Transactions on Cryptographic Hardware and Embedded Systems, Volume 2023
"Whispering MLaaS":
Exploiting Timing Channels to Compromise User Privacy in Deep Neural Networks
Shubhi Shukla
IIT Kharagpur, India
Manaar Alam
NYU Abu Dhabi, UAE
Sarani Bhattacharya
IMEC, Belgium
Pabitra Mitra
IIT Kharagpur, India
Debdeep Mukhopadhyay
IIT Kharagpur, India
Keywords: PyTorch Vulnerability, Timing Side-Channel, Differential Privacy
Abstract
While recent advances of Deep Learning (DL) in solving complex real-world tasks have spurred its popularity, the use of privacy-rich data for training in varied applications has made DL models an overly exposed threat surface for privacy violations. Moreover, the rapid adoption of cloud-based Machine-Learning-as-a-Service (MLaaS) has broadened the threat surface to various remote side-channel attacks. In this paper, for the first time, we show one such privacy violation by observing a data-dependent timing side-channel (which we name Class-Leakage) originating from a non-constant-time branching operation in a widely popular DL framework, namely PyTorch. We further escalate this timing variability to a practical inference-time attack in which an adversary with user-level privileges and hard-label black-box access to an MLaaS can exploit Class-Leakage to compromise the privacy of MLaaS users. DL models have also been shown to be vulnerable to Membership Inference Attacks (MIA), where the primary objective of an adversary is to deduce whether a particular data-point was used while training the model. Differential Privacy (DP) has been proposed in recent literature as a popular countermeasure against MIA, since by definition the inclusion or exclusion of a single data-point in a dataset cannot be ascertained. In this paper, we also demonstrate that the presence of a data-point in the training dataset of a DL model secured with DP can still be distinguished using the identified timing side-channel. In addition, we propose an efficient countermeasure to the problem by introducing a constant-time branching operation that alleviates the Class-Leakage. We validate the approach using five pre-trained DL models trained on two standard benchmarking image classification datasets, CIFAR-10 and CIFAR-100, over two different computing environments having Intel Xeon and Intel i7 processors.
Publication
Transactions on Cryptographic Hardware and Embedded Systems, Volume 2023, Issue 2
Artifact
Artifact number
tches/2023/a9
Artifact published
September 2, 2023
License
This work is licensed under the GNU General Public License version 3.
How to cite
Shukla, S., Alam, M., Bhattacharya, S., Mitra, P., & Mukhopadhyay, D. (2023). “Whispering MLaaS”: Exploiting Timing Channels to Compromise User Privacy in Deep Neural Networks. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2023(2), 587–613. https://doi.org/10.46586/tches.v2023.i2.587-613. Artifact at https://artifacts.iacr.org/tches/2023/a9.