Please use this identifier to cite or link to this item:
Title: Mercury: an automated remote side-channel attack to Nvidia deep learning accelerator
Authors: Yan, Xiaobei
Lou, Xiaoxuan
Xu, Guowen
Qiu, Han
Guo, Shangwei
Chang, Chip Hong
Zhang, Tianwei
Keywords: Computer and Information Science
Issue Date: 2023
Source: Yan, X., Lou, X., Xu, G., Qiu, H., Guo, S., Chang, C. H. & Zhang, T. (2023). Mercury: an automated remote side-channel attack to Nvidia deep learning accelerator. 2023 International Conference on Field-Programmable Technology (ICFPT), 188-197.
Project: NRF2018NCRNCR009-0001 
Conference: 2023 International Conference on Field-Programmable Technology (ICFPT)
Abstract: DNN accelerators have been widely deployed in many scenarios to speed up the inference process and reduce the energy consumption. One big concern about the usage of the accelerators is the confidentiality of the deployed models: model inference execution on the accelerators could leak side-channel information, which enables an adversary to preciously recover the model details. Such model extraction attacks can not only compromise the intellectual property of DNN models, but also facilitate some adversarial attacks. Although previous works have demonstrated a number of side-channel techniques to extract models from DNN accelerators, they are not practical for two reasons. (1) They only target simplified accelerator implementations, which have limited practicality in the real world. (2) They require heavy human analysis and domain knowledge. To overcome these limitations, this paper presents Mercury, the first automated remote side-channel attack against the off-the-shelf Nvidia DNN accelerator. The key insight of Mercury is to model the side-channel extraction process as a sequence-to-sequence problem. The adversary can leverage a time-to-digital converter (TDC) to remotely collect the power trace of the target model's inference. Then he uses a learning model to automatically recover the architecture details of the victim model from the power trace without any prior knowledge. The adversary can further use the attention mechanism to localize the leakage points that contribute most to the attack. Evaluation results indicate that Mercury can keep the error rate of model extraction below 1%.
ISBN: 979-8-3503-5911-4
ISSN: 2837-0449
DOI: 10.1109/ICFPT59805.2023.00026
Schools: School of Computer Science and Engineering 
Rights: © 2023 IEEE. All rights reserved. This article may be downloaded for personal use only. Any other use requires prior permission of the copyright holder. The Version of Record is available online at
Fulltext Permission: open
Fulltext Availability: With Fulltext
Appears in Collections:SCSE Conference Papers

Files in This Item:
File Description SizeFormat 
_DR_NTU_An_Automated_Remote_Side_channel_Attack_to_FPGA_based_DNN_Accelerators.pdf2.97 MBAdobe PDFThumbnail

Page view(s)

Updated on Jul 18, 2024


Updated on Jul 18, 2024

Google ScholarTM




Items in DR-NTU are protected by copyright, with all rights reserved, unless otherwise indicated.