How to Steal an AI Model Without Actually Hacking Anything


Artificial intelligence models can be surprisingly stealable, provided you somehow manage to sniff out the model’s electromagnetic signature. While repeatedly stressing that they don’t actually want to help people attack neural networks, researchers at North Carolina State University have described one such technique in a new paper. All they needed was an electromagnetic probe, several pre-trained, open-source AI models and a Google Edge Tensor Processing Unit (TPU). Their method involves analyzing the electromagnetic radiation of a TPU chip while it is actively running.

“It’s quite expensive to build and train a neural network,” said the study’s lead author and NC State Ph.D. student Ashley Kurian in a call with Gizmodo. “It’s an intellectual property that’s owned by a company, and it takes a significant amount of time and computing resources. For example, ChatGPT—it’s made up of billions of parameters, which are kind of secret. When someone steals it, ChatGPT is theirs. You know, they don’t have to pay for it and they can sell it.”

Theft is already a high-profile concern in the AI world. Yet it usually runs the other way around, with AI developers training their models on copyrighted works without permission from their human creators. That overwhelming pattern is sparking lawsuits and even tools that help artists fight back by “poisoning” art generators.

“Electromagnetic data from sensors essentially gives us a ‘signature’ of AI processing behavior,” Kurian explained in a statement. That, she says, is the “easy part.” But to work out the model’s hyperparameters—its architecture and defining details—they had to compare the electromagnetic field data with data captured while other AI models ran on the same chip.

By doing so, they were able to “determine the architecture and specific features – known as layer details – that we would need to make a copy of the AI model,” explained Kurian, who added that they “could do this with 99.91% accuracy.” Crucially, the researchers had physical access to the chip, both to probe it and to run other models on it. They also worked directly with Google to help the company determine whether its chips were vulnerable.

Kurian speculated that capturing running models on a smartphone, for example, would also be possible — but the super-compact design of such devices would naturally make monitoring electromagnetic signals more complicated.

“Side channel attacks on edge devices are nothing new,” Mehmet Senkan, a security researcher at AI standards nonprofit Atlas Computing, told Gizmodo. But this particular technique is “significant in extracting the hyperparameters of the entire model architecture.” Because AI hardware “performs inferences in plaintext,” Senkan explains, “anyone who deploys their models at the edge or on a server that’s not physically secure has to assume that their architectures can be figured out by massive searches.”
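The researchers’ comparison step, and Sencan’s warning that edge hardware “performs inferences in plaintext,” both rest on one question a deployment team can test for itself: do traces captured while two different architectures run on the same chip differ in a statistically detectable way? The following leakage assessment is an added example, not code from the paper or from NC State; it applies a per-sample Welch t-test (the standard side-channel leakage check) to constructed stand-in traces, where each layer contributes a plateau whose height scales with the layer’s width. The `synth_trace` model, the 4.5 threshold and all numbers are assumptions for illustration.

```python
import random
from math import sqrt
from statistics import mean, variance

def synth_trace(layer_widths, samples_per_layer=8, noise=0.3, rng=None):
    """Constructed stand-in for a captured EM trace (hypothetical model).

    Each layer emits `samples_per_layer` amplitude samples around a level
    proportional to its width, plus Gaussian noise. A real TPU trace is far
    denser and noisier; the shape here only exists to exercise the test.
    """
    rng = rng or random.Random(0)
    trace = []
    for width in layer_widths:
        level = 0.01 * width
        trace.extend(level + rng.gauss(0, noise) for _ in range(samples_per_layer))
    return trace

def welch_t(group_a, group_b):
    """Per-sample Welch t-statistic between two sets of equal-length traces."""
    n_a, n_b = len(group_a), len(group_b)
    t_vals = []
    for i in range(len(group_a[0])):
        xa = [tr[i] for tr in group_a]
        xb = [tr[i] for tr in group_b]
        denom = sqrt(variance(xa) / n_a + variance(xb) / n_b) or 1e-12
        t_vals.append((mean(xa) - mean(xb)) / denom)
    return t_vals

def leaky_samples(t_vals, threshold=4.5):
    """Indices whose |t| exceeds the threshold, i.e. where the traces
    distinguish the two architectures with high confidence."""
    return [i for i, t in enumerate(t_vals) if abs(t) > threshold]

def assess(widths_a, widths_b, n_traces=50, seed=1):
    """Capture n_traces per architecture (simulated) and report leaky samples."""
    rng = random.Random(seed)
    group_a = [synth_trace(widths_a, rng=rng) for _ in range(n_traces)]
    group_b = [synth_trace(widths_b, rng=rng) for _ in range(n_traces)]
    return leaky_samples(welch_t(group_a, group_b))

if __name__ == "__main__":
    # Architectures differ only in the middle layer: expect samples 8..15 to leak.
    print("differs in layer 2:", assess([64, 64, 64], [64, 256, 64]))
    # Identical architectures: expect no sample to cross the threshold.
    print("identical:", assess([64, 64, 64], [64, 64, 64]))
```

A non-empty result on real captures means a probe on that device can tell the two configurations apart, which is the precondition for the extraction the article describes and the signal a mitigation (shielding, noise injection, randomized scheduling) must drive below the threshold.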
