Chinese Journal of Network and Information Security ›› 2021, Vol. 7 ›› Issue (4): 53-67. doi: 10.11959/j.issn.2096-109x.2021038

• Topic I: Network Security: Attack and Defense

Using side-channel and quantization vulnerability to recover DNN weights

Jinghai LI (1), Ming TANG (1,2), Chengxuan HUANG (1)

  1. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
  2. State Key Laboratory of Cryptology, Beijing 100878, China
  • Revised: 2021-01-20 Online: 2021-08-15 Published: 2021-08-01
  • Supported by:
    The National Natural Science Foundation of China (61972295); The Frontier Applied Basic Research Project of Science and Technology Department of Wuhan (2019010701011407)

Abstract:

Model extraction attacks reverse-engineer the architecture and weights of a DNN model deployed at the edge. Model extraction is a basic security problem in AI security: it acts as the data provider for advanced attacks such as adversarial examples and data poisoning. A novel method named Cluster-based SCA was proposed; this method does not need a leakage model. Cluster-based SCA is based on a vulnerability of quantized inference: in the multiplication operation of quantized inference, the outputs produced by different weights are not equivalent in respect of classification, and this can be used to distinguish different weights. The proposed method computes the output activations of each DNN layer with a guessed weight. The acquired side-channel signals are then classified into different classes, the taxonomy corresponding to the values of the output activations. The average dispersion σ̄ over all classes is used to decide whether the guess is right. The effectiveness of Cluster-based SCA was verified by a simulation experiment in which the HW (Hamming weight) model was used as the target leakage model. For all weights of the first convolution layer of the target CNN model, the TOP2 recovery rate was 52.66%, and for large weights in the significant interval the TOP2 recovery rate was 100%.

Key words: AI security, model extraction attack, quantization vulnerability, side-channel analysis, Cluster-based SCA
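The clustering step described in the abstract, simulated as an added example (this is not the paper's code): an int8 output activation is computed with a guessed weight, the traces are grouped by that predicted activation, and the size-weighted mean of the per-class standard deviations is taken as σ̄. Assumed here and not taken from the paper: the other weights of the dot product are already known, requantization is a plain arithmetic right shift by 7, and the leakage is the Hamming weight of the output activation plus Gaussian noise.

```python
import numpy as np

SHIFT = 7  # assumed requantization: arithmetic right shift of the accumulator


def requantize(acc):
    """int32 accumulator -> int8 output activation (floor shift, then saturate)."""
    return np.clip(acc >> SHIFT, -128, 127)


def hamming_weight(values):
    """Hamming weight of the 8-bit two's-complement encoding of each int8 value."""
    return np.array([bin(int(v) & 0xFF).count("1") for v in values])


def simulate_traces(true_w, n, noise_std, seed=1):
    """Constructed data: known partial sums, activations, and HW-model leakage."""
    rng = np.random.default_rng(seed)
    acc = rng.integers(-6000, 6000, size=n)  # partial dot product over known weights
    x = rng.integers(0, 128, size=n)         # activation multiplied by the unknown weight
    out = requantize(acc + x * true_w)       # true output activation of the layer
    leak = hamming_weight(out) + rng.normal(0.0, noise_std, size=n)
    return acc, x, leak


def mean_dispersion(acc, x, leak, guess):
    """sigma-bar for one guess: traces are clustered by the output activation
    predicted under the guessed weight; return the size-weighted mean of the
    per-cluster standard deviation of the leakage."""
    pred = requantize(acc + x * guess)
    total = 0.0
    for c in np.unique(pred):
        members = leak[pred == c]
        total += members.std() * members.size
    return total / leak.size


def rank_weights(acc, x, leak, candidates=range(-128, 128)):
    """Candidate weights ordered by sigma-bar. Only the true weight groups
    traces with identical true outputs, so its clusters carry noise alone."""
    scores = {w: mean_dispersion(acc, x, leak, w) for w in candidates}
    return sorted(scores, key=scores.get)


if __name__ == "__main__":
    acc, x, leak = simulate_traces(true_w=71, n=4000, noise_std=0.5)
    print("TOP2 candidates:", rank_weights(acc, x, leak)[:2])
```

A guess whose predicted activations split the traces into singleton classes would score σ̄ = 0 regardless of correctness, so the trace count must be well above the number of distinct output values, as it is in this constructed set.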
