{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,25]],"date-time":"2025-09-25T16:41:50Z","timestamp":1758818510103,"version":"3.44.0"},"publisher-location":"New York, NY, USA","reference-count":40,"publisher":"ACM","funder":[{"name":"Ministry of Education, Singapore","award":["MOE-T2EP20121-0008"],"award-info":[{"award-number":["MOE-T2EP20121-0008"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,8,25]]},"DOI":"10.1145\/3709017.3737712","type":"proceedings-article","created":{"date-parts":[[2025,7,15]],"date-time":"2025-07-15T16:18:38Z","timestamp":1752596318000},"page":"52-63","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Extracting Proxy Models from Side-Channel Insights to Enhance Adversarial Attacks on Black-Box DNNs"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0236-8533","authenticated-orcid":false,"given":"Srivatsan","family":"Chandrasekar","sequence":"first","affiliation":[{"name":"Nanyang Technological University, Singapore"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-6248-0830","authenticated-orcid":false,"given":"Likith","family":"Anaparty","sequence":"additional","affiliation":[{"name":"Indian Institute of Technology, Palakkad, Kerala, India"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8346-2635","authenticated-orcid":false,"given":"Siew-Kei","family":"Lam","sequence":"additional","affiliation":[{"name":"Nanyang Technological University, Singapore"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1358-0107","authenticated-orcid":false,"given":"Vivek","family":"Chaturvedi","sequence":"additional","affiliation":[{"name":"Indian Institute of Technology, Palakkad, 
Kerala, India"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,8,25]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1186\/s40537-021-00444-8"},{"key":"e_1_3_2_1_2_1","volume-title":"Bandwidth Utilization Side-Channel on ML Inference Accelerators. (10","author":"Banerjee Sarbartha","year":"2021","unstructured":"Sarbartha Banerjee, Shijia Wei, Prakash Ramrakhyani, and Mohit Tiwari. 2021. Bandwidth Utilization Side-Channel on ML Inference Accelerators. (10 2021). http:\/\/arxiv.org\/abs\/2110.07157"},{"key":"e_1_3_2_1_3_1","unstructured":"Lejla Batina Shivam Bhasin Dirmanto Jap and Stjepan Picek. 2018. CSI Neural Network: Using Side-channels to Recover Your Artificial Neural Network Information. https:\/\/arxiv.org\/abs\/1810.09076"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-010-0115-0"},{"key":"e_1_3_2_1_5_1","volume-title":"Support Vector Machines Under Adversarial Label Noise. 20","author":"Biggio Battista","year":"2011","unstructured":"Battista Biggio, Blaine Nelson, and Pavel Laskov. 2011. Support Vector Machines Under Adversarial Label Noise. 20 (2011), 97--112."},{"key":"e_1_3_2_1_6_1","volume-title":"DNN Model Theft Through Trojan Side-Channel on Edge FPGA Accelerator. In International Symposium on Applied Reconfigurable Computing. Springer, 146--158","author":"Chandrasekar Srivatsan","year":"2023","unstructured":"Srivatsan Chandrasekar, Siew-Kei Lam, and Srikanthan Thambipillai. 2023. DNN Model Theft Through Trojan Side-Channel on Edge FPGA Accelerator. In International Symposium on Applied Reconfigurable Computing. 
Springer, 146--158."},{"key":"e_1_3_2_1_7_1","volume-title":"13th USENIX Symposium on Operating Systems Design and Implementation (OSDI 18)","author":"Chen Tianqi","year":"2018","unstructured":"Tianqi Chen, Thierry Moreau, Ziheng Jiang, Lianmin Zheng, Eddie Yan, Haichen Shen, Meghan Cowan, Leyuan Wang, Yuwei Hu, Luis Ceze, et al. 2018. {TVM}: An automated {End-to-End} optimizing compiler for deep learning. In 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI 18). 578--594."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00957"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/AICAS54282.2022.9869973"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/ITC44170.2019.9000145"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/3581783.3612070"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/3316781.3317829"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCD.2012.6378628"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3508352.3549452"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/3373376.3378460"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","unstructured":"Weizhe Hua Zhiru Zhang and G Edward Suh. 2018. Reverse Engineering Convolutional Neural Networks Through Side-channel Information Leaks. (2018). https:\/\/doi.org\/10.1145\/3195970.3196105","DOI":"10.1145\/3195970.3196105"},{"key":"e_1_3_2_1_19_1","volume-title":"International conference on machine learning. pmlr, 448--456","author":"Ioffe Sergey","year":"2015","unstructured":"Sergey Ioffe and Christian Szegedy. 2015. Batch normalization: Accelerating deep network training by reducing internal covariate shift. 
