-
Side-Channel Analysis of OpenVINO-based Neural Network Models
Authors:
Dirmanto Jap,
Jakub Breier,
Zdenko Lehocký,
Shivam Bhasin,
Xiaolu Hou
Abstract:
Embedded devices with neural network accelerators offer great versatility for their users, reducing the need to use cloud-based services. At the same time, they introduce new security challenges in the area of hardware attacks, the most prominent being side-channel analysis (SCA). It was shown that SCA can recover model parameters with a high accuracy, posing a threat to entities that wish to keep…
▽ More
Embedded devices with neural network accelerators offer great versatility for their users, reducing the need to use cloud-based services. At the same time, they introduce new security challenges in the area of hardware attacks, the most prominent being side-channel analysis (SCA). It was shown that SCA can recover model parameters with a high accuracy, posing a threat to entities that wish to keep their models confidential. In this paper, we explore the susceptibility of quantized models implemented in OpenVINO, an embedded framework for deploying neural networks on embedded and Edge devices. We show that it is possible to recover model parameters with high precision, allowing the recovered model to perform very close to the original one. Our experiments on GoogleNet v1 show only a 1% difference in the Top 1 and a 0.64% difference in the Top 5 accuracies.
△ Less
Submitted 20 August, 2024; v1 submitted 23 July, 2024;
originally announced July 2024.
-
Adaptive Actor-Critic Based Optimal Regulation for Drift-Free Uncertain Nonlinear Systems
Authors:
Ashwin P. Dani,
Shubhendu Bhasin
Abstract:
In this paper, a continuous-time adaptive actor-critic reinforcement learning (RL) controller is developed for drift-free nonlinear systems. Practical examples of such systems are image-based visual servoing (IBVS) and wheeled mobile robots (WMR), where the system dynamics includes a parametric uncertainty in the control effectiveness matrix with no drift term. The uncertainty in the input term po…
▽ More
In this paper, a continuous-time adaptive actor-critic reinforcement learning (RL) controller is developed for drift-free nonlinear systems. Practical examples of such systems are image-based visual servoing (IBVS) and wheeled mobile robots (WMR), where the system dynamics includes a parametric uncertainty in the control effectiveness matrix with no drift term. The uncertainty in the input term poses a challenge for developing a continuous-time RL controller using existing methods. In this paper, an actor-critic or synchronous policy iteration (PI)-based RL controller is presented with a concurrent learning (CL)-based parameter update law for estimating the unknown parameters of the control effectiveness matrix. An infinite-horizon value function minimization objective is achieved by regulating the current states to the desired with near-optimal control efforts. The proposed controller guarantees closed-loop stability and simulation results validate the proposed theory using IBVS and WMR examples.
△ Less
Submitted 13 June, 2024;
originally announced June 2024.
-
Predicting User Experience on Laptops from Hardware Specifications
Authors:
Saswat Padhi,
Sunil K. Bhasin,
Udaya K. Ammu,
Alex Bergman,
Allan Knies
Abstract:
Estimating the overall user experience (UX) on a device is a common challenge faced by manufacturers. Today, device makers primarily rely on microbenchmark scores, such as Geekbench, that stress test specific hardware components, such as CPU or RAM, but do not satisfactorily capture consumer workloads. System designers often rely on domain-specific heuristics and extensive testing of prototypes to…
▽ More
Estimating the overall user experience (UX) on a device is a common challenge faced by manufacturers. Today, device makers primarily rely on microbenchmark scores, such as Geekbench, that stress test specific hardware components, such as CPU or RAM, but do not satisfactorily capture consumer workloads. System designers often rely on domain-specific heuristics and extensive testing of prototypes to reach a desired UX goal, and yet there is often a mismatch between the manufacturers' performance claims and the consumers' experience.
We present our initial results on predicting real-life experience on laptops from their hardware specifications. We target web applications that run on Chromebooks (ChromeOS laptops) for a simple and fair aggregation of experience across applications and workloads. On 54 laptops, we track 9 UX metrics on common end-user workloads: web browsing, video playback and audio/video calls. We focus on a subset of high-level metrics exposed by the Chrome browser, that are part of the Web Vitals initiative for judging the UX on web applications.
