{"id":"https://openalex.org/W4391182416","doi":"https://doi.org/10.1109/asianhost59942.2023.10409396","title":"NNLeak: An AI-Oriented DNN Model Extraction Attack through Multi-Stage Side Channel Analysis","display_name":"NNLeak: An AI-Oriented DNN Model Extraction Attack through Multi-Stage Side Channel Analysis","publication_year":2023,"publication_date":"2023-12-13","ids":{"openalex":"https://openalex.org/W4391182416","doi":"https://doi.org/10.1109/asianhost59942.2023.10409396"},"language":"en","primary_location":{"id":"doi:10.1109/asianhost59942.2023.10409396","is_oa":false,"landing_page_url":"https://doi.org/10.1109/asianhost59942.2023.10409396","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 Asian Hardware Oriented Security and Trust Symposium (AsianHOST)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5049620882","display_name":"Ya Gao","orcid":"https://orcid.org/0000-0002-5296-5918"},"institutions":[{"id":"https://openalex.org/I162868743","display_name":"Tianjin University","ror":"https://ror.org/012tb2g32","country_code":"CN","type":"education","lineage":["https://openalex.org/I162868743"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Ya Gao","raw_affiliation_strings":["Tianjin University,School of Microelectronics","School of Microelectronics, Tianjin University"],"affiliations":[{"raw_affiliation_string":"Tianjin University,School of Microelectronics","institution_ids":["https://openalex.org/I162868743"]},{"raw_affiliation_string":"School of Microelectronics, Tianjin University","institution_ids":["https://openalex.org/I162868743"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5060297615","display_name":"Haocheng Ma","orcid":"https://orcid.org/0000-0002-7118-9379"},"institutions":[{"id":"https://openalex.org/I162868743","display_name":"Tianjin University","ror":"https://ror.org/012tb2g32","country_code":"CN","type":"education","lineage":["https://openalex.org/I162868743"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Haocheng Ma","raw_affiliation_strings":["Tianjin University,School of Microelectronics","School of Microelectronics, Tianjin University"],"affiliations":[{"raw_affiliation_string":"Tianjin University,School of Microelectronics","institution_ids":["https://openalex.org/I162868743"]},{"raw_affiliation_string":"School of Microelectronics, Tianjin University","institution_ids":["https://openalex.org/I162868743"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5102608761","display_name":"Mingkai Yan","orcid":null},"institutions":[{"id":"https://openalex.org/I162868743","display_name":"Tianjin University","ror":"https://ror.org/012tb2g32","country_code":"CN","type":"education","lineage":["https://openalex.org/I162868743"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Mingkai Yan","raw_affiliation_strings":["Tianjin University,School of Microelectronics","School of Microelectronics, Tianjin University"],"affiliations":[{"raw_affiliation_string":"Tianjin University,School of Microelectronics","institution_ids":["https://openalex.org/I162868743"]},{"raw_affiliation_string":"School of Microelectronics, Tianjin University","institution_ids":["https://openalex.org/I162868743"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5012948983","display_name":"Jiaji He","orcid":"https://orcid.org/0000-0003-1443-9279"},"institutions":[{"id":"https://openalex.org/I162868743","display_name":"Tianjin University","ror":"https://ror.org/012tb2g32","country_code":"CN","type":"education","lineage":["https://openalex.org/I162868743"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Jiaji He","raw_affiliation_strings":["Tianjin University,School of Microelectronics","School of Microelectronics, Tianjin University"],"affiliations":[{"raw_affiliation_string":"Tianjin University,School of Microelectronics","institution_ids":["https://openalex.org/I162868743"]},{"raw_affiliation_string":"School of Microelectronics, Tianjin University","institution_ids":["https://openalex.org/I162868743"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100952126","display_name":"Yiqiang Zhao","orcid":"https://orcid.org/0000-0002-4564-952X"},"institutions":[{"id":"https://openalex.org/I162868743","display_name":"Tianjin University","ror":"https://ror.org/012tb2g32","country_code":"CN","type":"education","lineage":["https://openalex.org/I162868743"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yiqiang Zhao","raw_affiliation_strings":["Tianjin University,School of Microelectronics","School of Microelectronics, Tianjin University"],"affiliations":[{"raw_affiliation_string":"Tianjin University,School of Microelectronics","institution_ids":["https://openalex.org/I162868743"]},{"raw_affiliation_string":"School