Minkyung Park (University of Texas at Dallas), Zelun Kong (University of Texas at Dallas), Dave (Jing) Tian (Purdue University), Z. Berkay Celik (Purdue University), Chung Hwan Kim (University of Texas at Dallas)

Deep neural networks (DNNs) are integral to modern computing, powering applications such as image recognition, natural language processing, and audio analysis. The architectures of these models (e.g., the number and types of layers) are considered valuable intellectual property due to the significant expertise and computational effort required for their design. Although trusted execution environments (TEEs) like Intel SGX have been adopted to safeguard these models, recent studies on model extraction attacks have shown that side-channel attacks (SCAs) can still be leveraged to extract the architectures of DNN models. However, many existing model extraction attacks either do not account for TEE protections or are limited to specific model types, reducing their real-world applicability.

In this paper, we introduce DNN Latency Sequencing (DLS), a novel model extraction attack framework that targets DNN architectures running within Intel SGX enclaves. DLS employs SGX-Step to single-step model execution and collect fine-grained latency traces, which are then analyzed at both the function and basic block levels to reconstruct the model architecture. Our key insight is that DNN architectures inherently influence execution behavior, enabling accurate reconstruction from latency patterns. We evaluate DLS on models built with three widely used deep learning libraries, Darknet, TensorFlow Lite, and ONNX Runtime, and show that it achieves architecture recovery accuracies of 97.3%, 96.4%, and 93.6%, respectively. We further demonstrate that DLS enables advanced attacks, highlighting its practicality and effectiveness.

View More Papers

Light2Lie: Detecting Deepfake Images Using Physical Reflectance Laws

Kavita Kumari (Technical University of Darmstadt), Sasha Behrouzi (Technical University of Darmstadt), Alessandro Pegoraro (Technical University of Darmstadt), Ahmad-Reza Sadeghi (Technical University of Darmstadt)

Read More

ADGFUZZ: Assignment Dependency-Guided Fuzzing for Robotic Vehicles

Yuncheng Wang (Institute of Information Engineering, CAS, China and School of Cyber Security, University of Chinese Academy of Sciences, China), Yaowen Zheng (Institute of Information Engineering, CAS, China and School of Cyber Security, University of Chinese Academy of Sciences, China), Puzhuo Liu (Tsinghua University, China and Ant Group, China), Dongliang Fang (Institute of Information Engineering,…

Read More

VulSCA: A Community-Level SCA Approach for Accurate C/C++ Supply...

Yutao Hu (Huazhong University of Science and Technology), Chaofan Li (Huazhong University of Science and Technology), Yueming Wu (Huazhong University of Science and Technology), Yifeng Cai (Peking University), Deqing Zou (Huazhong University of Science and Technology)

Read More