With a dataset of 100K UX data points, we train gradient boosted regression trees that predict the metric values from device specifications. Across our 9 metrics, we note a mean $R^2$ score (goodness-of-fit on our dataset) of 97.8% and a mean MAAPE (percentage error in prediction on unseen data) of 10.1%.
△ Less
Submitted 14 February, 2024;
originally announced February 2024.
-
Modeling and parametric optimization of 3D tendon-sheath actuator system for upper limb soft exosuit
Authors:
Amit Yadav,
Nitesh Kumar,
Shaurya Surana,
Aravind Ramasamy,
Abhishek Rudra Pal,
Sushma Santapuri,
Lalan Kumar,
Suriya Prakash Muthukrishnan,
Shubhendu Bhasin,
Sitikantha Roy
Abstract:
This paper presents an analysis of parametric characterization of a motor driven tendon-sheath actuator system for use in upper limb augmentation for applications such as rehabilitation, therapy, and industrial automation. The double tendon sheath system, which uses two sets of cables (agonist and antagonist side) guided through a sheath, is considered to produce smooth and natural-looking movemen…
▽ More
This paper presents an analysis of parametric characterization of a motor driven tendon-sheath actuator system for use in upper limb augmentation for applications such as rehabilitation, therapy, and industrial automation. The double tendon sheath system, which uses two sets of cables (agonist and antagonist side) guided through a sheath, is considered to produce smooth and natural-looking movements of the arm. The exoskeleton is equipped with a single motor capable of controlling both the flexion and extension motions. One of the key challenges in the implementation of a double tendon sheath system is the possibility of slack in the tendon, which can impact the overall performance of the system. To address this issue, a robust mathematical model is developed and a comprehensive parametric study is carried out to determine the most effective strategies for overcoming the problem of slack and improving the transmission. The study suggests that incorporating a series spring into the system's tendon leads to a universally applicable design, eliminating the need for individual customization. The results also show that the slack in the tendon can be effectively controlled by changing the pretension, spring constant, and size and geometry of spool mounted on the axle of motor.
△ Less
Submitted 10 September, 2023; v1 submitted 30 June, 2023;
originally announced June 2023.
-
Adaptive Gravity Compensation Control of a Cable-Driven Upper-Arm Soft Exosuit
Authors:
Joyjit Mukherjee,
Ankit Chatterjee,
Shreeshan Jena,
Nitesh Kumar,
Suriya Prakash Muthukrishnan,
Sitikantha Roy,
Shubhendu Bhasin
Abstract:
This paper proposes an adaptive gravity compensation (AGC) control strategy for a cable-driven upper-limb exosuit intended to assist the wearer with lifting tasks. Unlike most model-based control techniques used for this human-robot interaction task, the proposed control design does not assume knowledge of the anthropometric parameters of the wearer's arm and the payload. Instead, the uncertaintie…
▽ More
This paper proposes an adaptive gravity compensation (AGC) control strategy for a cable-driven upper-limb exosuit intended to assist the wearer with lifting tasks. Unlike most model-based control techniques used for this human-robot interaction task, the proposed control design does not assume knowledge of the anthropometric parameters of the wearer's arm and the payload. Instead, the uncertainties in human arm parameters, such as mass, length, and payload, are estimated online using an indirect adaptive control law that compensates for the gravity moment about the elbow joint. Additionally, the AGC controller is agnostic to the desired joint trajectory followed by the human arm. For the purpose of controller design, the human arm is modeled using a 1-DOF manipulator model. Further, a cable-driven actuator model is proposed that maps the assistive elbow torque to the actuator torque. The performance of the proposed method is verified through a co-simulation, wherein the control input realized in MATLAB is applied to the human bio-mechanical model in OpenSim under varying payload conditions. Significant reductions in human effort in terms of human muscle torque and metabolic cost are observed with the proposed control strategy. Further, simulation results show that the performance of the AGC controller converges to that of the gravity compensation (GC) controller, demonstrating the efficacy of AGC-based online parameter learning.
△ Less
Submitted 28 April, 2023;
originally announced April 2023.
