TY - GEN
T1 - NeuroUnlock
T2 - 2022 International Joint Conference on Neural Networks, IJCNN 2022
AU - Ahmadi, Mahya Morid
AU - Alrahis, Lilas
AU - Colucci, Alessio
AU - Sinanoglu, Ozgur
AU - Shafique, Muhammad
N1 - Publisher Copyright:
© 2022 IEEE.
PY - 2022
Y1 - 2022
AB - The advancements of deep neural networks (DNNs) have led to their deployment in diverse settings, including safety and security-critical applications. As a result, the characteristics of these models (e.g., the architecture of layers and weight values/distributions) have become sensitive intellectual properties that require protection from malicious users. Extracting the architecture of a DNN through leaky side-channels (e.g., memory access) allows adversaries to (i) clone the model (i.e., build proxy models with similar accuracy profiles), and (ii) craft adversarial attacks. DNN obfuscation thwarts side-channel-based architecture stealing (SCAS) attacks by altering the run-time traces of a given DNN while preserving its functionality. In this work, we expose the vulnerability of state-of-the-art DNN obfuscation methods (based on predictable and reversible modifications employed in a given DNN architecture) to these attacks. We present NeuroUnlock, a novel SCAS attack against obfuscated DNNs. Our NeuroUnlock employs a sequence-to-sequence model that learns the obfuscation procedure and automatically reverts it, thereby recovering the original DNN architecture. We demonstrate the effectiveness of NeuroUnlock by recovering the architecture of 200 randomly generated and obfuscated DNNs running on the Nvidia RTX 2080 TI graphics processing unit (GPU). Moreover, NeuroUnlock recovers the architecture of various other obfuscated (and publicly available) DNNs, such as the VGG-11, VGG-13, ResNet-20, and ResNet-32 networks. After recovering the architecture, NeuroUnlock automatically builds a near-equivalent DNN with only a 1.4% drop in the testing accuracy. We further show that launching a subsequent adversarial attack on the recovered DNNs boosts the success rate of the adversarial attack by 51.7% on average compared to launching it on the obfuscated versions.
Additionally, we propose a novel methodology for DNN obfuscation, ReDLock, which eradicates the deterministic nature of the obfuscation and achieves 2.16x more resilience to the NeuroUnlock attack. We release NeuroUnlock and ReDLock as open-source frameworks (https://github.com/Mahya-Ahmadi/NeuroUnlock).
KW - Architecture
KW - Deep neural networks
KW - Model extraction
KW - Obfuscation
KW - Side-channel-based attacks
UR - http://www.scopus.com/inward/record.url?scp=85140750107&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85140750107&partnerID=8YFLogxK
U2 - 10.1109/IJCNN55064.2022.9892545
DO - 10.1109/IJCNN55064.2022.9892545
M3 - Conference contribution
AN - SCOPUS:85140750107
T3 - Proceedings of the International Joint Conference on Neural Networks
BT - 2022 International Joint Conference on Neural Networks, IJCNN 2022 - Proceedings
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 18 July 2022 through 23 July 2022
ER -