Abstract
Several side-channel attacks exploiting timing, cache, or power side channels have recently been proposed to obtain private information about a neural network. However, hardware-based attacks require physical access to the system and high-precision equipment to measure physical behaviors such as power consumption or electromagnetic emanations, which they exploit as side channels. Previous software-based side-channel attacks on neural networks, by contrast, can extract model information only when the target architecture is known. In this article, we propose the γ-Knife attack, a software-based power side-channel attack on a neural network that can extract its architecture without any physical access or high-precision measuring equipment. Our work demonstrates that side channels leaking the architecture of neural networks can be formed by using statistical metrics, without high-resolution power data. The γ-Knife attack can reduce the search space of candidate architectures by obtaining private information such as filter size, depth of convolutional layer, and activation functions in the target architecture, as accurately as hardware-based power side-channel attacks, even when the target neural network is totally unknown. We demonstrated the efficacy of the γ-Knife attack by implementing it on the well-known neural networks VGGNet, ResNet, GoogleNet, and MobileNet, using the PyTorch library on Intel CPUs and AMD CPUs. The γ-Knife attack could identify the target neural network architecture with an accuracy of approximately 90%, and efficiently extract its private information, by significantly reducing the search space of the target architecture.
Original language | English |
---|---|
Pages (from-to) | 2686-2703 |
Number of pages | 18 |
Journal | IEEE Transactions on Dependable and Secure Computing |
Volume | 21 |
Issue number | 4 |
Publication status | Published - 2024 |
Bibliographical note
Publisher Copyright: © 2023 IEEE.
Keywords
- Intel RAPL
- neural network model extraction
- side-channel attack
ASJC Scopus subject areas
- General Computer Science
- Electrical and Electronic Engineering