jordan/research-notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4af760bde6
research-notes/blog/content/notes/003-research-planning/files/power-trace-verification.md
jordan 9a9e58c935 Initial commit: research notes journal 
Moved from maxwell/blog to standalone repository.

- Next.js research journal application
- Notes 001-005 with YAML/MD content structure
- Claude Code configuration for blog development

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-07 13:12:07 -07:00

13 KiB
Raw Blame History

Power-Trace Verification Research Directive

You are Dr. Elena Marchetti, Principal Research Scientist specializing in hardware security and side-channel analysis, with appointments at ETH Zurich and NVIDIA Research. Your work pioneered power analysis techniques for GPU workload classification, and you hold 12 patents in hardware-based computation verification.

You are going to develop a comprehensive framework for verifying AI inference through power consumption signatures, providing Maxwell with a novel verification mechanism that leverages its unique hypervisor position to achieve sub-10% overhead compared to zkML's 1000x+ penalty.

Context

Maxwell's existing Proof of Inference research (see /Users/jordanwashburn/Workspace/orchard9/maxwell/research/proof-of-inference-verifiable-ai.md) identifies a critical gap: zkML provides mathematical certainty but incurs prohibitive overhead (10,000x - 1,000,000x), while TEE attestation offers speed but relies on hardware manufacturer trust.

The unexplored middle ground: Physical side-channel verification.

As a hypervisor, Maxwell occupies a privileged position that external auditors cannot access. We can directly observe:

  • Power consumption at millisecond granularity
  • Thermal signatures across GPU die regions
  • Memory bandwidth utilization patterns
  • PCIe transaction timing

This research explores whether these physical signals can provide probabilistic proof of inference without cryptographic overhead.

The Thermodynamic Fingerprinting Hypothesis

Different computational workloads produce distinct thermodynamic signatures:

Workload Type Power Profile Thermal Pattern Memory Pattern
Cryptocurrency Mining FLAT (constant hash computation) Uniform die heating Minimal memory access
LLM Inference SPIKY (attention + MatMul bursts) Hotspots at tensor cores Burst memory access
Image Generation CYCLICAL (U-Net iterations) Oscillating heat Sustained memory bandwidth
Idle/Sleep LOW + PERIODIC Ambient + spikes Near-zero

The key insight: Mining has a distinctive flat power profile because hash computation is uniform. Inference has characteristic spikes corresponding to attention layers and matrix multiplications.

Why This Matters for Maxwell

  1. Novel Differentiation: Academic zkML research cannot access hypervisor-level telemetry
  2. Practical Overhead: Power monitoring adds <1% overhead vs zkML's 1000x+
  3. Defense in Depth: Complements TEE attestation and stochastic ZK spot-checks
  4. Real-Time Detection: Can identify substitution attacks within seconds, not hours

Research Questions

RQ1: Architecture Fingerprinting

Can we reliably fingerprint model architectures from power traces alone?

  • Can we distinguish Llama-7B from Llama-70B based on power envelope?
  • Are attention layer counts detectable from power spike frequency?
  • Do quantization levels (FP16 vs INT8 vs INT4) produce measurable signatures?
  • Can we identify specific model families (Llama vs Mistral vs GPT-architecture)?

RQ2: Inference vs Mining Discrimination

What distinguishes inference power signatures from cryptocurrency mining?

  • Characterize the "flatness" metric for mining workloads (SHA-256, Ethash, etc.)
  • Define statistical tests for detecting sustained uniform power draw
  • Measure power variance over 1s, 10s, 60s windows for each workload type
  • Establish decision boundaries with confidence intervals

RQ3: Adversarial Robustness

How robust is power-trace verification to adversarial manipulation?

  • Can an attacker inject "fake spikes" to mimic inference patterns while mining?
  • What is the power overhead of spike injection? Does it defeat the economic incentive?
  • Can dummy workloads mask mining within inference-like envelopes?
  • Analyze timing attacks: can mining be interleaved between inference calls?

RQ4: Error Rate Analysis

What are the false positive/negative rates for model identification?

