Peihao Li,Jie Huang,Shuaishuai Zhang,Chunyang Qi

DOI: https://doi.org/10.1016/j.comnet.2024.110825

IF: 5.493

2024-01-01

Computer Networks

Abstract:Deploying AI models on edge computing platforms enhances real-time performance, reduces network dependency, and ensures data privacy on terminal devices. However, these advantages come with increased risks of model leakage and misuse due to the vulnerability of edge environments to physical and cyber attacks compared to cloud-based solutions. To mitigate these risks, we propose SecureEI, a proactive intellectual property protection method for AI models that leverages model splitting and data poisoning techniques. SecureEI divides the model into two components: DeviceNet, which processes input data into protected license data, and EdgeNet, which operates on the license data to perform the intended tasks. This method ensures that only the transformed license data yields high model accuracy, while original data remains unrecognizable, even under fine-tuning attacks. We further employ targeted training strategies and weight adjustments to enhance the model's resistance to potential attacks that aim to restore its recognition capabilities for original data. Evaluations on MNIST, Cifar10, and FaceScrub datasets demonstrate that SecureEI not only maintains high model accuracy on license data but also significantly bolsters defense against fine-tuning attacks, outperforming existing state-of-the-art techniques in safeguarding AI intellectual property on edge platforms.

Jinyin Chen,Haibin Zheng,Tao Liu,Rongchang Li,Yao Cheng,Xuhong Zhang,Shouling Ji

DOI: https://doi.org/10.48550/arXiv.2303.12397

2023-03-23

Abstract:With the development of deep learning processors and accelerators, deep learning models have been widely deployed on edge devices as part of the Internet of Things. Edge device models are generally considered as valuable intellectual properties that are worth for careful protection. Unfortunately, these models have a great risk of being stolen or illegally copied. The existing model protections using encryption algorithms are suffered from high computation overhead which is not practical due to the limited computing capacity on edge devices. In this work, we propose a light-weight, practical, and general Edge device model Pro tection method at neuron level, denoted as EdgePro. Specifically, we select several neurons as authorization neurons and set their activation values to locking values and scale the neuron outputs as the "asswords" during training. EdgePro protects the model by ensuring it can only work correctly when the "passwords" are met, at the cost of encrypting and storing the information of the "passwords" instead of the whole model. Extensive experimental results indicate that EdgePro can work well on the task of protecting on datasets with different modes. The inference time increase of EdgePro is only 60% of state-of-the-art methods, and the accuracy loss is less than 1%. Additionally, EdgePro is robust against adaptive attacks including fine-tuning and pruning, which makes it more practical in real-world applications. EdgePro is also open sourced to facilitate future research: <a class="link-external link-https" href="https://github.com/Leon022/Edg" rel="external noopener nofollow">this https URL</a>

Cryptography and Security,Artificial Intelligence

Xianfei Zhou,Kai Xu,Naiyu Wang,Jianlin Jiao,Ning Dong,Meng Han,Hao Xu

DOI: https://doi.org/10.1109/access.2021.3051945

IF: 3.9

2021-01-01

IEEE Access

Abstract:With the popular use of IoT devices, edge computing has been widely applied in the Internet of things (IoT) and regarded as a promising solution for its wide distribution, decentralization, low latency. At the same time, in response to the massive computing data and intelligent requirements of various applications in the IoT, artificial intelligence (AI) technology has also achieved rapid development. As a result, edge intelligence (EI) for the Internet of Things has attracted widespread attention. Driven by the requirement that making full use of data, machine learning (ML) models trained in EI are usually shared. However, there may be some security and privacy issues due to the openness and heterogeneity of edge intelligence. How to ensure flexible data access and data security as well as the accountability for edge nodes and users in EI model sharing have become important issues. In this article, we propose a Ciphertext Policy Attribute Based Proxy Re-encryption (CP-ABPRE) scheme with accountability to address the security and privacy issues in EI model sharing. In our scheme, a user can delegate the access right to others to make model access more flexible. Furthermore, each entity that may need to be held accountable is embedded a unique ID to achieve traceability. Finally, security analysis and performance evaluation are given to prove that our scheme is CPA secure and does not lose much efficiency with more features.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jinyin Chen,Haibin Zheng,Tao Liu,Jiawei Liu,Yao Cheng,Xuhong Zhang,Shouling Ji

