20 research outputs found

    When NAS Meets Watermarking: Ownership Verification of DNN Models via Cache Side Channels

    Full text link
    We present a novel watermarking scheme to verify the ownership of DNN models. Existing solutions embedded watermarks into the model parameters, which were proven to be removable and detectable by an adversary to invalidate the protection. In contrast, we propose to implant watermarks into the model architectures. We design new algorithms based on Neural Architecture Search (NAS) to generate watermarked architectures, which are unique enough to represent the ownership, while maintaining high model usability. We further leverage cache side channels to extract and verify watermarks from the black-box models at inference. Theoretical analysis and extensive evaluations show our scheme has negligible impact on the model performance, and exhibits strong robustness against various model transformations

    Mercury: An Automated Remote Side-channel Attack to Nvidia Deep Learning Accelerator

    Full text link
    DNN accelerators have been widely deployed in many scenarios to speed up the inference process and reduce energy consumption. One big concern about the usage of the accelerators is the confidentiality of the deployed models: model inference execution on the accelerators could leak side-channel information, which enables an adversary to precisely recover the model details. Such model extraction attacks can not only compromise the intellectual property of DNN models, but also facilitate some adversarial attacks. Although previous works have demonstrated a number of side-channel techniques to extract models from DNN accelerators, they are not practical for two reasons. (1) They only target simplified accelerator implementations, which have limited practicality in the real world. (2) They require heavy human analysis and domain knowledge. To overcome these limitations, this paper presents Mercury, the first automated remote side-channel attack against the off-the-shelf Nvidia DNN accelerator. The key insight of Mercury is to model the side-channel extraction process as a sequence-to-sequence problem. The adversary can leverage a time-to-digital converter (TDC) to remotely collect the power trace of the target model's inference. Then he uses a learning model to automatically recover the architecture details of the victim model from the power trace without any prior knowledge. The adversary can further use the attention mechanism to localize the leakage points that contribute most to the attack. Evaluation results indicate that Mercury can keep the error rate of model extraction below 1%

    Study on the breakdown characteristics of multiple-reignition secondary arcs on EHV/UHV transmission lines

    Get PDF
    A long-gap AC arc with a length of more than ten meters (secondary arc) is normally generated at the short-circuit arc channel after a single-phase-to-ground fault. In previous studies, arc breakdowns of secondary arcs have mainly been considered as electrical breakdowns, ignoring the role of heat in the arc channel. Besides, the extinction-reignition theory of secondary arcs, i.e., dielectric strength recovery theory, still lacks the support of experimental data. In this study, based on the equivalent experiments performed in the laboratory, the influences of the compensation degree of transmission lines, the initial recovery voltage gradient of the air gap, test current, wind speed, and wind direction on the breakdown characteristics of secondary arcs are studied and statistically analyzed. The laws of the transient recovery voltage (TRV) and of the rate of rise of recovery voltage (RRRV) are also studied by considering the influencing factors mentioned above. The results of this study will provide a more complete experimental basis for the theory of extinction-reignition of secondary arcs and a deeper understanding of the transient characteristics of arc breakdow

    A survey of microarchitectural side-channel vulnerabilities, attacks, and defenses in cryptography

    No full text
    Side-channel attacks have become a severe threat to the confidentiality of computer applications and systems. One popular type of such attacks is the microarchitectural attack, where the adversary exploits hardware features to break the protection enforced by the operating system and steal secrets from the program. In this article, we systematize microarchitectural side channels with a focus on attacks and defenses in cryptographic applications. We make three contributions. (1) We survey past research literature to categorize microarchitectural side-channel attacks. Since these are hardware attacks targeting software, we summarize the vulnerable implementations in software, as well as flawed designs in hardware. (2) We identify common strategies to mitigate microarchitectural attacks, from the application, OS, and hardware levels. (3) We conduct a large-scale evaluation on popular cryptographic applications in the real world and analyze the severity, practicality, and impact of side-channel vulnerabilities. This survey is expected to inspire the side-channel research community to discover new attacks, and more importantly, propose new defense solutions against them.
    National Research Foundation (NRF). Submitted/Accepted version. This project is supported by the National Research Foundation, Singapore, under its National Cybersecurity R&D Programme (CHFA-GC1-AW03), and NTU Start-up grant

    Imperceptible misclassification attack on deep learning accelerator by glitch injection

    No full text
    The convergence of edge computing and deep learning empowers endpoint hardware or edge devices to perform inference locally with the help of a deep neural network (DNN) accelerator. This trend of edge intelligence invites new attack vectors, which are methodologically different from the well-known software-oriented deep learning attacks such as the input of adversarial examples. Current studies of threats on DNN hardware focus mainly on model parameter interpolation. Such manipulation is not stealthy, as it leaves non-erasable traces or creates conspicuous output patterns. In this paper, we present and investigate an imperceptible misclassification attack on DNN hardware by introducing infrequent instantaneous glitches into the clock signal. Compared with falsifying model parameters by permanent faults, corrupting targeted intermediate results of convolution layer(s) by disrupting the associated computations intermittently leaves no trace. We demonstrated our attack on nine state-of-the-art ImageNet models running on a Xilinx FPGA-based deep learning accelerator. With no knowledge about the models, our attack can achieve over 98% misclassification on 8 out of 9 models with only 10% glitches launched into the computation clock cycles. Given the model details and inputs, all the test images applied to ResNet50 can be successfully misclassified with no more than 1.7% glitch injection.
    Ministry of Education (MOE). Accepted version. This research is supported by Singapore Ministry of Education AcRF Tier 1 Grant No. 2018-T1-001-131

