## Diagram: Deep Learning Task vs. Side-Channel Attack ### Overview The image presents a diagram comparing a deep learning task with a side-channel attack. It illustrates the flow of data and processes in both scenarios, highlighting how a side-channel attack can be used to infer information about the deep learning model. ### Components/Axes * **Title:** Deep learning task vs. Side-channel attack * **Top Section (Deep learning task):** * Enclosed in a green dashed box labeled "Deep learning task". * Components: * "Images" (green box) * "AI device" (green box) * "Classification result" (green box) * **Bottom Section (Side-channel attack):** * Enclosed in a red dashed box labeled "Side-channel attack". * Components: * "Data acquisition circuit" (orange box) * "Power extraction data set" (orange box) * "SVM classifier" (orange box) * "Results" (orange box) * **Connecting Elements:** * Arrow from "Images" to "Data acquisition circuit" with a devil face icon. * Dotted arrow from "Classification result" to "DNN architecture" labeled "Model identification". * Arrow from "Results" to "DNN architecture" with an eye icon. ### Detailed Analysis * **Deep Learning Task Flow:** The deep learning task starts with "Images" as input, which are processed by an "AI device" to produce a "Classification result". * **Side-Channel Attack Flow:** The side-channel attack begins with a "Data acquisition circuit", which captures data related to the deep learning task. This data is used to create a "Power extraction data set". An "SVM classifier" processes this data to produce "Results". * **Attack Vector:** The arrow from "Images" to "Data acquisition circuit" with the devil face icon indicates that the side-channel attack is initiated during the image processing stage of the deep learning task. * **Model Identification:** The dotted arrow from "Classification result" to "DNN architecture" represents the normal model identification process. * **Inference:** The arrow from "Results" to "DNN architecture" with the eye icon suggests that the side-channel attack results can be used to infer information about the "DNN architecture". ### Key Observations * The diagram clearly distinguishes between the normal operation of a deep learning task and a side-channel attack targeting it. * The side-channel attack leverages power consumption data to infer information about the deep learning model. * The devil face icon emphasizes the malicious nature of the side-channel attack. ### Interpretation The diagram illustrates how a side-channel attack can compromise the security of a deep learning system. By monitoring the power consumption of the "AI device" during image processing, an attacker can extract sensitive information about the "DNN architecture". This information can then be used to reverse engineer the model, potentially leading to intellectual property theft or the development of adversarial attacks. The diagram highlights the importance of implementing countermeasures to protect deep learning systems against side-channel attacks.

\n ## Diagram: Deep Learning Model Identification via Side-Channel Attack ### Overview This diagram illustrates a system for identifying the architecture of a Deep Neural Network (DNN) used in a deep learning task through a side-channel attack. The diagram is divided into two main sections: a "Deep learning task" section (top, green dashed border) and a "Side-channel attack" section (bottom, red dashed border). Data flows from left to right within each section, and a connection exists between the output of the deep learning task and the input of the side-channel attack. ### Components/Axes The diagram consists of the following components: * **Deep learning task:** * "Images" (input) * "AI device" (processing unit) * "Classification result" (output) * "DNN architecture" (target of identification) * **Side-channel attack:** * "Data acquisition circuit" (input) * "Power extraction data set" (intermediate data) * "SVM classifier" (processing unit) * "Results" (output) * **Arrows:** Indicate the flow of data and information. * **Icons:** A devil face icon is positioned above the arrow connecting "Images" to "Data acquisition circuit", and an eye icon is positioned above the arrow connecting "Classification result" to "Results". * **Labels:** "Deep learning task" (top), "Model identification" (connecting the two sections), "Side-channel attack" (bottom). ### Detailed Analysis or Content Details The diagram shows a process where images are fed into an AI device, which produces a classification result. The underlying DNN architecture is the target of identification. Simultaneously, a side-channel attack is performed. The data acquisition circuit captures power consumption data during the deep learning task, creating a power extraction data set. This data set is then fed into an SVM classifier, which produces results that are used to identify the DNN architecture. The flow of information is as follows: 1. Images enter the "AI device" and are processed. 