Machine learning has become mainstream across industries with many applications in the security domain. In this work, we investigate how to reverse engineer a neural network by using side-channel information such as timing and electromagnetic emanations. To this end, we consider multilayer perceptrons and convolutional neural networks as the machine learning architectures and assume a non-invasive, passive attacker capable of measuring such leakages.
We conduct all experiments on real data and commonly used neural network architectures in order to properly assess the applicability and extendability of those attacks. Practical results are shown on an ARM Cortex-M3 microcontroller, which is a platform often used in pervasive applications using neural networks such as wearables or surveillance cameras. Our experiments show that a side-channel attacker is capable of obtaining the following information: the activation functions, the number of layers and neurons in the layers, the number of output classes, and weights in the neural network. Thus, the attacker can effectively reverse engineer the network using side-channel information. Additionally, if the attacker knows the architecture of a neural network, he can reverse engineer the input of neural networks via a single-shot side-channel attack.
Stjepan Picek is an assistant professor in the Cybersecurity group at TU Delft, The Netherlands. His research interests are security/cryptography, machine learning, and evolutionary computation. Prior to the assistant professor position, Stjepan was a postdoctoral researcher at ALFA group, MIT, USA. Before that, he was a postdoctoral researcher at KU Leuven, Belgium as a part of the Computer Security and Industrial Cryptography (COSIC) group. Stjepan finished his PhD in 2015 with a topic on cryptology and evolutionary computation techniques. Stjepan also has several years of experience working in industry and government. Up to now, Stjepan gave more than 10 invited talks at conferences and summer schools and published more than 70 refereed papers in both evolutionary computation and cryptography journals and conferences. Stjepan is a member of the organization committee for International Summer School in Cryptography and president of the Croatian IEEE CIS Chapter. He is a general co-chair for Eurocrypt 2020, program committee member and reviewer for a number of conferences and journals, and a member of several professional societies.