AI models can be surprisingly easy to steal, provided you can somehow sniff out the model's electromagnetic signature. While repeatedly insisting that they do not, in fact, want to help people attack neural networks, North Carolina State University researchers describe such a technique in a new paper. All they needed was an electromagnetic probe, several pre-trained open-source AI models, and a Google Edge Tensor Processing Unit (TPU). Their method involves analyzing the electromagnetic radiation emitted while a TPU chip is actively working.
“It is quite expensive to build and train a neural network,” said the study’s lead author and Ph.D. student Ashley Kurian in a call with Gizmodo. “It is an intellectual property that a company owns, and it takes a significant amount of time and computer resources. For example, ChatGPT – it is made of billions of parameters, which is a kind of secret. When someone steals it, ChatGPT is theirs. You know, they don’t have to pay for it, and they might as well sell it.”
Theft is already a high-profile concern in the AI world. However, it is usually the other way around, as AI developers train their models on copyrighted works without permission from their human creators. This has sparked lawsuits, as well as tools that help artists fight back by “poisoning” art generators.
“Electromagnetic data from the sensor essentially gives us a ‘signature’ of AI processing behavior,” Kurian explained in a statement, calling it “the easy part”. But to decipher the model’s hyperparameters, its architecture and layer definition details, they had to compare the electromagnetic field data with data captured while other AI models were running on the same type of chip.
By doing so, “they will be able to determine the architecture and the specific features – known as layer details – we need to make a copy of the AI model,” explained Kurian, who added that they could do so with “99.91% accuracy”. To do this, the researchers had physical access to the chip both for probing and for running the other models. They also worked directly with Google to help the company determine the extent to which its chips were attackable.
Kurian speculated that capturing models running on smartphones, for example, would also be possible — but their super-compact design would make it inherently more complicated to monitor electromagnetic signals.
“Side-channel attacks on edge devices are nothing new,” Mehmet Sencan, a security researcher at Atlas Computing, which works on AI standards, told Gizmodo. But this particular technique “of extracting entire hyperparameters of the model architecture is significant”. Because AI hardware “performs inference in plain text”, Sencan explained, “anyone who implements their models on the board or in any server that is not physically secured should assume that their architectures can be extracted from an extensive probe”.