With ‘TPUXtract,’ Attackers Can Steal Orgs’ AI Models
In the realm of machine learning and artificial intelligence, security threats are ever-evolving. Recently, a method known as “TPUXtract” has emerged, demonstrating the capability to replicate neural networks using electromagnetic signals emitted by the chips they’re run on. This discovery highlights a new challenge for maintaining the confidentiality of AI models.
Researchers from North Carolina State University’s Department of Electrical and Computer Engineering developed TPUXtract. Utilizing specialized equipment worth thousands of dollars and a pioneering technique called “online template-building,” the team could infer the hyperparameters—key settings that determine the structure and functionality—of a convolutional neural network (CNN) on a Google Edge Tensor Processing Unit (TPU) with a near-perfect accuracy of 99.91%.
The potential impact of TPUXtract is significant, as it allows cyberattackers to recreate an entire AI model without any prior knowledge. A complete model duplication coupled with access to the actual training data could facilitate intellectual property theft or lead to subsequent cyberattacks.
The practical demonstration involved a Google Coral Dev Board, a compact machine learning (ML) platform suitable for edge devices, Internet of Things (IoT) applications, medical devices, and more. At the heart of this board is the Edge Tensor Processing Unit (TPU)—an application-specific integrated circuit (ASIC) optimized for complex ML tasks.
All electronic devices emit electromagnetic (EM) radiation as a byproduct of their operations, influenced by the calculations they conduct. Knowing this, the research team placed an EM probe directly over the TPU, eliminating obstructions like cooling fans, and focused on the chip section emitting the most substantial EM signals. They supplied the board with input data and captured the leaked signals, marking the start of their analysis.
Initially, the researchers observed that before processing any data, a neural network compresses—or quantizes—its input data. Only when the data becomes suitable for TPU processing do the EM signals significantly rise, signifying the beginning of computations.
Mapping the electromagnetic signature of a model begins with understanding its layered structure. Neural networks consist of multiple layers, each carrying specific computational roles and node counts. Importantly, the characteristics of one layer affect the EM signature of the subsequent layers. Therefore, analyzing the network’s composition as one entity is complex.
A neural network with ‘N’ layers could have ‘K’ possible configurations per layer, exponentially increasing the computational costs to N raised to K. The team analyzed networks ranging from 28 to 242 layers, estimating that K equaled 5,528 possible configurations for any given layer.
By deconstructing the problem, the researchers could isolate and examine each layer individually. For this, they constructed “templates”—simulated networks with various hyperparameter configurations—and recorded the resulting signals for data processing. The closest match to the original model was deemed correct, allowing the process to continue layer by layer.
Remarkably, within a day, the team could duplicate a neural network that developers needed weeks or months to train. This efficiency underscores TPUXtract’s potential as a tool for competitors or adversaries wishing to bypass extensive development efforts, like creating a replica of an existing model such as ChatGPT.
While the process is complex and requires costly and specialized equipment, it is within reach for well-financed organizations, or rival companies looking to cut costs on development through unauthorized replication.
Theft of intellectual property is merely one of the possible motives for such initiatives. Understanding the mechanics of popular AI models could enable malicious entities to identify and exploit cybersecurity weaknesses effectively.
To mitigate these risks, the researchers recommend AI developers incorporate noise within the inference processes, either through dummy operations or by varying the processing sequence. These defensive measures complicate electromagnetic analysis, a necessary move to safeguard against this developing form of model theft.
The innovation of TPUXtract signifies a pressing need for strengthening AI model security, as it reflects broader vulnerabilities inherent in machine learning technologies. Moving forward, defensive tactics must evolve in parallel with these sophisticated methods of attack.
