Securing Deep Learning Hardware: A Survey of Side-Channel Vulnerabilities and Countermeasures

Document Type: Review Article

Authors

School of Electrical and Computer Engineering, University of Tehran, Tehran, Iran.

DOI: 10.22042/isecure.2026.240526
Abstract
As deep learning models are increasingly deployed in critical sectors such as healthcare, finance, and security, protecting them against emerging threats has become crucial. Among these threats, side-channel attacks (SCAs) pose a particular challenge because they can extract sensitive information, such as model architectures, parameters, and even user inputs, without requiring direct access to the model. By exploiting the physical and micro-architectural properties of the underlying hardware, attackers can compromise these systems. This survey begins by classifying leakage sources and attacker objectives, then analyzes representative studies that demonstrate practical side-channel exploits against deep-learning hardware. It also reviews existing defenses aimed at mitigating these vulnerabilities and concludes by outlining key open research challenges and potential future directions.


Articles in Press, Accepted Manuscript
Available Online from 12 February 2026