@inproceedings{656fdaf5ef0c470db8d41b883b4c44f4,
title = "DeepFreeze: Cold Boot Attacks and High Fidelity Model Recovery on Commercial EdgeML Device",
abstract = "EdgeML accelerators like Intel Neural Compute Stick 2 (NCS) can enable efficient edge-based inference with complex pre-trained models. The models are loaded in the host (like Raspberry Pi) and then transferred to NCS for inference. In this paper, we demonstrate practical and low-cost cold boot based model recovery attacks on NCS to recover the model architecture and weights, loaded from the Raspberry Pi. The architecture is recovered with 100% success and weights with an error rate of 0.04%. The recovered model reports maximum accuracy loss of 0.5% as compared to original model and allows high fidelity transfer of adversarial examples. We further extend our study to other cold boot attack setups reported in the literature with higher error rates leading to accuracy loss as high as 70%. We then propose a methodology based on knowledge distillation to correct the erroneous weights in recovered model, even without access to original training data. The proposed attack remains unaffected by the model encryption features of the OpenVINO and NCS framework.",
keywords = "Cold Boot Attack, EdgeML, Intel Neural Compute Stick 2, Model Recovery",
author = "Yoo-Seung Won and Soham Chatterjee and Dirmanto Jap and Arindam Basu and Shivam Bhasin",
year = "2021",
doi = "10.1109/ICCAD51958.2021.9643512",
language = "English",
isbn = "9781665445085",
series = "IEEE/ACM International Conference on Computer-Aided Design, Digest of Technical Papers, ICCAD",
publisher = "IEEE",
booktitle = "2021 IEEE/ACM International Conference on Computer-Aided Design (ICCAD)",
address = "United States",
edition = "40th",
note = "40th IEEE/ACM International Conference on Computer-Aided Design (ICCAD 2021) ; Conference date: 01-11-2021 Through 04-11-2021",
}