{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,24]],"date-time":"2026-03-24T16:15:12Z","timestamp":1774368912032,"version":"3.50.1"},"reference-count":87,"publisher":"IEEE","license":[{"start":{"date-parts":[[2019,9,1]],"date-time":"2019-09-01T00:00:00Z","timestamp":1567296000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2019,9,1]],"date-time":"2019-09-01T00:00:00Z","timestamp":1567296000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2019,9,1]],"date-time":"2019-09-01T00:00:00Z","timestamp":1567296000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2019,9]]},"DOI":"10.1109\/hpec.2019.8916519","type":"proceedings-article","created":{"date-parts":[[2019,11,29]],"date-time":"2019-11-29T07:11:36Z","timestamp":1575011496000},"page":"1-8","source":"Crossref","is-referenced-by-count":26,"title":["Survey of Attacks and Defenses on Edge-Deployed Neural Networks"],"prefix":"10.1109","author":[{"given":"Mihailo","family":"Isakov","sequence":"first","affiliation":[]},{"given":"Vijay","family":"Gadepally","sequence":"additional","affiliation":[]},{"given":"Karen M.","family":"Gettings","sequence":"additional","affiliation":[]},{"given":"Michel A.","family":"Kinsy","sequence":"additional","affiliation":[]}],"member":"263","reference":[{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1007\/s00446-002-0077-1"},{"key":"ref72","article-title":"GAZELLE: A Low Latency Framework for Secure Neural Network Inference","author":"juvekar","year":"0","journal-title":"Tech Rep"},{"key":"ref71","article-title":"Cryptonets: Applying neural networks to encrypted 
data with high throughput and accuracy","author":"dowlin","year":"2016","journal-title":"Tech Rep"},{"key":"ref70","first-page":"169","article-title":"On data banks and privacy homomorphisms","author":"rivest","year":"1978","journal-title":"Foundations of Secure Computation"},{"key":"ref76","first-page":"1","article-title":"Deep Compression - Compressing Deep Neural Networks with Pruning, Trained Quantization and Huffman Coding","author":"han","year":"2016","journal-title":"ICLRE"},{"key":"ref77","article-title":"Garbled Neural Networks are Practical","author":"ball","year":"2019","journal-title":"Tech Rep"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1145\/3812.3818"},{"key":"ref39","first-page":"719","article-title":"Flush + reload: A high resolution, low noise, l3 cache side-channel attack","author":"yarom","year":"2014","journal-title":"23rd USENIX Security Symposium (USENIX Security 14)"},{"key":"ref75","author":"darvish","year":"2018","journal-title":"Deepsecure Scalable provably-secure deep learning"},{"key":"ref38","author":"yan","year":"2018","journal-title":"Cache Telepathy Leveraging Shared Resource Attacks to Learn DNN Architectures"},{"key":"ref78","article-title":"XONN: xnor-based oblivious deep neural network inference","volume":"abs 1902 7342","author":"riazi","year":"2019","journal-title":"CoRR"},{"key":"ref79","article-title":"Xnor-net: Imagenet classification using binary convolutional neural networks","volume":"abs 1603 5279","author":"rastegari","year":"2016","journal-title":"CoRR"},{"key":"ref33","article-title":"Knockoff Nets: Stealing Functionality of Black-Box Models","author":"orekondy","year":"0","journal-title":"Tech Rep"},{"key":"ref32","first-page":"arxiv:1711.01768","article-title":"Towards Reverse-Engineering Black-Box Neural Networks","author":"oh","year":"2017","journal-title":"ArXiv e-prints"},{"key":"ref31","first-page":"arxiv:1503.02531","article-title":"Distilling the Knowledge in a Neural 
Network","author":"hinton","year":"2015","journal-title":"ArXiv e-prints"},{"key":"ref30","article-title":"Stealing machine learning models via prediction apis","volume":"abs 1609 2943","author":"tramer","year":"2016","journal-title":"CoRR"},{"key":"ref37","author":"salem","year":"2018","journal-title":"ML-Leaks Model and data independent membership inference attacks and defenses on machine learning models"},{"key":"ref36","article-title":"Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples","volume":"abs 1802 420","author":"athalye","year":"2018","journal-title":"CoRR"},{"key":"ref35","first-page":"arxiv:1412.6572","article-title":"Explaining and Harnessing Adversarial Examples","author":"goodfellow","year":"2014","journal-title":"ArXiv e-prints"},{"key":"ref34","article-title":"Stealing hyperparameters in machine learning","volume":"abs 1802 5351","author":"wang and n z gong","year":"2018","journal-title":"CoRR"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2019.00044"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1145\/3078971.3078974"},{"key":"ref61","article-title":"Turning Your Weakness Into a Strength: Watermarking Deep