DeepFreeze : cold boot attacks and high fidelity model recovery on commercial EdgeML device

EdgeML accelerators like Intel Neural Compute Stick 2 (NCS) can enable efficient edge-based inference with complex pre-trained models. The models are loaded in the host (like Raspberry Pi) and then transferred to NCS for inference. In this paper, we demonstrate practical and low-cost cold boot based...

Full description

Saved in:
Bibliographic Details
Main Authors: Won, Yoo-Seung, Chatterjee, Soham, Jap, Dirmanto, Basu, Arindam, Bhasin, Shivam
Other Authors: School of Electrical and Electronic Engineering
Format: Conference or Workshop Item
Language:English
Published: 2022
Subjects:
Online Access:https://hdl.handle.net/10356/156094
Tags: Add Tag
No Tags, Be the first to tag this record!
Institution: Nanyang Technological University
Language: English
id sg-ntu-dr.10356-156094
record_format dspace
spelling sg-ntu-dr.10356-1560942022-04-09T20:11:34Z DeepFreeze : cold boot attacks and high fidelity model recovery on commercial EdgeML device Won, Yoo-Seung Chatterjee, Soham Jap, Dirmanto Basu, Arindam Bhasin, Shivam School of Electrical and Electronic Engineering 2021 IEEE/ACM International Conference On Computer Aided Design (ICCAD) Temasek Laboratories @ NTU Engineering::Electrical and electronic engineering::Computer hardware, software and systems Cold Boot Attack EdgeML EdgeML accelerators like Intel Neural Compute Stick 2 (NCS) can enable efficient edge-based inference with complex pre-trained models. The models are loaded in the host (like Raspberry Pi) and then transferred to NCS for inference. In this paper, we demonstrate practical and low-cost cold boot based model recovery attacks on NCS to recover the model architecture and weights, loaded from the Raspberry Pi. The architecture is recovered with 100% success and weights with an error rate of 0.04%. The recovered model reports maximum accuracy loss of 0.5% as compared to original model and allows high fidelity transfer of adversarial examples. We further extend our study to other cold boot attack setups reported in the literature with higher error rates leading to accuracy loss as high as 70%. We then propose a methodology based on knowledge distillation to correct the erroneous weights in recovered model, even without access to original training data. The proposed attack remains unaffected by the model encryption features of the OpenVINO and NCS framework. National Research Foundation (NRF) Submitted/Accepted version This research is supported by the National Research Foundation, Singapore, under its National Cybersecurity Research & Development Programme / Cyber-Hardware Forensic & Assurance Evaluation R&D Programme (Award: NRF2018NCR- NCR009-0001) 2022-04-07T05:27:34Z 2022-04-07T05:27:34Z 2021 Conference Paper Won, Y., Chatterjee, S., Jap, D., Basu, A. & Bhasin, S. (2021). DeepFreeze : cold boot attacks and high fidelity model recovery on commercial EdgeML device. 2021 IEEE/ACM International Conference On Computer Aided Design (ICCAD), 1-9. https://dx.doi.org/10.1109/ICCAD51958.2021.9643512 9781665445078 https://hdl.handle.net/10356/156094 10.1109/ICCAD51958.2021.9643512 2-s2.0-85124155429 1 9 en NRF2018NCR- NCR009-0001 © 2021 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. The published version is available at: https://doi.org/10.1109/ICCAD51958.2021.9643512. application/pdf
institution Nanyang Technological University
building NTU Library
continent Asia
country Singapore
Singapore
content_provider NTU Library
collection DR-NTU
language English
topic Engineering::Electrical and electronic engineering::Computer hardware, software and systems
Cold Boot Attack
EdgeML
spellingShingle Engineering::Electrical and electronic engineering::Computer hardware, software and systems
Cold Boot Attack
EdgeML
Won, Yoo-Seung
Chatterjee, Soham
Jap, Dirmanto
Basu, Arindam
Bhasin, Shivam
DeepFreeze : cold boot attacks and high fidelity model recovery on commercial EdgeML device
description EdgeML accelerators like Intel Neural Compute Stick 2 (NCS) can enable efficient edge-based inference with complex pre-trained models. The models are loaded in the host (like Raspberry Pi) and then transferred to NCS for inference. In this paper, we demonstrate practical and low-cost cold boot based model recovery attacks on NCS to recover the model architecture and weights, loaded from the Raspberry Pi. The architecture is recovered with 100% success and weights with an error rate of 0.04%. The recovered model reports maximum accuracy loss of 0.5% as compared to original model and allows high fidelity transfer of adversarial examples. We further extend our study to other cold boot attack setups reported in the literature with higher error rates leading to accuracy loss as high as 70%. We then propose a methodology based on knowledge distillation to correct the erroneous weights in recovered model, even without access to original training data. The proposed attack remains unaffected by the model encryption features of the OpenVINO and NCS framework.
author2 School of Electrical and Electronic Engineering
author_facet School of Electrical and Electronic Engineering
Won, Yoo-Seung
Chatterjee, Soham
Jap, Dirmanto
Basu, Arindam
Bhasin, Shivam
format Conference or Workshop Item
author Won, Yoo-Seung
Chatterjee, Soham
Jap, Dirmanto
Basu, Arindam
Bhasin, Shivam
author_sort Won, Yoo-Seung
title DeepFreeze : cold boot attacks and high fidelity model recovery on commercial EdgeML device
title_short DeepFreeze : cold boot attacks and high fidelity model recovery on commercial EdgeML device
title_full DeepFreeze : cold boot attacks and high fidelity model recovery on commercial EdgeML device
title_fullStr DeepFreeze : cold boot attacks and high fidelity model recovery on commercial EdgeML device
title_full_unstemmed DeepFreeze : cold boot attacks and high fidelity model recovery on commercial EdgeML device
title_sort deepfreeze : cold boot attacks and high fidelity model recovery on commercial edgeml device
publishDate 2022
url https://hdl.handle.net/10356/156094
_version_ 1731235698854330368