
Xiang Zhang PhD Proposal Review

December 20, 2023 @ 2:00 pm - 3:00 pm

Title: Confidentiality and Privacy Preserving: Intertwining Deep Learning and Side-channel Analysis

Meeting ID: 976 4324 8925 Passcode: 779251

Committee Members:
Prof. Yunsi Fei (Advisor)
Prof. Adam Ding
Prof. Lili Su

Abstract:
In the past decade, deep learning-empowered technologies have significantly permeated our daily lives, revolutionizing diverse application domains with superb performance. In hardware security, deep learning has been employed for power and electromagnetic side-channel analysis (SCA) and protection, and the security of deep learning implementations themselves is starting to gain traction.

This dissertation delves into the intertwining of deep learning techniques and side-channel analysis. It addresses two critical questions: how to extend deep learning to other types of SCAs, and what confidentiality and privacy vulnerabilities deep learning models have.

Our research work first explores deep learning-assisted cache side-channel attacks and introduces innovative countermeasures grounded in the principles of adversarial samples against deep learning. We first design a novel high-frequency cache monitor, which runs concurrently with the victim execution and collects run-time timing traces, whereas previous cache monitors are only able to collect isolated timing samples. Such timing traces facilitate follow-on non-profiled Differential Deep Learning Analysis (DDLA) for secret retrieval. We also propose a novel countermeasure against the new DDLA, leveraging the concept of adversarial examples: it deliberately introduces obfuscation operations into the victim program so as to generate ‘adversarial’ timing traces and thereby defeat the follow-on DDLA.

The second part of the dissertation addresses the vulnerability of deep neural network (DNN) implementations and presents novel methodologies for enhancing user privacy. It introduces a technique for extracting deep learning models through software-based power side channels. By manipulating model inputs and leveraging the readings reported by the on-chip Intel Running Average Power Limit (RAPL) sensors, the entire set of model parameters can be extracted when model inference is executed on modern processors. To protect both model confidentiality and input privacy, this dissertation proposes to obfuscate the model inputs while preserving end-to-end functionality. It introduces an encoder that transforms the inputs before they are fed to the DNN model, and appends a decoder after the model outputs to recover the intended results. Compared to traditional encryption or masking techniques, the approach is more efficient and can effectively protect both user privacy and model confidentiality.
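The abstract only states the shape of the protection (an encoder before the model, a decoder after it, functionality preserved end to end); it does not give the construction. As an added illustration that is not the dissertation's method, the following toy example shows the idea for a purely linear model: the client applies a random invertible linear encoder E to its input, the deployed model is re-parameterised as W' = P·W·E⁻¹ and b' = P·b (P a random output permutation), and the client's decoder undoes P. The serving side computes on the encoded input and obfuscated weights, and the client recovers exactly W·x + b. All matrices, the model, and the sample input are constructed here; a real DNN with nonlinear layers needs a different construction that the abstract does not describe.

```python
"""Toy input/output obfuscation around a linear model (constructed example).

Assumption: the model is y = W x + b. An invertible encoder E hides x from the
serving side; an output permutation P, undone by the decoder, hides which
output is which. Deployed parameters are W' = P W E^-1 and b' = P b.
"""
import random


def mat_vec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def mat_mul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]


def invert(M):
    """Gauss-Jordan inverse with partial pivoting; ValueError if singular."""
    n = len(M)
    aug = [list(map(float, M[i])) + [1.0 if i == j else 0.0 for j in range(n)]
           for i in range(n)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-9:
            raise ValueError("singular matrix")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [a / p for a in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [a - f * c for a, c in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def random_invertible(n, rng):
    """Draw random square matrices until one is invertible."""
    while True:
        E = [[rng.uniform(-2.0, 2.0) for _ in range(n)] for _ in range(n)]
        try:
            invert(E)
            return E
        except ValueError:
            continue


def permutation_matrix(perm):
    # (P y)[i] = y[perm[i]]
    n = len(perm)
    return [[1.0 if perm[i] == j else 0.0 for j in range(n)] for i in range(n)]


def make_obfuscated_model(W, b, seed=0):
    """Client-side setup: keep E and perm secret, ship W_dep/b_dep to the server."""
    rng = random.Random(seed)
    n_in, n_out = len(W[0]), len(W)
    E = random_invertible(n_in, rng)
    perm = list(range(n_out))
    rng.shuffle(perm)
    P = permutation_matrix(perm)
    W_dep = mat_mul(mat_mul(P, W), invert(E))   # P W E^-1
    b_dep = mat_vec(P, b)                       # P b
    return E, perm, W_dep, b_dep


def encode_input(E, x):
    """Client: the server only ever sees z = E x, never x."""
    return mat_vec(E, x)


def serve(W_dep, b_dep, z):
    """Server: ordinary inference on the obfuscated parameters."""
    return [s + t for s, t in zip(mat_vec(W_dep, z), b_dep)]


def decode_output(perm, y_perm):
    """Client: undo the output permutation to get the intended result."""
    y = [0.0] * len(perm)
    for i, j in enumerate(perm):
        y[j] = y_perm[i]
    return y


def plain_inference(W, b, x):
    return [s + t for s, t in zip(mat_vec(W, x), b)]


def end_to_end(W, b, x, seed=0):
    """Run the full encode -> serve -> decode path; returns recovered y."""
    E, perm, W_dep, b_dep = make_obfuscated_model(W, b, seed)
    return decode_output(perm, serve(W_dep, b_dep, encode_input(E, x)))


if __name__ == "__main__":
    W = [[1.0, 2.0, 3.0], [4.0, 5.0, 6.0]]   # constructed toy weights
    b = [0.5, -1.0]
    x = [1.0, 0.0, -1.0]                     # constructed client input
    print("plain    :", plain_inference(W, b, x))
    print("recovered:", end_to_end(W, b, x))
```

The recovered output matches plain inference up to floating-point rounding, while the server-side artefacts (the encoded input and `W_dep`) differ from the client's `x` and the original `W`. Whether such a linear re-parameterisation actually resists a given model-extraction or input-inference attack is a separate question the abstract does not answer; the block only shows the functionality-preserving wrapping.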

The overall goal of the dissertation is to further investigate the power of deep learning in both SCA and its countermeasures, and to safeguard DNN implementations.

Details

Date:
December 20, 2023
Time:
2:00 pm - 3:00 pm
Website:
https://northeastern.zoom.us/j/97643248925?pwd=SVJiMTMxRUZNUU9lZE5WRjdnblRuZz09

Other

Department
Electrical and Computer Engineering
Topics
MS/PhD Thesis Defense
Audience
MS, PhD, Faculty, Staff