Researchers demonstrate new technique for stealing AI models
by Matt Shipman for NCSU News
Raleigh NC (SPX) Dec 16, 2024

Researchers have demonstrated the ability to steal an artificial intelligence (AI) model without hacking into the device where the model was running. The technique is novel in that it works even when the thief has no prior knowledge of the software or architecture that support the AI.

"AI models are valuable, we don't want people to steal them," says Aydin Aysu, co-author of a paper on the work and an associate professor of electrical and computer engineering at North Carolina State University. "Building a model is expensive and requires significant computing sources. But just as importantly, when a model is leaked, or stolen, the model also becomes more vulnerable to attacks - because third parties can study the model and identify any weaknesses."

"As we note in the paper, model stealing attacks on AI and machine learning devices undermine intellectual property rights, compromise the competitive advantage of the model's developers, and can expose sensitive data embedded in the model's behavior," says Ashley Kurian, first author of the paper and a Ph.D. student at NC State.

In this work, the researchers stole the hyperparameters of an AI model that was running on a Google Edge Tensor Processing Unit (TPU).

"In practical terms, that means we were able to determine the architecture and specific characteristics - known as layer details - we would need to make a copy of the AI model," says Kurian.

"Because we stole the architecture and layer details, we were able to recreate the high-level features of the AI," Aysu says. "We then used that information to recreate the functional AI model, or a very close surrogate of that model."

The researchers used the Google Edge TPU for this demonstration because it is a commercially available chip that is widely used to run AI models on edge devices - meaning devices utilized by end users in the field, as opposed to AI systems that are used for database applications.

"This technique could be used to steal AI models running on many different devices," Kurian says. "As long as the attacker knows the device they want to steal from, can access the device while it is running an AI model, and has access to another device with the same specifications, this technique should work."

The technique used in this demonstration relies on monitoring electromagnetic signals. Specifically, the researchers placed an electromagnetic probe on top of a TPU chip. The probe provides real-time data on changes in the electromagnetic field of the TPU during AI processing.

"The electromagnetic data from the sensor essentially gives us a 'signature' of the AI processing behavior," Kurian says. "That's the easy part."

To determine the AI model's architecture and layer details, the researchers compare the electromagnetic signature of the model to a database of other AI model signatures made on an identical device - meaning another Google Edge TPU, in this case.

How can the researchers "steal" an AI model for which they don't already have a signature? That's where things get tricky.

The researchers have a technique that allows them to estimate the number of layers in the targeted AI model. Layers are a series of sequential operations that the AI model performs, with the result of each operation informing the following operation. Most AI models have 50 to 242 layers.

"Rather than trying to recreate a model's entire electromagnetic signature, which would be computationally overwhelming, we break it down by layer," Kurian says. "We already have a collection of 5,000 first-layer signatures from other AI models. So we compare the stolen first layer signature to the first layer signatures in our database to see which one matches most closely.

"Once we've reverse-engineered the first layer, that informs which 5,000 signatures we select to compare with the second layer," Kurian says. "And this process continues until we've reverse-engineered all of the layers and have effectively made a copy of the AI model."

In their demonstration, the researchers showed that this technique was able to recreate a stolen AI model with 99.91% accuracy.
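As an added illustration, not code from the paper or from NC State, the following Python sketch models the layer-by-layer matching described above on constructed, synthetic signatures: each layer's hyperparameters (assumed here to be just kernel size and output channel count) map to a toy feature vector standing in for a real electromagnetic trace, and the output width recovered for layer i fixes the candidate set for layer i+1. It also counts the template comparisons the per-layer search needs versus matching whole-model signatures, which is the tractability point Kurian makes.

```python
import math
import random
from itertools import product
# Constructed toy hyperparameter space: each layer is (kernel_size, out_channels).
KERNELS = (1, 3, 5)
CHANNELS = (16, 32, 64, 128)

def layer_signature(in_ch, kernel, out_ch):
    # Stand-in for a per-layer EM signature: a feature vector that depends only on
    # the layer's hyperparameters. A real signature would be a sampled waveform.
    macs = in_ch * out_ch * kernel * kernel
    return (math.log2(macs), float(kernel), math.log2(out_ch))

def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def candidates(in_ch):
    # Every layer configuration possible once the input channel count is fixed.
    return [(in_ch, k, c) for k, c in product(KERNELS, CHANNELS)]

def extract_layers(observed, input_ch):
    # Greedy layer-by-layer template matching: pick the closest candidate for
    # layer i, then let its recovered output width fix the candidate set for i+1.
    recovered, in_ch, comparisons = [], input_ch, 0
    for sig in observed:
        scored = [(distance(sig, layer_signature(*c)), c) for c in candidates(in_ch)]
        comparisons += len(scored)
        _, (_, kernel, out_ch) = min(scored)
        recovered.append((kernel, out_ch))
        in_ch = out_ch
    return recovered, comparisons

def observe(model, input_ch, noise, rng):
    # Constructed "capture": true per-layer signatures plus Gaussian noise.
    sigs, in_ch = [], input_ch
    for kernel, out_ch in model:
        clean = layer_signature(in_ch, kernel, out_ch)
        sigs.append(tuple(v + rng.gauss(0, noise) for v in clean))
        in_ch = out_ch
    return sigs

def exhaustive_comparisons(n_layers):
    # Cost of matching a whole-model signature against every full architecture.
    return (len(KERNELS) * len(CHANNELS)) ** n_layers

def demo(seed=1, noise=0.05):
    rng = random.Random(seed)
    model = [(3, 32), (1, 64), (5, 64), (3, 128)]  # constructed 4-layer target
    recovered, per_layer = extract_layers(observe(model, 3, noise, rng), 3)
    return model, recovered, per_layer, exhaustive_comparisons(len(model))
```

With 12 candidate configurations per layer, the per-layer search costs 12 comparisons per layer (48 for four layers) while whole-model matching would need 12^4 = 20736 templates, and the gap widens with every added layer.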

"Now that we've defined and demonstrated this vulnerability, the next step is to develop and implement countermeasures to protect against it," says Aysu.

The paper, "TPUXtract: An Exhaustive Hyperparameter Extraction Framework," is published online by the Conference on Cryptographic Hardware and Embedded Systems. The paper was co-authored by Anuj Dubey, a former Ph.D. student at NC State, and Ferhat Yaman, a former graduate student at NC State. The work was done with support from the National Science Foundation, under grant number 1943245.

Research Report: "TPUXtract: An Exhaustive Hyperparameter Extraction Framework"
