DeepFreeze: Cold Boot Attacks and High Fidelity Model Recovery on Commercial EdgeML Device
arXiv - CS - Cryptography and Security. Pub Date: 2021-08-03, DOI: arxiv-2108.01281
Yoo-Seung Won, Soham Chatterjee, Dirmanto Jap, Arindam Basu, Shivam Bhasin

EdgeML accelerators like the Intel Neural Compute Stick 2 (NCS) enable efficient edge-based inference with complex pre-trained models. The models are loaded on the host (for example a Raspberry Pi) and then transferred to the NCS for inference. In this paper, we demonstrate practical and low-cost cold boot based model recovery attacks on the NCS that recover the model architecture and weights loaded from the Raspberry Pi. The architecture is recovered with 100% success and the weights with an error rate of 0.04%. The recovered model shows a maximum accuracy loss of 0.5% compared to the original model and allows high-fidelity transfer of adversarial examples. We further extend our study to other cold boot attack setups reported in the literature, whose higher error rates lead to accuracy loss as high as 70%. We then propose a methodology based on knowledge distillation to correct the erroneous weights in the recovered model, even without access to the original training data. The proposed attack remains unaffected by the model encryption features of the OpenVINO and NCS framework.
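The abstract ties the usefulness of a cold-boot-recovered model to the bit error rate of the memory dump: 0.04% costs about 0.5% accuracy, while the higher error rates of other setups cost up to 70%. The following added example (written for this page, not code from the paper or its authors) models weight corruption as random bit flips in IEEE-754 binary32 weights and measures how many weights become non-finite or grossly wrong. It assumes independent, uniformly distributed bit errors and synthetic weights drawn from a small Gaussian; real DRAM decay is position-dependent and biased toward one bit value, and the paper's "error rate" may be defined per weight rather than per bit, so the numbers it produces illustrate the mechanism only. The key point it shows is that a flipped exponent bit turns an ordinary weight into an enormous or infinite value, which is why a tiny raw error rate can still wreck a model and why a correction step such as the distillation the paper proposes is needed.

```python
import math
import random
import struct


def float_to_bits(x: float) -> int:
    """Pack a Python float as IEEE-754 binary32 and return the 32-bit pattern."""
    return struct.unpack("<I", struct.pack("<f", x))[0]


def bits_to_float(b: int) -> float:
    """Inverse of float_to_bits: reinterpret a 32-bit pattern as binary32."""
    return struct.unpack("<f", struct.pack("<I", b & 0xFFFFFFFF))[0]


def flip_bit(x: float, bit: int) -> float:
    """Flip one bit of a binary32 value: 0 = mantissa LSB, 23..30 = exponent, 31 = sign."""
    return bits_to_float(float_to_bits(x) ^ (1 << bit))


def corrupt_weights(weights, bit_error_rate: float, seed: int = 0):
    """Simulate memory decay between power-off and dump as independent bit flips.

    ASSUMPTION (not from the paper): every bit of every weight flips with the
    same probability `bit_error_rate`; real DRAM decay is position-dependent.
    """
    rng = random.Random(seed)
    out = []
    for w in weights:
        b = float_to_bits(w)
        for i in range(32):
            if rng.random() < bit_error_rate:
                b ^= 1 << i
        out.append(bits_to_float(b))
    return out


def corruption_stats(original, recovered):
    """Count weights that changed, became NaN/inf, or moved by more than 100%."""
    changed = nonfinite = gross = 0
    for o, r in zip(original, recovered):
        if float_to_bits(o) == float_to_bits(r):
            continue
        changed += 1
        if not math.isfinite(r):
            nonfinite += 1
        elif abs(r - o) > max(abs(o), 1e-6):
            gross += 1
    return {"n": len(original), "changed": changed, "nonfinite": nonfinite, "gross": gross}


def sweep(n_weights: int = 20000, rates=(0.0004, 0.005, 0.05), seed: int = 1):
    """Corrupt a constructed Gaussian weight vector at several per-bit error rates."""
    rng = random.Random(seed)
    weights = [rng.gauss(0.0, 0.05) for _ in range(n_weights)]  # constructed sample weights
    return {rate: corruption_stats(weights, corrupt_weights(weights, rate, seed)) for rate in rates}


if __name__ == "__main__":
    # A single exponent-bit flip is far more damaging than a mantissa-bit flip.
    print("1.0 with mantissa LSB flipped:", flip_bit(1.0, 0))
    print("1.0 with exponent MSB flipped:", flip_bit(1.0, 30))
    print("1.0 with sign bit flipped:   ", flip_bit(1.0, 31))
    for rate, stats in sweep().items():
        print(f"bit error rate {rate:.4f}: {stats}")
```

Run it and compare the rows: at the lowest rate only a handful of weights change and a fraction of those are gross errors, while at the higher rates thousands of weights are non-finite or off by orders of magnitude, so any inference through them is meaningless until they are repaired.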

Updated: 2021-08-04