of Microelectronics, Tianjin University","institution_ids":["https://openalex.org/I162868743"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5017464942","display_name":"Yier Jin","orcid":"https://orcid.org/0000-0002-8791-0597"},"institutions":[{"id":"https://openalex.org/I126520041","display_name":"University of Science and Technology of China","ror":"https://ror.org/04c4dkn09","country_code":"CN","type":"education","lineage":["https://openalex.org/I126520041","https://openalex.org/I19820366"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yier Jin","raw_affiliation_strings":["University of Science and Technology of China"],"affiliations":[{"raw_affiliation_string":"University of Science and Technology of China","institution_ids":["https://openalex.org/I126520041"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":6,"corresponding_author_ids":["https://openalex.org/A5049620882"],"corresponding_institution_ids":["https://openalex.org/I162868743"],"apc_list":null,"apc_paid":null,"fwci":0.5245,"has_fulltext":false,"cited_by_count":3,"citation_normalized_percentile":{"value":0.73248076,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":96,"max":97},"biblio":{"volume":null,"issue":null,"first_page":"1","last_page":"6"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10951","display_name":"Cryptographic Implementations and Security","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10951","display_name":"Cryptographic Implementations and Security","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12122","display_name":"Physical Unclonable Functions (PUFs) and Hardware Security","score":0.9873999953269958,"subfield":{"id":"https://openalex.org/subfields/1708","display_name":"Hardware and Architecture"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9549000263214111,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8050717115402222},{"id":"https://openalex.org/keywords/side-channel-attack","display_name":"Side channel attack","score":0.6937358379364014},{"id":"https://openalex.org/keywords/field-programmable-gate-array","display_name":"Field-programmable gate array","score":0.6614203453063965},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.5936737060546875},{"id":"https://openalex.org/keywords/artificial-neural-network","display_name":"Artificial neural network","score":0.5654098391532898},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.5382793545722961},{"id":"https://openalex.org/keywords/classifier","display_name":"Classifier (UML)","score":0.52732914686203},{"id":"https://openalex.org/keywords/feature-extraction","display_name":"Feature extraction","score":0.49164849519729614},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.45612087845802307},{"id":"https://openalex.org/keywords/multilayer-perceptron","display_name":"Multilayer perceptron","score":0.4389134347438812},{"id":"https://openalex.org/keywords/perceptron","display_name":"Perceptron","score":0.41505467891693115},{"id":"https://openalex.org/keywords/focus","display_name":"Focus (optics)","score":0.4121229648590088},{"id":"https://openalex.org/keywords/deep-learning","display_name":"Deep learning","score":0.4109160304069519},{"id":"https://openalex.org/keywords/pattern-recognition","display_name":"Pattern recognition (psychology)","score":0.4088952839374542},{"id":"https://openalex.org/keywords/embedded-system","display_name":"Embedded system","score":0.21261447668075562},{"id":"https://openalex.org/keywords/algorithm","display_name":"Algorithm","score":0.12122994661331177},{"id":"https://openalex.org/keywords/cryptography","display_name":"Cryptography","score":0.1083914041519165}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8050717115402222},{"id":"https://openalex.org/C49289754","wikidata":"https://www.wikidata.org/wiki/Q2267081","display_name":"Side channel attack","level":3,"score":0.6937358379364014},{"id":"https://openalex.org/C42935608","wikidata":"https://www.wikidata.org/wiki/Q190411","display_name":"Field-programmable gate array","level":2,"score":0.6614203453063965},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.5936737060546875},{"id":"https://openalex.org/C50644808","wikidata":"https://www.wikidata.org/wiki/Q192776","display_name":"Artificial neural network","level":2,"score":0.5654098391532898},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.5382793545722961},{"id":"https://openalex.org/C95623464","wikidata":"https://www.wikidata.org/wiki/Q1096149","display_name":"Classifier (UML)","level":2,"score":0.52732914686203},{"id":"https://openalex.org/C52622490","wikidata":"https://www.wikidata.org/wiki/Q1026626","display_name":"Feature