As training artificial intelligence (AI) models is a lengthy and hence costly process, leakage of such a model's internal parameters is highly undesirable. In the case of AI accelerators, side-channel information leakage opens up the threat scenario of extracting the internal secrets of pre-trained models. Therefore, sufficiently elaborate methods for design verification as well as fault and security evaluation at the electronic system level are in demand. In this paper, we propose estimating information leakage from the early design steps of AI accelerators to aid in a more robust architectural design. We first introduce the threat scenario before diving into SystemC as a standard method for early design evaluation and how it can be applied to threat modeling. We present two successful side-channel attack methods executed via SystemC-based power modeling, correlation power analysis and a template attack, both leading to total information leakage. The presented models are verified against an industry-standard netlist-level power estimation to prove general feasibility and determine accuracy. We then explore the impact of additive noise in our simulation to establish indicators for early threat evaluation. The presented approach is again validated via a model-vs-netlist comparison, showing high accuracy of the achieved results. This work is hence a solid step towards fast attack deployment and, subsequently, the design of attack-resilient AI accelerators.
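The two attacks named in the abstract, correlation power analysis and a Gaussian template attack, and the effect of additive noise on them, as an added editor's illustration that is not the paper's code and does not reproduce its SystemC power model. Everything here is an assumption for the sake of the example: a toy multiply-accumulate unit with an 8-bit secret weight and 8-bit inputs, a leakage model equal to the Hamming weight of the 16-bit product register plus additive Gaussian noise, the secret weight value 0xA7, and all trace counts and noise levels. The traces are constructed in code, so it runs offline.

```python
"""Added illustration: CPA and a Gaussian template attack against a simulated
power model of a toy multiply-accumulate (MAC) unit. The leakage model (Hamming
weight of the 16-bit product register plus additive Gaussian noise) is an
assumption standing in for a SystemC-level power model; it is not the paper's."""
import math
import random

WEIGHT_BITS = 8                      # assumed width of secret weight and input
PRODUCT_BITS = 16                    # width of the leaking product register
HW = [bin(v).count("1") for v in range(1 << PRODUCT_BITS)]  # Hamming-weight table


def leak(x: int, w: int) -> int:
    """Noise-free power model: Hamming weight of the product register after x*w."""
    return HW[(x * w) & ((1 << PRODUCT_BITS) - 1)]


def simulate_traces(weight: int, n: int, sigma: float, seed: int = 1):
    """Constructed traces: n known random inputs, one noisy power sample each."""
    rng = random.Random(seed)
    inputs = [rng.randrange(1 << WEIGHT_BITS) for _ in range(n)]
    traces = [leak(x, weight) + rng.gauss(0.0, sigma) for x in inputs]
    return inputs, traces


def pearson(a, b) -> float:
    """Pearson correlation; 0.0 when either side is constant (no information)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    sa = math.sqrt(sum((u - ma) ** 2 for u in a))
    sb = math.sqrt(sum((v - mb) ** 2 for v in b))
    if sa == 0.0 or sb == 0.0:
        return 0.0  # e.g. weight hypothesis 0 predicts product 0 for every input
    return sum((u - ma) * (v - mb) for u, v in zip(a, b)) / (sa * sb)


def cpa_recover(inputs, traces):
    """CPA: correlate each weight hypothesis' predicted leakage with the traces.
    Returns (best weight, all 256 scores, margin between best and runner-up)."""
    scores = [pearson([leak(x, w) for x in inputs], traces)
              for w in range(1 << WEIGHT_BITS)]
    ranked = sorted(range(len(scores)), key=scores.__getitem__, reverse=True)
    return ranked[0], scores, scores[ranked[0]] - scores[ranked[1]]


def build_template(sigma: float, n_profile: int = 20000, seed: int = 2):
    """Profiling phase on a clone device with chosen weights (constructed):
    one mean per Hamming-weight class plus a pooled noise variance."""
    rng = random.Random(seed)
    samples = {}
    for _ in range(n_profile):
        x, w = rng.randrange(1 << WEIGHT_BITS), rng.randrange(1 << WEIGHT_BITS)
        c = leak(x, w)
        samples.setdefault(c, []).append(c + rng.gauss(0.0, sigma))
    # classes never observed while profiling fall back to the model value c
    means = [sum(samples[c]) / len(samples[c]) if c in samples else float(c)
             for c in range(PRODUCT_BITS + 1)]
    ss = sum((t - means[c]) ** 2 for c, ts in samples.items() for t in ts)
    var = ss / max(n_profile - len(samples), 1)
    return means, max(var, 1e-9)  # floor keeps the noiseless case well defined


def template_recover(inputs, traces, template) -> int:
    """Attack phase: the weight whose predicted class sequence maximises the
    Gaussian log-likelihood of the observed traces."""
    means, var = template

    def loglik(w):
        return -sum((t - means[leak(x, w)]) ** 2
                    for x, t in zip(inputs, traces)) / (2 * var)

    return max(range(1 << WEIGHT_BITS), key=loglik)


def min_traces_for_cpa(weight, sigma, step=100, max_n=1500, seed=3):
    """Early threat indicator: smallest trace count (in steps of `step`) at which
    CPA recovers the weight under noise sigma; None if not reached within max_n."""
    for n in range(step, max_n + 1, step):
        inputs, traces = simulate_traces(weight, n, sigma, seed)
        if cpa_recover(inputs, traces)[0] == weight:
            return n
    return None


if __name__ == "__main__":
    secret = 0xA7  # assumed secret weight
    for sigma in (0.0, 1.0, 2.0, 3.0):
        print(f"sigma={sigma}: traces needed by CPA = {min_traces_for_cpa(secret, sigma)}")
```

Two points the abstract leaves implicit show up directly here: a hypothesis that predicts a constant leakage (weight 0) has no correlation at all and must be handled rather than divided by zero, and additive noise does not change which hypothesis wins but scales every correlation down, so the trace count needed to separate the correct weight from the runner-up grows with sigma, which is what a noise sweep at the model level can estimate before a netlist exists.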