Practical Side-Channel Based Model Extraction Attack on Tree-Based Machine Learning Algorithm



1 Nanyang Technological University, Singapore, Singapore {djap,sbhasin}@ntu.edu.sg
2 Tohoku University/CREST, Sendai, Japan {ville,ito,ueno,homma}@riec.tohoku.ac.jp

Abstract. Machine learning algorithms have been widely applied to solve various types of problems and applications. Among those, decision-tree-based algorithms have been considered for small Internet-of-Things (IoT) implementations, due to their simplicity. It has been shown in a recent publication that Bonsai, a small tree-based algorithm, can be successfully fitted into a small 8-bit microcontroller. However, the security of machine learning algorithms has also been a major concern, especially with the threat of secret parameter recovery, which could lead to a breach of privacy. With machine learning taking over a significant proportion of industrial tasks, this security issue has become a matter of concern. Recently, secret parameter recovery for neural-network-based algorithms using physical side-channel leakage has been proposed. In this paper, we investigate the security of widely used decision tree algorithms running on an ARM Cortex-M3 platform against electromagnetic (EM) side-channel attacks. We show that by focusing on each building-block function or component, one can perform a divide-and-conquer approach to recover the secret parameters. To demonstrate the attack, we first report the recovery of the secret parameters of Bonsai, such as the sparse projection parameters, branching function and node predictors. After recovering these parameters, the attacker can reconstruct the whole architecture.

1 Introduction

With the growing trend of machine learning (ML) across various fields and applications, the security of ML has been thoroughly scrutinized. Recently, a new type of attack against ML using side-channel attacks (SCA) has been reported [1,5,11]. These attacks have shown that it is possible to recover the trained ML model, which is usually intellectual property, and the leak of which leads to monetary losses. Attacks that enable the theft of ML intellectual property have only been shown for complex ML algorithms like multilayer perceptrons (MLP) or convolutional neural networks (CNN). However, the security of other widely used algorithms for resource-constrained platforms is still highly unexplored. To highlight the importance, ML algorithms such as decision trees are widely used in industrial environments, especially in the Industrial Internet of Things (IIoT), for anomaly detection and quality assurance of the supply chain. Under Industry 4.0, IIoT relies upon small edge devices deployed over industrial sites to perform crucial tasks. For example, quality assessment of manufactured products is often done within the supply line by small sensor modules running ML algorithms. Given the task, reaction time and available resources on sensors, simpler ML algorithms such as decision trees are often used.

D. Jap et al.
© Springer Nature Switzerland AG 2020. J. Zhou et al. (Eds.): ACNS 2020 Workshops, LNCS 12418, pp. 93–105, 2020. https://doi.org/10.1007/978-3-030-61638-0_6