-
A Desynchronization-Based Countermeasure Against Side-Channel Analysis of Neural Networks
Authors:
Jakub Breier,
Dirmanto Jap,
Xiaolu Hou,
Shivam Bhasin
Abstract:
Model extraction attacks have been widely applied, which can normally be used to recover confidential parameters of neural networks for multiple layers. Recently, side-channel analysis of neural networks allows parameter extraction even for networks with several multiple deep layers with high effectiveness. It is therefore of interest to implement a certain level of protection against these attack…
▽ More
Model extraction attacks have been widely applied, which can normally be used to recover confidential parameters of neural networks for multiple layers. Recently, side-channel analysis of neural networks allows parameter extraction even for networks with several multiple deep layers with high effectiveness. It is therefore of interest to implement a certain level of protection against these attacks. In this paper, we propose a desynchronization-based countermeasure that makes the timing analysis of activation functions harder. We analyze the timing properties of several activation functions and design the desynchronization in a way that the dependency on the input and the activation type is hidden. We experimentally verify the effectiveness of the countermeasure on a 32-bit ARM Cortex-M4 microcontroller and employ a t-test to show the side-channel information leakage. The overhead ultimately depends on the number of neurons in the fully-connected layer, for example, in the case of 4096 neurons in VGG-19, the overheads are between 2.8% and 11%.
△ Less
Submitted 25 March, 2023;
originally announced March 2023.
-
BiCurNet: Pre-Movement EEG based Neural Decoder for Biceps Curl Trajectory Estimation
Authors:
Manali Saini,
Anant Jain,
Lalan Kumar,
Suriya Prakash Muthukrishnan,
Shubhendu Bhasin,
Sitikantha Roy
Abstract:
Kinematic parameter (KP) estimation from early electroencephalogram (EEG) signals is essential for positive augmentation using wearable robot. However, work related to early estimation of KPs from surface EEG is sparse. In this work, a deep learning-based model, BiCurNet, is presented for early estimation of biceps curl using collected EEG signal. The model utilizes light-weight architecture with…
▽ More
Kinematic parameter (KP) estimation from early electroencephalogram (EEG) signals is essential for positive augmentation using wearable robot. However, work related to early estimation of KPs from surface EEG is sparse. In this work, a deep learning-based model, BiCurNet, is presented for early estimation of biceps curl using collected EEG signal. The model utilizes light-weight architecture with depth-wise separable convolution layers and customized attention module. The feasibility of early estimation of KPs is demonstrated using brain source imaging. Computationally efficient EEG features in spherical and head harmonics domain is utilized for the first time for KP prediction. The best Pearson correlation coefficient (PCC) between estimated and actual trajectory of $0.7$ is achieved when combined EEG features (spatial and harmonics domain) in delta band is utilized. Robustness of the proposed network is demonstrated for subject-dependent and subject-independent training, using EEG signals with artifacts.
△ Less
Submitted 26 October, 2023; v1 submitted 10 January, 2023;
originally announced January 2023.
-
What Do Graph Convolutional Neural Networks Learn?
Authors:
Sannat Singh Bhasin,
Vaibhav Holani,
Divij Sanjanwala
Abstract:
Graph neural networks (GNNs) have gained traction over the past few years for their superior performance in numerous machine learning tasks. Graph Convolutional Neural Networks (GCN) are a common variant of GNNs that are known to have high performance in semi-supervised node classification (SSNC), and work well under the assumption of homophily. Recent literature has highlighted that GCNs can achi…
▽ More
Graph neural networks (GNNs) have gained traction over the past few years for their superior performance in numerous machine learning tasks. Graph Convolutional Neural Networks (GCN) are a common variant of GNNs that are known to have high performance in semi-supervised node classification (SSNC), and work well under the assumption of homophily. Recent literature has highlighted that GCNs can achieve strong performance on heterophilous graphs under certain "special conditions". These arguments motivate us to understand why, and how, GCNs learn to perform SSNC. We find a positive correlation between similarity of latent node embeddings of nodes within a class and the performance of a GCN. Our investigation on underlying graph structures of a dataset finds that a GCN's SSNC performance is significantly influenced by the consistency and uniqueness in neighborhood structure of nodes within a class.
