Remote Identification of Neural Network FPGA Accelerators by Power Fingerprints

Bibliographic Details
Main Authors: Meyers, Vincent, Hefenbrock, Michael, Gnad, Dennis, Tahoori, Mehdi
Format: Conference Proceeding
Language: English
container_end_page 264
container_start_page 259
creator Meyers, Vincent
Hefenbrock, Michael
Gnad, Dennis
Tahoori, Mehdi
description Machine learning acceleration has become increasingly popular in recent years, with machine learning-as-a-service (MLaaS) scenarios offering convenient and efficient ways to access pre-trained neural network models on devices such as cloud FPGAs. However, the ease of access and use also raises concerns over model theft or misuse through model manipulation. To address these concerns, this paper proposes a method for identifying neural network models in MLaaS scenarios by their unique power consumption. Current fingerprinting methods for neural networks rely on input/output pairs or characteristics of the decision boundary, which might not always be accessible in more complex systems. Our proposed method utilizes unique power characteristics of the black-box neural network accelerator to extract a fingerprint by measuring the voltage fluctuations of the device when querying specially crafted inputs. We take advantage of the fact that the power consumption of the accelerator varies depending on the input being processed. For evaluation of our method we conduct 200 fingerprint extraction and matching experiments and the results confirm that the proposed method can distinguish between correct and incorrect models in 100% of the cases. Furthermore, we show that the fingerprint is robust to environmental and chip-to-chip variations.
doi_str_mv 10.1109/FPL60245.2023.00044
format conference_proceeding
identifier EISSN: 1946-1488
ispartof 2023 33rd International Conference on Field-Programmable Logic and Applications (FPL), 2023, p.259-264
issn 1946-1488
language eng
recordid cdi_ieee_primary_10296323
source IEEE Xplore All Conference Series
subjects Artificial neural networks
ip protection
neural network fingerprinting
Power demand
Power measurement
power side-channel
Semiconductor device measurement
Temperature measurement
Voltage fluctuations
Voltage measurement
title Remote Identification of Neural Network FPGA Accelerators by Power Fingerprints