2. The "AI device" outputs a "Classification result". 3. The "Classification result" is used to identify the "DNN architecture". 4. The "Data acquisition circuit" monitors the "AI device" during processing. 5. The "Data acquisition circuit" generates a "Power extraction data set". 6. The "Power extraction data set" is input into the "SVM classifier". 7. The "SVM classifier" outputs "Results". The devil face icon suggests a malicious intent or attack on the system, while the eye icon suggests observation or monitoring. ### Key Observations The diagram highlights the vulnerability of deep learning models to side-channel attacks. The attacker doesn't directly access the model parameters but infers them by analyzing the power consumption of the device during operation. The use of an SVM classifier suggests a machine learning approach to analyze the power data and identify patterns related to the DNN architecture. ### Interpretation This diagram demonstrates a security threat to deep learning systems. The attacker leverages the physical characteristics of the hardware (power consumption) to gain information about the model's internal structure. This is a significant concern, as it could allow an adversary to reverse-engineer a proprietary model or compromise its security. The diagram suggests a two-pronged approach: a standard deep learning task and a parallel side-channel attack. The attacker aims to correlate the classification results with the power consumption patterns to deduce the DNN architecture. The use of an SVM classifier indicates that the attacker is employing machine learning techniques to analyze the side-channel data. The icons of the devil and the eye emphasize the adversarial nature of the attack and the monitoring aspect, respectively. This diagram is a conceptual illustration of a potential attack vector and doesn't provide specific data or numerical values. It serves as a high-level overview of the attack process.

\n ## Diagram: Deep Learning Task and Side-Channel Attack Flow ### Overview The image is a technical flowchart diagram illustrating a two-part process: a legitimate "Deep learning task" and a malicious "Side-channel attack" that targets it. The diagram shows how an attacker can use physical side-channel information (power consumption) to infer the architecture of a Deep Neural Network (DNN) being used for image classification. ### Components/Axes The diagram is divided into two main sections, visually separated by dashed boxes and color-coding. **1. Top Section: Deep Learning Task (Green Dashed Box)** * **Title:** "Deep learning task" (centered above the box). * **Components (Green Boxes, left to right):** * `Images` * `AI device` * `Classification result` * **Flow:** Solid black arrows connect the components in sequence: `Images` → `AI device` → `Classification result`. * **Output:** A dotted black arrow labeled `Model identification` points from the `Classification result` box to an orange box outside the dashed line labeled `DNN architecture`. **2. Bottom Section: Side-channel Attack (Red Dashed Box)** * **Title:** "Side-channel attack" (centered below the box). * **Components (Orange Boxes, left to right):** * `Data acquisition circuit` * `Power extraction data set` * `SVM classifier` * `Results` * **Flow:** Solid black arrows connect the components in sequence: `Data acquisition circuit` → `Power extraction data set` → `SVM classifier` → `Results`. **3. Inter-Section Connections & Symbols** * **Attack Vector:** A thick, solid black arrow points downward from the `Images` box in the top section to the `Data acquisition circuit` box in the bottom section. Next to this arrow is a red devil emoji (😈), symbolizing a malicious attack. * **Inference Path:** A thick, solid black arrow points upward from the `Results` box in the bottom section to the `DNN architecture` box. Next to this arrow is an eye emoji (👁️), symbolizing observation or inference. ### Detailed Analysis The diagram depicts a cause-and-effect relationship between a standard AI workflow and a security exploit. * **Legitimate Process:** An AI system processes input `Images` on an `AI device` to produce a `Classification result`. This process inherently uses a specific `DNN architecture`. * **Attack Process:** An attacker uses a `Data acquisition circuit` to measure physical signals (implied to be power consumption) from the AI device while it processes images. This raw data is processed into a `Power extraction data set`. This dataset is then fed into a Support Vector Machine (`SVM classifier`) to analyze patterns. The output `Results` of this analysis are used to infer or identify the target `DNN architecture`. * **Spatial Grounding:** The attack components are positioned directly below the corresponding legitimate components they target. The `Data acquisition circuit` is below `Images`, and the final `Results` feed back up to the `DNN architecture`, creating a closed loop of attack and inference. ### Key Observations 1. **Attack Target:** The attack does not target the input images or the final classification result directly. Instead, it targets the intermediate physical implementation (the "AI device") to extract information about the model's structure (`DNN architecture`). 