TY - GEN
T1 - Extraction of binarized neural network architecture and secret parameters using side-channel information
AU - Yli-Mäyry, Ville
AU - Ito, Akira
AU - Homma, Naofumi
AU - Bhasin, Shivam
AU - Jap, Dirmanto
N1 - Funding Information:
This work was performed in the Cooperative Research Project of the Research Institute of Electrical Communication, Tohoku University with Nanyang Technological University. This research was also supported in part by JST CREST Grant No. JPMJCR19K5, Japan.
Publisher Copyright:
© 2021 Institute of Electrical and Electronics Engineers Inc.. All rights reserved.
PY - 2021
Y1 - 2021
N2 - In recent years, neural networks have been applied to various applications. To speed up the evaluation, a method using binarized network weights has been introduced, facilitating extremely efficient hardware implementation. Using electromagnetic (EM) side-channel analysis techniques, this study presents a framework of model extraction from practical binarized neural network (BNN) hardware. The target BNN hardware is generated and synthesized using open-source and commercial high-level synthesis tools GUINNESS and Xilinx SDSoC, respectively. With the hardware implemented on an up-to-date FPGA chip, we demonstrate how the layers can be identified from a single EM trace measured during the network evaluation, and we also demonstrate how an attacker may use side-channel attacks to recover secret weights used in the network.
AB - In recent years, neural networks have been applied to various applications. To speed up the evaluation, a method using binarized network weights has been introduced, facilitating extremely efficient hardware implementation. Using electromagnetic (EM) side-channel analysis techniques, this study presents a framework of model extraction from practical binarized neural network (BNN) hardware. The target BNN hardware is generated and synthesized using open-source and commercial high-level synthesis tools GUINNESS and Xilinx SDSoC, respectively. With the hardware implemented on an up-to-date FPGA chip, we demonstrate how the layers can be identified from a single EM trace measured during the network evaluation, and we also demonstrate how an attacker may use side-channel attacks to recover secret weights used in the network.
KW - Binarized neural network
KW - High-level synthesis
KW - Machine learning
KW - Model extraction
KW - Side-channel attacks
UR - http://www.scopus.com/inward/record.url?scp=85109003016&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85109003016&partnerID=8YFLogxK
U2 - 10.1109/ISCAS51556.2021.9401626
DO - 10.1109/ISCAS51556.2021.9401626
M3 - Conference contribution
AN - SCOPUS:85109003016
T3 - Proceedings - IEEE International Symposium on Circuits and Systems
BT - 2021 IEEE International Symposium on Circuits and Systems, ISCAS 2021 - Proceedings
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 53rd IEEE International Symposium on Circuits and Systems, ISCAS 2021
Y2 - 22 May 2021 through 28 May 2021
ER -