Reverse Engineering of Deep Learning Models by Side-Channel Analysis

University essay from KTH/Skolan för elektroteknik och datavetenskap (EECS)

Abstract: Side-Channel Analysis (SCA) aims to extract secrets from cryptographic systems by exploiting the physical leakage of implementations of cryptographic algorithms. With the development of Deep Learning (DL), a new type of SCA, Deep Learning Side-Channel Analysis (DLSCA), uses the strength of DL techniques in feature processing to break cryptographic systems more efficiently. Recent work shows that DLSCA can be applied not only to extract secrets from implementations of cryptographic algorithms but also to recover the architecture of neural networks from physical devices. In short, reverse engineering of neural networks aims to recover the parameters and architecture of a network while accessing only the input and output of the target model. However, most previous work has focused on recovering the ratio between weights and biases, which is not a severe enough threat. This thesis explores to what extent DLSCA can make reverse engineering of neural networks more efficient. To this end, we first implement perceptron networks as the target model on an 8-bit Atmel ATXmega128D4 microcontroller. We then use a ChipWhisperer-Lite to capture power traces from the victim device while the neural network executes. Our experimental results first show that different activation functions can be distinguished directly from the captured traces. Afterward, we select the multiplication of weights and inputs as the attack point and use the Test Vector Leakage Assessment (TVLA) method to locate the leakage intervals. Next, we train a DL classifier on the captured traces and use the trained model to classify the actual weights of the target neural network. We show that a weight can be recovered using fewer than 1000 traces on average; for some specific weights, our DL classifier recovers them from a single trace.
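The leakage-interval step described above, as an added illustration that is not code from the thesis: a per-sample Welch's t-test (the TVLA statistic) between two sets of constructed power traces, one per weight value, with the conventional |t| > 4.5 bound used to flag the samples where the multiplication leaks. The traces, the injected leakage amplitude and the window position are all synthetic assumptions chosen so the detector's result can be checked.

```python
"""TVLA-style leakage detection over constructed power traces.

Added example, not code from the thesis. Welch's t-test is computed per
sample point between two trace sets; consecutive samples where |t| exceeds
the conventional 4.5 threshold are reported as a leakage interval.
"""
import numpy as np

TVLA_THRESHOLD = 4.5  # conventional TVLA pass/fail bound on |t|


def welch_t(group_a: np.ndarray, group_b: np.ndarray) -> np.ndarray:
    """Per-sample Welch's t-statistic between two (n_traces, n_samples) arrays."""
    mean_a, mean_b = group_a.mean(axis=0), group_b.mean(axis=0)
    var_a, var_b = group_a.var(axis=0, ddof=1), group_b.var(axis=0, ddof=1)
    denom = np.sqrt(var_a / len(group_a) + var_b / len(group_b))
    return (mean_a - mean_b) / denom


def leakage_intervals(t_stat, threshold: float = TVLA_THRESHOLD):
    """Group consecutive samples with |t| > threshold into (start, end) pairs."""
    flagged = np.flatnonzero(np.abs(t_stat) > threshold)
    intervals = []
    for idx in flagged:
        if intervals and idx == intervals[-1][1] + 1:
            intervals[-1] = (intervals[-1][0], int(idx))  # extend current run
        else:
            intervals.append((int(idx), int(idx)))        # start a new run
    return intervals


def make_traces(n_traces=500, n_samples=200, leak_window=(80, 90), seed=0):
    """Constructed traces: unit Gaussian noise everywhere, plus a hypothetical
    weight-dependent offset inside leak_window for set B (second weight value).
    The offset is well below the noise, so it is invisible in any single trace."""
    rng = np.random.default_rng(seed)
    set_a = rng.normal(0.0, 1.0, (n_traces, n_samples))  # traces for weight w0
    set_b = rng.normal(0.0, 1.0, (n_traces, n_samples))  # traces for weight w1
    lo, hi = leak_window
    set_b[:, lo:hi] += 0.7
    return set_a, set_b


def run_tvla(seed=0):
    """Return the leakage intervals the t-test finds on the constructed sets."""
    set_a, set_b = make_traces(seed=seed)
    return leakage_intervals(welch_t(set_a, set_b))


if __name__ == "__main__":
    print("leakage intervals (sample indices):", run_tvla())
```

With 500 traces per set the t-statistic inside the window is around 11, far above the bound, while the 190 non-leaking samples stay near zero; on a real device the same statistic run over the captured multiplication traces is what marks the samples worth feeding to the classifier.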
