Područje interesa Odjela za računalnu inteligenciju je teorija, oblikovanje, primjena i razvoj biološki i lingvistički motiviranih računalnih paradigmi s naglaskom na neuronske mreže, konekcijske sustave, genetičke algoritme, evolucijsko programiranje, neizrazite sustave i hibridne inteligentne sustave koji su temeljeni na ovim paradigmama.
Odjel za računalnu inteligenciju
Odjel za računalnu inteligenciju Hrvatske sekcije IEEE poziva Vas na predavanje
CSI NN: Reverse Engineering of Neural Network Architectures Through Electromagnetic Side Channel
koje će održati doc. dr. sc. Stjepan Picek u petak, 29. studenog 2019. u 12:30 u prostoriji D346 Fakulteta elektrotehnike i računarstva Sveučilišta u Zagrebu. Predviđeno trajanje predavanja je 45 minuta, a više informacija o predavanju i predavaču pročitajte u opširnijem sadržaju obavijesti.
Abstract:
Machine learning has become mainstream across industries. Numerous examples prove the validity of it for security applications. In this work, we investigate how to reverse engineer a neural network by using side-channel information such as timing and electromagnetic (EM) emanations. To this end, we consider multilayer perceptrons and convolutional neural networks as the machine learning architectures of choice and assume a non-invasive and passive attacker capable of measuring those kinds of leakages.
We conduct all experiments on real data and commonly used neural network architectures in order to properly assess the applicability and extendability of those attacks. Practical results are shown on an ARM Cortex-M3 microcontroller, which is a platform often used in pervasive applications using neural networks such as wearables, surveillance cameras, etc. Our experiments show that a side-channel attacker is capable of obtaining the following information: the activation functions used in the architecture, the number of layers and neurons in the layers, the number of output classes, and weights in the neural network. Thus, the attacker can effectively reverse engineer the network using side-channel information such as timing or EM.
We conduct all experiments on real data and commonly used neural network architectures in order to properly assess the applicability and extendability of those attacks. Practical results are shown on an ARM Cortex-M3 microcontroller, which is a platform often used in pervasive applications using neural networks such as wearables, surveillance cameras, etc. Our experiments show that a side-channel attacker is capable of obtaining the following information: the activation functions used in the architecture, the number of layers and neurons in the layers, the number of output classes, and weights in the neural network. Thus, the attacker can effectively reverse engineer the network using side-channel information such as timing or EM.
Short bio:
Stjepan Picek is an assistant professor in the Cybersecurity group at TU Delft, The Netherlands. His research interests are security/cryptography, machine learning, and evolutionary computation. Prior to the assistant professor position, Stjepan was a postdoctoral researcher at MIT, USA and KU Leuven, Belgium. Stjepan finished his PhD in 2015 with a topic on cryptology and evolutionary computation techniques. Stjepan also has several years of experience working in industry and government. Up to now, Stjepan gave more than 15 invited talks at conferences and summer schools and published more than 80 refereed papers. Stjepan is a member of the organization committee for International Summer School in Cryptography and president of the Croatian IEEE CIS Chapter. He is a general co-chair for Eurocrypt 2020, program committee member and reviewer for a number of conferences and journals, and a member of several professional societies.