△ Less
Submitted 5 July, 2022;
originally announced July 2022.
-
Machine learning using longitudinal prescription and medical claims for the detection of nonalcoholic steatohepatitis (NASH)
Authors:
Ozge Yasar,
Patrick Long,
Brett Harder,
Hanna Marshall,
Sanjay Bhasin,
Suyin Lee,
Mark Delegge,
Stephanie Roy,
Orla Doyle,
Nadea Leavitt,
John Rigg
Abstract:
Objectives To develop and evaluate machine learning models to detect suspected undiagnosed nonalcoholic steatohepatitis (NASH) patients for diagnostic screening and clinical management.
Methods In this retrospective observational noninterventional study using administrative medical claims data from 1,463,089 patients, gradient-boosted decision trees were trained to detect likely NASH patients fr…
▽ More
Objectives To develop and evaluate machine learning models to detect suspected undiagnosed nonalcoholic steatohepatitis (NASH) patients for diagnostic screening and clinical management.
Methods In this retrospective observational noninterventional study using administrative medical claims data from 1,463,089 patients, gradient-boosted decision trees were trained to detect likely NASH patients from an at-risk patient population with a history of obesity, type 2 diabetes mellitus (T2DM), metabolic disorder, or nonalcoholic fatty liver (NAFL). Models were trained to detect likely NASH in all at-risk patients or in the subset without a prior NAFL diagnosis (non-NAFL at-risk patients). Models were trained and validated using retrospective medical claims data and assessed using area under precision recall and receiver operating characteristic curves (AUPRCs, AUROCs).
Results The 6-month incidence of NASH in claims data was 1 per 1,437 at-risk patients and 1 per 2,127 non-NAFL at-risk patients. The model trained to detect NASH in all at-risk patients had an AUPRC of 0.0107 (95% CI 0.0104 - 0.011) and an AUROC of 0.84. At 10% recall, model precision was 4.3%, which is 60x above NASH incidence. The model trained to detect NASH in non-NAFL patients had an AUPRC of 0.003 (95% CI 0.0029 - 0.0031) and an AUROC of 0.78. At 10% recall, model precision was 1%, which is 20x above NASH incidence.
Conclusion The low incidence of NASH in medical claims data corroborates the pattern of NASH underdiagnosis in clinical practice. Claims-based machine learning could facilitate the detection of probable NASH patients for diagnostic testing and disease management.
△ Less
Submitted 7 March, 2022;
originally announced March 2022.
-
DeepFreeze: Cold Boot Attacks and High Fidelity Model Recovery on Commercial EdgeML Device
Authors:
Yoo-Seung Won,
Soham Chatterjee,
Dirmanto Jap,
Arindam Basu,
Shivam Bhasin
Abstract:
EdgeML accelerators like Intel Neural Compute Stick 2 (NCS) can enable efficient edge-based inference with complex pre-trained models. The models are loaded in the host (like Raspberry Pi) and then transferred to NCS for inference. In this paper, we demonstrate practical and low-cost cold boot based model recovery attacks on NCS to recover the model architecture and weights, loaded from the Raspbe…
▽ More
EdgeML accelerators like Intel Neural Compute Stick 2 (NCS) can enable efficient edge-based inference with complex pre-trained models. The models are loaded in the host (like Raspberry Pi) and then transferred to NCS for inference. In this paper, we demonstrate practical and low-cost cold boot based model recovery attacks on NCS to recover the model architecture and weights, loaded from the Raspberry Pi. The architecture is recovered with 100% success and weights with an error rate of 0.04%. The recovered model reports maximum accuracy loss of 0.5% as compared to original model and allows high fidelity transfer of adversarial examples. We further extend our study to other cold boot attack setups reported in the literature with higher error rates leading to accuracy loss as high as 70%. We then propose a methodology based on knowledge distillation to correct the erroneous weights in recovered model, even without access to original training data. The proposed attack remains unaffected by the model encryption features of the OpenVINO and NCS framework.
△ Less
Submitted 3 August, 2021;
originally announced August 2021.
