TY - GEN
T1 - NeurObfuscator
T2 - 2021 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2021
AU - Li, Jingtao
AU - He, Zhezhi
AU - Rakin, Adnan Siraj
AU - Fan, Deliang
AU - Chakrabarti, Chaitali
N1 - Publisher Copyright:
© 2021 IEEE.
PY - 2021
Y1 - 2021
N2 - Neural network stealing attacks pose a grave threat to neural network model deployment. Such attacks can be launched by extracting neural architecture information, such as the layer sequence and dimension parameters, through leaky side-channels. To mitigate such attacks, we propose NeurObfuscator, a full-stack obfuscation tool that obfuscates the neural network architecture while preserving its functionality with very limited performance overhead. At the heart of this tool is a set of obfuscating knobs, including layer branching, layer widening, selective fusion and schedule pruning, that increase the number of operators and reduce or increase the latency and the number of cache and DRAM accesses. A genetic algorithm-based approach is adopted to orchestrate the combination of obfuscating knobs to achieve the best obfuscating effect on the layer sequence and dimension parameters, so that the architecture information cannot be successfully extracted. Results on sequence obfuscation show that the proposed tool obfuscates a ResNet-18 ImageNet model into a totally different architecture (with a 44-layer difference) without affecting its functionality and with only 2% overall latency overhead. For dimension obfuscation, we demonstrate that an example convolution layer with 64 input and 128 output channels can be obfuscated to generate a layer with 207 input and 93 output channels with only a 2% latency overhead.
KW - Architecture Stealing
KW - Neural Network
KW - Obfuscation
KW - Side-channel attack
UR - http://www.scopus.com/inward/record.url?scp=85126755401&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85126755401&partnerID=8YFLogxK
U2 - 10.1109/HOST49136.2021.9702279
DO - 10.1109/HOST49136.2021.9702279
M3 - Conference contribution
AN - SCOPUS:85126755401
T3 - Proceedings of the 2021 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2021
SP - 248
EP - 258
BT - Proceedings of the 2021 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2021
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 13 December 2021 through 14 December 2021
ER -