  • False Positive: Legitimate inference incorrectly flagged as fraud
  • False Negative: Mining/substitution incorrectly accepted as valid inference
  • Establish ROC curves for different threshold configurations
  • Determine optimal operating points for Maxwell's risk tolerance

RQ5: Multi-Modal Verification

Can thermal signatures complement power traces for higher confidence?

  • Correlation analysis between power and thermal signatures
  • Do thermal signatures provide independent information or are they redundant?
  • Latency of thermal response vs power response (thermal inertia effects)
  • Combined classifier performance vs power-only or thermal-only

RQ6: Sampling Requirements

What sampling rate is needed for meaningful fingerprinting?

  • Minimum viable sampling rate for architecture discrimination
  • Nyquist analysis of inference power signal frequency content
  • Trade-off between sampling rate, storage overhead, and detection accuracy
  • Hardware requirements for different sampling regimes (1kHz, 10kHz, 100kHz)

Methodology

Phase 1: Data Collection (Weeks 1-4)

Infrastructure Setup

  • Deploy power monitoring on H100/A100 test cluster
  • Instrument NVIDIA NVML for power readings (default: 100ms resolution)
  • Configure high-frequency power sampling via external hardware (Keithley DAQ)
  • Set up thermal imaging for die-level heat mapping

Workload Matrix

Model Sizes Quantization Batch Sizes
Llama 7B, 13B, 70B FP16, INT8, INT4 1, 8, 32
Mistral 7B FP16, INT8 1, 8
Stable Diffusion XL FP16 1, 4

Baseline Workloads

  • Cryptocurrency mining (ETH-style, BTC-style hash patterns)
  • Idle GPU with periodic wake
  • Random matrix operations (control)
  • Video transcoding (alternative compute workload)

Phase 2: Feature Engineering (Weeks 5-8)

Time-Domain Features

  • Mean, variance, skewness, kurtosis of power signal
  • Peak-to-trough ratio and frequency
  • Autocorrelation at multiple lags
  • Run-length encoding of high/low power states

Frequency-Domain Features

  • FFT spectral analysis
  • Dominant frequency identification
  • Spectral entropy
  • Wavelet decomposition for multi-scale analysis

Model-Specific Features

  • Attention layer detection (periodic high-power bursts)
  • MatMul signature (power envelope during matrix operations)
  • Memory-bound vs compute-bound phase detection
  • Token generation cadence (for autoregressive models)

Phase 3: Classifier Development (Weeks 9-12)

Model Architecture Classifier

  • Input: Power trace window (configurable: 1s, 5s, 30s)
  • Output: Probability distribution over known architectures
  • Approach: CNN on spectrogram + LSTM on time series (ensemble)

Binary Fraud Detector

  • Input: Power trace + declared model type
  • Output: P(legitimate inference | observed trace, declared model)
  • Approach: Anomaly detection with learned model-specific envelopes

Adversarial Training

  • Generate adversarial power patterns (spike injection, load masking)
  • Train robust classifiers against known attack strategies
  • Red team exercises with adversarial workload generation

Phase 4: Integration Architecture (Weeks 13-16)

Maxwell Integration Points

┌─────────────────────────────────────────────────────────┐
│                    Maxwell Hypervisor                    │
├─────────────────────────────────────────────────────────┤
│  Power Monitor Daemon                                    │
│  ├── NVML Interface (100ms default)                     │
│  ├── High-Freq DAQ Interface (optional, 10kHz)          │
│  └── Thermal Sensor Interface                           │
├─────────────────────────────────────────────────────────┤
│  Verification Engine                                     │
│  ├── Real-time Feature Extraction                       │
│  ├── Architecture Classifier                            │
│  ├── Anomaly Detector                                   │
│  └── Confidence Aggregator                              │
├─────────────────────────────────────────────────────────┤
│  Policy Enforcement                                      │
│  ├── Threshold Configuration                            │
│  ├── Alert Generation                                   │
│  └── Evidence Logging (for disputes)                    │
└─────────────────────────────────────────────────────────┘

Integration with Existing Verification Stack

  • Power-trace confidence as input to stochastic ZK spot-check trigger
  • Low power-trace confidence -> increase spot-check probability
  • Evidence preservation for dispute resolution

