一种面向NPU内存侧信道攻击的安全防护方案

doi:10.3969/j.issn.1671-1122.2025.06.012

摘要/Abstract

摘要：

随着人工智能技术的快速发展，NPU在智能手机、自动驾驶、边缘计算等领域的应用日益广泛。然而，现有的NPU架构在抵御内存侧信道攻击方面存在不足，攻击者可以通过分析内存访问模式逆向推导出DNN模型的结构和参数。为应对这一挑战，文章提出一种面向NPU内存侧信道攻击的安全防护方案——NPUGuard，该方案通过特征图划分和加密压缩引擎两个关键模块，从增加层边界、混淆数据地址和加密保护数据3个方面提供安全保障。实验结果表明，NPUGuard能够有效增加层边界，使攻击者通过内存侧信道攻击逆向推导的可能网络数量从24种增加到7.86×105种；基于混沌映射的数据加密压缩算法在加密数据的同时，可降低60%的存储空间。此外，NPUGuard仅带来5%的性能损失，处于可接受范围，有效平衡了安全与性能之间的关系。

关键词: 侧信道防护, NPU安全, 特征图划分, 数据加密压缩

Abstract:

With rapid advancement of artificial intelligence technology, neural processing units(NPU) have been widely adopted in smartphones, autonomous vehicles, and edge computing. However, existing NPU architectures demonstrated vulnerabilities against memory side-channel attacks, where attackers could reverse-engineer deep neural networks(DNN) model structures and parameters by analyzing memory access patterns. To address this issue, this paper proposed NPUGuard, a security protection scheme featuring two core modules: feature map partitioning module and encrypted compression engine. The solution enhanced security through three approaches: layer boundary expansion, data address obfuscation, and data encryption protection. Experimental results show that NPUGuard effectively increases layer boundaries, expanding potential reverse-engineered network configurations from 24 to 7.86×105. The chaos mapping-based encryption algorithm achieves 60% storage reduction while encrypting sensitive data. Moreover, NPUGuard introduces only 5% performance overhead, demonstrating effective balance between security enhancement and computational efficiency.

Key words: side-channel protection, NPU security, feature map partitioner, data encryption and compression

中图分类号:

TP309

胡文澳, 严飞, 张立强. 一种面向NPU内存侧信道攻击的安全防护方案[J]. 信息网络安全, 2025, 25(6): 977-987.

HU Wenao, YAN Fei, ZHANG Liqiang. A Security Protection Scheme against Memory Side-Channel Attacks on NPU[J]. Netinfo Security, 2025, 25(6): 977-987.

