Inferring DNN layer-types through a Hardware Performance Counters based Side Channel Attack

2021 
The growing use of deep neural networks (DNNs) in mission-critical applications has increased the threat of microarchitectural attacks on DNN models. Recently, researchers have proposed techniques for inferring the DNN model based on microarchitecture-level clues. However, existing techniques require prior knowledge of victim models, lack generality, or provide incomplete information about the victim model architecture. This paper proposes an attack that leaks the layer-type of DNNs using hardware performance monitoring counters (PMCs). Our attack works by profiling low-level hardware events and then analyzing this data using machine learning algorithms. We also apply techniques for removing the class imbalance in the PMC traces and for removing the noise. We present microarchitectural insights (hardware PMCs such as cache accesses/misses, branch instructions, and total instructions) that correlate with the characteristics of DNN layers. The extracted models are also helpful for crafting adversarial inputs. Our attack does not require any prior knowledge of the DNN architecture and still infers the layer-types of the DNN with high accuracy (above 90%). We have released the traces for public use at https://github.com/bhargavarch/DNN_RevEngg_PMC_Dataset.