NeurObfuscator: A Full-stack Obfuscation Tool to Mitigate Neural Architecture Stealing

Jingtao Li, Zhezhi He, Adnan Siraj Rakin, Deliang Fan, Chaitali Chakrabarti

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

6 Scopus citations

Abstract

Neural network stealing attacks pose grave threats to neural network model deployment. Such attacks can be launched by extracting neural architecture information, such as the layer sequence and dimension parameters, through leaky side-channels. To mitigate such attacks, we propose NeurObfuscator, a full-stack obfuscation tool that obfuscates the neural network architecture while preserving its functionality with very limited performance overhead. At the heart of this tool is a set of obfuscating knobs, including layer branching, layer widening, selective fusion and schedule pruning, that change the number of operators, the latency (reducing or increasing it), and the number of cache and DRAM accesses. A genetic algorithm-based approach is adopted to orchestrate the combination of obfuscating knobs so as to achieve the best obfuscating effect on the layer sequence and dimension parameters, so that the architecture information cannot be successfully extracted. Results on sequence obfuscation show that the proposed tool obfuscates a ResNet-18 ImageNet model into a totally different architecture (with a 44-layer difference) without affecting its functionality, at only 2% overall latency overhead. For dimension obfuscation, we demonstrate that an example convolution layer with 64 input and 128 output channels can be obfuscated into a layer with 207 input and 93 output channels with only a 2% latency overhead.

Original language: English (US)
Title of host publication: Proceedings of the 2021 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2021
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 248-258
Number of pages: 11
ISBN (Electronic): 9781665413572
DOIs
State: Published - 2021
Event: 2021 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2021 - Virtual, Online, United States
Duration: Dec 13 2021 - Dec 14 2021

Publication series

Name: Proceedings of the 2021 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2021

Conference

Conference: 2021 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2021
Country/Territory: United States
City: Virtual, Online
Period: 12/13/21 - 12/14/21

Keywords

  • Architecture Stealing
  • Neural Network
  • Obfuscation
  • Side-channel attack

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Hardware and Architecture
  • Safety, Risk, Reliability and Quality
