http://dx.doi.org/10.13089/JKIISC.2020.30.6.1031

Extracting Neural Networks via Meltdown  

Jeong, Hoyong (Korea University)
Ryu, Dohyun (Korea University)
Hur, Junbeom (Korea University)
Abstract
Cloud computing technology plays an important role in the deep learning industry, as deep learning services are frequently deployed on top of cloud infrastructures. In such a cloud environment, virtualization technology provides a logically independent and isolated computing space for each tenant. However, recent studies demonstrate that, by leveraging vulnerabilities in virtualization techniques and in the processor architectures shared within a cloud system, various side channels can be established between cloud tenants. In this paper, we propose a novel attack scenario that steals internal information of deep learning models by exploiting the Meltdown vulnerability in a multi-tenant system environment. In our experiment, the proposed attack method extracted internal information of a TensorFlow deep learning service with 92.875% accuracy and an extraction speed of 1.325 kB/s.
Keywords
Meltdown; neural network stealing; cloud computing; deep learning