"A Model Extraction Attack on Deep Neural Networks Running on GPUs" by Jonah G. O'Brien Weiss

Masters Theses

Off-campus UMass Amherst users: To download campus access dissertations, please use the following link to log into our proxy server with your UMass Amherst user name and password.

Non-UMass Amherst users: Please talk to your librarian about requesting this dissertation through interlibrary loan.

Dissertations that have an embargo placed on them will not be available to anyone until the embargo expires.

Title

A Model Extraction Attack on Deep Neural Networks Running on GPUs

Authors

Jonah G. O'Brien Weiss, University of Massachusetts AmherstFollow

ORCID

https://orcid.org/0009-0005-4119-7887

Access Type

Open Access Thesis

Document Type

thesis

Embargo Period

5-18-2023

Degree Program

Electrical & Computer Engineering

Degree Type

Master of Science in Electrical and Computer Engineering (M.S.E.C.E.)

Year Degree Awarded

2023

Month Degree Awarded

May

Abstract

Deep Neural Networks (DNNs) have become ubiquitous due to their performance on prediction and classification problems. However, they face a variety of threats as their usage spreads. Model extraction attacks, which steal DNN models, endanger intellectual property, data privacy, and security. Previous research has shown that system-level side channels can be used to leak the architecture of a victim DNN, exacerbating these risks. We propose a novel DNN architecture extraction attack, called EZClone, which uses aggregate rather than time-series GPU profiles as a side-channel to predict DNN architecture. This approach is not only simpler, but also requires less adversary capability than earlier works. We investigate the effectiveness of EZClone under various scenarios including reduction of attack complexity, against pruned models, and across GPUs with varied resources. We find that EZClone correctly predicts DNN architectures for the entire set of PyTorch vision architectures with 100\% accuracy. No other work has shown this degree of architecture prediction accuracy with the same adversarial constraints or using aggregate side-channel information. Prior work has shown that, once a DNN has been successfully cloned, further attacks such as model evasion or model inversion can be accelerated significantly. Then, we evaluate several mitigation techniques against EZClone, showing that carefully inserted dummy computation reduces the success rate of the attack.

DOI

https://doi.org/10.7275/35614344

First Advisor

Sandip Kundu

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 License.

Recommended Citation

O'Brien Weiss, Jonah G., "A Model Extraction Attack on Deep Neural Networks Running on GPUs" (2023). Masters Theses. 1293.
https://doi.org/10.7275/35614344 https://scholarworks.umass.edu/masters_theses_2/1293

Download

COinS

ScholarWorks@UMass Amherst