arXiv: 1812.11720 · v4 · pith:ZFYONWSXnew · submitted 2018-12-31 · cs.CR · cs.LG

Stealing Neural Networks via Timing Side Channels

classification: cs.CR, cs.LG
keywords: neural network, data, infer, model, proposed, side, timing

Deep learning is gaining importance in many applications. However, Neural Networks face several security and privacy threats. This is particularly significant in the scenario where Cloud infrastructures deploy a service with a Neural Network model at the back end. Here, an adversary can extract the Neural Network parameters, infer the regularization hyperparameter, identify whether a data point was part of the training data, and generate effective transferable adversarial examples to evade classifiers. This paper shows how a Neural Network model is susceptible to a timing side-channel attack. A black-box Neural Network extraction attack is proposed that exploits timing side channels to infer the depth of the network. Although constructing an equivalent architecture is a complex search problem, it is shown how Reinforcement Learning with knowledge distillation can effectively reduce the search space needed to infer a target model. The proposed approach has been tested with VGG architectures on the CIFAR10 data set. It is observed that it is possible to reconstruct substitute models with test accuracy close to that of the target models, and that the proposed approach is scalable and independent of the type of Neural Network architecture.


Forward citations

Cited by 3 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. The False Promise of Imitating Proprietary LLMs

    cs.CL 2023-05 conditional novelty 6.0

    Finetuning open LMs on ChatGPT outputs creates models that mimic style and fool human raters but fail to close the performance gap to proprietary systems on tasks not well-represented in the imitation data.

  2. Open DNN Box by Power Side-Channel Attack

    cs.CR 2019-07 unverdicted novelty 6.0

    Power side-channel analysis recovers DNN architecture and parameters at 96.5% average accuracy on real embedded devices.

  3. ALDEN: Boosting Private Data Extraction from Retrieval-Augmented Generation Systems via Active Learning and Distribution Estimation

    cs.IR 2026-04 unverdicted novelty 5.0

    ALDEN boosts private data extraction rates from RAG systems by combining active learning for query diversification with dynamic estimation of the underlying knowledge-base topic distribution.