Neural Networks by Backdooring","author":"adi","year":"2018","journal-title":"Tech Rep"},{"key":"ref63","article-title":"Deepsigns: A generic watermarking framework for IP protection of deep learning models","volume":"abs 1804 750","author":"rouhani","year":"2018","journal-title":"CoRR"},{"key":"ref28","article-title":"Poisoning attacks against support vector machines","author":"biggio","year":"2012","journal-title":"ICML"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"ref27","first-page":"623","author":"tria","year":"2011","journal-title":"Invasive Attacks"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978318"},{"key":"ref66","first-page":"1929","article-title":"Dropout: A simple way to prevent neural 
networks from overfitting","volume":"15","author":"srivastava","year":"2014","journal-title":"Journal of Machine Learning Research"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23291"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA.2016.7446082"},{"key":"ref68","article-title":"Sequence to sequence learning with neural networks","volume":"abs 1409 3215","author":"sutskever","year":"2014","journal-title":"CoRR"},{"key":"ref69","article-title":"Software grand exposure: SGX cache attacks are practical","author":"brasser","year":"2017","journal-title":"11th USENIX Workshop on Offensive Technologies (WOOT 17)"},{"key":"ref2","article-title":"Theano: A python framework for fast computation of mathematical expressions","volume":"abs 1605 2688","author":"al-rfou","year":"2016","journal-title":"CoRR"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1145\/2647868.2654889"},{"key":"ref20","article-title":"Branchynet: Fast inference via early exiting from deep neural networks","volume":"abs 1709 1686","author":"teerapittayanon","year":"2017","journal-title":"CoRR"},{"key":"ref22","article-title":"Chexnet: Radiologist-level pneumonia detection on chest x-rays with deep learning","volume":"abs 1711 5225","author":"rajpurkar","year":"2017","journal-title":"CoRR"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.3115\/v1\/P15-1150"},{"key":"ref24","article-title":"Transferability in machine learning: from phenomena to black-box attacks using adversarial samples","volume":"abs 1605 7277","author":"papernot","year":"2016","journal-title":"CoRR"},{"key":"ref23","first-page":"62","author":"isakov","year":"2018","journal-title":"Preventing neural network model exfiltration in machine learning hardware accelerators"},{"key":"ref26","article-title":"How to backdoor federated learning","volume":"abs 1807 459","author":"bagdasaryan","year":"2018","journal-title":"CoRR"},{"key":"ref25","article-title":"The secret sharer: Measuring 
unintended neural network memorization & extracting secrets","volume":"abs 1802 8232","author":"carlini","year":"2018","journal-title":"CoRR"},{"key":"ref50","article-title":"CSI Neural Network: Using Side-channels to Recover Your Artificial Neural Network Information","author":"batina","year":"0","journal-title":"Tech Rep"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274696"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1145\/1506409.1506429"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2018.2886017"},{"key":"ref57","article-title":"DeepLaser: Practical Fault Attack on Deep Neural Networks","author":"breier","year":"0","journal-title":"Tech Rep"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1145\/3287560.3287562"},{"key":"ref55","doi-asserted-by":"crossref","first-page":"299","DOI":"10.1145\/2508859.2516660","article-title":"Path oram: An extremely simple oblivious ram protocol","author":"stefanov","year":"2013","journal-title":"Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security ser CCS ’13"},{"key":"ref54","author":"gruss","year":"2017","journal-title":"Another flip in the wall of rowhammer defenses"},{"key":"ref53","article-title":"Bit-Flip Attack: Crushing Neural Network with Progressive Bit Search","author":"rakin","year":"0","journal-title":"Tech Rep"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1109\/ICCAD.2017.8203770"},{"key":"ref10","article-title":"Tensorflow.js: Machine learning for the web and beyond","volume":"abs 1901 5350","author":"smilkov","year":"2019","journal-title":"CoRR"},{"key":"ref11","year":"2019","journal-title":"Google Edge TPU"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.43"},{"key":"ref12","year":"2019","journal-title":"NVIDIA Jetson Nano"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCS.2017.226"},{"key":"ref14","first-page":"3123","article-title":"Binaryconnect: 