-
Mitigating Power Attacks through Fine-Grained Instruction Reordering
Authors:
Yun Chen,
Ali Hajiabadi,
Romain Poussier,
Andreas Diavastos,
Shivam Bhasin,
Trevor E. Carlson
Abstract:
Side-channel attacks are a security exploit that take advantage of information leakage. They use measurement and analysis of physical parameters to reverse engineer and extract secrets from a system. Power analysis attacks in particular, collect a set of power traces from a computing device and use statistical techniques to correlate this information with the attacked application data and source c…
▽ More
Side-channel attacks are a security exploit that take advantage of information leakage. They use measurement and analysis of physical parameters to reverse engineer and extract secrets from a system. Power analysis attacks in particular, collect a set of power traces from a computing device and use statistical techniques to correlate this information with the attacked application data and source code. Counter measures like just-in-time compilation, random code injection and instruction descheduling obfuscate the execution of instructions to reduce the security risk. Unfortunately, due to the randomness and excess instructions executed by these solutions, they introduce large overheads in performance, power and area.
In this work we propose a scheduling algorithm that dynamically reorders instructions in an out-of-order processor to provide obfuscated execution and mitigate power analysis attacks with little-to-no effect on the performance, power or area of the processor. We exploit the time between operand availability of critical instructions (slack) to create high-performance random schedules without requiring additional instructions or static prescheduling. Further, we perform an extended security analysis using different attacks. We highlight the dangers of using incorrect adversarial assumptions, which can often lead to a false sense of security. In that regard, our advanced security metric demonstrates improvements of 34$\times$, while our basic security evaluation shows results up to 261$\times$. Moreover, our system achieves performance within 96% on average, of the baseline unprotected processor.
△ Less
Submitted 23 July, 2021;
originally announced July 2021.
-
SNIFF: Reverse Engineering of Neural Networks with Fault Attacks
Authors:
Jakub Breier,
Dirmanto Jap,
Xiaolu Hou,
Shivam Bhasin,
Yang Liu
Abstract:
Neural networks have been shown to be vulnerable against fault injection attacks. These attacks change the physical behavior of the device during the computation, resulting in a change of value that is currently being computed. They can be realized by various fault injection techniques, ranging from clock/voltage glitching to application of lasers to rowhammer. In this paper we explore the possibi…
▽ More
Neural networks have been shown to be vulnerable against fault injection attacks. These attacks change the physical behavior of the device during the computation, resulting in a change of value that is currently being computed. They can be realized by various fault injection techniques, ranging from clock/voltage glitching to application of lasers to rowhammer. In this paper we explore the possibility to reverse engineer neural networks with the usage of fault attacks. SNIFF stands for sign bit flip fault, which enables the reverse engineering by changing the sign of intermediate values. We develop the first exact extraction method on deep-layer feature extractor networks that provably allows the recovery of the model parameters. Our experiments with Keras library show that the precision error for the parameter recovery for the tested networks is less than $10^{-13}$ with the usage of 64-bit floats, which improves the current state of the art by 6 orders of magnitude. Additionally, we discuss the protection techniques against fault injection attacks that can be applied to enhance the fault resistance.
△ Less
Submitted 28 February, 2023; v1 submitted 23 February, 2020;
originally announced February 2020.
-
Enhancing Fault Tolerance of Neural Networks for Security-Critical Applications
Authors:
Manaar Alam,
Arnab Bag,
Debapriya Basu Roy,
Dirmanto Jap,
Jakub Breier,
Shivam Bhasin,
Debdeep Mukhopadhyay
Abstract:
Neural Networks (NN) have recently emerged as backbone of several sensitive applications like automobile, medical image, security, etc. NNs inherently offer Partial Fault Tolerance (PFT) in their architecture; however, the biased PFT of NNs can lead to severe consequences in applications like cryptography and security critical scenarios. In this paper, we propose a revised implementation which enh…
▽ More
Neural Networks (NN) have recently emerged as backbone of several sensitive applications like automobile, medical image, security, etc. NNs inherently offer Partial Fault Tolerance (PFT) in their architecture; however, the biased PFT of NNs can lead to severe consequences in applications like cryptography and security critical scenarios. In this paper, we propose a revised implementation which enhances the PFT property of NN significantly with detailed mathematical analysis. We evaluated the performance of revised NN considering both software and FPGA implementation for a cryptographic primitive like AES SBox. The results show that the PFT of NNs can be significantly increased with the proposed methodology.