extraction","level":2,"score":0.49164849519729614},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.45612087845802307},{"id":"https://openalex.org/C179717631","wikidata":"https://www.wikidata.org/wiki/Q2991667","display_name":"Multilayer perceptron","level":3,"score":0.4389134347438812},{"id":"https://openalex.org/C60908668","wikidata":"https://www.wikidata.org/wiki/Q690207","display_name":"Perceptron","level":3,"score":0.41505467891693115},{"id":"https://openalex.org/C192209626","wikidata":"https://www.wikidata.org/wiki/Q190909","display_name":"Focus (optics)","level":2,"score":0.4121229648590088},{"id":"https://openalex.org/C108583219","wikidata":"https://www.wikidata.org/wiki/Q197536","display_name":"Deep learning","level":2,"score":0.4109160304069519},{"id":"https://openalex.org/C153180895","wikidata":"https://www.wikidata.org/wiki/Q7148389","display_name":"Pattern recognition (psychology)","level":2,"score":0.4088952839374542},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.21261447668075562},{"id":"https://openalex.org/C11413529","wikidata":"https://www.wikidata.org/wiki/Q8366","display_name":"Algorithm","level":1,"score":0.12122994661331177},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.1083914041519165},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.0},{"id":"https://openalex.org/C121332964","wikidata":"https://www.wikidata.org/wiki/Q413","display_name":"Physics","level":0,"score":0.0},{"id":"https://openalex.org/C120665830","wikidata":"https://www.wikidata.org/wiki/Q14620","display_name":"Optics","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/asianhost59942.2023.10409396","is_oa":false,"landing_page_url":"https://doi.org/10.1109/asianhost59942.2023.10409396","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 Asian Hardware Oriented Security and Trust Symposium (AsianHOST)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":13,"referenced_works":["https://openalex.org/W1973695593","https://openalex.org/W2154909745","https://openalex.org/W2951308087","https://openalex.org/W2984453562","https://openalex.org/W3082834449","https://openalex.org/W3114482311","https://openalex.org/W3118164462","https://openalex.org/W3120524050","https://openalex.org/W3213781409","https://openalex.org/W3214131340","https://openalex.org/W4221015304","https://openalex.org/W4224217153","https://openalex.org/W6766787143"],"related_works":["https://openalex.org/W4214838992","https://openalex.org/W2794898833","https://openalex.org/W2076543106","https://openalex.org/W2523437662","https://openalex.org/W89844371","https://openalex.org/W2019891950","https://openalex.org/W2085842814","https://openalex.org/W4286643620","https://openalex.org/W4387048144","https://openalex.org/W2492135063"],"abstract_inverted_index":{"Side":[0],"channel":[1],"analysis":[2,97,108],"(SCA)":[3],"attacks":[4,22,36,64],"have":[5],"become":[6],"emerging":[7],"threats":[8],"to":[9,62,66,79,99,112],"AI":[10,43,57,86],"algorithms":[11],"and":[12,147],"deep":[13],"neural":[14],"network":[15],"(DNN)":[16],"models.":[17],"However,":[18],"most":[19],"existing":[20],"SCA":[21,35,63],"focus":[23],"on":[24,28,37,42,56,84,136],"extracting":[25,38],"models":[26,40,83,125,159],"deployed":[27,41],"embedded":[29],"devices,":[30],"such":[31],"as":[32],"microcontrollers.":[33],"Accurate":[34],"DNN":[39,82,124,141,158],"accelerators":[44,58],"are":[45],"largely":[46],"missing,":[47],"leaving":[48],"researchers":[49],"with":[50],"an":[51,127],"(improper)":[52],"assumption":[53],"that":[54,152],"DNNs":[55],"may":[59],"be":[60],"immune":[61],"due":[65],"their":[67],"complexity.":[68],"In":[69],"this":[70,90],"paper,":[71],"we":[72],"propose":[73],"a":[74,104],"novel":[75],"method,":[76],"namely":[77],"NNLeak":[78,92,118,133,153],"extract":[80,156],"complete":[81,157],"FPGA-based":[85],"accelerators.":[87],"To":[88],"achieve":[89],"goal,":[91],"first":[93],"exploits":[94],"simple":[95],"power":[96,107,162],"(SPA)":[98],"identify":[100],"model":[101,114],"architecture.":[102],"Then":[103],"multi-stage":[105],"correlation":[106],"(CPA)":[109],"is":[110,134],"designed":[111],"recover":[113],"weights":[115],"accurately.":[116],"Finally,":[117],"determines":[119],"the":[120],"activation":[121],"functions":[122],"of":[123,132,139],"through":[126],"AI-oriented":[128],"classifier.":[129],"The":[130],"efficacy":[131],"validated":[135],"FPGA":[137],"implementations":[138],"two":[140],"models,":[142],"including":[143],"multilayer":[144],"perceptron":[145],"(MLP)":[146],"LeNet.":[148],"Experimental":[149],"results":[150],"show":[151],"can":[154],"successfully":[155],"within":[160],"2000":[161],"traces.":[163]},"counts_by_year":[{"year":2025,"cited_by_count":3}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}