A method and device for obtaining a deep neural network structure based on a physical side channel of a display card

The method collects and processes the physical side-channel signals that a graphics card produces while executing deep neural network inference. This removes the reliance on shared software environments and intrusive analysis found in existing technologies and enables the acquisition of deep neural network structures in diverse application scenarios, with high feasibility and concealment.

CN122197957A · Pending · Publication Date: 2026-06-12 · SHANGHAI UNIVERSITY OF FINANCE AND ECONOMICS

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Applications (China)
Current Assignee / Owner: SHANGHAI UNIVERSITY OF FINANCE AND ECONOMICS
Filing Date: 2026-01-28
Publication Date: 2026-06-12

AI Technical Summary

Technical Problem

Existing technologies for acquiring deep neural network structures rely on shared software environments or intrusive analysis, which limits their applicability and feasibility. They are also highly dependent on the operating environment, making it difficult to effectively acquire structural information in diverse application scenarios.

Method used

By acquiring physical side-channel signals, such as electromagnetic side-channel signals, during the execution of deep neural network inference by the graphics card, and extracting temporal features after preprocessing, the structural information of the deep neural network can be obtained. The structure can be acquired by using electromagnetic side-channel signals, magnetic side-channel signals, or a combination thereof.

Benefits of technology

Without interfering with the normal operation of the model or relying on a shared software environment, it achieves effective acquisition of deep neural network structures, has high feasibility and stealth, is applicable to different models of graphics cards and network types, and expands the scope of application.

✦ Generated by Eureka AI based on patent content.


Abstract

The application discloses a method and device for acquiring a deep neural network structure based on the physical side channel of a graphics card. By using the physical side-channel signal generated while the graphics card executes deep neural network inference, information related to the deep neural network structure is acquired without relying on a shared software environment and without invasive analysis. Because structure acquisition is based on a physical side channel, it avoids the limits that operating system isolation mechanisms and permission control place on the analysis process and significantly expands the applicable scope of the structure acquisition method. The acquisition can be completed without interfering with the normal operation of the target deep neural network, which reduces the influence on the stability and security policy of the target system and gives the method higher implementability and concealment. Through targeted preprocessing and feature construction, the originally noisy physical side-channel signal is converted into time-sequence features related to the execution process of the deep neural network.

Description

Technical Field

[0001] This invention relates to the field of deep neural network security and model analysis technology, specifically to a method and apparatus for obtaining deep neural network structures based on the physical side channel of a graphics card.

Background Technology

[0002] With the rapid development of artificial intelligence technology, deep neural networks have been widely applied in fields such as computer vision, speech recognition, autonomous driving, and medical image analysis. In the following text, unless otherwise specified, "model" refers to a deep neural network model. In actual deployment, deep neural networks typically run on high-performance computing devices such as graphics cards, and their network structure (including layer topology and hyperparameter configurations for each layer) is often protected as a crucial technical asset. During model execution, traditional software interfaces and debugging tools typically cannot directly obtain the model's internal structural information, while decompiling or intrusive analysis of the model itself may affect its normal operation or even violate security policies or usage constraints. Therefore, inferring the structure of deep neural networks without interfering with the model's normal function and without relying on explicit interfaces has become an important research problem in the fields of model security assessment and intellectual property protection.

[0003] In existing technologies, some studies have attempted to indirectly analyze the model execution process using side-channel methods such as cache behavior analysis, memory access characteristic analysis, and performance interface monitoring. However, existing technologies have the following shortcomings:

[0004] 1) Existing side-channel analysis methods typically rely on shared software or hardware environments, making them susceptible to limitations imposed by system isolation mechanisms. Most existing methods analyze the model execution process based on shared caches, shared memory, or specific performance monitoring interfaces, usually requiring the analysis module and the target deep neural network to run in a shared software or hardware environment. In this specification, the "target deep neural network" refers to a deep neural network that performs inference on a graphics card, and whose structural information is to be acquired. When the target system enables strict operating system isolation, virtualization mechanisms, or access control policies, the applicability and stability of the above methods will be significantly affected, making them difficult to widely apply in practical deployment scenarios.

[0005] 2) Existing methods have shortcomings in terms of feasibility and concealment, making it difficult to obtain structural information without interfering with model operation. Some side-channel analysis schemes require reliance on intrusive monitoring methods or modifications to the target system, resulting in high implementation costs and potential impacts on the normal operation of the model, or even detection or blocking by security mechanisms, thus limiting their practical value in model security assessment and intellectual property protection scenarios.

[0006] 3) Existing methods are highly dependent on the operating environment and hardware platform, and have limited versatility and scalability. Because existing technologies are usually designed for specific hardware architectures, driver interfaces or system configurations, their applicability to different graphics cards, different implementation frameworks or different types of deep neural networks is poor, making it difficult to meet the needs of obtaining model structures in diverse application scenarios.

[0007] Based on the above shortcomings, it is necessary to propose a technical solution that does not rely on a shared software environment and can directly utilize the physical side-channel signals naturally generated by the graphics card during the execution of deep neural network inference to obtain structure-related information, so as to achieve effective acquisition of deep neural network structure.

Summary of the Invention

[0008] To address the limitations of existing technologies that rely on shared software environments or intrusive analysis methods to obtain deep neural network structure information, and which have limited versatility and feasibility, the present invention aims to provide a method and apparatus for obtaining deep neural network structure based on the physical side channel of a graphics card. This method and apparatus can effectively obtain information related to the structure of deep neural networks without interfering with the normal operation of the target deep neural network or relying on explicit interfaces.

[0009] To achieve the above-mentioned objectives, the present invention adopts the following technical solution:

[0010] This invention discloses a method for obtaining a deep neural network structure based on the physical side channel of a graphics card, comprising the following steps:

[0011] During the execution of the target deep neural network inference by the graphics card, the physical side channel signal generated by the graphics card is collected;

[0012] The physical side channel signal is preprocessed to obtain the timing features used for structure acquisition;

[0013] Based on temporal features, structural information related to the execution process of the deep neural network is obtained, and this structural information is output as the structural acquisition result of the deep neural network.

[0014] As a further improvement, the physical side channel signal described in this invention is an electromagnetic side channel signal, a magnetic side channel signal, a current side channel signal, or a combination of two or more of them.

[0015] As a further improvement, the preprocessing described in this invention includes at least one of filtering, normalization, and time alignment of the physical side channel signal.

[0016] As a further improvement, the structural information described in this invention is structure-related information that reflects the overall structural characteristics of the deep neural network.

[0017] As a further improvement, the method described in this invention is carried out without affecting the normal operation of the target deep neural network.

[0018] This invention discloses a device for acquiring deep neural network structures based on the physical side channel of a graphics card, comprising:

[0019] The side-channel acquisition module is used to acquire the physical side-channel signals generated by the graphics card during the execution of the target deep neural network inference.

[0020] The preprocessing module is used to preprocess the physical side channel signals to obtain the timing features used for structure acquisition;

[0021] The structure acquisition module is used to acquire structural information related to the execution process of the deep neural network based on temporal features, and output the structural information as the structure acquisition result of the deep neural network.

[0022] As a further improvement, the physical side channel signal of the present invention includes electromagnetic side channel signal, magnetic side channel signal, current side channel signal, or a combination of two or more of them.

[0023] As a further improvement, the preprocessing module of the present invention is configured to perform at least one of filtering, normalization, time alignment, and feature extraction.

[0024] As a further improvement, the structure acquisition module of the present invention is configured to acquire structure-related information that reflects the overall structural features of the deep neural network.

[0025] As a further improvement, the device described in this invention can acquire information related to deep neural network structures without needing to be deployed close to a graphics card.

[0026] Compared with the prior art, the present invention has the following beneficial effects:

[0027] 1. This invention utilizes the physical side-channel signals generated by a graphics card during deep neural network inference to acquire information related to the structure of a deep neural network without relying on a shared software environment or requiring intrusive analysis methods. Compared to side-channel analysis methods that rely on cache behavior, memory access characteristics, or performance interfaces, this invention acquires the structure based on physical side-channels, avoiding the limitations imposed by operating system isolation mechanisms and access control on the analysis process, and significantly expanding the applicability of the structure acquisition method.

[0028] 2. This invention can complete the structure acquisition process without interfering with the normal operation of the target deep neural network, reducing the impact on the stability and security strategy of the target system, and has high feasibility and concealment.

[0029] 3. This invention transforms the original noisy physical signal into temporal features related to the execution process of the deep neural network by performing targeted preprocessing and feature construction on the physical side channel signal, thus providing a reliable foundation for the subsequent acquisition of structural information.

[0030] 4. The method and apparatus provided by this invention are not limited to specific operating environments and graphics card platforms, and can be adapted to different models of graphics cards and different types of deep neural networks, exhibiting good versatility and scalability. By performing unified functional processing and feature construction on physical side-channel signals, this invention provides a general technical foundation for various structural parsing strategies, facilitating flexible deployment in different application scenarios.

[0031] 5. This invention provides a new technical approach for the security assessment and intellectual property protection of deep neural networks. It enables the effective acquisition of model structure-related information without the need to obtain the model source code or call explicit interfaces, and has high practical application value.

Attached Figure Description

[0032] Figure 1 is a flowchart illustrating the method for obtaining the deep neural network structure based on the physical side channel of a graphics card as described in this invention.

[0033] Figure 2 is a schematic diagram of the deep neural network structure acquisition device based on the physical side channel of the graphics card as described in this invention.

Detailed Implementation

[0034] The following description, in conjunction with the accompanying drawings, details a specific embodiment of a method and apparatus for obtaining a deep neural network structure based on a graphics card physical side channel according to the present invention. It should be noted that the following embodiments are merely illustrative of the technical solution of the present invention and do not constitute a limitation on the scope of protection of the present invention. Without departing from the core idea of the present invention, those skilled in the art can make various modifications or substitutions, all of which should fall within the scope of protection of the present invention.

[0035] Example 1: A method for obtaining deep neural network structures based on the physical side channel of a graphics card

[0036] As shown in Figure 1, this embodiment provides a method for obtaining a deep neural network structure based on the physical side channel of a graphics card. The method includes the following steps:

[0037] Step S1: Physical side channel signal acquisition

[0038] During the execution of deep neural network inference tasks on the target graphics card, a physical side channel acquisition device is set up outside the graphics card to collect the physical side channel signals naturally generated by the graphics card during operation.

[0039] In this embodiment, the physical side-channel signal is a radiated electromagnetic side-channel signal generated by the graphics card during the execution of deep neural network inference. This type of signal originates from the high-frequency current changes and corresponding electromagnetic radiation generated by the internal circuitry of the graphics card when performing computational tasks. It can be observed by external devices without contacting the graphics card hardware and without relying on software interfaces, system calls, or debugging permissions.

[0040] In one specific implementation, the electromagnetic side-channel signal is acquired via a general-purpose software-defined radio platform. The software-defined radio platform is configured to receive electromagnetic radiation signals generated by the graphics card during operation at a center frequency of 5 GHz, and to continuously sample the received radio frequency signals at a sampling rate of 8 MHz.

[0041] In this embodiment, the software-defined radio platform uses a 5 GHz local oscillator signal to receive the electromagnetic radio frequency signals. The received signal is down-converted and output as complex I/Q baseband samples, forming a time-domain complex signal sequence that represents the graphics card's inference execution process and is used for subsequent signal processing and structural analysis.

[0042] It should be noted that the above-mentioned center frequency and sampling rate settings are only one specific implementation method, and the present invention is not limited to this parameter configuration. Those skilled in the art can adjust the sampling frequency band and sampling parameters according to the graphics card model, sampling distance, and actual electromagnetic environment, without affecting the basic principles and technical effects of the present invention.

[0043] Furthermore, in this embodiment, the physical side-channel acquisition process does not require disassembling, modifying, or touching the internal circuitry of the graphics card, nor does it require deploying any additional programs in the target system, so the acquisition is non-invasive and concealed with respect to the target system.

[0044] Step S2: Physical side channel signal preprocessing

[0045] Since the acquired electromagnetic side channel signal usually contains pulse interference from other electronic devices and environmental electromagnetic noise, in this embodiment, the electromagnetic side channel signal acquired in step S1 is subjected to multi-stage noise suppression and feature processing to obtain stable time-series feature data suitable for structure acquisition.

[0046] (1) Impulse noise removal

[0047] In one specific implementation, a Hampel filter is used to process the pulse noise present in the electromagnetic side-channel signal. Specifically, the electromagnetic side-channel signal is traversed using a sliding time window of 0.1 ms, and the median m and standard deviation of the signal are calculated within each sliding window. When the deviation of a sampling point from the median m exceeds 3 times the standard deviation (i.e., 3...), the sampling point is identified as abnormal impulse noise and is replaced with the median value within the window, thereby effectively removing impulse interference.

[0048] (2) Signal normalization processing

[0049] In one implementation, to reduce the impact of differences in acquisition distance, antenna orientation, and amplification gain on signal amplitude, the electromagnetic side-channel signal after impulse noise removal is subjected to Z-score normalization. This normalization operation ensures that signals under different acquisition conditions have a consistent amplitude scale.

[0050] (3) Moving average filtering

[0051] Before downsampling, in one implementation, a moving average filter is applied to the normalized signal to further suppress high-frequency noise and prevent aliasing.

[0052] Specifically, 800 consecutive sampling points (corresponding to a time length of 0.1 ms) are used as a moving average window to smooth the signal. The length of this moving average window is consistent with the subsequent downsampling factor to ensure the consistency of the signal processing flow over time.

[0053] (4) Downsampling

[0054] In one specific implementation, to reduce the computational complexity of the subsequent structure acquisition module, the electromagnetic side channel signal after moving average processing is downsampled.

[0055] Specifically, the signal sampling rate is downsampled from 8 MHz to 10 kHz, corresponding to a downsampling factor of 800. This downsampling operation significantly reduces the data size while preserving the temporal variation characteristics closely related to the deep neural network inference process executed by the graphics card.

[0056] (5) Median filtering

[0057] In one implementation, in order to further suppress residual noise in the downsampled signal while maintaining the signal edge characteristics, median filtering is applied to the downsampled signal.

[0058] Specifically, a median filter with a window length of 3 sampling points is used to process the signal point by point, thereby obtaining a smoother and more stable time-series signal representation.

[0059] After the above multi-stage noise suppression, normalization, smoothing and downsampling processing, an electromagnetic side channel timing characteristic signal with good stability that is highly correlated with the deep neural network inference process executed by the target graphics card is obtained, which is used for subsequent acquisition of structure-related information.
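The five stages of step S2, chained with the window sizes given in the description, as an added example that is not code from the patent or its applicants. It assumes a real-valued amplitude sequence (for instance the magnitude of the I/Q samples), a centred Hampel window and a trailing moving average; the input trace is constructed and the function names are hypothetical.

```python
import bisect
import math
import random

FS_HZ = 8_000_000   # sampling rate from [0040]
WINDOW = 800        # 0.1 ms at 8 MHz ([0047], [0052])
FACTOR = 800        # 8 MHz -> 10 kHz ([0055])


def hampel(x, window=WINDOW, k=3.0):
    """[0047]: replace samples further than k*std from the window median.

    The description uses the window standard deviation; the classic Hampel
    identifier uses the scaled median absolute deviation instead.
    Assumption: the window is centred on the sample, truncated at the edges.
    """
    half, n = window // 2, len(x)
    out = list(x)
    srt, s1, s2 = [], 0.0, 0.0   # sorted window, running sum, sum of squares
    lo = hi = 0                  # window currently covers x[lo:hi]
    for i in range(n):
        while hi < min(n, i + half + 1):      # grow the right edge
            bisect.insort(srt, x[hi])
            s1 += x[hi]
            s2 += x[hi] * x[hi]
            hi += 1
        while lo < max(0, i - half):          # shrink the left edge
            srt.pop(bisect.bisect_left(srt, x[lo]))
            s1 -= x[lo]
            s2 -= x[lo] * x[lo]
            lo += 1
        m = len(srt)
        med = srt[m // 2] if m % 2 else 0.5 * (srt[m // 2 - 1] + srt[m // 2])
        std = math.sqrt(max(s2 / m - (s1 / m) ** 2, 0.0))
        if abs(x[i] - med) > k * std:
            out[i] = med
    return out


def zscore(x):
    """[0049]: zero mean and unit variance over the whole trace."""
    mu = math.fsum(x) / len(x)
    sd = math.sqrt(math.fsum((v - mu) ** 2 for v in x) / len(x))
    if sd == 0.0:
        raise ValueError("constant trace cannot be normalized")
    return [(v - mu) / sd for v in x]


def moving_average(x, window=WINDOW):
    """[0052]: trailing mean over `window` samples, applied before decimation."""
    out, acc = [], 0.0
    for i, v in enumerate(x):
        acc += v
        if i >= window:
            acc -= x[i - window]
        out.append(acc / min(i + 1, window))
    return out


def downsample(x, factor=FACTOR):
    """[0055]: keep one sample per `factor`; after a trailing mean of the same
    length, each kept point is the mean of one non-overlapping block."""
    return x[factor - 1::factor]


def median3(x):
    """[0058]: 3-point median filter; the two end points pass through."""
    if len(x) < 3:
        return list(x)
    mid = [sorted(x[i - 1:i + 2])[1] for i in range(1, len(x) - 1)]
    return [x[0]] + mid + [x[-1]]


def preprocess(trace):
    """Apply the five stages in the order given in step S2."""
    return median3(downsample(moving_average(zscore(hampel(trace)))))


def make_trace(seed=7):
    """Constructed input: three 8 ms amplitude plateaus, Gaussian noise and
    50 injected impulses. Not a recording of any device."""
    rng = random.Random(seed)
    trace = [lvl + rng.gauss(0.0, 0.3)
             for lvl in (1.0, 2.0, 1.5) for _ in range(64_000)]
    for _ in range(50):
        trace[rng.randrange(len(trace))] += 40.0
    return trace


if __name__ == "__main__":
    feats = preprocess(make_trace())
    print(len(feats), "feature points at", FS_HZ // FACTOR, "Hz")
```

On the constructed trace, 192,000 raw samples reduce to 240 feature points in which the three plateaus remain separable and the injected impulses are gone.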

[0060] Step S3: Obtaining structure-related information and outputting structure acquisition results

[0061] Based on the temporal feature signal obtained in step S2, the execution process of the target deep neural network is analyzed, structural information related to the execution process of the target deep neural network is obtained, and the corresponding structural acquisition results are output.

[0062] In this embodiment, structural information is used to characterize the overall execution structure features of the target deep neural network on the graphics card, reflecting the stable execution pattern and organizational characteristics formed by the deep neural network during inference.

[0063] In one implementation, the acquisition of structural information includes: analyzing the timing characteristic signal of the electromagnetic side channel in the time dimension, identifying the feature change patterns related to the deep neural network inference execution process, and constructing a structural representation reflecting the execution structure of the deep neural network based on the change patterns.

[0064] In one implementation, structural representation can be used to characterize the overall structural features of a deep neural network, including but not limited to the network's hierarchical organization characteristics, execution order characteristics, or computational phase partitioning characteristics.

[0065] It should be noted that this embodiment does not limit the specific analytical algorithm or model structure used to obtain structural information. Any method that can extract structural features related to the execution process of the deep neural network based on the above-mentioned electromagnetic side channel timing feature signals can be applied to this invention.

[0066] In this embodiment, the structural information is organized according to a predetermined format and output as the structural acquisition result of the deep neural network for subsequent application scenarios such as model security assessment, system analysis, or technical asset protection.

[0067] Example 2: Structure Acquisition Device Based on Graphics Card Physical Side Channel

[0068] As shown in Figure 2, this embodiment also provides a device for obtaining deep neural network structures based on the physical side channel of a graphics card, including:

[0069] (1) Side channel acquisition module

[0070] Used to collect physical side-channel signals generated by the graphics card during the execution of deep neural network inference.

[0071] Physical side-channel signals are physical signals that can be observed without the need for software interfaces, system calls, or debugging privileges. They originate from the hardware activity of the graphics card when performing computing tasks.

[0072] In one alternative implementation, the side-channel acquisition module may include a signal receiving unit based on software radio or other physical signal acquisition equipment, for receiving and digitally sampling electromagnetic side-channel signals generated during the operation of the graphics card.

[0073] (2) Preprocessing module

[0074] It is used to perform filtering, normalization, and time alignment on physical side channel signals to obtain stable timing characteristics.

[0075] The preprocessing module performs noise suppression and feature enhancement on the original physical side channel signal, enabling the processed signal to stably reflect the overall execution characteristics during the deep neural network inference process performed by the graphics card.

[0076] Preferably, the preprocessing module can perform one or more of the following processing operations on the physical side channel signal: filtering, normalization, time alignment, smoothing, downsampling, or median filtering.

[0077] The above processing steps reduce the impact of environmental noise, differences in acquisition conditions, and hardware interference on the structure acquisition process.

[0078] (3) Structure Acquisition Module

[0079] Based on the temporal feature signals output by the preprocessing module, this module analyzes the execution mode of the graphics card during the execution of the target deep neural network inference process, obtains structural information related to the execution process of the deep neural network, and outputs the structural information as the structural acquisition result of the deep neural network.

[0080] Structural information is used to characterize the overall execution structure of the target deep neural network on the graphics card, reflecting the stable computational patterns and organizational characteristics formed by the deep neural network during inference.

[0081] The structure acquisition module does not rely on access to the source code, parameter files, or runtime environment of the target deep neural network model during the acquisition of structural information, nor does it require explicit intervention in the internal operating mechanism of the graphics card. The modules described above can be implemented either in hardware or through a hardware-software co-operation approach. The modules are connected via data interfaces to form a complete structure acquisition device.

[0082] The above modules can be implemented in hardware, software, or a combination of hardware and software. The modules are connected through data interfaces to form a complete deep neural network structure acquisition device.

[0083] In specific implementation, the side channel acquisition method, signal preprocessing process, and structural information acquisition method in the structure acquisition device can be configured and implemented with reference to the method implementation in Embodiment 1.

[0084] The above description is merely a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in the present invention should be included within the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be determined by the scope of the claims.

Claims

1. A method for obtaining the structure of a deep neural network based on the physical side channel of a graphics card, characterized in that it includes the following steps: during the execution of the target deep neural network inference by the graphics card, the physical side channel signal generated by the graphics card is collected; the physical side channel signal is preprocessed to obtain the timing features used for structure acquisition; based on the temporal features, structural information related to the execution process of the deep neural network is obtained, and the structural information is output as the structural acquisition result of the deep neural network.

2. The method according to claim 1, characterized in that the physical side channel signal is an electromagnetic side channel signal, a magnetic side channel signal, a current side channel signal, or a combination of two or more of them.

3. The method according to claim 2, characterized in that the preprocessing includes at least one of filtering, normalization, and time alignment of the physical side channel signal.

4. The method according to claim 3, characterized in that the structural information refers to structure-related information that reflects the overall structural characteristics of the deep neural network.

5. The method according to claim 4, characterized in that the method is implemented without affecting the normal operation of the target deep neural network.

6. A device for acquiring deep neural network structures based on the physical side channel of a graphics card, characterized in that it includes: the side-channel acquisition module, which is used to acquire the physical side-channel signal generated by the graphics card during the execution of the target deep neural network inference; the preprocessing module, which is used to preprocess the physical side channel signal to obtain the timing features used for structure acquisition; the structure acquisition module, which is used to acquire structural information related to the execution process of the deep neural network based on the temporal features, and output the structural information as the structure acquisition result of the deep neural network.

7. The apparatus according to claim 6, characterized in that the physical side channel signal includes electromagnetic side channel signal, magnetic side channel signal, current side channel signal, or a combination of two or more of them.

8. The apparatus according to claim 6, characterized in that the preprocessing module is configured to perform at least one of the following operations: filtering, normalization, time alignment, and feature extraction.

9. The apparatus according to claim 6, 7, or 8, characterized in that the structure acquisition module is configured to acquire structure-related information that reflects the overall structural features of the deep neural network.

10. The apparatus according to claim 9, characterized in that the device can acquire information related to the deep neural network structure without needing to be deployed close to the graphics card.