Abstract
Due to significant investment, research, and development efforts over the past decade, deep neural networks (DNNs) have achieved notable advances in classification and regression tasks. As a result, DNNs are considered valuable intellectual property for artificial intelligence providers. Prior work has demonstrated highly effective model extraction attacks that steal a DNN, undermining the provider's business model and paving the way for unethical or malicious activities such as misuse of personal data, safety risks in critical systems, or the spread of misinformation. This thesis explores the feasibility of model extraction attacks on mobile devices using aggregated runtime profiles as a side-channel that leaks the DNN architecture. Because mobile devices are resource constrained, DNN deployments require optimization to reduce latency. The main hurdle to extracting DNN architectures in this setting is that optimization techniques, such as operator-level and graph-level fusion, obscure the association between runtime profile operators and their corresponding DNN layers, making it difficult for an adversary to accurately infer the computation performed. The thesis presents a novel approach for identifying the original architecture of a DNN by analyzing its GPU call profile as a side-channel. Even when the optimization process has obscured layer information and introduced noise, the proposed approach can effectively determine the original structure. Additionally, we propose extraction of hyperparameters layer by layer from sub-layer patterns. No existing solution has extracted architectures from optimized DNN models deployed on mobile GPUs in the presence of such obfuscation or optimization; this research is the first to do so.
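To make the obfuscation problem concrete, the following added example (not code or data from the thesis) models a toy optimizer that fuses adjacent Conv/BatchNorm/ReLU and Dense/ReLU groups into single GPU kernels, and then a decoder that maps the resulting kernel-name sub-layer patterns back to the original layer sequence and kernel-size hyperparameters. The layer list, the fusion rules, the kernel names, and the assumption that the profile preserves kernel call order are all constructed for illustration and do not describe the thesis's profiler or method.

```python
"""Toy model of operator fusion obscuring DNN layers in a GPU kernel trace,
and pattern-based recovery of the layer sequence from that trace.
All names, rules and the example architecture are constructed assumptions."""
import re

# Constructed ground-truth architecture (an assumption, not a model from the thesis).
ORIGINAL = ["Conv3x3", "BatchNorm", "ReLU", "Conv3x3", "BatchNorm", "ReLU",
            "MaxPool2x2", "Conv1x1", "ReLU", "Dense", "ReLU", "Dense", "Softmax"]

# Hypothetical fusion rules an optimizer might apply, longest group first.
FUSION_RULES = [
    (("Conv", "BatchNorm", "ReLU"), "conv2d_{k}_bn_relu_fused"),
    (("Conv", "ReLU"), "conv2d_{k}_relu_fused"),
    (("Dense", "ReLU"), "gemm_bias_relu_fused"),
]
# Kernel names for layers that are emitted unfused (also hypothetical).
SINGLE = {"Conv": "conv2d_{k}", "BatchNorm": "batchnorm", "ReLU": "relu",
          "MaxPool": "maxpool_{k}", "Dense": "gemm_bias", "Softmax": "softmax"}


def split_layer(layer):
    """'Conv3x3' -> ('Conv', '3x3'); 'ReLU' -> ('ReLU', '')."""
    m = re.fullmatch(r"([A-Za-z]+?)(\d+x\d+)?", layer)
    return m[1], m[2] or ""


def fuse(layers):
    """Compile a layer list into an ordered kernel trace, merging fusable groups.
    Each fused kernel hides the boundaries between the layers it absorbed."""
    trace, i = [], 0
    while i < len(layers):
        for group, fmt in FUSION_RULES:
            kinds = tuple(split_layer(l)[0] for l in layers[i:i + len(group)])
            if kinds == group:
                trace.append(fmt.format(k=split_layer(layers[i])[1]))
                i += len(group)
                break
        else:  # no fusion rule matched: emit the layer as its own kernel
            kind, k = split_layer(layers[i])
            trace.append(SINGLE[kind].format(k=k))
            i += 1
    return trace


# Sub-layer patterns: a regex over the kernel name and the layers it implies.
# The captured group recovers the kernel-size hyperparameter of a Conv/MaxPool.
PATTERNS = [
    (r"conv2d_(\d+x\d+)_bn_relu_fused", lambda m: [f"Conv{m[1]}", "BatchNorm", "ReLU"]),
    (r"conv2d_(\d+x\d+)_relu_fused", lambda m: [f"Conv{m[1]}", "ReLU"]),
    (r"conv2d_(\d+x\d+)", lambda m: [f"Conv{m[1]}"]),
    (r"batchnorm", lambda m: ["BatchNorm"]),
    (r"relu", lambda m: ["ReLU"]),
    (r"maxpool_(\d+x\d+)", lambda m: [f"MaxPool{m[1]}"]),
    (r"gemm_bias_relu_fused", lambda m: ["Dense", "ReLU"]),
    (r"gemm_bias", lambda m: ["Dense"]),
    (r"softmax", lambda m: ["Softmax"]),
]


def recover(trace):
    """Expand each profiled kernel back into the layers it computes.
    Kernels that match no known sub-layer pattern are kept as Unknown(...)
    rather than silently dropped, so gaps in the recovery stay visible."""
    layers = []
    for kernel in trace:
        for pat, expand in PATTERNS:
            m = re.fullmatch(pat, kernel)
            if m:
                layers.extend(expand(m))
                break
        else:
            layers.append(f"Unknown({kernel})")
    return layers


if __name__ == "__main__":
    trace = fuse(ORIGINAL)
    print(f"{len(ORIGINAL)} layers compiled to {len(trace)} kernels:", trace)
    print("recovered:", recover(trace))
```

Running it shows 13 layers collapsing into 7 kernel calls, so a naive one-kernel-per-layer reading of the profile would get both the depth and the layer types wrong; the decoder only succeeds because the fused kernel names still carry sub-layer patterns. In a real deployment the patterns would have to be learned from the actual kernel names and launch parameters the target runtime emits, which is the part the thesis addresses.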
Type
thesis
Date
2024-02