess was right.The effectiveness of Cluster-based SCA method was verified by simulation experiment and HW model was used as target leakage model.For all weights from first convolution layer of target CNN model, TOP2 recovery rate was 52.66%.And for large weights in significant interval,TOP2 recover rate was 100%.

Key words: AI security, model extraction attack, quantization vulnerability, side-channel analysis, Cluster-based SCA

中图分类号:

TP309.2

李景海, 唐明, 黄诚轩. 基于侧信道与量化推理缺陷的模型逆向攻击[J]. 网络与信息安全学报, 2021, 7(4): 53-67.

Jinghai LI, Ming TANG, Chengxuan HUANG. Using side-channel and quantization vulnerability to recover DNN weights[J]. Chinese Journal of Network and Information Security, 2021, 7(4): 53-67.

图/表 14

图1

表1

图2

图3

图4

图5

图6

表2

图7

图8

表3

图9

图10

图11

参考文献 24

[1]	KURAKIN A , GOODFELLOW I J , BENGIO S ,et al. Adversarial examples in the physical world[J]. CoRR,abs/1607.02533, 2016.
[2]	GOODFELLOW I J , SHLENS J , SZEGEDY C ,et al. Explaining and harnessing adversarial examples[C]// 3rd International Conference on Learning Representations(ICLR 2015). 2015.
[3]	BIGGIO B , NELSON B , LASKOV P ,et al. Poisoning attacks against support vector machines[C]// Proceedings of the 29th International Conference on Machine Learning(ICML 2012). 2012.
[4]	XIAO H , BIGGIO B , BROWN G ,et al. Is feature selection secure against training data poisoning?[J]. CoRR,abs /1804.07933, 2018.
[5]	SHOKRI R , STRONATI M , SONG C Z ,et al. Membership inference attacks against machine learning models[C]// 2017 IEEE Symposium on Security and Privacy (SP 2017). 2017: 3-18.
[6]	TRAM_ER F , ZHANG F , JUELS A ,et al. Stealing machine learning models via prediction apis[C]// 25th USENIX Security Symposium. 2016: 601-618.
[7]	OH S J , AUGUSTIN M , FRITZ M ,et al. Towards reverse-engineering black-box neural networks[C]// 6th International Conference on Learning Representations(ICLR 2018). 2018.
[8]	BATINA L , BHASIN S , JAP D ,et al. CSI NN:reverse engineering of neural network architectures through electromagnetic side channel[C]// 28th USENIX Security Symposium. 2019: 515-532.
[9]	OREKONDY T , SCHIELE B , FRITZ M ,et al. Knockoff nets:stealing functionality of black-box models[C]// IEEE Conference on Computer Vision and Pattern Recognition(CVPR 2019). 2019: 4954-4963.
[10]	HUA W , ZHANG Z R , SUH G E . Reverse engineering convolutional neural networks through side-channel information leaks[C]// Proceedings of the 55th Annual Design Automation Conference (DAC 2018). 2018: 41-46.
[11]	WEI L X , LUO B , LI Y ,et al. I know what you see:Power side-channel attack on convolutional neural network accelerators[C]// Proceedings of the 34th Annual Computer Security Applications Conference. 2018: 393-406.
[12]	HU X , LIANG L , DENG L ,et al. Neural network model extraction attacks in edge devices by hearing architectural hints[J]. CoRR,abs/1903.03916, 2019.
[13]	HAN S , MAO H Z , DALLY W J . Deep compression:compressing deep neural networks with pruning,trained quantization and human coding[C]// ICLR 2016. 2016.
[14]	JACOB B , KLIGYS S , CHEN B ,et al. Quantization and training of neural networks for efficient integer- arithmetic-only inference[C]// 2018 IEEE Conference on Computer Vision and Pattern Recognition(CVPR 2018). 2008: 2704-2713.
[15]	RASTEGARI M , ORDONEZ V , REDMON J ,et al. Xnor-net:Imagenet classification using binary convolutional neural networks[J]. CoRR,abs/1603.05279, 2016.
[16]	PATIL N , JOUPPI N P , YOUNG C ,et al. In-datacenter performance analysis of a tensor processing unit[C]// Proceedings of the 44th Annual International Symposium on Computer Architecture(ISCA 2017). 2017: 1-12.
[17]	KOCHER P C , . Timing attacks on implementations of Diffie-Hellman,RSA,DSS,and other systems[C]// Advances in Cryptology \| CRYPTO '96. 1996: 104-113.
[18]	MANGARD S , . A simple power-analysis (spa) attack on implementations of the AES key expansion[C]// International Conference on Information Security and Cryptology(ICISC 2002). 2002: 343-358.
[19]	KOCHER P , JAFFE J , JUN B . Differential power analysis[C]// Advances in Cryptology(CRYPTO' 99). 1999: 388-397.
[20]	BRIER E , CLAVIER C , OLIVIER F . Correlation power analysis with a leakage model[C]// Cryptographic Hardware and Embedded Systems(CHES 2004). 2004: 16-29.
[21]	KRIZHEVSKY A . One weird trick for parallelizing convolutional neural networks[J]. CoRR,abs/1404.5997, 2014.
[22]	HE K , ZHANG X Y , REN S Q ,et al. Deep residual learning for image recognition[C]// 2016 IEEE Conference on Computer Vision and Pattern Recognition(CVPR 2016). 2016: 770-778.
[23]	KRISHNAMOORTHI R . Quantizing deep convolutional networks for efficient inference:a whitepaper[M]. CoRR,abs/1806.08342, 2018.
[24]	LIN D D , SACHIN S , TALATHI V ,et al. Fixed point quantization of deep convolutional networks[C]// Proceedings of the 33nd International Conference on Machine Learning(ICML 2016). 2016: 2849-258.

