Catch the Star: Weight Recovery Attack Using Side-Channel Star Map Against DNN Accelerator

Abstract

The rapid development of Artificial Intelligence (AI) technology must be connected to the arithmetic support of high-performance hardware. However, when the deep neural network (DNN) accelerator performs inference tasks at the edge end, the sensitive data of DNN will generate leakage through side-channel information. The adversary can recover the model structure and weight parameters of DNN by using the side-channel information, which seriously affects the protection of necessary intellectual property (IP) of DNN, so the hardware security of the DNN accelerator is critical. In the current research of Side-channel attack (SCA) for matrix multiplication units, such as systolic arrays, the linear multiplication operation leads to a more extensive weights search space for the SCA, and extracting all the weight parameters requires higher attack conditions. This article proposes a new power SCA method, which includes a Collision-Correlation Power Analysis (Collision-CPA) and Correlation-based Weight Search Algorithm (C-WSA) to address the problem. The Collision-CPA reduces the attack conditions for the SCA by building multiple Hamming Distance (HD)-based power leakage models for the systolic array. Meanwhile, the C-WSA dramatically reduces the weights search space. In addition, the concept of a Side-channel star map (SCSM) is proposed for the first time in this article, and the adversary can quickly and accurately locate the correct weight information in the SCSM. Through experiments, we recover all the weight parameters of a $3\times 3$ systolic array based on 100000 power traces, in which the weight search space is reduced by up to 97.7%. For the DNN accelerator at the edge, especially the systolic array structure, our proposed novel SCA aligns more with practical attack scenarios, with lower attack conditions, and higher attack efficiency.