Leveraging Neural Trojan Side-Channels for Output Exfiltration
Saved in:
| Main Authors: | Vincent Meyers, Michael Hefenbrock, Dennis Gnad, Mehdi Tahoori |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | MDPI AG, 2025-01-01 |
| Series: | Cryptography |
| Subjects: | neural network accelerators; power side-channel; neural Trojan; Trojan side-channel |
| Online Access: | https://www.mdpi.com/2410-387X/9/1/5 |
| _version_ | 1849341591418830848 |
|---|---|
| author | Vincent Meyers; Michael Hefenbrock; Dennis Gnad; Mehdi Tahoori |
| author_facet | Vincent Meyers; Michael Hefenbrock; Dennis Gnad; Mehdi Tahoori |
| author_sort | Vincent Meyers |
| collection | DOAJ |
| description | Neural networks have become pivotal in advancing applications across various domains, including healthcare, finance, surveillance, and autonomous systems. To achieve low latency and high efficiency, field-programmable gate arrays (FPGAs) are increasingly being employed as accelerators for neural network inference in cloud and edge devices. However, the rising costs and complexity of neural network training have led to the widespread use of outsourcing of training, pre-trained models, and machine learning services, raising significant concerns about security and trust. Specifically, malicious actors may embed neural Trojans within NNs, exploiting them to leak sensitive data through side-channel analysis. This paper builds upon our prior work, where we demonstrated the feasibility of embedding Trojan side-channels in neural network weights, enabling the extraction of classification results via remote power side-channel attacks. In this expanded study, we introduced a broader range of experiments to evaluate the robustness and effectiveness of this attack vector. We detail a novel training methodology that enhanced the correlation between power consumption and network output, achieving up to a 33% improvement in reconstruction accuracy over benign models. Our approach eliminates the need for additional hardware, making it stealthier and more resistant to conventional hardware Trojan detection methods. We provide comprehensive analyses of attack scenarios in both controlled and variable environmental conditions, demonstrating the scalability and adaptability of our technique across diverse neural network architectures, such as MLPs and CNNs. Additionally, we explore countermeasures and discuss their implications for the design of secure neural network accelerators. To the best of our knowledge, this work is the first to present a passive output recovery attack on neural network accelerators, without explicit trigger mechanisms. The findings emphasize the urgent need to integrate hardware-aware security protocols in the development and deployment of neural network accelerators. |
| format | Article |
| id | doaj-art-2c46427822f449dc8a657b3648ae0a8e |
| institution | Kabale University |
| issn | 2410-387X |
| language | English |
| publishDate | 2025-01-01 |
| publisher | MDPI AG |
| record_format | Article |
| series | Cryptography |
| spelling | doaj-art-2c46427822f449dc8a657b3648ae0a8e; 2025-08-20T03:43:36Z; eng; MDPI AG; Cryptography; 2410-387X; 2025-01-01; volume 9, issue 1, article 5; DOI 10.3390/cryptography9010005; Leveraging Neural Trojan Side-Channels for Output Exfiltration; Vincent Meyers (Department of Computer Science, Karlsruhe Institute of Technology (KIT), 76131 Karlsruhe, Germany); Michael Hefenbrock (RevoAI GmbH, 76131 Karlsruhe, Germany); Dennis Gnad (Department of Computer Science, Karlsruhe Institute of Technology (KIT), 76131 Karlsruhe, Germany); Mehdi Tahoori (Department of Computer Science, Karlsruhe Institute of Technology (KIT), 76131 Karlsruhe, Germany); abstract (as in the description field); https://www.mdpi.com/2410-387X/9/1/5; neural network accelerators; power side-channel; neural Trojan; Trojan side-channel |
| spellingShingle | Vincent Meyers; Michael Hefenbrock; Dennis Gnad; Mehdi Tahoori; Leveraging Neural Trojan Side-Channels for Output Exfiltration; Cryptography; neural network accelerators; power side-channel; neural Trojan; Trojan side-channel |
| title | Leveraging Neural Trojan Side-Channels for Output Exfiltration |
| title_full | Leveraging Neural Trojan Side-Channels for Output Exfiltration |
| title_fullStr | Leveraging Neural Trojan Side-Channels for Output Exfiltration |
| title_full_unstemmed | Leveraging Neural Trojan Side-Channels for Output Exfiltration |
| title_short | Leveraging Neural Trojan Side-Channels for Output Exfiltration |
| title_sort | leveraging neural trojan side channels for output exfiltration |
| topic | neural network accelerators; power side-channel; neural Trojan; Trojan side-channel |
| url | https://www.mdpi.com/2410-387X/9/1/5 |
| work_keys_str_mv | AT vincentmeyers leveragingneuraltrojansidechannelsforoutputexfiltration AT michaelhefenbrock leveragingneuraltrojansidechannelsforoutputexfiltration AT dennisgnad leveragingneuraltrojansidechannelsforoutputexfiltration AT mehditahoori leveragingneuraltrojansidechannelsforoutputexfiltration |