Presentation

Architectural Whispers: Robust Machine Learning Models Fingerprinting via Frequency Throttling Side-Channels
Description
Security practices in the field of machine learning (ML) encompass a range of measures; one notable strategy is concealing the architecture of ML models from users, adding an extra layer of protection. This proactive strategy serves multiple key purposes, including safeguarding intellectual property, mitigating model vulnerabilities, and preventing adversarial attacks. In this work, we propose a novel fingerprinting attack that identifies a given ML model's architecture family from among the latest categories. To this aim, we are the first to leverage a Frequency Throttling Side-Channel Attack, a method that lets us convert power side-channel information into timing variations observable at the user-space level. We use the timing information of crafted adversary kernels, combined with a supervised machine learning classifier, to identify the ML model architecture. In particular, our method captures timing information by monitoring an adversary kernel's execution time while a specific ML model runs, revealing distinctive timing patterns. This process initiates the frequency throttling side-channel effect and transforms it into timing information. Subsequently, we employ a specialized machine learning classifier trained on this timing data to precisely identify the victim's ML model architecture. With this approach, we achieve 98% accuracy in correctly classifying a known ML model into its corresponding architecture family. Furthermore, our attack demonstrates transferability by assigning the correct family to unseen models with 90.6% accuracy on average. Additionally, for thorough analysis, we have reproduced this attack across 3 different platforms, with comparable results underscoring the attack's platform portability. Finally, we intend to publicly release our work, making it accessible to the research community for the purpose of reproducibility.
Event Type
Research Manuscript
Time
Wednesday, June 26, 2:15pm - 2:30pm PDT
Location
3012, 3rd Floor
Topics
Security
Keywords
Hardware Security: Attack and Defense