In-memory computing (IMC) systems have great potential for accelerating data-intensive tasks such as deep neural networks (DNNs). As DNN models are generally highly proprietary, the neural network architectures become valuable targets for attacks. In IMC systems, since the whole model is mapped on chip and weight memory reads can be restricted, the pre-mapped DNN model acts as a "black box" for users. However, the localized and stationary weight and data patterns may subject IMC systems to other attacks. In this paper, we propose a side-channel attack methodology on IMC architectures. We show that it is possible to extract model architectural information from power trace measurements without any prior knowledge of the neural network. We first developed a simulation framework that can emulate the dynamic power traces of the IMC macros. We then performed side-channel leakage analysis to reverse engineer model information such as the stored layer type, layer sequence, output channel/feature size and convolution kernel size from power traces of the IMC macros. Based on the extracted information, full networks can potentially be reconstructed without any knowledge of the neural network. Finally, we discuss potential countermeasures for building IMC systems that offer resistance to these model extraction attacks.