Digital Event Horizon

Boffins Uncover Dark Secret: How to Steal AI Model Hyperparameters Using Electromagnetic Intensity




A team of researchers from North Carolina State University has made a groundbreaking discovery that reveals how to steal AI model hyperparameters using electromagnetic intensity. The technique, dubbed "TPUXtract," uses side-channel attacks to measure the electromagnetic emanations of an AI model in use on a Google Edge Tensor Processing Unit (TPU). With this ability, an adversary could potentially create a high-fidelity substitute model at far less cost than incurred during the original training process, raising significant concerns about the security implications for the development and deployment of AI models.

  • Researchers from North Carolina State University have developed a way to copy AI models running on Google Edge Tensor Processing Units (TPUs).
  • The technique is a side-channel attack that measures electromagnetic intensity of AI model use to infer hyperparameters.
  • Machine learning model hyperparameters affect model performance, but extracting them can be challenging and resource-intensive.
  • The researchers' approach extracts information from each neural network layer sequentially, overcoming previous brute force attacks.
  • The method allows for the recreation of a model with high accuracy (99.91%), although the process is time-consuming (3 hours per layer).
  • The discovery raises concerns about the vulnerability of commercial accelerators like the Edge TPU to model stealing and has significant implications for AI development and deployment.



    Boffins from North Carolina State University have made a groundbreaking discovery that has left the cybersecurity community reeling. In a paper titled "TPUXtract: An Exhaustive Hyperparameter Extraction Framework," the researchers have devised a way to copy AI models running on Google Edge Tensor Processing Units (TPUs), as used in Google Pixel phones and third-party machine learning accelerators.

    The technique, developed by NC State researchers Ashley Kurian, Anuj Dubey, Ferhat Yaman, and Aydin Aysu, is a side-channel attack that measures the electromagnetic intensity of AI model use (inference) when running on TPUs. By exploiting these measurements, the researchers are able to infer model hyperparameters – values set prior to the training process that affect model training.

    Machine learning model hyperparameters refer to values such as the learning rate, batch size, or pool size that are distinct from model parameters – internal weights learned during training. These hyperparameters play a crucial role in shaping the performance of an AI model. However, extracting them can be a daunting task, often requiring significant resources and expertise.

    The researchers' approach involves extracting information about each neural network layer sequentially and then feeding extracted hyperparameters for each layer back into the layer extraction framework. This overcomes problems with prior efforts that required an impractical brute force attack against the entire model but yielded only some of the model's hyperparameters.

    According to the researchers, their approach is able to recreate a model with 99.91 percent accuracy. The process – tested on models such as MobileNet V3, Inception V3, and ResNet-50 – takes about three hours per layer. The models cited in the paper range from 28 to 242 layers.
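    To make concrete why the sequential, feedback-driven approach described above is tractable where whole-model brute force is not, here is an added Python example (not code from the paper or from The Register; the candidate hyperparameter space, the three-layer toy model and the `ConstructedOracle` that stands in for the EM-trace comparison are all assumptions constructed for this illustration). It counts the candidate evaluations each strategy needs, runs the per-layer search against the constructed oracle, and converts the article's three-hours-per-layer figure into wall-clock time for the 28- and 242-layer extremes quoted above.

```python
"""Toy model of per-layer, feedback-driven hyperparameter search versus
whole-model brute force. Illustrative only: the candidate space, the toy
model and the oracle are constructed for this example and are not taken
from the TPUXtract paper."""
from itertools import product

# Constructed per-layer hyperparameter candidate space (assumption).
CANDIDATES = {
    "kernel_size": (1, 3, 5),
    "stride": (1, 2),
    "filters": (16, 32, 64, 128),
}


def layer_candidates():
    """Every hyperparameter combination a single layer could take."""
    keys = list(CANDIDATES)
    return [dict(zip(keys, combo))
            for combo in product(*(CANDIDATES[k] for k in keys))]


def brute_force_cost(num_layers):
    """Whole-model brute force must consider every combination of every
    layer's choices: the per-layer count raised to the number of layers."""
    return len(layer_candidates()) ** num_layers


def sequential_cost(num_layers):
    """Worst case for per-layer extraction with feedback: each layer is
    searched on its own once the earlier layers are fixed, so the cost is
    the per-layer count times the number of layers."""
    return len(layer_candidates()) * num_layers


class ConstructedOracle:
    """Stands in for the comparison the paper performs against measured EM
    emanations. Here it is a direct comparison against a known toy model,
    so the example only models the structure of the search, not the
    physical measurement."""

    def __init__(self, true_model):
        self._true = true_model
        self.queries = 0

    def prefix_matches(self, prefix):
        """Does a candidate configuration for layers 0..i match the model?"""
        self.queries += 1
        return prefix == self._true[:len(prefix)]


def extract_sequentially(oracle, num_layers):
    """Recover one layer at a time, feeding already-recovered layers back
    in as the fixed prefix for the next layer's search."""
    recovered = []
    for _ in range(num_layers):
        for cand in layer_candidates():
            if oracle.prefix_matches(recovered + [cand]):
                recovered.append(cand)
                break
        else:
            raise ValueError("no candidate matched; candidate space too small")
    return recovered


def hours_to_extract(num_layers, hours_per_layer=3):
    """Wall-clock estimate using the article's ~3 hours per layer figure."""
    return num_layers * hours_per_layer


# Constructed three-layer toy model (assumption).
TOY_MODEL = [
    {"kernel_size": 3, "stride": 1, "filters": 32},
    {"kernel_size": 5, "stride": 2, "filters": 64},
    {"kernel_size": 1, "stride": 1, "filters": 128},
]

if __name__ == "__main__":
    oracle = ConstructedOracle(TOY_MODEL)
    found = extract_sequentially(oracle, len(TOY_MODEL))
    print("recovered matches toy model:", found == TOY_MODEL)
    print("oracle queries used:", oracle.queries,
          "of worst case", sequential_cost(len(TOY_MODEL)))
    print("brute-force candidates for 3 layers:", brute_force_cost(3))
    for layers in (28, 242):
        print(f"{layers} layers: brute force {brute_force_cost(layers):.2e} "
              f"candidates vs sequential {sequential_cost(layers)}, "
              f"about {hours_to_extract(layers)} hours at 3 h/layer")
```

The point the numbers make is the same one the paragraph makes in words: with 24 candidates per layer, a three-layer model already has 13,824 whole-model combinations but at most 72 per-layer checks, and the gap grows exponentially with depth, which is why feeding each recovered layer back into the search is what turns an impractical brute force into a per-layer cost that scales linearly with the model's depth.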

    "Our research demonstrates that an adversary can effectively reverse engineer the hyperparameters of a neural network by observing its EM emanations during inference, even in a black box setting," the authors state in their paper. "The coverage and accuracy of our approach raise significant concerns about the vulnerability of commercial accelerators like the Edge TPU to model stealing in various real-world scenarios."

    The implications of this discovery are far-reaching for the development and deployment of AI models. With the ability to extract hyperparameters, an adversary could potentially create a high-fidelity substitute model at far less cost than incurred during the original training process.

    Google is aware of the researchers' findings, but declined to comment on the record. The Register understands from conversations with shy comms folk that one of the reasons the Coral Dev Board was chosen is that it does not implement memory encryption.

    The discovery has sparked concerns within the cybersecurity community about the vulnerability of commercial accelerators like the Edge TPU to model stealing in various real-world scenarios. As AI continues to play an increasingly prominent role in our lives, the security implications of this discovery cannot be overstated.



    Related Information:

  • https://go.theregister.com/feed/www.theregister.com/2024/12/18/ai_model_reveal_itself/

  • https://www.msn.com/en-us/news/technology/boffins-trick-ai-model-into-giving-up-its-secrets/ar-AA1w60OH

  • https://www.theregister.com/2024/12/18/ai_model_reveal_itself/


  • Published: Wed Dec 18 10:25:30 2024 by llama3.2 3B Q4_K_M