Off-campus UMass Amherst users: To download campus access dissertations, please use the following link to log into our proxy server with your UMass Amherst user name and password.
Non-UMass Amherst users: Please talk to your librarian about requesting this dissertation through interlibrary loan.
Dissertations that have an embargo placed on them will not be available to anyone until the embargo expires.
ORCID
https://orcid.org/0009-0005-4119-7887
Access Type
Open Access Thesis
Document Type
thesis
Degree Program
Electrical & Computer Engineering
Degree Type
Master of Science in Electrical and Computer Engineering (M.S.E.C.E.)
Year Degree Awarded
2023
Month Degree Awarded
May
Abstract
Deep Neural Networks (DNNs) have become ubiquitous due to their performance on prediction and classification problems. However, they face a variety of threats as their usage spreads. Model extraction attacks, which steal DNN models, endanger intellectual property, data privacy, and security. Previous research has shown that system-level side channels can be used to leak the architecture of a victim DNN, exacerbating these risks. We propose a novel DNN architecture extraction attack, called EZClone, which uses aggregate rather than time-series GPU profiles as a side-channel to predict DNN architecture. This approach is not only simpler, but also requires less adversary capability than earlier works. We investigate the effectiveness of EZClone under various scenarios including reduction of attack complexity, against pruned models, and across GPUs with varied resources. We find that EZClone correctly predicts DNN architectures for the entire set of PyTorch vision architectures with 100\% accuracy. No other work has shown this degree of architecture prediction accuracy with the same adversarial constraints or using aggregate side-channel information. Prior work has shown that, once a DNN has been successfully cloned, further attacks such as model evasion or model inversion can be accelerated significantly. Then, we evaluate several mitigation techniques against EZClone, showing that carefully inserted dummy computation reduces the success rate of the attack.
DOI
https://doi.org/10.7275/35614344
First Advisor
Sandip Kundu
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.
Recommended Citation
O'Brien Weiss, Jonah G., "A Model Extraction Attack on Deep Neural Networks Running on GPUs" (2023). Masters Theses. 1293.
https://doi.org/10.7275/35614344
https://scholarworks.umass.edu/masters_theses_2/1293