图/表 13

图1

图2

图3

图4

表1

图5

图6

图7

图8

表2

图9

图10

图11

参考文献 26

[1]	ZOTING S. Artificial Intelligence(AI) in Hardware Market Size, Share, and Trends 2025 to 2034[EB/OL]. [2025-01-10]. https://www.precedenceresearch.com/artificial-intelligence-in-hardware-market.
[2]	WANG Xingbin, HOU Rui, ZHU Yifan, et al. NPUFort: A Secure Architecture of DNN Accelerator against Model Inversion Attack[C]// ACM. 16th ACM International Conference on Computing Frontiers. New York: ACM, 2019: 190-196.
[3]	ZUO Pengfei, HUA Yu, LIANG Ling, et al. Sealing Neural Network Models in Encrypted Deep Learning Accelerators[C]// IEEE. 2021 58th ACM/IEEE Design Automation Conference(DAC). New York: IEEE, 2021: 1255-1260.
[4]	WEERASENA H, MISHRA P. Revealing CNN Architectures via Side-channel Analysis in Dataflow-Based Inference Accelerators[J]. ACM Transactions on Embedded Computing Systems, 2024, 23(6): 1-25.
[5]	HUA Weizhe, ZHANG Zhiru, SUH G E. Reverse Engineering Convolutional Neural Networks through Side-Channel Information Leaks[C]// ACM. 55th Annual Design Automation Conference. New York: ACM, 2018: 1-6.
[6]	YANG Dingqing, NAIR P J, LIS M. HuffDuff: Stealing Pruned DNNs from Sparse Accelerators[C]// ACM. The 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems. New York: ACM, 2023: 385-399.
[7]	HU Xing, LIANG Ling, LI Shuangchen, et al. DeepSniffer: A DNN Model Extraction Framework Based on Learning Architectural Hints[C]// ACM. The Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems. New York: ACM, 2020: 385-399.
[8]	HUANG Yongbing, CHEN Licheng, CUI Zehan, et al. HMTT: A Hybrid Hardware/Software Tracing System for Bridging the DRAM Access Trace’s Semantic Gap[J]. ACM Transactions on Architecture and Code Optimization(TACO), 2014, 11(1): 1-25.
[9]	FLETCHER C W, REN Ling, KWON A, et al. A Low-Latency, Low-Area Hardware Oblivious RAM Controller[C]// IEEE. 2015 IEEE 23rd Annual International Symposium on Field-Programmable Custom Computing Machines. New York: IEEE, 2015: 215-222.
[10]	LIU Yuntao, DACHMAN-SOLED D, SRIVASTAVA A. Mitigating Reverse Engineering Attacks on Deep Neural Networks[C]// IEEE. 2019 IEEE Computer Society Annual Symposium on VLSI (ISVLSI). New York: IEEE, 2019: 657-662.
[11]	LI Jingtao, HE Zhezhi, RAKIN A S, et al. Neurobfuscator: A Full-stack Obfuscation Tool to Mitigate Neural Architecture Stealing[C]// IEEE. 2021 IEEE International Symposium on Hardware Oriented Security and Trust(HOST). New York: IEEE, 2021: 248-258.
[12]	CHE Yuezhi, WANG Rujia. DNNCloak: Secure DNN Models against Memory Side-Channel Based Reverse Engineering Attacks[C]// IEEE. 2022 IEEE 40th International Conference on Computer Design(ICCD). New York: IEEE, 2022: 89-96.
[13]	CHEN Yuxin, YANG Tianyu, EMER J, et al. Eyeriss v2: A Flexible Accelerator for Emerging Deep Neural Networks on Mobile Devices[J]. IEEE Journal on Emerging and Selected Topics in Circuits and Systems, 2019, 9(2): 292-308. doi: 10.1109/JETCAS.2019.2910232
[14]	LIU Fangxin, YANG Ning, LI Haoming, et al. SPARK: Scalable and Precision-Aware Acceleration of Neural Networks via Efficient Encoding[C]// IEEE. 2024 IEEE International Symposium on High-Performance Computer Architecture(HPCA). New York: IEEE, 2024: 1029-1042.
[15]	YAN Mengjia, FLETCHER C W, TORRELLAS J. Cache Telepathy: Leveraging Shared Resource Attacks to Learn DNN Architectures[C]// USENIX. 29th USENIX Security Symposium(USENIX Security 20). Berkeley: USENIX, 2020: 2003-2020.
[16]	GAO Yansong, QIU Huming, ZHANG Zhi, et al. DeepTheft: Stealing DNN Model Architectures through Power Side Channel[C]// IEEE. 2024 IEEE Symposium on Security and Privacy(SP). New York: IEEE, 2024: 3311-3326.
[17]	WEI Junyi, ZHANG Yicheng, ZHOU Zhe, et al. Leaky DNN: Stealing Deep-Learning Model Secret with GPU Context-Switching Side-Channel[C]// IEEE. 2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks(DSN). New York: IEEE, 2020: 125-137.
[18]	MAIA H T, XIAO Chang, LI Dingzeyu, et al. Can One Hear the Shape of a Neural Network: Snooping the GPU via Magnetic Side Channel[C]// USENIX. 31th USENIX Security Symposium(USENIX Security 22). Berkeley: USENIX, 2022: 4383-4400.
[19]	RAKIN A S, CHOWDHURYY M H I, YAO Fan, et al. DeepSteal: Advanced Model Extractions Leveraging Efficient Weight Stealing in Memories[C]// IEEE. 2022 IEEE Symposium on Security and Privacy(SP). New York: IEEE, 2022: 1157-1174.
[20]	SUN Yu, XIONG Gaojian, LIU Xiao, et al. A Survey on Trusted Execution Environment Based Secure Inference[J]. Netinfo Security, 2024, 24(12): 1799-1818.
	孙钰, 熊高剑, 刘潇, 等. 基于可信执行环境的安全推理研究进展[J]. 信息网络安全, 2024, 24(12):1799-1818.
[21]	LEE S, KIM J, NA S, et al. TNPU: Supporting Trusted Execution with Tree-less Integrity Protection for Neural Processing Unit[C]// IEEE. 2022 IEEE International Symposium on High-Performance Computer Architecture(HPCA). New York: IEEE, 2022: 229-243.
[22]	SHRIVASTAVA N, SARANGI S R. Securator: A Fast and Secure Neural Processing Unit[C]// IEEE. 2023 IEEE International Symposium on High-Performance Computer Architecture(HPCA). New York: IEEE, 2023: 1127-1139.
[23]	FENG Erhu, FENG Dahu, DU Dong, et al. sNPU: Trusted Execution Environments on Integrated NPUs[C]// IEEE. 2024 ACM/IEEE 51st Annual International Symposium on Computer Architecture(ISCA). New York: IEEE, 2024: 708-723.
[24]	ZHAO Geng, MA Yingjie, DONG Youheng. New Progress in Research and Application of Chaotic Cryptography Theory[J]. Netinfo Security, 2024, 24(2): 203-216.
	赵耿, 马英杰, 董有恒. 混沌密码理论研究与应用新进展[J]. 信息网络安全, 2024, 24(2):203-216.
[25]	SAMAJDAR A, JOSEPH J M, ZHU Yuhao, et al. A Systematic Methodology for Characterizing Scalability of DNN Accelerators Using Scale-sim[C]// IEEE. 2020 IEEE International Symposium on Performance Analysis of Systems and Software(ISPASS). New York: IEEE, 2020: 58-68.
[26]	LEE J, PARK S, MO S, et al. Layer-adaptive Sparsity for the Magnitude-Based Pruning[C]// ICLR. The Ninth International Conference on Learning Representations. Vienna: ICLR, 2021: 1-19.

混沌映射	映射函数	参数
Tent	${{x}_{i+1}}=\frac{{{x}_{i}}}{a}~,x\in \left( 0,a \right);{{x}_{i+1}}=\frac{{{x}_{i}}}{1-a},x\in \left[ a,1 \right)$	a = 0.49
Logisitc	${{x}_{i+1}}=a\times {{x}_{i}}\times \left( 1-{{x}_{i}} \right)$	a = 3.98
Sine	${{x}_{i+1}}=\frac{4}{a}\times \sin \left( \text{ }\!\!\pi\!\!\text{ }{{x}_{i}} \right)$	a = 4
Chebyshev	${{x}_{i+1}}=\cos \left( a\times {{\cos }^{-1}}{{x}_{i}} \right)$	a = 4
Cubic	${{x}_{i+1}}=a\times {{x}_{i}}\times \left( 1-x_{i}^{2} \right)$	a = 2.595