In International conference on machine learning. pmlr, 448--456."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2019.00044"},{"key":"e_1_3_2_1_21_1","volume-title":"Weinberger (Eds.)","volume":"25","author":"Krizhevsky Alex","year":"2012","unstructured":"Alex Krizhevsky, Ilya Sutskever, and Geoffrey E Hinton. 2012. ImageNet Classification with Deep Convolutional Neural Networks. In Advances in Neural Information Processing Systems, F. Pereira, C.J. Burges, L. Bottou, and K.Q. Weinberger (Eds.), Vol. 25. Curran Associates, Inc. https:\/\/proceedings.neurips.cc\/paper_files\/paper\/2012\/file\/c399862d3b9d6b76c8436e924a68c45b-Paper.pdf"},{"key":"e_1_3_2_1_22_1","volume-title":"HTree: Hardware Trojan Attack on Cache Resizing Policies","author":"Kumar Atul","year":"2023","unstructured":"Atul Kumar, Shirshendu Das, and Basant Subba. 2023. HTree: Hardware Trojan Attack on Cache Resizing Policies. IEEE Embedded Systems Letters (2023)."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00191"},{"key":"e_1_3_2_1_24_1","volume-title":"Foveation-based mechanisms alleviate adversarial examples. arXiv preprint arXiv:1511.06292","author":"Luo Yan","year":"2015","unstructured":"Yan Luo, Xavier Boix, Gemma Roig, Tomaso Poggio, and Qi Zhao. 2015. Foveation-based mechanisms alleviate adversarial examples. arXiv preprint arXiv:1511.06292 (2015)."},{"key":"e_1_3_2_1_25_1","unstructured":"Thierry Moreau Tianqi Chen Luis Vega Jared Roesch Eddie Yan Lianmin Zheng Josh Fromm Ziheng Jiang Luis Ceze Carlos Guestrin and Arvind Krishnamurthy. 2019. A Hardware-Software Blueprint for Flexible Deep Learning Specialization. (2019). https:\/\/arxiv.org\/abs\/1807.04188"},{"key":"e_1_3_2_1_26_1","volume-title":"Towards reverse-engineering black-box neural networks. Explainable AI: interpreting, explaining and visualizing deep learning","author":"Oh Seong Joon","year":"2019","unstructured":"Seong Joon Oh, Bernt Schiele, and Mario Fritz. 
2019. Towards reverse-engineering black-box neural networks. Explainable AI: interpreting, explaining and visualizing deep learning (2019), 121--144."},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3595292"},{"key":"e_1_3_2_1_28_1","volume-title":"Transferability in machine learning: from phenomena to black-box attacks using adversarial samples. arXiv preprint arXiv:1605.07277","author":"Papernot Nicolas","year":"2016","unstructured":"Nicolas Papernot, Patrick McDaniel, and Ian Goodfellow. 2016. Transferability in machine learning: from phenomena to black-box attacks using adversarial samples. arXiv preprint arXiv:1605.07277 (2016)."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISCAS51556.2021.9401481"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00474"},{"key":"e_1_3_2_1_32_1","volume-title":"Garnett (Eds.)","volume":"31","author":"Santurkar Shibani","year":"2018","unstructured":"Shibani Santurkar, Dimitris Tsipras, Andrew Ilyas, and Aleksander Madry. 2018. How Does Batch Normalization Help Optimization?. In Advances in Neural Information Processing Systems, S. Bengio, H. Wallach, H. Larochelle, K. Grauman, N. Cesa-Bianchi, and R. Garnett (Eds.), Vol. 31. Curran Associates, Inc. https:\/\/proceedings.neurips.cc\/paper_files\/paper\/2018\/file\/905056c1ac1dad141560467e0a99e1cf-Paper.pdf"},{"key":"e_1_3_2_1_33_1","volume-title":"Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556","author":"Simonyan Karen","year":"2014","unstructured":"Karen Simonyan and Andrew Zisserman. 2014. Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556 (2014)."},{"key":"e_1_3_2_1_34_1","volume-title":"Ensemble adversarial training: Attacks and defenses. 
arXiv preprint arXiv:1705.07204","author":"Tram\u00e8r Florian","year":"2017","unstructured":"Florian Tram\u00e8r, Alexey Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, and Patrick McDaniel. 2017. Ensemble adversarial training: Attacks and defenses. arXiv preprint arXiv:1705.07204 (2017)."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.5555\/3241094.3241142"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3627817"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/iscas45731.2020.9180580"},{"key":"e_1_3_2_1_38_1","volume-title":"2017 27th International Conference on Field Programmable Logic and Applications (FPL). IEEE, 1--4.","author":"Zhang Xiaofan","year":"2017","unstructured":"Xiaofan Zhang, Xinheng Liu, Anand Ramachandran, Chuanhao Zhuge, Shibin Tang, Peng Ouyang, Zuofu Cheng, Kyle Rupnow, and Deming Chen. 2017. High-performance video content recognition with long-term recurrent convolutional network for FPGA. In 2017 27th International Conference on Field Programmable Logic and Applications (FPL). 
IEEE, 1--4."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/HST.2011.5954998"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3106169"}],"event":{"name":"ASIA CCS '25: ACM Asia Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Hanoi Vietnam","acronym":"ASIA CCS '25"},"container-title":["Proceedings of the 11th ACM Cyber-Physical System Security Workshop"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3709017.3737712","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,25]],"date-time":"2025-09-25T16:20:14Z","timestamp":1758817214000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3709017.3737712"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,8,25]]},"references-count":40,"alternative-id":["10.1145\/3709017.3737712","10.1145\/3709017"],"URL":"https:\/\/doi.org\/10.1145\/3709017.3737712","relation":{},"subject":[],"published":{"date-parts":[[2025,8,25]]},"assertion":[{"value":"2025-08-25","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}