attack 2026

Kraken: Higher-order EM Side-Channel Attacks on DNNs in Near and Far Field

Peter Horvath 1, Ilia Shumailov 2, Lukasz Chmielewski 3, Lejla Batina 1, Yuval Yarom 4

1 Radboud University

2 AI Security Company

3 Masaryk University

4 Ruhr University

0 citations
α

Published on arXiv

2603.02891

Model Theft

OWASP ML Top 10 — ML05

Key Finding

Demonstrates for the first time that DNN weights can be extracted from GPU Tensor Core units via near-field EM side-channel attacks, and that LLM weight leakage is detectable at 100cm through glass in far-field settings.

Kraken

Novel technique introduced

The multi-million dollar investment required for modern machine learning (ML) has made large ML models a prime target for theft. In response, the field of model stealing has emerged. Attacks based on physical side-channel information have shown that DNN model extraction is feasible, even on CUDA Cores in a GPU. For the first time, our work demonstrates parameter extraction on the specialized GPU's Tensor Core units, most commonly used GPU units nowadays due to their superior performance, via near-field physical side-channel attacks. Previous work targeted only the general-purpose CUDA Cores in the GPU, the functional units that have been part of the GPU since its inception. Our method is tailored to the GPU architecture to accurately estimate energy consumption and derive efficient attacks via Correlation Power Analysis (CPA). Furthermore, we provide an exploratory analysis of hyperparameter and weight leakage from LLMs in far field and demonstrate that the GPU's electromagnetic radiation leaks even 100 cm away through a glass obstacle.

Key Contributions

  • First EM side-channel weight extraction attack targeting GPU Tensor Core units (previously only CUDA Cores had been targeted), using Correlation Power Analysis (CPA) tailored to Tensor Core energy consumption modeling
  • Near-field attack demonstrating accurate parameter extraction from DNNs running on modern GPUs with Tensor Core acceleration
  • Exploratory far-field analysis showing LLM hyperparameter and weight leakage via EM radiation at distances up to 100cm through a glass obstacle

🛡️ Threat Analysis

Model Theft

The explicit goal is model parameter (weight) extraction — stealing the model itself via physical EM side-channel analysis. Side-channel attacks to extract model parameters are explicitly listed under ML05. The adversary recovers DNN weights and LLM hyperparameters by observing GPU electromagnetic radiation during inference, targeting IP theft of the model.

Details

Domains
visionnlp
Model Types
cnnllmtransformer
Threat Tags
physicalinference_timegrey_box
Applications
dnn model ip protectionllm weight extractiongpu-accelerated inference
Read PDF arXiv

Similar Papers

attack

StolenLoRA: Exploring LoRA Extraction Attacks via Synthetic Data

2025 0 cit.
Model Theft
69%
defense

CREDIT: Certified Ownership Verification of Deep Neural Networks Against Model Extraction Attacks

2026 0 cit.
Model Theft
62%
defense

Amulet: Fast TEE-Shielded Inference for On-Device Model Protection

2025 0 cit.
Model Theft
62%
attack

Vulnerabilities in Partial TEE-Shielded LLM Inference with Precomputed Noise

2026 0 cit.
Model Theft
59%
attack

"Energon": Unveiling Transformers from GPU Power and Thermal Side-Channels

2025 0 cit.
Model TheftInput Manipulation Attack
58%
survey

A Systematic Survey of Model Extraction Attacks and Defenses: State-of-the-Art and Perspectives

2025 0 cit.
Model Theft
58%
defense

Rotation, Scale, and Translation Resilient Black-box Fingerprinting for Intellectual Property Protection of EaaS Models

2025 0 cit.
Model Theft
56%
defense

A PUF-Based Approach for Copy Protection of Intellectual Property in Neural Network Models

2026 0 cit.
Model Theft
53%