Train to Defend: First Defense Against Cryptanalytic Neural Network Parameter Extraction Attacks

๐Ÿ“… 2025-09-20
๐Ÿ“ˆ Citations: 0
โœจ Influential: 0
๐Ÿ“„ PDF

career value

187K/year
๐Ÿค– AI Summary
Neural network parameters are vulnerable to cryptanalysis-based model extraction attacks. To address this, this paper proposes, for the first time, an endogenous security defense mechanism: during training, a neuron-weight aggregation regularizer is introduced to minimize intra-layer weight distances, thereby eliminating parameter uniqueness and disrupting parameter-recovery pathways. The method incurs no additional inference-area or latency overhead and seamlessly integrates with standard training pipelines. Theoretically, we establish a quantitative analytical framework for attack success probability. Experimentally, the approach degrades model accuracy by less than 1% across diverse architectures and datasets, andโ€”unlike baseline methods (which suffer complete extraction within 14 minutes to 4 hours)โ€”resists sustained extraction attempts entirely. It thus significantly outperforms existing defenses in both robustness and efficiency.

Technology Category

Application Category

๐Ÿ“ Abstract
Neural networks are valuable intellectual property due to the significant computational cost, expert labor, and proprietary data involved in their development. Consequently, protecting their parameters is critical not only for maintaining a competitive advantage but also for enhancing the model's security and privacy. Prior works have demonstrated the growing capability of cryptanalytic attacks to scale to deeper models. In this paper, we present the first defense mechanism against cryptanalytic parameter extraction attacks. Our key insight is to eliminate the neuron uniqueness necessary for these attacks to succeed. We achieve this by a novel, extraction-aware training method. Specifically, we augment the standard loss function with an additional regularization term that minimizes the distance between neuron weights within a layer. Therefore, the proposed defense has zero area-delay overhead during inference. We evaluate the effectiveness of our approach in mitigating extraction attacks while analyzing the model accuracy across different architectures and datasets. When re-trained with the same model architecture, the results show that our defense incurs a marginal accuracy change of less than 1% with the modified loss function. Moreover, we present a theoretical framework to quantify the success probability of the attack. When tested comprehensively with prior attack settings, our defense demonstrated empirical success for sustained periods of extraction, whereas unprotected networks are extracted between 14 minutes to 4 hours.
Problem

Research questions and friction points this paper is trying to address.

Protecting neural network parameters from cryptanalytic extraction attacks
Eliminating neuron uniqueness required for successful parameter extraction
Developing zero-overhead defense during inference with minimal accuracy impact
Innovation

Methods, ideas, or system contributions that make the work stand out.

Regularization term minimizes neuron weight distances
Extraction-aware training eliminates neuron uniqueness
Zero area-delay overhead during inference
๐Ÿ”Ž Similar Papers
No similar papers found.