Collection of papers on Deep Neural Network model extraction through Physical Side Channels.
This collection is regularly updated, starting with the initial version featured in our paper: SoK: Neural Network Extraction Through Physical Side Channels. Péter Horváth, Dirk Lauret, Zhuoran Liu, and Lejla Batina.
Listed papers are divided into three categories based on their goals: Architecture extraction, Parameter extraction, and Input recovery.
Architecture extraction:
- [USENIX'19] Reverse engineering of neural network architectures through electromagnetic side channel.
- [ICCAD'20] Machine Learning and Hardware security: Challenges and Opportunities
- [ASPLOS'20] DeepSniffer: A DNN Model Extraction Framework Based on Learning Architectural Hints.
- [ACNS'20] Simple Electromagnetic Analysis Against Activation Functions of Deep Neural Networks
- [TCAS-I'20] Open DNN Box by Power Side-Channel Attack
- [HOST'20] DeepEM: Deep Neural Networks Model Recovery through EM Side-Channel Information Leakage
- [AIHWS'21] On reverse engineering neural network implementation on GPU.
- [ISCAS'21] Extraction of Binarized Neural Network Architecture and Secret Parameters Using Side-Channel Information
- [ISVLSI'21] Stealing Machine Learning Parameters via Side Channel Power Attacks
- [USENIX'22] Can one hear the shape of a neural network?: Snooping the GPU via magnetic side channel.
- [SPW'22] Clairvoyance: Exploiting Far-field EM Emanations of GPU to "See" Your DNN Models through Obstacles at a Distance
- [CARDIS'23] Like an Open Book? Read Neural Network Architecture with Simple Power Analysis on 32-Bit Microcontrollers
- [SENSORS'23] SNATCH: Stealing neural network architecture from ML accelerator in intelligent sensors
- [AIHWS'24] CNN Architecture Extraction on Edge GPU
- [SP'24] Side-Channel-Assisted Reverse-Engineering of Encrypted DNN Hardware Accelerator IP and Attack Surface Exploration
- [CHES'24] TPUXtract: An Exhaustive Hyperparameter Extraction Framework
Parameter extraction:
- [USENIX'19] Reverse engineering of neural network architectures through electromagnetic side channel.
- [ICCAD'20] Machine Learning and Hardware security: Challenges and Opportunities
- [HOST'20] MaskedNet: The First Hardware Inference Engine Aiming Power Side-Channel Protection
- [ISCAS'20] Model reverse-engineering attack using correlation power analysis against systolic array based neural network accelerator.
- [TRANS-A'21] Model Reverse-Engineering Attack against Systolic-Array-Based DNN Accelerator Using Correlation Power Analysis
- [ISCAS'21] Extraction of Binarized Neural Network Architecture and Secret Parameters Using Side-Channel Information
- [IoT-J'21] Leaky Nets: Recovering Embedded Neural Network Models and Inputs Through Simple Power and Timing Side-Channels—Attacks and Defenses
- [JETC'22] Power-based attacks on spatial DNN accelerators.
- [CARDIS'22] A Practical Introduction to Side-Channel Extraction of Deep Neural Network Parameters
- [SP'24] Side-Channel-Assisted Reverse-Engineering of Encrypted DNN Hardware Accelerator IP and Attack Surface Exploration
- [USENIX'25] BarraCUDA: Edge GPUs do Leak DNN Weights
Input recovery:
- [ACSAC'18] I Know What You See: Power Side-Channel Attack on Convolutional Neural Network Accelerators
- [SIGSAC'19] Poster: Recovering the input of neural networks via single shot side-channel attacks.
- [SmartIoT'19] Floating-Point Multiplication Timing Attack on Deep Neural Network
- [IoT-J'21] Leaky Nets: Recovering Embedded Neural Network Models and Inputs Through Simple Power and Timing Side-Channels—Attacks and Defenses
- [ARES'23] You Only Get One-Shot: Eavesdropping Input Images to Neural Network by Spying SoC-FPGA Internal Bus