Cache Telepathy: Leveraging Shared Resource Attacks to Learn DNN Architectures (1808.04761v1)

Published 14 Aug 2018 in cs.DC, cs.CR, and cs.LG

Abstract: Deep Neural Networks (DNNs) are fast becoming ubiquitous for their ability to attain good accuracy in various machine learning tasks. A DNN's architecture (i.e., its hyper-parameters) broadly determines the DNN's accuracy and performance, and is often confidential. Attacking a DNN in the cloud to obtain its architecture can potentially provide major commercial value. Further, attaining a DNN's architecture facilitates other, existing DNN attacks. This paper presents Cache Telepathy: a fast and accurate mechanism to steal a DNN's architecture using the cache side channel. Our attack is based on the insight that DNN inference relies heavily on tiled GEMM (Generalized Matrix Multiply), and that DNN architecture parameters determine the number of GEMM calls and the dimensions of the matrices used in the GEMM functions. Such information can be leaked through the cache side channel. This paper uses Prime+Probe and Flush+Reload to attack VGG and ResNet DNNs running OpenBLAS and Intel MKL libraries. Our attack is effective in helping obtain the architectures by very substantially reducing the search space of target DNN architectures. For example, for VGG using OpenBLAS, it reduces the search space from more than $10^{35}$ architectures to just 16.

Authors (3)
  1. Mengjia Yan (8 papers)
  2. Christopher Fletcher (4 papers)
  3. Josep Torrellas (20 papers)
Citations (225)

Summary

  • The paper demonstrates a novel cache side-channel attack, Cache Telepathy, that extracts DNN architectures by analyzing tiled GEMM operations.
  • It leverages Prime+Probe and Flush+Reload techniques on libraries like OpenBLAS and Intel MKL to reduce the search space from 10^35 possibilities to 16 for models like VGG.
  • The findings underscore significant security vulnerabilities in MLaaS and highlight the urgent need for robust countermeasures in shared cloud environments.

Overview of "Cache Telepathy: Leveraging Shared Resource Attacks to Learn DNN Architectures"

The paper "Cache Telepathy: Leveraging Shared Resource Attacks to Learn DNN Architectures" presents an innovative mechanism to extract the architecture of Deep Neural Networks (DNNs) leveraging cache side-channel attacks. The authors discuss how the architecture of a DNN, determined by its hyper-parameters, is often a highly-valued proprietary asset. These architectures can be targeted for malicious purposes in cloud-based environments offering Machine Learning as a Service (MLaaS). The fundamental contribution of this research is the development and demonstration of a cache-based side-channel attack, termed "Cache Telepathy," which can effectively reconstruct the DNN architecture by exploiting the shared resource vulnerabilities.

Details and Analysis

The architecture of DNNs, involving hyper-parameters such as the number of layers and the configuration of neurons, is critical as it dramatically affects the model's accuracy and efficiency. The paper addresses the challenge of naturally large and complex search spaces associated with these hyper-parameters, showing that conventional brute-force methods for reverse-engineering such architectures are impractical. The novel insight driving the attack is the dependency of DNN inference on tiled Generalized Matrix-Multiply (GEMM) operations, whereby matrix sizes and configurations correlate with architectural features. Due to this dependency, these operations can be analyzed to infer the architecture using cache-access patterns.
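To make the GEMM dependency concrete, the following added example (not code from the paper or its authors) shows how a convolutional layer's hyper-parameters fix the dimensions of the GEMM it is lowered to, how a tiled GEMM turns those dimensions into iteration counts, and how working backwards from observed dimensions leaves only a handful of candidate layers, especially once consecutive layers are chained (the output-channel count of one layer must equal the input-channel count of the next). The im2col lowering is standard; the tile sizes, the set of plausible kernel sizes, and the square-feature-map assumption are constructed for illustration, as are the VGG-style sample layers.

```python
"""Mapping between conv-layer hyper-parameters and GEMM dimensions.

Added illustration, not the paper's code.  Tile sizes, KERNEL_SIZES and the
square-feature-map assumption are constructed choices for the example.
"""
from dataclasses import dataclass
from math import ceil, isqrt
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class ConvLayer:
    in_ch: int
    out_ch: int
    kernel: int   # square kernel, kernel x kernel
    stride: int
    pad: int
    in_h: int
    in_w: int


def conv_output_size(layer: ConvLayer) -> Tuple[int, int]:
    """Spatial size of the layer's output feature map."""
    out_h = (layer.in_h + 2 * layer.pad - layer.kernel) // layer.stride + 1
    out_w = (layer.in_w + 2 * layer.pad - layer.kernel) // layer.stride + 1
    return out_h, out_w


def conv_gemm_dims(layer: ConvLayer) -> Tuple[int, int, int]:
    """im2col lowering: C[m x n] = W[m x k] * X[k x n] with
    m = output channels, k = in_ch * kernel^2, n = out_h * out_w."""
    out_h, out_w = conv_output_size(layer)
    return layer.out_ch, layer.in_ch * layer.kernel ** 2, out_h * out_w


def tile_iterations(m: int, k: int, n: int,
                    tile_m: int = 64, tile_k: int = 256, tile_n: int = 512
                    ) -> Tuple[int, int, int]:
    """How many tiles a blocked GEMM loops over along each dimension.
    Tile sizes are an assumption; real BLAS libraries pick their own."""
    return ceil(m / tile_m), ceil(k / tile_k), ceil(n / tile_n)


@dataclass(frozen=True)
class ConvCandidate:
    in_ch: int
    out_ch: int
    kernel: int
    out_h: int
    out_w: int


KERNEL_SIZES = (1, 3, 5, 7)   # assumed set of plausible square kernels


def conv_candidates(m: int, k: int, n: int) -> List[ConvCandidate]:
    """Invert conv_gemm_dims: every (in_ch, kernel) pair consistent with
    the observed (m, k, n).  Feature maps are assumed square."""
    side = isqrt(n)
    if side * side != n:
        return []
    return [ConvCandidate(k // (ks * ks), m, ks, side, side)
            for ks in KERNEL_SIZES if k % (ks * ks) == 0]


def prune_by_chaining(dims_seq: Sequence[Tuple[int, int, int]]
                      ) -> List[List[ConvCandidate]]:
    """Candidates per layer, keeping only those whose in_ch equals the
    previous layer's output-channel count m."""
    result = []
    prev_out = None
    for m, k, n in dims_seq:
        cands = conv_candidates(m, k, n)
        if prev_out is not None:
            cands = [c for c in cands if c.in_ch == prev_out]
        result.append(cands)
        prev_out = m
    return result


if __name__ == "__main__":
    # Constructed VGG-style first two conv layers on a 224x224 RGB input.
    layers = [ConvLayer(3, 64, 3, 1, 1, 224, 224),
              ConvLayer(64, 64, 3, 1, 1, 224, 224)]
    dims = [conv_gemm_dims(l) for l in layers]
    for d in dims:
        print("GEMM dims", d, "tile iterations", tile_iterations(*d))
    for i, cands in enumerate(prune_by_chaining(dims)):
        print(f"layer {i}: {len(cands)} candidate(s)", cands)
```

Running the sample shows the effect the paper relies on: the first layer's observed GEMM (64, 27, 50176) admits two candidates (a 3x3 kernel on 3 channels or a 1x1 kernel on 27), and the second layer, once chained to the first, admits exactly one. The same reasoning is what a defender has to break, for instance by padding or randomizing matrix dimensions so that observed tile counts no longer pin down the hyper-parameters.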

The authors utilize Prime+Probe and Flush+Reload techniques on popular libraries such as OpenBLAS and Intel's MKL to demonstrate their attack's effectiveness. Remarkably, the search space needed to ascertain the architecture of target DNNs, like VGG and ResNet, is reduced by several orders of magnitude. For instance, for VGG, the space is reduced from over $10^{35}$ possibilities to just 16.

Implications

The implications of this work are profound. Practically, this research highlights a significant security vulnerability in MLaaS platforms that rely on shared cloud environments. For attackers, knowledge of the architecture acts as a facilitator for further attacks, such as weight extraction or membership inference, which have their own implications concerning privacy and intellectual property. Theoretically, this introduces a new lens through which the security of high-performance libraries and their interactions with underlying hardware must be considered.

Future Directions

The future trajectory of this research could involve developing more sophisticated defenses against such side-channel attacks, possibly involving architectural or software-based solutions to obfuscate access patterns at the hardware level. Furthermore, exploration into cache-based side-channel attacks for other neural network operations could also unveil further attack vectors. Finally, the dialogue between performance optimization and security in HPC libraries might prompt new methodologies that harmonize these often conflicting priorities.

Overall, the paper "Cache Telepathy" provides a detailed analysis of how shared resource attacks can unveil confidential DNN structures, presenting a significant concern for the security paradigms of current machine learning services. The paper effectively paves the way for fortified design strategies that reconcile the dual demands of performance and security in shared computing environments.