DOI: https://doi.org/10.1109/tdsc.2024.3365730

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:With the development of deep learning processors and accelerators, deep learning models have been widely deployed on edge devices as part of the Internet of Things. Edge device models are generally considered as valuable intellectual properties that are worth for careful protection. Unfortunately, these models have a great risk of being stolen or illegally copied. The existing model protections using encryption algorithms are suffered from high computation overhead which is not practical due to the limited computing capacity on edge devices. In this work, we propose a light-weight, practical, and general Edge device model Pro tection method at neuron level, denoted as EdgePro. Specifically, we select several neurons as authorization neurons and set their activation values to locking values and scale the neuron outputs as the "asswords" during training. EdgePro protects the model by ensuring it can only work correctly when the "passwords" are met, at the cost of encrypting and storing the information of the "passwords" instead of the whole model. Extensive experimental results indicate that EdgePro can work well on the task of protecting on datasets with different modes. The inference time increase of EdgePro is only 60% of state-of-the-art methods, and the accuracy loss is less than 1%. Additionally, EdgePro is robust against adaptive attacks including fine-tuning and pruning, which makes it more practical in real-world applications. EdgePro is also open sourced to facilitate future research: https://github.com/Leon022/Edg

Weiheng Chai,Brian Testa,Huantao Ren,Asif Salekin,Senem Velipasalar

2024-02-15

Abstract:Deep neural networks are extensively applied to real-world tasks, such as face recognition and medical image classification, where privacy and data protection are critical. Image data, if not protected, can be exploited to infer personal or contextual information. Existing privacy preservation methods, like encryption, generate perturbed images that are unrecognizable to even humans. Adversarial attack approaches prohibit automated inference even for authorized stakeholders, limiting practical incentives for commercial and widespread adaptation. This pioneering study tackles an unexplored practical privacy preservation use case by generating human-perceivable images that maintain accurate inference by an authorized model while evading other unauthorized black-box models of similar or dissimilar objectives, and addresses the previous research gaps. The datasets employed are ImageNet, for image classification, Celeba-HQ dataset, for identity classification, and AffectNet, for emotion classification. Our results show that the generated images can successfully maintain the accuracy of a protected model and degrade the average accuracy of the unauthorized black-box models to 11.97%, 6.63%, and 55.51% on ImageNet, Celeba-HQ, and AffectNet datasets, respectively.

Computer Vision and Pattern Recognition,Machine Learning

Peihao Li,Jie Huang,Shuaishuai Zhang,Chunyang Qi

DOI: https://doi.org/10.1145/3652583.3657612

2024-01-01

Abstract:Edge intelligence can significantly enhance the real-time performance and robustness of multimedia retrieval. However, its privacy and intellectual property security face various challenges. In this paper, we propose a model training framework based on the gradient optimization concept, synchronously optimizing model parameters and model license. This approach ensures that the trained model only correctly retrieves information for inputs containing the correct license, actively protecting its intellectual property by restricting its usability. Additionally, we devise a data irreversibility standardization method based on random perturbation to safeguard the privacy of both data and license. We conduct extensive experiments in edge intelligence scenarios, and the results demonstrate that, compared to the state-of-the-art approaches in this field, our method achieves accuracy closer to the baseline model. The injected license are more covertly secured, and the anti-fine-tuning capability is improved by an average of more than 25.1%.

Peihao Li,Jie Huang,Huaqing Wu,Zeping Zhang,Chunyang Qi

DOI: https://doi.org/10.1016/j.neunet.2024.106199

IF: 7.8

2024-03-06

Neural Networks

Abstract:With the widespread application of deep neural networks (DNNs), the risk of privacy breaches against DNN models is constantly on the rise, resulting in an increasing need for intellectual property (IP) protection for such models. Although neural network watermarking techniques are widely used to safeguard the IP of DNNs, they can only achieve passive protection and cannot actively prevent unauthorized users from illicit use or embezzlement of the trained DNN models. Therefore, the development of proactive protection techniques to prevent IP infringement is imperative. To this end, we propose SecureNet, a key-based access license framework for DNN models. The proposed approach involves injecting license keys into the model through backdoor learning, enabling correct model functionality only when the appropriate license key is included in the input. To ensure the reusability of DNN models, we also propose a license key replacement algorithm. In addition, based on SecureNet, we designed defense mechanisms against adversarial attacks and backdoor attacks, respectively. Furthermore, we introduce a fine-grained authorization method that enables flexible granting of model permissions to different users. We have designed four license-key schemes with different privileges, tailored to various scenarios. We evaluated SecureNet on five benchmark datasets including MNIST, Cifar10, Cifar100, FaceScrub, and CelebA, and assessed its performance on six classic DNN models: LeNet-5, VGG16, ResNet18, ResNet101, NFNet-F5, and MobileNetV3. The results demonstrate that our approach outperforms the state-of-the-art model parameter encryption methods by at least 95% in terms of computational efficiency. Additionally, it provides effective defense against adversarial attacks and backdoor attacks without compromising the model's overall performance.

