{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,16]],"date-time":"2025-09-16T17:38:52Z","timestamp":1758044332048,"version":"3.44.0"},"reference-count":48,"publisher":"Association for Computing Machinery (ACM)","issue":"5","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Embed. Comput. Syst."],"published-print":{"date-parts":[[2025,9,30]]},"abstract":"<jats:p>\n            During the last decade, there has been stunning progress in the domain of Artificial Intelligence (AI) aided by highly trained Machine Learning (ML) models. Such models are valuable Intellectual Property (IP) and, therefore, have been subjected to various model recovery attacks. In this work, we study the vulnerabilities of the commercial, open-source accelerator\n            <jats:sans-serif>NVDLA<\/jats:sans-serif>\n            and present the first successful model recovery attack. For this purpose, we used power and timing information from the side-channel leakage of convolutional neural network (CNN) models to train CNN-based attack models. Utilizing these attack models, we demonstrate that even with a highly pipelined architecture, multiple parallel executions in the accelerator, and a Linux OS running tasks in the background, recovery of the number of layers, kernel sizes, and output neurons, as well as distinguishing different layers, is possible with very high accuracy. This is also the first work to show the impact of differences in hyperparameters on the power traces.\n          <\/jats:p>\n          <jats:p>Our solution is fully automated, AI-based, and portable to other hardware neural networks, thus presenting a greater threat toward IP protection. Using LeNet as the target victim model, we demonstrate an accuracy of more than 95% in recovering various parameters. This study presents a serious practical threat, in the form of a side-channel attack, toward complex commercial architectures. Furthermore, we show that an AI-guided attack significantly boosts the attacker's capability.<\/jats:p>","DOI":"10.1145\/3731560","type":"journal-article","created":{"date-parts":[[2025,4,21]],"date-time":"2025-04-21T07:05:26Z","timestamp":1745219126000},"page":"1-29","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["AI Attacks AI: Recovering Neural Network Architecture from NVDLA Using AI-Assisted Side Channel Attack"],"prefix":"10.1145","volume":"24","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3056-9241","authenticated-orcid":false,"given":"Naina","family":"Gupta","sequence":"first","affiliation":[{"name":"Nanyang Technological University","place":["Singapore, Singapore"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1082-4049","authenticated-orcid":false,"given":"Arpan","family":"Jati","sequence":"additional","affiliation":[{"name":"Nanyang Technological University","place":["Singapore, Singapore"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8818-6983","authenticated-orcid":false,"given":"Anupam","family":"Chattopadhyay","sequence":"additional","affiliation":[{"name":"Nanyang Technological University","place":["Singapore, Singapore"]}]}],"member":"320","published-online":{"date-parts":[[2025,9,12]]},"reference":[{"key":"e_1_3_2_2_2","first-page":"515","volume-title":"Proceedings of the 28th USENIX Conference on Security Symposium.","author":"Batina Lejla","year":"2019","unstructured":"Lejla Batina, Shivam Bhasin, Dirmanto Jap, and Stjepan Picek. 2019. CSI NN: Reverse engineering of neural network architectures through electromagnetic side channel. 
In Proceedings of the 28th USENIX Conference on Security Symposium.USENIX Association, USA, 515\u2013532."},{"key":"e_1_3_2_3_2","volume-title":"Proceedings of the CRYPTOLOGY EPRINT ARCHIVE, REPORT 2004\/145","author":"Carlier Vincent","year":"2004","unstructured":"Vincent Carlier, Herv\u00e9 Chabanne, Emmanuelle Dottax, and Herv\u00e9 Pelletier. 2004. Electromagnetic side channels of an FPGA implementation of AES. In Proceedings of the CRYPTOLOGY EPRINT ARCHIVE, REPORT 2004\/145. Citeseer."},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1049\/cit2.12026"},{"key":"e_1_3_2_5_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-81645-2_7"},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1109\/EURCON.2005.1630348"},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.5555\/646692.703439"},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCSN.2016.7586627"},{"key":"e_1_3_2_9_2","first-page":"506","article-title":"ModuloNET: Neural networks meet modular arithmetic for efficient hardware masking","author":"Dubey Anuj","year":"2022","unstructured":"Anuj Dubey, Afzal Ahmad, Muhammad Adeel Pasha, Rosario Cammarota, and Aydin Aysu. 2022. ModuloNET: Neural networks meet modular arithmetic for efficient hardware masking. IACR Transactions on Cryptographic Hardware and Embedded Systems 2020, 1 (2022), 506\u2013556.","journal-title":"IACR Transactions on Cryptographic Hardware and Embedded Systems"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1145\/3400302.3415649"},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1109\/HOST45689.2020.9300276"},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134028"},{"key":"e_1_3_2_13_2","unstructured":"Peter Horvath Lukasz Chmielewski Leo Weissbart Lejla Batina and Yuval Yarom. 2023. BarraCUDA: Bringing electromagnetic side channel into play to steal the weights of neural networks from NVIDIA GPUs. arXiv:2312.07783. 
