Machine learning (ML) models are known to be vulnerable to a number of attacks that target the integrity of their predictions or the privacy of their training data. To carry out these attacks, a black-box adversary must typically possess the ability to query the model and observe its outputs (e.g., labels). In this work, we demonstrate, for the first time, the ability to enhance such decision-based attacks. To accomplish this, we present an approach that exploits a novel side channel in which the adversary simply measures the execution time of the algorithm used to post-process the predictions of the ML model under attack. The leakage of inference-state elements into algorithmic timing side channels has never been studied before, and we have found that it can contain rich information that facilitates superior timing attacks that significantly outperform attacks based solely on label outputs. In a case study, we investigate leakage from the non-maximum suppression (NMS) algorithm, which plays a crucial role in the operation of object detectors. In our examination of the timing side-channel vulnerabilities associated with this algorithm, we identified the potential to enhance decision-based attacks. We demonstrate attacks against the YOLOv3 detector, leveraging the timing leakage to successfully evade object detection using adversarial examples, and perform dataset inference. Our experiments show that our adversarial examples exhibit superior perturbation quality compared to a decision-based attack. In addition, we present a new threat model in which dataset inference based solely on timing leakage is performed. To address the timing leakage vulnerability inherent in the NMS algorithm, we explore the potential and limitations of implementing constant-time inference passes as a mitigation strategy.
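The abstract's central observation is that the work done by greedy NMS depends on the detector's internal state (how many candidate boxes survive the confidence threshold and how many overlap), so its execution time leaks that state to anyone who can time a query. The following Python is an added illustration, not the paper's code or the YOLOv3 implementation: it counts IoU evaluations as a deterministic proxy for timing, places a standard data-dependent NMS beside a padded variant that always evaluates the same number of box pairs, and checks that both return the same detections. The box format, the thresholds, the `max_boxes` padding limit and the sample detections are all constructed assumptions.

```python
"""Added example: data-dependent NMS versus a fixed-work NMS (not the paper's code).

Boxes are (x1, y1, x2, y2) tuples and scores are confidences in [0, 1];
both conventions are assumptions for this illustration.
"""
from typing import List, Sequence, Tuple

Box = Tuple[float, float, float, float]


def iou(a: Box, b: Box) -> float:
    """Intersection-over-union of two axis-aligned boxes (0.0 if both are empty)."""
    ix1, iy1 = max(a[0], b[0]), max(a[1], b[1])
    ix2, iy2 = min(a[2], b[2]), min(a[3], b[3])
    inter = max(0.0, ix2 - ix1) * max(0.0, iy2 - iy1)
    area_a = (a[2] - a[0]) * (a[3] - a[1])
    area_b = (b[2] - b[0]) * (b[3] - b[1])
    union = area_a + area_b - inter
    return inter / union if union > 0 else 0.0


def nms_variable(boxes: Sequence[Box], scores: Sequence[float],
                 conf_thr: float = 0.5, iou_thr: float = 0.5) -> Tuple[List[int], int]:
    """Standard greedy NMS. Returns (kept indices, number of IoU evaluations).

    The evaluation count, and therefore the running time, depends on how many
    boxes clear conf_thr and on how early overlapping boxes get suppressed:
    this is the inference-state-dependent work that leaks through timing.
    """
    cand = [i for i, s in enumerate(scores) if s >= conf_thr]
    cand.sort(key=lambda i: scores[i], reverse=True)  # stable, highest score first
    keep: List[int] = []
    comparisons = 0
    while cand:
        best = cand.pop(0)
        keep.append(best)
        survivors = []
        for j in cand:
            comparisons += 1
            if iou(boxes[best], boxes[j]) < iou_thr:
                survivors.append(j)
        cand = survivors  # the list shrinks by a data-dependent amount
    return keep, comparisons


def nms_fixed(boxes: Sequence[Box], scores: Sequence[float], max_boxes: int,
              conf_thr: float = 0.5, iou_thr: float = 0.5) -> Tuple[List[int], int]:
    """Fixed-work greedy NMS. Returns (kept indices, number of IoU evaluations).

    The input is padded (or truncated) to exactly max_boxes slots with
    zero-score dummy boxes, every slot pair is compared exactly once, and
    suppression is tracked with 0/1 integers combined by bitwise arithmetic
    instead of early exits, so the IoU count is max_boxes*(max_boxes-1)/2
    for every input. Low-confidence boxes and dummies start out suppressed,
    which reproduces the confidence filter without a variable-length loop.
    """
    n = max_boxes
    pad = n - min(len(boxes), n)
    pboxes = list(boxes[:n]) + [(0.0, 0.0, 0.0, 0.0)] * pad
    pscores = list(scores[:n]) + [0.0] * pad
    order = sorted(range(n), key=lambda i: pscores[i], reverse=True)
    suppressed = [int(pscores[i] < conf_thr) for i in order]
    comparisons = 0
    for a in range(n):
        alive_a = 1 - suppressed[a]  # slot a is final once all earlier slots ran
        for b in range(a + 1, n):
            comparisons += 1
            overlap = int(iou(pboxes[order[a]], pboxes[order[b]]) >= iou_thr)
            suppressed[b] = suppressed[b] | (overlap & alive_a)
    keep = [order[k] for k in range(n) if not suppressed[k]]
    return keep, comparisons


# Constructed sample detections (not taken from any dataset).
SAMPLE_BOXES: List[Box] = [
    (10.0, 10.0, 50.0, 50.0),      # confident detection
    (12.0, 12.0, 52.0, 52.0),      # near-duplicate of box 0, should be suppressed
    (100.0, 100.0, 140.0, 140.0),  # a second, separate object
    (300.0, 300.0, 320.0, 320.0),  # below the confidence threshold
]
CONFIDENT_SCORES = [0.9, 0.8, 0.7, 0.3]
SPARSE_SCORES = [0.9, 0.2, 0.2, 0.2]  # same boxes, only one clears conf_thr


def work_profile(scores: Sequence[float], max_boxes: int = 4) -> Tuple[int, int]:
    """IoU evaluation counts (variable, fixed) for SAMPLE_BOXES with the given scores."""
    _, var_work = nms_variable(SAMPLE_BOXES, scores)
    _, fixed_work = nms_fixed(SAMPLE_BOXES, scores, max_boxes)
    return var_work, fixed_work


if __name__ == "__main__":
    for name, scores in (("confident", CONFIDENT_SCORES), ("sparse", SPARSE_SCORES)):
        print(name, "variable/fixed IoU evaluations:", work_profile(scores))
```

Counting IoU evaluations is only a proxy: the padded variant fixes the loop structure, but a real constant-time inference pass would also have to keep memory access patterns and branch behaviour independent of the detections, and pads every image to the worst case, which is the cost-versus-leakage trade-off the abstract describes as the limitation of this mitigation.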