技术路线	制造商	产品	量化支持
GPU	Nvidia	Tesla计算卡等	FP16,INT16/8
FPGA	Intel	Arria系列	—
	Xilinx	DPU	INT8
	Google	TPU	FP16,INT16/8
	Intel	NNP	FP16,INT8/4
ASIC	寒武纪	思元系列	FT16,INT16/8/4
	比特大陆	BM168X系列	FP16,INT8
	华为	Ascend系列	FP16,INT8
	IBM	TrueNorth	类脑芯片

网络编号	卷积核尺寸	卷积步长	通道数
1	3	1	16
2	3	2	16
3	3	1	64
4	3	2	64
5	3	1	128
6	3	2	128
7	5	1	16
8	5	2	16
9	5	1	64
10	5	2	64

编号		100条			1 000条			2 000条			6 000条
编号	TOP1	TOP2	TOP5	TOP1	TOP2	TOP5	TOP1	TOP2	TOP5	TOP1	TOP2	TOP5
1	24.74	46.57	57.42	26.69	52.08	61.68	27.34	56.55	64.32	26.48	56.64	65.37
2	18.01	34.85	49.44	28.43	54.43	64.84	29.60	55.60	66.62	24.70	54.34	62.24
3	21.70	44.62	54.95	22.13	44.18	57.99	27.60	53.21	60.24	27.17	50.87	62.85
4	18.69	34.88	45.69	26.44	53.50	59.88	25.56	50.94	59.13	27.19	54.63	64.25
5	22.74	46.70	53.65	27.78	59.90	69.97	28.65	55.38	69.44	27.26	56.42	66.32
6	19.69	39.31	51.25	26.00	50.50	57.88	23.25	50.31	61.88	29.19	56.13	66.13
7	16.44	34.95	49.07	22.80	50.35	55.56	27.78	53.59	62.27	25.23	50.35	64.12
8	20.50	42.75	50.88	27.25	50.00	60.12	25.62	51.50	62.75	25.75	51.88	65.63
9	16.15	34.55	45.49	21.18	43.75	51.91	20.66	44.27	56.25	21.88	43.58	50.87
10	19.68	41.20	47.45	25.46	48.61	59.84	25.81	46.99	56.94	27.32	51.74	63.31

基于侧信道与量化推理缺陷的模型逆向攻击

Using side-channel and quantization vulnerability to recover DNN weights

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 14

参考文献 24

相关文章 2

Metrics

推荐阅读 0

[1]	唐永康, 胡星, 苏颋, 李少青. 用于硬件木马检测的电磁辐射分析方法研究[J]. 网络与信息安全学报, 2021, 7(2): 43-56.
[2]	王侃,陈浩,管旭光,顾勇. 硬件木马防护技术研究[J]. 网络与信息安全学报, 2017, 3(9): 1-12.