Training deep neural networks with binary weights during propagations","author":"courbariaux","year":"2015","journal-title":"Advances in Neural Information Processing Systems"},{"key":"ref15","article-title":"SC-DCNN: highly-scalable deep convolutional neural network using stochastic computing","volume":"abs 1611 5939","author":"ren","year":"2016","journal-title":"CoRR"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1145\/2591635.2667184"},{"key":"ref16","article-title":"ESE: efficient speech recognition engine with compressed LSTM on FPGA","volume":"abs 1612 694","author":"han","year":"2016","journal-title":"CoRR"},{"key":"ref81","author":"tehranipoor","year":"2011","journal-title":"Introduction to Hardware Security and Trust"},{"key":"ref17","first-page":"55","author":"isakov","year":"2018","journal-title":"Closnets Batchless dnn training with on-chip a priori sparse neural topologies"},{"key":"ref84","article-title":"Mlcapsule: Guarded offline deployment of machine learning as a service","volume":"abs 1808 590","author":"hanzlik","year":"2018","journal-title":"CoRR"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1088\/1748-0221\/13\/07\/P07027"},{"key":"ref83","article-title":"Keystone: A framework for architecting tees","volume":"abs 1907 10119","author":"lee","year":"2019","journal-title":"CoRR"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1162\/neco.1997.9.8.1735"},{"key":"ref80","doi-asserted-by":"crossref","first-page":"486","DOI":"10.1007\/978-3-540-70583-3_40","article-title":"Improved garbled circuit: Free xor gates and applications","author":"kolesnikov","year":"2008","journal-title":"Automata Languages and Programming"},{"key":"ref4","author":"chollet","year":"2015","journal-title":"Keras"},{"key":"ref3","author":"abadi","year":"2015","journal-title":"Tensor-Flow Large-scale machine learning on heterogeneous systems"},{"key":"ref6","article-title":"Google’s neural machine translation system: Bridging the gap between 
human and machine translation","volume":"abs 1609 8144","author":"wu","year":"2016","journal-title":"CoRR"},{"key":"ref5","author":"paszke","year":"2017","journal-title":"On Automatic Differentiation"},{"key":"ref85","author":"tramer","year":"2018","journal-title":"Slalom Fast verifiable and private execution of neural networks in trusted hardware"},{"key":"ref8","year":"2019","journal-title":"ONNX Open Neural Network Exchange Format"},{"key":"ref86","doi-asserted-by":"crossref","first-page":"9","DOI":"10.1145\/1278480.1278484","article-title":"physical unclonable functions for device authentication and secret key generation","author":"suh","year":"2007","journal-title":"2007 44th ACM\/IEEE Design Automation Conference DAC"},{"key":"ref7","year":"2019","journal-title":"TensorFlow Serving"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1145\/3007787.3001138"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1145\/2382536.2382540"},{"key":"ref9","year":"2019","journal-title":"Apple Core ML"},{"key":"ref46","year":"2019","journal-title":"Dormant Yet Always-Alert Sensor Awakes Only in the Presence of a Signal of Interest"},{"key":"ref45","article-title":"Federated learning of deep networks using model averaging","volume":"abs 1602 5629","author":"mcmahan","year":"2016","journal-title":"CoRR"},{"key":"ref48","first-page":"86","article-title":"Intel sgx explained","volume":"2016","author":"costan","year":"2016","journal-title":"IACR Cryptology ePrint Archive"},{"key":"ref47","author":"hua","year":"2018","journal-title":"Reverse Engineering Convolutional Neural Networks Through Side-channel Information Leaks"},{"key":"ref42","article-title":"Security analysis of deep neural networks operating in the presence of cache side-channel attacks","volume":"abs 1810 
3487","author":"hong","year":"2018","journal-title":"CoRR"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243831"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382230"},{"key":"ref43","article-title":"Stealing neural networks via timing side channels","volume":"abs 1812 11720","author":"duddu","year":"2018","journal-title":"CoRR"}],"event":{"name":"2019 IEEE High Performance Extreme Computing Conference (HPEC)","location":"Waltham, MA, USA","start":{"date-parts":[[2019,9,24]]},"end":{"date-parts":[[2019,9,26]]}},"container-title":["2019 IEEE High Performance Extreme Computing Conference (HPEC)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/8910148\/8916214\/08916519.pdf?arnumber=8916519","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,7,18]],"date-time":"2022-07-18T10:47:02Z","timestamp":1658141222000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/8916519\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,9]]},"references-count":87,"URL":"https:\/\/doi.org\/10.1109\/hpec.2019.8916519","relation":{},"subject":[],"published":{"date-parts":[[2019,9]]}}}