Analog compute-in-memory (CIM) systems are promising for deep neural network (DNN) inference acceleration due to their energy efficiency and high throughput. However, as the use of DNNs expands, protecting the privacy of user inputs has become increasingly important. In this paper, we identify a potential security vulnerability wherein an adversary can reconstruct a user's private input data from a power side-channel attack, given proper data acquisition and pre-processing, even without knowledge of the DNN model. We further demonstrate a machine learning-based attack approach that uses a generative adversarial network (GAN) to enhance the data reconstruction. Our results show that the attack methodology is effective in reconstructing user inputs from the power leakage of an analog CIM accelerator, even at large noise levels and after countermeasures are applied. Specifically, we demonstrate the efficacy of our approach on an example U-Net inference chip for brain tumor detection, and show that the original magnetic resonance imaging (MRI) medical images can be successfully reconstructed even at a noise level whose standard deviation is 20% of the maximum power signal value. Our study highlights a potential security vulnerability in analog CIM accelerators and raises awareness of the use of GANs to breach user privacy in such systems.