<italic><inline-formula><tex-math notation="LaTeX">$\gamma$</tex-math></inline-formula>-Knife:</italic> Extracting Neural Network Architecture Through Software-Based Power Side-Channel

Dohyun Ryu, Yerim Kim, Junbeom Hur

Research output: Contribution to journalArticlepeer-review


Several side-channel attacks exploiting timing, cache, or power side channels have recently been proposed to obtain private information of a neural network. However, the hardware-based attacks require physical access to the system, using high-precision equipment to measure physical system behaviors such as power consumption or electromagnetic emanations, to exploit them as side channels. Whereas, the previous software-based side-channel attacks on neural networks can extract their model information only when the target architecture is known. In this paper, we propose the <italic><inline-formula><tex-math notation="LaTeX">$\gamma$</tex-math></inline-formula>-Knife attack</italic>, a software-based power side-channel attack on a neural network, which can extract its architecture without any physical access or high-precision measuring equipment. Our work demonstrates that side-channels can be formed that leak architecture of neural networks by utilizing statistical metrics without high-resolution power data. The <inline-formula><tex-math notation="LaTeX">$\gamma$</tex-math></inline-formula>-Knife attack can reduce the search space of candidate architectures by obtaining private information such as filter size, depth of convolutional layer, and activation functions in the target architecture, as accurately as hardware-based power side-channel attacks even when the target neural network is totally unknown. We demonstrated the efficacy of the <inline-formula><tex-math notation="LaTeX">$\gamma$</tex-math></inline-formula>-Knife attack by implementing the attack on the well-known neural networks VGGNet, ResNet, GoogleNet, and MobileNet, using the Pytorch library on Intel CPUs and AMD CPUs. The <inline-formula><tex-math notation="LaTeX">$\gamma$</tex-math></inline-formula>-Knife attack could identify the target neural network architecture with an accuracy of approximately 90&#x0025;, and efficiently extract its private information, by significantly reducing the search space of the target architecture.

Original languageEnglish
Pages (from-to)1-17
Number of pages17
JournalIEEE Transactions on Dependable and Secure Computing
Publication statusAccepted/In press - 2023

Bibliographical note

Publisher Copyright:


  • Biological neural networks
  • Computer architecture
  • Data mining
  • Intel RAPL
  • neural network model extraction
  • Power demand
  • Power measurement
  • Privacy
  • side-channel attack
  • Side-channel attacks

ASJC Scopus subject areas

  • General Computer Science
  • Electrical and Electronic Engineering


Dive into the research topics of '<italic><inline-formula><tex-math notation="LaTeX">$\gamma$</tex-math></inline-formula>-Knife:</italic> Extracting Neural Network Architecture Through Software-Based Power Side-Channel'. Together they form a unique fingerprint.

Cite this