Wednesday, March 19, 2025

How TPUXtract Leveraged Keysight Solutions for AI Model Extraction


Artificial Intelligence (AI) is at the heart of modern computing, driving advancements in industries ranging from autonomous systems to enterprise security. However, as AI models become more sophisticated, so do the threats targeting them.

A team of researchers at North Carolina State University (NCSU) recently demonstrated a new technique for extracting AI models from hardware accelerators using electromagnetic side-channel analysis (SCA). This article explores their findings and highlights how Keysight’s Side-Channel Analysis tools aided in validating and executing their attack.

Understanding the Threat: AI Model Extraction via Side-Channel Analysis

The NCSU research team, consisting of Ashley Kurian, Anuj Dubey, Ferhat Yaman and Aydin Aysu, published a white paper in the Journal of Transactions on Cryptographic Hardware and Embedded Systems (TCHES), describing a side-channel attack that enables adversaries to recover AI models running on specialized hardware accelerators. This paper presented the first successful model extraction attack on the Google Edge Tensor Processing Unit (TPU), a commercially available machine learning accelerator. Specifically, they demonstrated a hyperparameter-stealing attack capable of extracting all layer configurations, including layer type, number of nodes, kernel/filter sizes, number of filters, strides, padding, and activation functions. Unlike traditional software-based attacks, this approach exploits unintended data leaks—such as power consumption fluctuations and electromagnetic emissions—to infer AI model parameters. These side-channel leakages can provide an attacker with enough information to reconstruct proprietary models, posing a significant risk to organizations deploying AI-driven solutions in sensitive environments.

Why AI Model Security Matters

The security of AI models extends beyond proprietary intellectual property protection. AI-driven systems in finance, healthcare, and defense depend on the integrity and confidentiality of their models to maintain trust and operational effectiveness. If an adversary can extract and manipulate a model, it could introduce vulnerabilities that could lead to adversarial inputs, biased decision-making, or unauthorized replication of proprietary technology. Addressing these risks requires not only robust cryptographic defenses but also regular security testing to uncover potential weaknesses before attackers do.

Image: Complete (a) and closer (b) view of the experimental setup. The schematic view (c) shows the signal connections in the setup. (TCHES, “TPUXtract: An Exhaustive Hyperparameter Extraction Framework”, p. 95)

Keysight Tools used in TPUXtract

To successfully execute their attack, the NCSU team required precise measurement and analysis of side-channel emissions. Keysight’s industry-leading Side-Channel Analysis tools provided the high-fidelity data acquisition and signal processing capabilities necessary for the research team to identify and exploit key vulnerabilities. Specifically:

  • High-Resolution Signal Capture – Keysight’s transceiver DS1001A enabled the research team to monitor and capture the subtle power fluctuations associated with AI inference operations.
  • Noise Filtering & Data Processing – AI model extraction relies on isolating meaningful side-channel signals from environmental noise. Keysight’s signal processing and filtering techniques allowed researchers to refine their datasets, improving the accuracy of their attack.
  • Time-Synchronized Measurements – Aligning power traces with AI inference operations is critical for successful model extraction. Keysight’s synchronization tools ensured precise timing correlation, helping researchers reconstruct model parameters with greater efficiency.

The research team utilized several Keysight tools to conduct their side-channel analysis effectively:

  • EM Probe Station – This system features a High Precision Electromagnetic (EM) probe DS1203A and the motorized, precision XYZ stage DS1010A, and was used to acquire electromagnetic (EM) emanations from the Edge TPU. By moving over the surface of the Edge TPU, the EM probe helped locate highly active circuits, or hotspots. The signals picked up at a hotspot form the measurements for simple or differential electromagnetic analysis. The XYZ stage let the team scan the chip surface automatically to find the optimal measurement location.
  • Inspector Software – Used to configure measurements, collect data, and analyze side-channel emissions from the Edge TPU, the Inspector software helped the research team streamline their workflow, enabling precise extraction of model parameters.
  • icWaves & Transceiver – The Pattern Based Signal Generator icWaves DS1002A generated a trigger pulse after detecting a pattern in the EM signal collected from the Edge TPU. The transceiver DS1001A performed frequency modulation, effectively filtering signals in real time. This enabled the research team to reduce the noise of signals that were picked up from the EM probe.
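The acquisition chain the bullets above describe (a pattern-triggered capture followed by alignment of the captured traces) as a constructed Python example added here; it is not code from the TPUXtract paper or from Keysight's tools. The Barker-13 sequence, the sine payload and the Gaussian noise model are assumptions standing in for the device-specific EM pattern and signal.

```python
import math
import random

# Barker-13 code stands in for the distinctive EM pattern that the trigger unit
# watches for (constructed; the real pattern is device-specific).
BARKER13 = [1, 1, 1, 1, 1, -1, -1, 1, 1, -1, 1, -1, 1]


def normalized_xcorr(signal, pattern):
    """Normalized cross-correlation of `pattern` at every offset in `signal` (-1..1)."""
    n = len(pattern)
    pm = sum(pattern) / n
    pd = [p - pm for p in pattern]
    pnorm = math.sqrt(sum(x * x for x in pd))
    out = []
    for i in range(len(signal) - n + 1):
        win = signal[i:i + n]
        wm = sum(win) / n
        wd = [w - wm for w in win]
        wnorm = math.sqrt(sum(x * x for x in wd))
        out.append(0.0 if wnorm == 0 or pnorm == 0
                   else sum(a * b for a, b in zip(wd, pd)) / (wnorm * pnorm))
    return out


def find_trigger(signal, pattern, threshold=0.9):
    """First offset where the pattern match exceeds the threshold, or None (no trigger)."""
    for i, c in enumerate(normalized_xcorr(signal, pattern)):
        if c >= threshold:
            return i
    return None


def align_traces(traces, pattern, length, threshold=0.9):
    """Cut each raw trace to a fixed-length window starting at its trigger point;
    traces with no trigger or too little data after it are dropped."""
    aligned = []
    for t in traces:
        idx = find_trigger(t, pattern, threshold)
        if idx is not None and idx + length <= len(t):
            aligned.append(t[idx:idx + length])
    return aligned


def build_dataset(n_traces=5, noise=0.1, seed=1):
    """Constructed raw traces: random-length lead-in, the trigger pattern, then a
    fixed payload, all with Gaussian noise. Returns (traces, true_offsets, payload)."""
    rng = random.Random(seed)
    payload = [math.sin(2 * math.pi * k / 8) for k in range(24)]
    traces, offsets = [], []
    for _ in range(n_traces):
        lead = rng.randint(5, 40)
        clean = [0.0] * lead + BARKER13 + payload
        traces.append([v + rng.gauss(0, noise) for v in clean])
        offsets.append(lead)
    return traces, offsets, payload
```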

The NCSU research team noted:

“Keysight’s implementation security evaluation tools played a crucial role in our TPUXtract project, providing high-fidelity side-channel analysis capabilities that enabled precise hyperparameter extraction from AI accelerators. Their advanced instrumentation and signal processing techniques significantly enhanced our ability to assess the security of AI hardware against sophisticated leakage-based attacks.” – Aydin Aysu, Associate Professor, NCSU

By leveraging Keysight’s side-channel analysis solutions, the NCSU team was able to demonstrate a real-world attack scenario that underscores the importance of securing AI models against hardware-based threats.

Strengthening AI Security: Next Steps for Industry Leaders

While AI model extraction via side-channel analysis presents new challenges, proactive security testing remains the most effective defense. Organizations developing AI-driven hardware and software solutions should consider incorporating device side-channel resistance testing into their security validation processes. Keysight provides industry-leading tools and expertise to help organizations assess and mitigate these risks.

Key Recommendations:

  • Integrate side-channel security testing early – Evaluating hardware and software security before deployment helps identify vulnerabilities before they can be exploited.
  • Adopt AI model obfuscation techniques – Implementing cryptographic techniques such as differential privacy and homomorphic encryption can enhance AI model resilience.
  • Collaborate with security experts – Partnering with industry leaders like Keysight Device Security Lab ensures access to state-of-the-art security testing methodologies.

For more information on how Keysight can help secure your AI-driven systems, contact us at [email protected].