2. **Methodology:** The attack uses a classic side-channel analysis pipeline: data acquisition → feature extraction (power traces) → machine learning classification (SVM) → result interpretation. 3. **Information Flow:** The diagram shows two parallel flows: the intended data flow (images to classification) and the adversarial information flow (power traces to architecture identification). The devil and eye emojis clearly mark the malicious intent and the observational goal, respectively. 4. **Component Isolation:** The use of separate dashed boxes (green for legitimate, red for attack) and distinct box colors (green vs. orange) effectively isolates the two systems for clear analysis. ### Interpretation This diagram illustrates a significant security vulnerability in hardware implementations of deep learning models. It demonstrates that the physical side effects of computation (like power draw) can leak sensitive information about the software model being executed. * **What it means:** Even if the model's weights and parameters are kept secret, its architectural "fingerprint" can be stolen through careful measurement and analysis. This is a form of model extraction or reverse engineering. * **Why it matters:** Such attacks can compromise intellectual property, enable adversarial attacks tailored to a specific architecture, or undermine security in sensitive applications where model secrecy is required. * **Underlying Principle:** The diagram embodies the core principle of side-channel attacks: exploiting the gap between a system's abstract logical function (running a DNN) and its physical implementation (consuming power in a pattern correlated with that function). The SVM classifier acts as the tool that bridges this gap, learning the mapping from power patterns to architectural features.

## Diagram: Deep Learning Task vs. Side-Channel Attack Workflow ### Overview The diagram contrasts two parallel processes: 1. **Legitimate Deep Learning Task** (top section, green boxes) 2. **Side-Channel Attack** (bottom section, orange boxes) Both processes interact with a shared "DNN Architecture" component, with the attack aiming to reverse-engineer the model. --- ### Components/Axes #### Top Section (Deep Learning Task): - **Images** → **AI Device** → **Classification Result** - Arrows indicate sequential flow. - Dashed line labeled **"Model identification"** connects to **DNN Architecture**. - Eye icon with upward arrow suggests model transparency or monitoring. #### Bottom Section (Side-Channel Attack): - **Data Acquisition Circuit** → **Power Extraction Dataset** → **SVM Classifier** → **Results** - Red dashed line labeled **"Side-channel attack"** connects the two sections. - Devil emoji (😈) symbolizes malicious intent. #### Shared Elements: - **DNN Architecture**: Central target for both processes. - **Legend**: - Green boxes = Legitimate workflow. - Orange boxes = Attack workflow. --- ### Detailed Analysis 1. **Legitimate Workflow**: - Images are processed by an AI device to produce classification results. - The model architecture is inferred from the classification outcome (dashed line). 2. **Attack Workflow**: - A data acquisition circuit extracts power consumption data during AI operations. - The power data is analyzed using an SVM classifier to reconstruct the DNN architecture. - The devil emoji emphasizes the adversarial nature of this process. 3. **Interaction**: - The attack aims to reverse-engineer the DNN architecture (via power data) to replicate or exploit the model. - The eye icon implies potential detection mechanisms for such attacks. --- ### Key Observations - **Color Coding**: Green (legitimate) vs. Orange (attack) visually distinguishes the two processes. - **Dashed Lines**: Indicate indirect relationships (e.g., model identification via classification results). - **Icons**: - Devil (😈) = Malicious intent. - Eye = Surveillance or detection. --- ### Interpretation This diagram illustrates a **security vulnerability** in AI systems: - **Legitimate Use**: Focuses on input (images) → processing (AI device) → output (classification). - **Attack Vector**: Exploits physical side channels (power consumption) to extract model architecture details. - **Implications**: - Attackers can reconstruct DNN architectures without access to training data or code. - The SVM classifier in the attack workflow suggests machine learning is used to map power traces to model structures. - The eye icon hints at countermeasures (e.g., anomaly detection in power usage). The diagram underscores the need for **hardware-aware security** in AI deployments to prevent model theft via side-channel attacks.