DeepFreeze : cold boot attacks and high fidelity model recovery on commercial EdgeML device
EdgeML accelerators like Intel Neural Compute Stick 2 (NCS) can enable efficient edge-based inference with complex pre-trained models. The models are loaded in the host (like Raspberry Pi) and then transferred to NCS for inference. In this paper, we demonstrate practical and low-cost cold boot based...
Saved in:
Main Authors: | , , , , |
---|---|
Other Authors: | |
Format: | Conference or Workshop Item |
Language: | English |
Published: |
2022
|
Subjects: | |
Online Access: | https://hdl.handle.net/10356/156094 |
Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
Institution: | Nanyang Technological University |
Language: | English |
id |
sg-ntu-dr.10356-156094 |
---|---|
record_format |
dspace |
spelling |
sg-ntu-dr.10356-1560942022-04-09T20:11:34Z DeepFreeze : cold boot attacks and high fidelity model recovery on commercial EdgeML device Won, Yoo-Seung Chatterjee, Soham Jap, Dirmanto Basu, Arindam Bhasin, Shivam School of Electrical and Electronic Engineering 2021 IEEE/ACM International Conference On Computer Aided Design (ICCAD) Temasek Laboratories @ NTU Engineering::Electrical and electronic engineering::Computer hardware, software and systems Cold Boot Attack EdgeML EdgeML accelerators like Intel Neural Compute Stick 2 (NCS) can enable efficient edge-based inference with complex pre-trained models. The models are loaded in the host (like Raspberry Pi) and then transferred to NCS for inference. In this paper, we demonstrate practical and low-cost cold boot based model recovery attacks on NCS to recover the model architecture and weights, loaded from the Raspberry Pi. The architecture is recovered with 100% success and weights with an error rate of 0.04%. The recovered model reports maximum accuracy loss of 0.5% as compared to original model and allows high fidelity transfer of adversarial examples. We further extend our study to other cold boot attack setups reported in the literature with higher error rates leading to accuracy loss as high as 70%. We then propose a methodology based on knowledge distillation to correct the erroneous weights in recovered model, even without access to original training data. The proposed attack remains unaffected by the model encryption features of the OpenVINO and NCS framework. National Research Foundation (NRF) Submitted/Accepted version This research is supported by the National Research Foundation, Singapore, under its National Cybersecurity Research & Development Programme / Cyber-Hardware Forensic & Assurance Evaluation R&D Programme (Award: NRF2018NCR- NCR009-0001) 2022-04-07T05:27:34Z 2022-04-07T05:27:34Z 2021 Conference Paper Won, Y., Chatterjee, S., Jap, D., Basu, A. & Bhasin, S. (2021). DeepFreeze : cold boot attacks and high fidelity model recovery on commercial EdgeML device. 2021 IEEE/ACM International Conference On Computer Aided Design (ICCAD), 1-9. https://dx.doi.org/10.1109/ICCAD51958.2021.9643512 9781665445078 https://hdl.handle.net/10356/156094 10.1109/ICCAD51958.2021.9643512 2-s2.0-85124155429 1 9 en NRF2018NCR- NCR009-0001 © 2021 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. The published version is available at: https://doi.org/10.1109/ICCAD51958.2021.9643512. application/pdf |
institution |
Nanyang Technological University |
building |
NTU Library |
continent |
Asia |
country |
Singapore Singapore |
content_provider |
NTU Library |
collection |
DR-NTU |
language |
English |
topic |
Engineering::Electrical and electronic engineering::Computer hardware, software and systems Cold Boot Attack EdgeML |
spellingShingle |
Engineering::Electrical and electronic engineering::Computer hardware, software and systems Cold Boot Attack EdgeML Won, Yoo-Seung Chatterjee, Soham Jap, Dirmanto Basu, Arindam Bhasin, Shivam DeepFreeze : cold boot attacks and high fidelity model recovery on commercial EdgeML device |
description |
EdgeML accelerators like Intel Neural Compute Stick 2 (NCS) can enable efficient edge-based inference with complex pre-trained models. The models are loaded in the host (like Raspberry Pi) and then transferred to NCS for inference. In this paper, we demonstrate practical and low-cost cold boot based model recovery attacks on NCS to recover the model architecture and weights, loaded from the Raspberry Pi. The architecture is recovered with 100% success and weights with an error rate of 0.04%. The recovered model reports maximum accuracy loss of 0.5% as compared to original model and allows high fidelity transfer of adversarial examples. We further extend our study to other cold boot attack setups reported in the literature with higher error rates leading to accuracy loss as high as 70%. We then propose a methodology based on knowledge distillation to correct the erroneous weights in recovered model, even without access to original training data. The proposed attack remains unaffected by the model encryption features of the OpenVINO and NCS framework. |
author2 |
School of Electrical and Electronic Engineering |
author_facet |
School of Electrical and Electronic Engineering Won, Yoo-Seung Chatterjee, Soham Jap, Dirmanto Basu, Arindam Bhasin, Shivam |
format |
Conference or Workshop Item |
author |
Won, Yoo-Seung Chatterjee, Soham Jap, Dirmanto Basu, Arindam Bhasin, Shivam |
author_sort |
Won, Yoo-Seung |
title |
DeepFreeze : cold boot attacks and high fidelity model recovery on commercial EdgeML device |
title_short |
DeepFreeze : cold boot attacks and high fidelity model recovery on commercial EdgeML device |
title_full |
DeepFreeze : cold boot attacks and high fidelity model recovery on commercial EdgeML device |
title_fullStr |
DeepFreeze : cold boot attacks and high fidelity model recovery on commercial EdgeML device |
title_full_unstemmed |
DeepFreeze : cold boot attacks and high fidelity model recovery on commercial EdgeML device |
title_sort |
deepfreeze : cold boot attacks and high fidelity model recovery on commercial edgeml device |
publishDate |
2022 |
url |
https://hdl.handle.net/10356/156094 |
_version_ |
1731235698854330368 |