SNIFF : reverse engineering of neural networks with fault attacks
Neural networks have been shown to be vulnerable against fault injection attacks. These attacks change the physical behavior of the device during the computation, resulting in a change of value that is currently being computed. They can be realized by various techniques, ranging from clock/voltage g...
Main Authors: | , , , , |
---|---|
Other Authors: | |
Format: | Article |
Language: | English |
Published: | 2022 |
Subjects: | |
Online Access: | https://hdl.handle.net/10356/155678 |
Institution: | Nanyang Technological University |
id |
sg-ntu-dr.10356-155678 |
---|---|
record_format |
dspace |
spelling |
sg-ntu-dr.10356-1556782022-03-19T20:11:53Z SNIFF : reverse engineering of neural networks with fault attacks Breier, Jakub Jap, Dirmanto Hou, Xiaolu Bhasin, Shivam Liu, Yang School of Computer Science and Engineering Temasek Laboratories @ NTU Library and information science::Cryptography Engineering::Computer science and engineering::Computing methodologies::Artificial intelligence Engineering::Computer science and engineering::Hardware::Performance and reliability Deep Learning Fault Attacks Neural networks have been shown to be vulnerable against fault injection attacks. These attacks change the physical behavior of the device during the computation, resulting in a change of value that is currently being computed. They can be realized by various techniques, ranging from clock/voltage glitching to application of lasers to rowhammer. Previous works have mostly explored fault attacks for output misclassification, thus affecting the reliability of neural networks. In this article, we investigate the possibility to reverse engineer neural networks with fault attacks. Sign bit flip fault attack enables the reverse engineering by changing the sign of intermediate values. We develop the first exact extraction method on deep-layer feature extractor networks that provably allows the recovery of proprietary model parameters. Our experiments with Keras library show that the precision error for the parameter recovery for the tested networks is less than $10^{-13}$ with the usage of 64-bit floats, which improves the current state of the art by six orders of magnitude.
National Research Foundation (NRF) Submitted/Accepted version This work was supported in part by the University SAL Labs initiative of Silicon Austria Labs (SAL) and its Austrian partner universities for applied fundamental research for electronic based systems, in part by the Singapore National Research Foundation SOCure under Grant NRF2018NCR-NCR002-0001, in part by the European Union’s Horizon 2020 Research and Innovation Programme under the Programme SASPRO 2 COFUND Marie Sklodowska-Curie under Grant 945478. 2022-03-14T01:46:43Z 2022-03-14T01:46:43Z 2021 Journal Article Breier, J., Jap, D., Hou, X., Bhasin, S. & Liu, Y. (2021). SNIFF : reverse engineering of neural networks with fault attacks. IEEE Transactions On Reliability. https://dx.doi.org/10.1109/TR.2021.3105697 0018-9529 https://hdl.handle.net/10356/155678 10.1109/TR.2021.3105697 2-s2.0-85114752078 en NRF2018NCR-NCR002-0001 SASPRO 2 COFUND (Grant 945478) IEEE Transactions on Reliability © 2021 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. The published version is available at: https://doi.org/10.1109/TR.2021.3105697 application/pdf |
institution |
Nanyang Technological University |
building |
NTU Library |
continent |
Asia |
country |
Singapore Singapore |
content_provider |
NTU Library |
collection |
DR-NTU |
language |
English |
topic |
Library and information science::Cryptography Engineering::Computer science and engineering::Computing methodologies::Artificial intelligence Engineering::Computer science and engineering::Hardware::Performance and reliability Deep Learning Fault Attacks |
spellingShingle |
Library and information science::Cryptography Engineering::Computer science and engineering::Computing methodologies::Artificial intelligence Engineering::Computer science and engineering::Hardware::Performance and reliability Deep Learning Fault Attacks Breier, Jakub Jap, Dirmanto Hou, Xiaolu Bhasin, Shivam Liu, Yang SNIFF : reverse engineering of neural networks with fault attacks |
description |
Neural networks have been shown to be vulnerable against fault injection attacks. These attacks change the physical behavior of the device during the computation, resulting in a change of value that is currently being computed. They can be realized by various techniques, ranging from clock/voltage glitching to application of lasers to rowhammer. Previous works have mostly explored fault attacks for output misclassification, thus affecting the reliability of neural networks. In this article, we investigate the possibility to reverse engineer neural networks with fault attacks. Sign bit flip fault attack enables the reverse engineering by changing the sign of intermediate values. We develop the first exact extraction method on deep-layer feature extractor networks that provably allows the recovery of proprietary model parameters. Our experiments with Keras library show that the precision error for the parameter recovery for the tested networks is less than $10^{-13}$ with the usage of 64-bit floats, which improves the current state of the art by six orders of magnitude. |
author2 |
School of Computer Science and Engineering |
author_facet |
School of Computer Science and Engineering Breier, Jakub Jap, Dirmanto Hou, Xiaolu Bhasin, Shivam Liu, Yang |
format |
Article |
author |
Breier, Jakub Jap, Dirmanto Hou, Xiaolu Bhasin, Shivam Liu, Yang |
author_sort |
Breier, Jakub |
title |
SNIFF : reverse engineering of neural networks with fault attacks |
title_short |
SNIFF : reverse engineering of neural networks with fault attacks |
title_full |
SNIFF : reverse engineering of neural networks with fault attacks |
title_fullStr |
SNIFF : reverse engineering of neural networks with fault attacks |
title_full_unstemmed |
SNIFF : reverse engineering of neural networks with fault attacks |
title_sort |
sniff : reverse engineering of neural networks with fault attacks |
publishDate |
2022 |
url |
https://hdl.handle.net/10356/155678 |
_version_ |
1728433384641789952 |