{"id":"https://openalex.org/W2909159593","doi":"https://doi.org/10.1109/asianhost.2018.8607161","title":"Preventing Neural Network Model Exfiltration in Machine Learning Hardware Accelerators","display_name":"Preventing Neural Network Model Exfiltration in Machine Learning Hardware Accelerators","publication_year":2018,"publication_date":"2018-12-01","ids":{"openalex":"https://openalex.org/W2909159593","doi":"https://doi.org/10.1109/asianhost.2018.8607161","mag":"2909159593"},"language":"en","primary_location":{"id":"doi:10.1109/asianhost.2018.8607161","is_oa":false,"landing_page_url":"https://doi.org/10.1109/asianhost.2018.8607161","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2018 Asian Hardware Oriented Security and Trust Symposium (AsianHOST)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5088525918","display_name":"Mihailo Isakov","orcid":null},"institutions":[{"id":"https://openalex.org/I111088046","display_name":"Boston University","ror":"https://ror.org/05qwgg493","country_code":"US","type":"education","lineage":["https://openalex.org/I111088046"]},{"id":"https://openalex.org/I4210142473","display_name":"Adapti (Slovenia)","ror":"https://ror.org/04sdpvy45","country_code":"SI","type":"company","lineage":["https://openalex.org/I4210142473"]}],"countries":["SI","US"],"is_corresponding":false,"raw_author_name":"Mihailo Isakov","raw_affiliation_strings":["Adaptive and Secure Computing Systems Laboratory, Boston University"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Adaptive and Secure Computing Systems Laboratory, Boston University","institution_ids":["https://openalex.org/I4210142473","https://openalex.org/I111088046"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5021505206","display_name":"Lake Bu","orcid":"https://orcid.org/0000-0002-9450-6533"},"institutions":[{"id":"https://openalex.org/I111088046","display_name":"Boston University","ror":"https://ror.org/05qwgg493","country_code":"US","type":"education","lineage":["https://openalex.org/I111088046"]},{"id":"https://openalex.org/I4210142473","display_name":"Adapti (Slovenia)","ror":"https://ror.org/04sdpvy45","country_code":"SI","type":"company","lineage":["https://openalex.org/I4210142473"]}],"countries":["SI","US"],"is_corresponding":false,"raw_author_name":"Lake Bu","raw_affiliation_strings":["Adaptive and Secure Computing Systems Laboratory, Boston University"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Adaptive and Secure Computing Systems Laboratory, Boston University","institution_ids":["https://openalex.org/I4210142473","https://openalex.org/I111088046"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5047482490","display_name":"Hai Cheng","orcid":"https://orcid.org/0000-0002-6082-8139"},"institutions":[{"id":"https://openalex.org/I111088046","display_name":"Boston University","ror":"https://ror.org/05qwgg493","country_code":"US","type":"education","lineage":["https://openalex.org/I111088046"]},{"id":"https://openalex.org/I4210142473","display_name":"Adapti (Slovenia)","ror":"https://ror.org/04sdpvy45","country_code":"SI","type":"company","lineage":["https://openalex.org/I4210142473"]}],"countries":["SI","US"],"is_corresponding":false,"raw_author_name":"Hai Cheng","raw_affiliation_strings":["Adaptive and Secure Computing Systems Laboratory, Boston University"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Adaptive and Secure Computing Systems Laboratory, Boston University","institution_ids":["https://openalex.org/I4210142473","https://openalex.org/I111088046"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5069200437","display_name":"Michel A. Kinsy","orcid":"https://orcid.org/0000-0002-1432-6939"},"institutions":[{"id":"https://openalex.org/I111088046","display_name":"Boston University","ror":"https://ror.org/05qwgg493","country_code":"US","type":"education","lineage":["https://openalex.org/I111088046"]},{"id":"https://openalex.org/I4210142473","display_name":"Adapti (Slovenia)","ror":"https://ror.org/04sdpvy45","country_code":"SI","type":"company","lineage":["https://openalex.org/I4210142473"]}],"countries":["SI","US"],"is_corresponding":false,"raw_author_name":"Michel A. Kinsy","raw_affiliation_strings":["Adaptive and Secure Computing Systems Laboratory, Boston University"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Adaptive and Secure Computing Systems Laboratory, Boston University","institution_ids":["https://openalex.org/I4210142473","https://openalex.org/I111088046"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":4,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":1.6896,"has_fulltext":false,"cited_by_count":17,"citation_normalized_percentile":{"value":0.8853677,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":90,"max":98},"biblio":{"volume":null,"issue":null,"first_page":"62","last_page":"67"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9986000061035156,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12122","display_name":"Physical Unclonable Functions (PUFs) and Hardware Security","score":0.9965999722480774,"subfield":{"id":"https://openalex.org/subfields/1708","display_name":"Hardware and Architecture"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8092619776725769},{"id":"https://openalex.org/keywords/software-deployment","display_name":"Software deployment","score":0.6688023209571838},{"id":"https://openalex.org/keywords/side-channel-attack","display_name":"Side channel attack","score":0.5902040600776672},{"id":"https://openalex.org/keywords/artificial-neural-network","display_name":"Artificial neural network","score":0.49693563580513},{"id":"https://openalex.org/keywords/embedded-system","display_name":"Embedded system","score":0.4857197403907776},{"id":"https://openalex.org/keywords/proxy","display_name":"Proxy (statistics)","score":0.44649189710617065},{"id":"https://openalex.org/keywords/encryption","display_name":"Encryption","score":0.44349685311317444},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.42856454849243164},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.39868488907814026},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.3692300319671631},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.359658420085907},{"id":"https://openalex.org/keywords/cryptography","display_name":"Cryptography","score":0.2992551922798157},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.2248099148273468}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8092619776725769},{"id":"https://openalex.org/C105339364","wikidata":"https://www.wikidata.org/wiki/Q2297740","display_name":"Software deployment","level":2,"score":0.6688023209571838},{"id":"https://openalex.org/C49289754","wikidata":"https://www.wikidata.org/wiki/Q2267081","display_name":"Side channel attack","level":3,"score":0.5902040600776672},{"id":"https://openalex.org/C50644808","wikidata":"https://www.wikidata.org/wiki/Q192776","display_name":"Artificial neural network","level":2,"score":0.49693563580513},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.4857197403907776},{"id":"https://openalex.org/C2780148112","wikidata":"https://www.wikidata.org/wiki/Q1432581","display_name":"Proxy (statistics)","level":2,"score":0.44649189710617065},{"id":"https://openalex.org/C148730421","wikidata":"https://www.wikidata.org/wiki/Q141090","display_name":"Encryption","level":2,"score":0.44349685311317444},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.42856454849243164},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.39868488907814026},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.3692300319671631},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.359658420085907},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.2992551922798157},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.2248099148273468}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/asianhost.2018.8607161","is_oa":false,"landing_page_url":"https://doi.org/10.1109/asianhost.2018.8607161","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2018 Asian Hardware Oriented Security and Trust Symposium (AsianHOST)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.5299999713897705,"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":31,"referenced_works":["https://openalex.org/W1821462560","https://openalex.org/W1826232489","https://openalex.org/W2072717808","https://openalex.org/W2170993700","https://openalex.org/W2461943168","https://openalex.org/W2516141709","https://openalex.org/W2620512600","https://openalex.org/W2785781448","https://openalex.org/W2788502731","https://openalex.org/W2789304371","https://openalex.org/W2905117322","https://openalex.org/W2913450159","https://openalex.org/W2949140995","https://openalex.org/W2962883027","https://openalex.org/W2963073614","https://openalex.org/W2963106566","https://openalex.org/W2963145956","https://openalex.org/W2963165251","https://openalex.org/W2963771448","https://openalex.org/W2964318098","https://openalex.org/W2969695741","https://openalex.org/W4294506858","https://openalex.org/W6638658418","https://openalex.org/W6729966448","https://openalex.org/W6747838042","https://openalex.org/W6748318149","https://openalex.org/W6748544737","https://openalex.org/W6749023905","https://openalex.org/W6751219861","https://openalex.org/W6758739231","https://openalex.org/W6763152210"],"related_works":["https://openalex.org/W2770234245","https://openalex.org/W96612179","https://openalex.org/W4229499248","https://openalex.org/W2566006169","https://openalex.org/W1567818861","https://openalex.org/W2987774938","https://openalex.org/W2887442533","https://openalex.org/W3171718976","https://openalex.org/W4387031668","https://openalex.org/W3036438193"],"abstract_inverted_index":{"Machine":[0],"learning":[1,80],"(ML)":[2],"models":[3,26,59,81],"are":[4,11,27],"often":[5],"trained":[6],"using":[7,19],"private":[8],"datasets":[9],"that":[10],"very":[12],"expensive":[13],"to":[14,45,55,138],"collect,":[15],"or":[16,34,43,118,126],"highly":[17],"sensitive,":[18],"large":[20],"amounts":[21],"of":[22,78,90,100,105],"computing":[23],"power.":[24],"The":[25],"commonly":[28],"exposed":[29],"either":[30,115],"through":[31,122],"online":[32],"APIs,":[33],"used":[35],"in":[36,40],"hardware":[37,83],"devices":[38,84],"deployed":[39],"the":[41,46,74,101,116,119],"field":[42],"given":[44],"end":[47],"users.":[48],"This":[49],"provides":[50],"an":[51,111,136],"incentive":[52],"for":[53,63],"adversaries":[54],"steal":[56],"these":[57],"ML":[58,106],"as":[60,89,135],"a":[61],"proxy":[62],"gathering":[64],"datasets.":[65],"While":[66],"API-based":[67],"model":[68,117,120],"exfiltration":[69],"has":[70],"been":[71,87],"studied":[72],"before,":[73],"theft":[75],"and":[76,103,130,140],"protection":[77],"machine":[79],"on":[82],"have":[85],"not":[86],"explored":[88],"now.":[91],"In":[92],"this":[93,97],"work,":[94],"we":[95],"examine":[96],"important":[98],"aspect":[99],"design":[102],"deployment":[104],"models.":[107],"We":[108],"illustrate":[109],"how":[110],"attacker":[112],"may":[113],"acquire":[114],"architecture":[121],"memory":[123],"probing,":[124],"side-channels,":[125],"crafted":[127],"input":[128],"attacks,":[129],"propose":[131],"(1)":[132],"power-efficient":[133],"obfuscation":[134],"alternative":[137],"encryption,":[139],"(2)":[141],"timing":[142],"side-channel":[143],"countermeasures.":[144]},"counts_by_year":[{"year":2025,"cited_by_count":2},{"year":2024,"cited_by_count":2},{"year":2023,"cited_by_count":1},{"year":2022,"cited_by_count":2},{"year":2021,"cited_by_count":5},{"year":2020,"cited_by_count":4},{"year":2019,"cited_by_count":1}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}