Boffins Crack Google's Edge TPU, Exposing AI Model Secrets

A team of computer scientists has devised a method to extract the architecture and layer details of AI models running on Google Edge Tensor Processing Units (TPUs). The technique, a physical side-channel attack that needs no knowledge of the accelerator's internals, raises serious questions about the confidentiality of AI models deployed on edge devices an attacker can get close to.

How the Attack Works

The attack, developed by researchers at North Carolina State University, measures the electromagnetic emanations of the accelerator while it runs inference on the target model. From those traces the researchers infer the model's hyperparameters: values fixed before training that define the network, such as the type of each layer, its kernel or pool size, and its number of filters or nodes. These are distinct from the model parameters (the weights), which are learned during training. Training-time settings such as the learning rate and batch size are also hyperparameters, but they leave no trace in an inference-time side channel; what this attack recovers is the architecture.



The researchers' approach is notable for extracting the network one layer at a time, in order. Because the signal produced by a layer depends on the output of the layer before it, each recovered layer fixes the starting point for the next, so the candidates to test for a given layer stay few instead of multiplying across the whole network. Previous hyperparameter attacks relied on impractical brute-force searches over the entire model and yielded only partial results; the new method is both faster and complete. The attack requires physical access to the device during inference, specific hardware including Riscure equipment and a PicoScope oscilloscope, and knowledge of the software deployment environment (TF Lite for Edge TPU). It does not require details about the Edge TPU's architecture or instruction set.
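To make the layer-by-layer idea concrete, here is an added, self-contained simulation written for this page; it is not the researchers' code and models neither the Edge TPU nor their measurement setup. A hypothetical "device" emits a trace whose duration tracks each layer's compute cost and whose waveform tracks the layer's type and settings; since the cost depends on the input shape, a layer's signature is only meaningful once the preceding layers are known. The extractor profiles every candidate for the next layer on the shape produced by the layers it has already recovered and keeps the best match. The hyperparameter space, the signal model, the noise level and the input shape are all invented for the example.

```python
"""Sequential, layer-by-layer hyperparameter extraction against a simulated
side-channel trace.  Added illustration only: the device model, waveforms and
hyperparameter space are invented and are not the Edge TPU's or the paper's."""
import math
import random
from itertools import product

INPUT_SHAPE = (8, 8, 3)            # assumed known to the attacker (hypothetical)
SCALE = 64                         # hypothetical trace samples per unit of compute
KERNEL_SIZES, CHANNELS = (1, 3, 5), (8, 16, 32)


def candidates():
    """All single-layer configurations the extractor considers (hypothetical space)."""
    convs = [("conv", k, c) for k, c in product(KERNEL_SIZES, CHANNELS)]
    pools = [("pool", k, 0) for k in (2, 4)]
    dense = [("dense", 0, c) for c in CHANNELS]
    return convs + pools + dense


def layer_forward(shape, layer):
    """Output shape and compute cost of one layer.  Cost depends on the INPUT
    shape, which is why layer i can only be profiled once layers 1..i-1 are known."""
    h, w, cin = shape
    kind, k, c = layer
    if kind == "conv":                       # 'same' padding, k x k kernel, c filters
        return (h, w, c), h * w * k * k * cin * c
    if kind == "pool":                       # k x k pooling, channels unchanged
        return (h // k, w // k, cin), h * w * cin
    return (1, 1, c), h * w * cin * c         # dense: flatten, c output nodes


def segment(layer, cost, rng=None, noise=0.0):
    """Simulated EM emission of one layer: length tracks compute cost, the DC level
    tracks layer type and the oscillation period tracks kernel/channel settings."""
    kind, k, c = layer
    n = max(16, cost // SCALE)
    base = {"conv": 1.0, "pool": 0.4, "dense": 0.7}[kind]
    period = 4 + 2 * k + c // 8
    return [base + 0.5 * math.sin(2 * math.pi * i / period)
            + (rng.gauss(0, noise) if rng else 0.0) for i in range(n)]


def capture(model, rng, noise=0.05):
    """One noisy 'oscilloscope' capture of a full inference on the victim device."""
    trace, shape = [], INPUT_SHAPE
    for layer in model:
        shape, cost = layer_forward(shape, layer)
        trace += segment(layer, cost, rng, noise)
    return trace


def mse(window, template):
    """Mean squared distance; a template longer than what is left of the trace
    cannot be the layer that produced it."""
    if len(window) < len(template):
        return float("inf")
    return sum((a - b) ** 2 for a, b in zip(window, template)) / len(template)


def extract(trace, max_layers=16):
    """Recover the model one layer at a time.  For each layer the attacker profiles
    every candidate on the shape left by the recovered prefix (a noise-free template
    stands in for averaged profiling captures) and keeps the best-matching one."""
    recovered, shape, offset = [], INPUT_SHAPE, 0
    while offset < len(trace) and len(recovered) < max_layers:
        best = None
        for cand in candidates():
            _, cost = layer_forward(shape, cand)
            tmpl = segment(cand, cost)
            d = mse(trace[offset:offset + len(tmpl)], tmpl)
            if best is None or d < best[0]:
                best = (d, cand, len(tmpl))
        _, layer, used = best
        recovered.append(layer)
        shape, _ = layer_forward(shape, layer)   # next layer's input shape is now known
        offset += used                           # next layer's trace window starts here
    return recovered


def search_space(n_layers):
    """Why sequential beats brute force: candidates summed per layer vs. multiplied."""
    k = len(candidates())
    return {"sequential": k * n_layers, "joint_brute_force": k ** n_layers}


# Constructed victim model for the demonstration (hypothetical).
VICTIM = [("conv", 3, 16), ("pool", 2, 0), ("conv", 5, 32), ("dense", 0, 8)]


def demo(seed=1, noise=0.05):
    """Capture one noisy trace of VICTIM and return what the extractor recovers."""
    return extract(capture(VICTIM, random.Random(seed), noise))


if __name__ == "__main__":
    print(demo() == VICTIM)
    print(search_space(len(VICTIM)))
```

The point of `search_space` is the one the article makes: with 14 candidate configurations per layer, a joint brute-force search over a four-layer toy network already has 14^4 combinations, while the sequential extractor tests 14 candidates four times. On a real network of 28 to 242 layers the joint search is hopeless and the sequential one is linear in depth.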

Implications of the Attack

The implications of this research are significant. The researchers demonstrated that an adversary could use the extracted information to recreate a model with 99.91% accuracy, meaning an attacker could build a high-fidelity substitute model that mimics the original. The models tested include MobileNet V3, Inception V3, and ResNet-50, ranging from 28 to 242 layers; extraction took approximately three hours per layer. The researchers call this a "hyperparameter stealing attack". It poses a risk to developers who invest heavily in building their AI models, since a substitute model can be produced at far less cost than the original training.

The study highlights the vulnerability of commercial accelerators, like the Edge TPU, to model stealing. The researchers emphasize that their approach works in a "black box" setting: the attacker needs no prior knowledge of the target model's internals, only physical access to the device and the deployment toolchain. The Coral Dev Board was chosen for this attack, in part, because it does not implement memory encryption.

Google's Response

Google is aware of the findings but has declined to comment on the record. The fact that a relatively accessible attack can extract such sensitive information underscores the need for robust security measures when deploying AI models on edge devices.


Key Takeaways

  • A side-channel attack using electromagnetic measurements can reveal AI model hyperparameters on Google Edge TPUs.
  • This attack can be used to recreate AI models with high accuracy.
  • The attack is efficient, extracting information sequentially, layer by layer.
  • The vulnerability could lead to the unauthorized creation of substitute models.
  • This raises questions about the security of commercial AI accelerators.

This research serves as a critical reminder of the ongoing need for enhanced security in AI hardware and software to protect against model theft.
