Recent advances in Deep Learning (DL) for complex real-world tasks have led to its widespread adoption in practical applications. However, this opportunity comes with significant underlying risks: many of these models are trained on privacy-sensitive data across a variety of applications, making them an overly exposed threat surface for privacy violations. Furthermore, the widespread use of cloud-based Machine-Learning-as-a-Service (MLaaS), valued for its robust infrastructure support, has broadened the threat surface to include a variety of remote side-channel attacks. In this paper, we first identify and report a novel data-dependent timing side-channel leakage (termed Class Leakage) in DL implementations, originating from a non-constant-time branching operation in PyTorch, a widely used DL framework. We further demonstrate a practical inference-time attack in which an adversary with user privilege and hard-label black-box access to an MLaaS can exploit Class Leakage to compromise the privacy of MLaaS users. DL models are also vulnerable to Membership Inference Attacks (MIA), in which the adversary's objective is to deduce whether a particular data point was used to train the model. In this paper, as a separate case study, we demonstrate that a DL model secured with differential privacy (a popular countermeasure against MIA) remains vulnerable to MIA by an adversary exploiting Class Leakage. We develop an easy-to-implement countermeasure, a constant-time branching operation, that alleviates Class Leakage and also aids in mitigating MIA. To validate our approach, we train five state-of-the-art pre-trained DL models on two standard benchmark image classification datasets, CIFAR-10 and CIFAR-100, in two different computing environments with Intel Xeon and Intel i7 processors.
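To make the defect and the countermeasure described in the abstract concrete, here is an added, constructed example in plain Python; it is not the paper's code and not PyTorch's, and the class-name lookup is a hypothetical stand-in for whatever framework operation leaks. It contrasts a label-dependent early exit with a constant-time masked select and includes the per-class timing check a defender would run.

```python
import time
from statistics import median

# Constructed stand-in for a hard-label post-processing step; not PyTorch code.
CLASS_NAMES = ["airplane", "automobile", "bird", "cat", "deer",
               "dog", "frog", "horse", "ship", "truck"]

def _scan(pred_idx, early_exit):
    """Map a predicted class index to its label by scanning the class table.
    Returns (label, loop_iterations) so the amount of work can be inspected."""
    chosen, iterations = 0, 0
    for i in range(len(CLASS_NAMES)):
        iterations += 1
        hit = int(i == pred_idx)        # 1 on the matching class, else 0
        chosen += hit * i               # arithmetic select, no branch on data
        if early_exit and hit:          # the leaky variant stops here
            break
    return CLASS_NAMES[chosen], iterations

def leaky_label(pred_idx):
    """Class-dependent timing: exits as soon as the class matches, so the
    work (and wall-clock time) grows with the predicted class index."""
    return _scan(pred_idx, early_exit=True)

def constant_time_label(pred_idx):
    """Countermeasure: always visit every class and select with a mask, so
    the work done is the same for every class (interpreter jitter aside)."""
    return _scan(pred_idx, early_exit=False)

def median_ns_per_class(fn, repeats=5000):
    """Median wall-clock time of fn(idx) in ns for each class index: the
    measurement a defender runs to check an endpoint for Class Leakage."""
    result = []
    for idx in range(len(CLASS_NAMES)):
        samples = []
        for _ in range(repeats):
            t0 = time.perf_counter_ns()
            fn(idx)
            samples.append(time.perf_counter_ns() - t0)
        result.append(median(samples))
    return result

def spread_ratio(timings):
    """max/min of the per-class medians; values well above 1.0 mean the
    predicted class is observable from timing alone."""
    return max(timings) / min(timings)

if __name__ == "__main__":
    for name, fn in (("leaky", leaky_label), ("constant-time", constant_time_label)):
        t = median_ns_per_class(fn)
        print(f"{name:14s} per-class medians (ns): {t}  spread={spread_ratio(t):.2f}")
```

Python itself is not a constant-time environment, so the iteration count, not the nanosecond figures, is the reliable signal here; the real fix belongs in the framework's native code.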