Side channel attacks for architecture extraction of neural networks

Side channel attacks (SCAs) on neural networks (NNs) are particularly efficient for retrieving secret information from NNs. We differentiate multiple types of threat scenarios regarding what kind of information is available before the attack and its purpose: recovering hyperparameters (the architecture) of the targeted NN, its weights (parameters), or its inputs. In this survey article, we consider the most relevant attacks to extract the architecture of CNNs. We also categorize SCAs, depending on access with respect to the victim: physical, local, or remote. Attacks targeting the architecture via local SCAs are most common. As of today, physical access seems necessary to retrieve the weights of an NN. We notably describe cache attacks, which are local SCAs aiming to extract the NN's underlying architecture. Few countermeasures have emerged; these are presented at the end of the survey.