Retrieved from https:\/\/arxiv.org\/abs\/2312.07783"},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.microrel.2021.114116"},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1145\/3195970.3196105"},{"key":"e_1_3_2_16_2","unstructured":"Intel. Intel Movidius Neural Compute Stick. Retrieved from https:\/\/www.intel.com\/content\/www\/us\/en\/developer\/articles\/technical\/intel-movidius-neural-compute-stick.html"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1145\/2647868.2654889"},{"key":"e_1_3_2_18_2","first-page":"256","volume-title":"Proceedings of the International Conference on Smart Card Research and Advanced Applications","author":"Joud Rapha\u00ebl","year":"2023","unstructured":"Rapha\u00ebl Joud, Pierre-Alain Mo\u00ebllic, Simon Ponti\u00e9, and Jean-Baptiste Rigaud. 2023. Like an open book? Read neural network architecture with simple power analysis on 32-bit microcontrollers. In Proceedings of the International Conference on Smart Card Research and Advanced Applications. Springer, 256\u2013276."},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1145\/3079856.3080246"},{"issue":"3","key":"e_1_3_2_20_2","first-page":"1100","article-title":"Model inversion attack: Analysis under gray-box scenario on deep learning based face recognition system","volume":"15","author":"Khosravy Mahdi","year":"2021","unstructured":"Mahdi Khosravy, Kazuaki Nakamura, Yuki Hirose, Naoko Nitta, and Noboru Babaguchi. 2021. Model inversion attack: Analysis under gray-box scenario on deep learning based face recognition system. 
KSII Transactions on Internet and Information Systems 15, 3 (2021), 1100\u20131118.","journal-title":"KSII Transactions on Internet and Information Systems"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2022.3140687"},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-48405-1_25"},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-68697-5_9"},{"key":"e_1_3_2_24_2","unstructured":"Francois Koeune Jean-Jacques Quisquater and Jean-Jacques Quisquater. 1999. A timing attack against rijndael. (1999)."},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.46586\/tches.v2025.i1.78-103"},{"key":"e_1_3_2_26_2","article-title":"The MNIST database of handwritten digits","author":"LeCun Yann","year":"1998","unstructured":"Yann LeCun. 1998. The MNIST database of handwritten digits. http:\/\/yann. lecun. com\/exdb\/mnist\/ (1998).","journal-title":"http:\/\/yann. lecun. com\/exdb\/mnist\/"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1109\/HOST49136.2021.9702279"},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2021.3061314"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.5555\/1765361.1765392"},{"key":"e_1_3_2_30_2","article-title":"Low cost attacks on smart cards: The electromagnetic sidechannel","author":"Matthews Adam","year":"2006","unstructured":"Adam Matthews. 2006. Low cost attacks on smart cards: The electromagnetic sidechannel. Next Generation Security Software, Sept (2006).","journal-title":"Next Generation Security Software, Sept"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-44499-8_6"},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.3390\/app11156790"},{"key":"e_1_3_2_33_2","first-page":"151","article-title":"Investigations of power analysis attacks on smartcards.","volume":"99","author":"Messerges Thomas S.","year":"1999","unstructured":"Thomas S. Messerges, Ezzy A. 
Dabbish, and Robert H. Sloan. 1999. Investigations of power analysis attacks on smartcards. Smartcard 99 (1999), 151\u2013161.","journal-title":"Smartcard"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1109\/JETCAS.2021.3074608"},{"key":"e_1_3_2_35_2","unstructured":"NVDLA. 2018. NVDLA PReLU Issue. Retrieved from https:\/\/github.com\/nvdla\/sw\/issues\/16#issuecomment-384517936 https:\/\/github.com\/nvdla\/sw\/issues\/32. (2018)."},{"key":"e_1_3_2_36_2","unstructured":"NVIDIA. 2019. NVIDIA Deep Learning Accelerator. Retrieved from http:\/\/nvdla.org\/hw\/v1\/ias\/unit_description.html. (2019)."},{"key":"e_1_3_2_37_2","unstructured":"NVIDIA. 2018. NVIDIA Deep Learning Accelerator. Retrieved from http:\/\/nvdla.org\/primer.html. (2018)."},{"key":"e_1_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.1145\/3595292"},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISCAS58744.2024.10558566"},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274696"},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCAD51958.2021.9643512"},{"key":"e_1_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.1145\/3474376.3487284"},{"key":"e_1_3_2_43_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICEIC51217.2021.9369754"},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1145\/3394885.3431639"},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICFPT59805.2023.00026"},{"key":"e_1_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISCAS45731.2020.9180580"},{"key":"e_1_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.1109\/HOST45689.2020.9300274"},{"key":"e_1_3_2_48_2","first-page":"12278","volume-title":"Proceedings of the International Conference on Machine Learning","author":"Zanella-Beguelin Santiago","year":"2021","unstructured":"Santiago Zanella-Beguelin, Shruti Tople, Andrew Paverd, and Boris K\u00f6pf. 2021. Grey-box extraction of natural language models. 
In Proceedings of the International Conference on Machine Learning. PMLR, 12278\u201312286."},{"key":"e_1_3_2_49_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3106169"}],"container-title":["ACM Transactions on Embedded Computing Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3731560","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,12]],"date-time":"2025-09-12T11:45:10Z","timestamp":1757677510000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3731560"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,9,12]]},"references-count":48,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2025,9,30]]}},"alternative-id":["10.1145\/3731560"],"URL":"https:\/\/doi.org\/10.1145\/3731560","relation":{},"ISSN":["1539-9087","1558-3465"],"issn-type":[{"type":"print","value":"1539-9087"},{"type":"electronic","value":"1558-3465"}],"subject":[],"published":{"date-parts":[[2025,9,12]]},"assertion":[{"value":"2024-03-04","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-03-25","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-09-12","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}