ORCID
https://orcid.org/0009-0006-9303-6900
Access Type
Open Access Thesis
Document Type
thesis
Embargo Period
1-1-2024
Degree Program
Electrical & Computer Engineering
Degree Type
Master of Science (M.S.)
Year Degree Awarded
2024
Month Degree Awarded
February
Abstract
Due to significant investment, research, and development efforts over the past decade, deep neural networks (DNNs) have achieved notable advancements in classification and regression domains. As a result, DNNs are considered valuable intellectual property for artificial intelligence providers. Prior work has demonstrated highly effective model extraction attacks that steal a DNN, dismantling the provider’s business model and paving the way for unethical or malicious activities, such as misuse of personal data, safety risks in critical systems, or spreading misinformation. This thesis explores the feasibility of model extraction attacks on mobile devices using aggregated runtime profiles as a side channel to leak DNN architecture. Since mobile devices are resource-constrained, DNN deployments require optimization efforts to reduce latency. The main hurdle in extracting DNN architectures in this scenario is that optimization techniques, such as operator-level and graph-level fusion, can obfuscate the association between runtime profile operators and their corresponding DNN layers, posing challenges for adversaries to accurately predict the computation performed. The thesis presents a novel approach for identifying the original architecture of a DNN by analyzing its GPU call profile as a side channel. Even when the optimization process has obscured layer information and introduced noise, the proposed approach can effectively determine the original structure. Additionally, we propose extraction of hyperparameters layer-by-layer from sub-layer patterns. No existing solution has extracted architectures from optimized DNN models deployed on mobile GPUs, especially in the presence of obfuscation or optimization. This research is the first to do so.
First Advisor
Sandip Kundu
Recommended Citation
Kim, Dong Hyub, "Extracting DNN Architectures Via Runtime Profiling On Mobile GPUs" (2024). Masters Theses. 1406.
https://scholarworks.umass.edu/masters_theses_2/1406
Included in
Artificial Intelligence and Robotics Commons, Computer and Systems Architecture Commons, Data Science Commons