Deep Neural Network (DNN) models are often deployed in resource-sharing clouds as Machine Learning as a Service (MLaaS) to provide inference services. To steal model architectures, which are valuable intellectual property, a class of attacks exploiting different side-channel leakages has been proposed, posing a serious security challenge to MLaaS. Also targeting MLaaS, we propose a new end-to-end attack, DeepTheft, that accurately recovers complex DNN model architectures on general-purpose processors via the RAPL-based power side channel. An attacker, however, can acquire the time-series energy traces from the RAPL interface only at a low sampling rate (1 KHz), which renders existing techniques ineffective against large and deep DNN models. To this end, we design a novel and generic learning-based framework consisting of a set of meta-models; with it, DeepTheft is demonstrated to recover a large number (thousands) of model architectures from different model families, including the deepest ResNet152, with high accuracy. In particular, DeepTheft achieves a Levenshtein Distance Accuracy of 99.75% in recovering network structures and a weighted average F1 score of 99.60% in recovering diverse layer-wise hyperparameters. Moreover, the proposed learning framework generalizes to other time-series side-channel signals. To validate this generalization, we exploit another existing side channel, CPU frequency. Unlike RAPL, CPU frequency is accessible to unprivileged users in bare-metal OSes. Using our generic learning framework trained on CPU frequency traces, DeepTheft shows similarly high attack performance in stealing model architectures.