🤖 AI Summary
This work exposes a side-channel leakage vulnerability in dataflow-based CNN inference accelerators, wherein model architecture information is unintentionally revealed through hardware memory access patterns. Addressing the black-box scenario—where an adversary infers CNN topology without access to model weights—we present the first systematic modeling of the correlation between spatiotemporal data reuse patterns in dataflow mappings and observable memory access behavior. We propose a memory-access side-channel–based CNN architecture reverse-engineering method that extracts key architectural fingerprints—including layer type, number of channels, and kernel dimensions—from memory trace sequences. Our approach successfully reconstructs complete topologies of representative models (LeNet, AlexNet, VGG16, and YOLOv2). This study constitutes the first empirical demonstration that dataflow accelerators inherently leak architectural information, revealing a critical hardware-level privacy vulnerability. It provides both a foundational security warning and a rigorous evaluation benchmark for privacy-sensitive hardware design.
📝 Abstract
Convolutional Neural Networks (CNNs) are widely used in various domains, including image recognition, medical diagnosis and autonomous driving. Recent advances in dataflow-based CNN accelerators have enabled CNN inference on resource-constrained edge devices. These dataflow accelerators exploit the inherent data reuse of convolution layers to process CNN models efficiently. Concealing the architecture of CNN models is critical for privacy and security. This paper evaluates memory-based side-channel information to recover CNN architectures from dataflow-based CNN inference accelerators. The proposed attack exploits the spatial and temporal data reuse of the dataflow mapping on CNN accelerators, together with architectural hints, to recover the structure of CNN models. Experimental results demonstrate that our proposed side-channel attack can recover the structures of popular CNN models, namely LeNet, AlexNet, VGGnet16, and YOLOv2.