DNN Latency Sequencing: Extracting DNN Architectures from Intel SGX Enclaves with Single-Stepping Attacks

Minkyung Park

Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · AI Security

Deep neural network architectures represent valuable intellectual property -- the result of extensive training, research, and computational investment. **Confidential AI** approaches using trusted execution environments like **Intel SGX** promise to protect these models from extraction. This talk presents **DNN Latency Sequencing (DLS)**, a new model extraction attack that recovers DNN architecture information (layer types and hyperparameters) from SGX-protected models by analyzing **instruction latency traces** obtained through **single-stepping attacks (SGX-Step)**.

AI review

A well-executed side-channel attack that extracts DNN architecture information from SGX enclaves using instruction latency traces. The two-stage approach (CNN-BiLSTM for function-level flows, semi-hidden Markov model for basic-block-level flows) achieves 95%+ accuracy across three DNN libraries. The execution-flow intermediate representation is a clean conceptual contribution, though the underlying SGX-Step single-stepping technique is well-known and the attack requires a privileged adversary position.
