FeatureBleed: Inferring Private Enriched Attributes From Sparsity-Optimized AI Accelerators

📅 2026-02-20
📈 Citations: 0
Influential: 0
📄 PDF

career value

223K/year
🤖 AI Summary
This work reveals a previously unexplored hardware-level privacy vulnerability in AI accelerators, where sparsity optimizations—such as zero-skipping designed to enhance performance—leak private input features through timing side channels, thereby compromising data confidentiality. The study proposes the first generic, cross-platform timing attack that infers hidden features with high accuracy using only execution time, without relying on traditional side channels like power consumption, voltage fluctuations, or cache behavior. Evaluated across diverse platforms including Intel AVX/AMX and NVIDIA A100, and models ranging from DNNs to CNNs, the attack achieves up to 98.87% accuracy advantage on medical and socioeconomic datasets. To mitigate this threat, the authors design a lightweight padding-based defense that incurs only a 7.24% average performance overhead without increasing power consumption.

Technology Category

Application Category

📝 Abstract
Backend enrichment is now widely deployed in sensitive domains such as product recommendation pipelines, healthcare, and finance, where models are trained on confidential data and retrieve private features whose values influence inference behavior while remaining hidden from the API caller. This paper presents the first hardware-level backend retrieval data-stealing attack, showing that accelerator optimizations designed for performance can directly undermine data confidentiality and bypass state-of-the-art privacy defenses. Our attack, FEATUREBLEED, exploits zero-skipping in AI accelerators to infer private backend-retrieved features solely through end-to-end timing, without relying on power analysis, DVFS manipulation, or shared-cache side channels. We evaluate FEATUREBLEED on three datasets spanning medical and non-medical domains: Texas-100X (clinical records), OrganAMNIST (medical imaging), and Census-19 (socioeconomic data). We further evaluate FEATUREBLEED across three hardware backends (Intel AVX, Intel AMX, and NVIDIA A100) and three model architectures (DNNs, CNNs, and hybrid CNN-MLP pipelines), demonstrating that the leakage generalizes across CPU and GPU accelerators, data modalities, and application domains, with an adversarial advantage of up to 98.87 percentage points. Finally, we identify the root cause of the leakage as sparsity-driven zero-skipping in modern hardware. We quantify the privacy-performance-power trade-off: disabling zero-skipping increases Intel AMX per-operation energy by up to 25 percent and incurs 100 percent performance overhead. We propose a padding-based defense that masks timing leakage by equalizing responses to the worst-case execution time, achieving protection with only 7.24 percent average performance overhead and no additional power cost.
Problem

Research questions and friction points this paper is trying to address.

backend enrichment
private features
timing side channel
AI accelerators
data confidentiality
Innovation

Methods, ideas, or system contributions that make the work stand out.

zero-skipping
timing side channel
backend enrichment
AI accelerator
privacy-performance trade-off
🔎 Similar Papers