Paper 2018/477

CSI Neural Network: Using Side-channels to Recover Your Artificial Neural Network Information

Lejla Batina, Shivam Bhasin, Dirmanto Jap, and Stjepan Picek

Abstract

Machine learning has become mainstream across industries. In this work we pose the following question: Is it possible to reverse engineer a neural network by using only side-channel information? We answer the question affirmatively. To this end, we consider a multilayer perceptron as the machine learning architecture of choice and assume a passive attacker capable of measuring only passive side-channels like power, electromagnetic radiation, and timing. We conduct all experiments on real data and common neural net architectures in order to properly assess the applicability and extendability of such attacks. Our experiments show that the side-channel attacker is able to obtain information about the activation functions, the number of layers and neurons in layers, the number of output classes, and weights in the neural network. Thus, the attacker can efficiently reverse engineer the network using side-channel information. Next, we show that if the attacker has the knowledge about the neural network architecture, he/she could also recover the inputs to the network with only a single measurement. Finally, we discuss several mitigations one could use to thwart such attacks.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Preprint. MINOR revision.
Keywords
Side-channel Analysis, Artificial Neural Networks, Power, Reverse Engineering, Countermeasures
Contact author(s)
picek stjepan @ gmail com
History
2018-05-23: received
Short URL
https://ia.cr/2018/477
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2018/477,
      author = {Lejla Batina and Shivam Bhasin and Dirmanto Jap and Stjepan Picek},
      title = {CSI Neural Network: Using Side-channels to Recover Your Artificial Neural Network Information},
      howpublished = {Cryptology ePrint Archive, Paper 2018/477},
      year = {2018},
      note = {\url{https://eprint.iacr.org/2018/477}},
      url = {https://eprint.iacr.org/2018/477}
}