Stealing Neural Network Structure Through Remote FPGA Side-Channel Analysis
IEEE Transactions on Information Forensics and Security (IF 6.3), Pub Date: 2021-08-19, DOI: 10.1109/tifs.2021.3106169
Yicheng Zhang, Rozhin Yasaei, Hao Chen, Zhou Li, Mohammad Abdullah Al Faruque

Deep Neural Network (DNN) models have been extensively developed by companies for a wide range of applications. The development of a customized DNN model with great performance requires costly investments, and its structure (layers and hyper-parameters) is considered intellectual property and holds immense value. However, in this paper, we found the model secret is vulnerable when a cloud-based FPGA accelerator executes it. We demonstrate an end-to-end attack based on remote power side-channel analysis and machine-learning-based secret inference against different DNN models. The evaluation result shows that an attacker can reconstruct the layer and hyper-parameter sequence at over 90% accuracy using our method, which can significantly reduce her model development workload. We believe the threat presented by our attack is tangible, and new defense mechanisms should be developed against this threat.

Updated: 2021-08-19