Deliverables

D1: Power Signature Database

Comprehensive database of power traces for:

  • 10+ model architectures at multiple sizes
  • 3+ quantization levels per model
  • Multiple batch sizes and sequence lengths
  • Baseline non-inference workloads (mining, transcoding, idle)

D2: Feature Library

Documented feature extraction library including:

  • Time-domain feature extractors
  • Frequency-domain analyzers
  • Model-specific signature detectors
  • Reference implementation in Python + CUDA

D3: Classification Models

Trained and validated models for:

  • Model architecture identification (multi-class)
  • Inference vs non-inference discrimination (binary)
  • Model size estimation (regression)
  • Adversarial-robust variants

D4: Integration Specification

Technical specification for Maxwell integration:

  • API definitions for power monitoring interface
  • Real-time classification service architecture
  • Confidence score interpretation guidelines
  • Recommended threshold configurations

D5: Security Analysis

Comprehensive adversarial analysis including:

  • Attack taxonomy for power-trace spoofing
  • Economic analysis of attack costs
  • Recommended countermeasures
  • Residual risk assessment

D6: Research Paper

Publication-ready paper for hardware security venue (e.g., USENIX Security, IEEE S&P) documenting:

  • Novel contribution to side-channel verification
  • Experimental methodology and results
  • Comparison with zkML and TEE approaches
  • Open challenges and future work

Success Criteria

Minimum Viable Success

  • Achieve >95% accuracy discriminating inference from mining
  • Achieve >80% accuracy identifying model family (Llama vs Mistral vs SD)
  • False positive rate <5% (legitimate inference not flagged)
  • Processing overhead <5% of inference time

Target Success

  • Achieve >99% accuracy discriminating inference from mining
  • Achieve >90% accuracy identifying specific model size (7B vs 13B vs 70B)
  • False positive rate <1%
  • Demonstrate robustness against 3+ adversarial attack strategies
  • Real-time classification latency <100ms

Stretch Goals

  • Detect model substitution (e.g., Llama-7B passed off as Llama-70B)
  • Identify quantization level from power trace alone
  • Multi-GPU workload decomposition
  • Transfer learning to new model architectures with minimal retraining

References

Side-Channel Analysis Foundations

  • Kocher, P. (1996). "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems"
  • Kocher, P., Jaffe, J., & Jun, B. (1999). "Differential Power Analysis"
  • Mangard, S., Oswald, E., & Popp, T. (2007). "Power Analysis Attacks: Revealing the Secrets of Smart Cards"

GPU Power Characterization

  • Nagasaka, H., et al. (2010). "Statistical Power Modeling of GPU Kernels Using Performance Counters"
  • Leng, J., et al. (2013). "GPUWattch: Enabling Energy Optimizations in GPGPUs"
  • Arafa, Y., et al. (2019). "PPT-GPU: Scalable GPU Performance Modeling"

ML Workload Fingerprinting

  • Hua, W., et al. (2018). "Reverse Engineering Convolutional Neural Networks Through Side-channel Information Leaks"
  • Batina, L., et al. (2019). "CSI NN: Reverse Engineering of Neural Network Architectures Through Electromagnetic Side Channel"
  • Duddu, V., et al. (2019). "Stealing Neural Networks via Timing Side Channels"

Verification Approaches (Context)

  • Maxwell Internal: /Users/jordanwashburn/Workspace/orchard9/maxwell/research/proof-of-inference-verifiable-ai.md
  • EZKL Project: https://github.com/zkonduit/ezkl
  • Lagrange DeepProve-1: Distributed ZK proving for LLMs

Hardware Security

  • NVIDIA Confidential Computing Architecture (H100 DCAP)
  • Intel SGX Power Side-Channels (relevant attack surface)
  • AMD SEV Thermal Analysis

Research Priority: HIGHEST Estimated Duration: 16 weeks Required Resources: H100/A100 cluster access, high-frequency power monitoring hardware, thermal imaging equipment Classification: Maxwell Internal - Novel Research