<div class="csl-bib-body">
<div class="csl-entry">Ahmadi, M. M., Alrahis, L., Colucci, A., Sinanoglu, O., & Shafique, M. (2022). NeuroUnlock: Unlocking the Architecture of Obfuscated Deep Neural Networks. In <i>Proceedings 2022 International Joint Conference on Neural Networks (IJCNN)</i> (pp. 01–10). https://doi.org/10.1109/IJCNN55064.2022.9892545</div>
</div>
-
dc.identifier.uri
http://hdl.handle.net/20.500.12708/142200
-
dc.description.abstract
The advancements of deep neural networks (DNNs) have led to their deployment in diverse settings, including safety- and security-critical applications. As a result, the characteristics of these models (e.g., the architecture of layers and weight values/distributions) have become sensitive intellectual property that requires protection from malicious users. Extracting the architecture of a DNN through leaky side-channels (e.g., memory access) allows adversaries to (i) clone the model (i.e., build proxy models with similar accuracy profiles), and (ii) craft adversarial attacks. DNN obfuscation thwarts side-channel-based architecture stealing (SCAS) attacks by altering the run-time traces of a given DNN while preserving its functionality. In this work, we expose the vulnerability of state-of-the-art DNN obfuscation methods (based on predictable and reversible modifications employed in a given DNN architecture) to these attacks. We present NeuroUnlock, a novel SCAS attack against obfuscated DNNs. NeuroUnlock employs a sequence-to-sequence model that learns the obfuscation procedure and automatically reverts it, thereby recovering the original DNN architecture. We demonstrate the effectiveness of NeuroUnlock by recovering the architecture of 200 randomly generated and obfuscated DNNs running on the Nvidia RTX 2080 Ti graphics processing unit (GPU). Moreover, NeuroUnlock recovers the architecture of various other obfuscated (and publicly available) DNNs, such as the VGG-11, VGG-13, ResNet-20, and ResNet-32 networks. After recovering the architecture, NeuroUnlock automatically builds a near-equivalent DNN with only a 1.4% drop in testing accuracy. We further show that launching a subsequent adversarial attack on the recovered DNNs boosts the success rate of the adversarial attack by 51.7% on average compared to launching it on the obfuscated versions.
Additionally, we propose a novel methodology for DNN obfuscation, ReDLock, which eradicates the deterministic nature of the obfuscation and achieves 2.16x more resilience to the NeuroUnlock attack. We release NeuroUnlock and ReDLock as open-source frameworks (https://github.com/Mahya-Ahmadi/NeuroUnlock).
en
dc.language.iso
en
-
dc.subject
hardware architecture
en
dc.subject
Deep neural networks
en
dc.subject
Model extraction
en
dc.subject
Obfuscation
en
dc.subject
Side-channel-based attacks
en
dc.title
NeuroUnlock: Unlocking the Architecture of Obfuscated Deep Neural Networks
en
dc.type
Inproceedings
en
dc.type
Konferenzbeitrag
de
dc.contributor.affiliation
New York University Abu Dhabi (NYUAD), United Arab Emirates
-
dc.contributor.affiliation
New York University Abu Dhabi (NYUAD), United Arab Emirates
-
dc.contributor.affiliation
New York University Abu Dhabi (NYUAD), United Arab Emirates
-
dc.relation.isbn
978-1-7281-8671-9
-
dc.description.startpage
01
-
dc.description.endpage
10
-
dc.type.category
Full-Paper Contribution
-
tuw.booktitle
Proceedings 2022 International Joint Conference on Neural Networks (IJCNN)
-
tuw.container.volume
2022-July
-
tuw.peerreviewed
true
-
tuw.researchTopic.id
I2
-
tuw.researchTopic.name
Computer Engineering and Software-Intensive Systems
-
tuw.researchTopic.value
100
-
tuw.publication.orgunit
E191-02 - Forschungsbereich Embedded Computing Systems
-
tuw.publisher.doi
10.1109/IJCNN55064.2022.9892545
-
dc.description.numberOfPages
10
-
tuw.author.orcid
0000-0003-1805-750X
-
tuw.event.name
2022 International Joint Conference on Neural Networks (IJCNN)
en
tuw.event.startdate
18-07-2022
-
tuw.event.enddate
23-07-2022
-
tuw.event.online
On Site
-
tuw.event.type
Event for scientific audience
-
tuw.event.place
Padua
-
tuw.event.country
IT
-
tuw.event.presenter
Ahmadi, Mahya Morid
-
wb.sciencebranch
Informatik
-
wb.sciencebranch.oefos
1020
-
wb.sciencebranch.value
100
-
item.openairecristype
http://purl.org/coar/resource_type/c_5794
-
item.grantfulltext
restricted
-
item.languageiso639-1
en
-
item.openairetype
conference paper
-
item.fulltext
no Fulltext
-
item.cerifentitytype
Publications
-
crisitem.author.dept
E191-01 - Forschungsbereich Cyber-Physical Systems
-
crisitem.author.dept
E191-02 - Forschungsbereich Embedded Computing Systems
-
crisitem.author.dept
New York University Abu Dhabi (NYUAD), United Arab Emirates