Electromagnetic Side-Channel Analysis of Deep-Learning Architectures on Reconfigurable Edge Hardware

Author(s)
Sharma, Sudarshan
Organizational Unit
Daniel Guggenheim School of Aerospace Engineering
Abstract
The use of Machine Learning (ML) models on edge devices has gained significant attention in recent years because of their low latency and stronger privacy guarantees. Edge Artificial Intelligence (Edge AI) devices are tailored to specific applications, and considerable resources are spent optimizing the end product, so the value of the underlying model architecture lies in its status as Intellectual Property (IP). In addition, an adversary who steals the model architecture can potentially launch severe attacks, such as Denial of Service (DoS) or misuse attacks, through adversarial examples. Safeguarding the confidentiality and security of the model architecture is therefore imperative to prevent such attacks and misuse. In this thesis, we investigate the Electromagnetic (EM) Side-Channel (SC) analysis of Neural Network (NN) architectures and present SNATCH, a profiling-based Side-Channel Attack (SCA) designed to extract the architecture of a neural network running on a proprietary Machine Learning Accelerator (MLA), the Deep Processing Unit (DPU) IP developed by Xilinx. We use EM SC leakage from a Field-Programmable Gate Array (FPGA) running ML models on a clone device to build a profiler, then apply that profiler to the victim's device to recover the NN architecture. SNATCH extracts the architecture layer by layer rather than as a whole, which makes it a more scalable method for recovering NN architectures. We show that the attack generalizes by testing the profiler on EM traces from unseen architectures, and we assess its transferability by evaluating the profiler on EM traces captured from a different device. Finally, we define a reconstruction error tuple metric to quantitatively assess how well the profiler reconstructs the network architecture.
Date
2025-07-28
Resource Type
Text
Resource Subtype
Thesis