In-memory computing (IMC) systems have great potential for accelerating data-intensive tasks such as deep neural networks (DNNs). As DNN models are generally highly proprietary, the neural network architectures become valuable targets for attacks. In IMC systems, since the whole model is mapped on chip and weight memory reads can be restricted, the pre-mapped DNN model acts as a "black box" for users. However, the localized and stationary weight and data patterns may subject IMC systems to other attacks. In this paper, we propose a side-channel attack methodology on IMC architectures. We show that it is possible to extract model architectural information from power trace measurements without any prior knowledge of the neural network. We first developed a simulation framework that can emulate the dynamic power traces of the IMC macros. We then performed side-channel leakage analysis to reverse engineer model information such as the stored layer type, layer sequence, output channel/feature size and convolution kernel size from power traces of the IMC macros. Based on the extracted information, full networks can potentially be reconstructed without any knowledge of the neural network. Finally, we discuss potential countermeasures for building IMC systems that offer resistance to these model extraction attacks.