△ Less
Submitted 5 February, 2019;
originally announced February 2019.
-
CSI Neural Network: Using Side-channels to Recover Your Artificial Neural Network Information
Authors:
Lejla Batina,
Shivam Bhasin,
Dirmanto Jap,
Stjepan Picek
Abstract:
Machine learning has become mainstream across industries. Numerous examples proved the validity of it for security applications. In this work, we investigate how to reverse engineer a neural network by using only power side-channel information. To this end, we consider a multilayer perceptron as the machine learning architecture of choice and assume a non-invasive and eavesdropping attacker capabl…
▽ More
Machine learning has become mainstream across industries. Numerous examples proved the validity of it for security applications. In this work, we investigate how to reverse engineer a neural network by using only power side-channel information. To this end, we consider a multilayer perceptron as the machine learning architecture of choice and assume a non-invasive and eavesdropping attacker capable of measuring only passive side-channel leakages like power consumption, electromagnetic radiation, and reaction time.
We conduct all experiments on real data and common neural net architectures in order to properly assess the applicability and extendability of those attacks. Practical results are shown on an ARM CORTEX-M3 microcontroller. Our experiments show that the side-channel attacker is capable of obtaining the following information: the activation functions used in the architecture, the number of layers and neurons in the layers, the number of output classes, and weights in the neural network. Thus, the attacker can effectively reverse engineer the network using side-channel information.
Next, we show that once the attacker has the knowledge about the neural network architecture, he/she could also recover the inputs to the network with only a single-shot measurement. Finally, we discuss several mitigations one could use to thwart such attacks.
△ Less
Submitted 22 October, 2018;
originally announced October 2018.
-
DeepLaser: Practical Fault Attack on Deep Neural Networks
Authors:
Jakub Breier,
Xiaolu Hou,
Dirmanto Jap,
Lei Ma,
Shivam Bhasin,
Yang Liu
Abstract:
As deep learning systems are widely adopted in safety- and security-critical applications, such as autonomous vehicles, banking systems, etc., malicious faults and attacks become a tremendous concern, which potentially could lead to catastrophic consequences. In this paper, we initiate the first study of leveraging physical fault injection attacks on Deep Neural Networks (DNNs), by using laser inj…
▽ More
As deep learning systems are widely adopted in safety- and security-critical applications, such as autonomous vehicles, banking systems, etc., malicious faults and attacks become a tremendous concern, which potentially could lead to catastrophic consequences. In this paper, we initiate the first study of leveraging physical fault injection attacks on Deep Neural Networks (DNNs), by using laser injection technique on embedded systems. In particular, our exploratory study targets four widely used activation functions in DNNs development, that are the general main building block of DNNs that creates non-linear behaviors -- ReLu, softmax, sigmoid, and tanh. Our results show that by targeting these functions, it is possible to achieve a misclassification by injecting faults into the hidden layer of the network. Such result can have practical implications for real-world applications, where faults can be introduced by simpler means (such as altering the supply voltage).
△ Less
Submitted 29 September, 2018; v1 submitted 15 June, 2018;
originally announced June 2018.
-
Modification of GTD from Flat File Format to OLAP for Data Mining
Authors:
Karanjit Singh,
Shuchita Bhasin
Abstract:
This document is part of original research work by the authors in a bid to explore new fields for applying Data Mining Techniques. The sample data is part of a large data set from University of Maryland (UMD) and outlines how more meaningful patterns can be discovered by preprocessing the data in the form of OLAP cubes.
This document is part of original research work by the authors in a bid to explore new fields for applying Data Mining Techniques. The sample data is part of a large data set from University of Maryland (UMD) and outlines how more meaningful patterns can be discovered by preprocessing the data in the form of OLAP cubes.
△ Less
Submitted 26 August, 2011;
originally announced August 2011.
