Stealing Deep Learning Model Secret through Remote FPGA Side-channel Analysis
- Author(s): Zhang, Yicheng
- Advisor(s): Al Faruque, Mohammad Abdullah
- et al.
Companies have extensively developed deep neural network (DNN) models for a wide range of applications. Developing a customized DNN model with great performance requires costly investment, and its structure (layers and hyper-parameters) is considered intellectual property of immense value. However, in this paper, we find that this model secret is vulnerable when a cloud-based FPGA accelerator executes the model. We demonstrate an end-to-end attack based on remote power side-channel analysis and machine-learning-based secret inference against different DNN models. The evaluation results show that an attacker can reconstruct the layer and hyper-parameter sequence with over 90% accuracy using our method, significantly reducing their model development workload. We believe the threat presented by our attack is tangible, and new defense mechanisms should be developed against it.