    NASPY: automated extraction of automated machine learning models

    No full text
    We present NASPY, an end-to-end adversarial framework to extract the network architecture of deep learning models from Neural Architecture Search (NAS). Existing works on model extraction attacks mainly focus on conventional DNN models with very simple operations, or require heavy manual analysis with lots of domain knowledge. In contrast, NASPY introduces seq2seq models to automatically identify novel and complicated operations (e.g., separable convolution, dilated convolution) from hardware side-channel sequences. We design two models (RNN-CTC and transformer), which achieve error rates of only 3.2% and 11.3% for operation prediction. We further present methods to recover the model hyper-parameters and topology from the operation sequence. With these techniques, NASPY is able to extract the complete NAS model architecture with high fidelity and automation, which has rarely been analyzed before.
    Ministry of Education (MOE). Nanyang Technological University. National Research Foundation (NRF). Submitted/Accepted version. This project is in part supported by Singapore National Research Foundation under its National Cybersecurity R&D Programme (NCR Award NRF2018NCR-NCR009-0001), Singapore Ministry of Education (MOE) AcRF Tier 1 RS02/19, and NTU Start-up grant. Any opinions, findings and conclusions or recommendations expressed in this paper are those of the authors and do not reflect the views of National Research Foundation, Singapore

    Capacity Calculation of Shunt Active Power Filters for Electric Vehicle Charging Stations Based on Harmonic Parameter Estimation and Analytical Modeling

    No full text
    The influence of electric vehicle charging stations on power grid harmonics is becoming increasingly significant as their presence continues to grow. This paper studies the operational principles of the charging current in the continuous and discontinuous modes for a three-phase uncontrolled rectification charger with a passive power factor correction link, which is affected by the charging power. A parameter estimation method is proposed for the equivalent circuit of the charger by using the measured characteristic AC (Alternating Current) voltage and current data combined with the charging circuit constraints in the conduction process, and this method is verified using an experimental platform. The sensitivity of the current harmonics to the changes in the parameters is analyzed. An analytical harmonic model of the charging station is created by separating the chargers into groups by type. Then, the harmonic current amplification caused by the shunt active power filter is researched, and the analytical formula for the overload factor is derived to further correct the capacity of the shunt active power filter. Finally, this method is validated through a field test of a charging station

    Short-Circuit Calculation in Distribution Networks with Distributed Induction Generators

    No full text
    This paper presents an improved current source equivalent model method to determine the short-circuit current of a distribution system with multiple fixed-speed and variable-speed induction generators (IGs). The correlation coefficients of flux components between stator and rotor under the unsymmetrical fault are analyzed using the positive and negative sequence steady-state equivalent circuits of an IG. The terminal voltage and current responses of fixed-speed and variable-speed IGs with and without the rotor slip changes under different penetration levels are compared to investigate the coupling relation between the short-circuit currents of IGs and the nodal voltages in the distribution network. Then the transient equivalent potential of an IG at the grid fault instant is derived. Sequence components of the short-circuit current in the network can be determined using the proposed technique. The correctness of the proposed method is verified using dynamic simulation.
    Published versio

    Suffer together, bond together: Brain-to-brain synchronization and mutual affective empathy when sharing painful experiences

    No full text
    Previous behavioral studies have shown that sharing painful experiences can strengthen social bonds and promote mutual prosociality, yet the neural mechanisms underlying this phenomenon remain unclear. We hypothesized that sharing a painful experience induces brain-to-brain synchronization and mutual empathy for each other's pain between pain-takers and pain-observers, which then leads to enhanced social bonding. To test this hypothesis, we adopted an electroencephalographic (EEG) hyper-scanning technique to assess neuronal and behavioral activity during a Pain-Sharing task in which high- or low-intensity pain stimulation was randomly delivered to one participant of a dyad on different experimental trials. Single-brain analysis showed that sensorimotor α-oscillation power was suppressed more when expecting high-intensity pain than when expecting low-intensity pain similarly for self-directed or partner-directed pain. Dual-brain analysis revealed that expecting high-intensity pain induced greater brain-to-brain synchronization of sensorimotor α-oscillation phases between pain-takers and pain-observers than did expecting low-intensity pain. Mediation analysis further revealed that brain-to-brain synchronization of sensorimotor α-oscillations mediated the effects of pain-stimulation intensity on mutual affective sharing for partner-directed pain. This mutual affective empathy during the task predicted the social bonding, as indexed by prosocial inclinations measured after the task. These results support the hypothesis that sharing a painful experience triggers emotional resonance between pairs of individuals through brain-to-brain synchronization of neuronal α-oscillations recorded over the sensorimotor cortex, and this emotional resonance further strengthens social bonds and motivates prosocial behavior within pairs of individuals