computer science, artificial intelligence,neurosciences

Hewang Nie,Songfeng Lu

DOI: https://doi.org/10.1007/s10489-024-05746-x

IF: 5.3

2024-01-01

Applied Intelligence

Abstract:In the realm of edge AI systems where deep learning is paramount, protecting the intellectual property (IP) of multimodal neural network models is crucial. Current watermarking solutions often bypass the intricacies of multimodal models and the unique constraints of edge environments. Addressing this, a novel watermarking scheme specifically devised for multimodal neural networks is introduced, marking a significant stride in securing these models against IP theft and unauthorized use. A discrete watermark is ingeniously embedded within each modality of a multimodal model, synthesizing a comprehensive watermark that spans the entire model. This method ensures IP protection across varied data types without hampering the model’s performance or imposing undue computational demands, making it ideal for resource-limited edge devices. By leveraging the redundancies inherent in multimodal data, watermarks are embedded efficiently, maintaining model integrity and operational effectiveness. A robust verification mechanism is implemented, accurately identifying watermark presence across modalities with minimal computational overhead. Empirical validation on a benchmark dataset demonstrates the method’s efficacy in embedding watermarks discreetly while preserving the model’s original task performance, showing a 1 to 4

Minghua Hou,Linlin Tang,Shuhan Qi,Yang Liu

DOI: https://doi.org/10.1109/ICDIS55630.2022.00019

2022-01-01

Abstract:Sharing neural network models in some platforms and communities has become a popular trend, but they will inevitably suffer from malicious theft of models, If the attacker knows the structure and weights of the model, the model can be easily modified, how to protect the intellectual property rights of the deep models has become a serious problem. The appearance of model watermarking provides a technical possibility for the intellectual property protection of neural network models, and it provides us a reliable method of verifying model ownership when the model's intellectual property rights are infringed. Based on previous work, this paper proposes a new watermarking method for image processing models, which embeds the watermark information into the two chroma channels of the YCbCr color space of image processing model's output images. The proposed method can verify the model ownership in black-box case, which has strong robustness and resistance to common model compression and model fine-tuning attacks.

Pengbo Wang,Boyin Zhang,Shigeng Zhang,Xuan Liu

DOI: https://doi.org/10.1109/ispa-bdcloud-socialcom-sustaincom59178.2023.00056

2023-01-01

Abstract:As computer performance advances and deep learning models proliferate, their applications expand, but concerns arise due to their opaque nature and security issues. Edge intelligence requires more from these models but faces limitations like insufficient computing power and memory. Existing research on model compression mainly focuses on the trade-off between compression and accuracy, neglecting deployment at the edge and its impact on factors beyond accuracy. Furthermore, evaluation methods for model performance and robustness in compression techniques are underdeveloped. To address these issues, this paper introduces a comprehensive framework for evaluating edge intelligence deep learning models. It conducts a thorough assessment of these models on common image classification datasets, comparing their performance with three compression algorithms and analyzing their security implications. The proposed framework aims to provide a holistic assessment of deep learning models, promoting trustworthy edge intelligence, enabling secure deployments, and enhancing understanding of model decision-making processes.

Ge Ren,Jun Wu,Gaolei Li,Shenghong Li

DOI: https://doi.org/10.48550/arXiv.2103.08472

2021-03-15

Abstract:The smartphone and laptop can be unlocked by face or fingerprint recognition, while neural networks which confront numerous requests every day have little capability to distinguish between untrustworthy and credible users. It makes model risky to be traded as a commodity. Existed research either focuses on the intellectual property rights ownership of the commercialized model, or traces the source of the leak after pirated models appear. Nevertheless, active identifying users legitimacy before predicting output has not been considered yet. In this paper, we propose Model-Lock (M-LOCK) to realize an end-to-end neural network with local dynamic access control, which is similar to the automatic locking function of the smartphone to prevent malicious attackers from obtaining available performance actively when you are away. Three kinds of model training strategy are essential to achieve the tremendous performance divergence between certified and suspect input in one neural network. Extensive experiments based on MNIST, FashionMNIST, CIFAR10, CIFAR100, SVHN and GTSRB datasets demonstrated the feasibility and effectiveness of the proposed scheme.

Human-Computer Interaction,Cryptography and Security,Machine Learning

Mingyi Zhou,Xiang Gao,Jing Wu,John C. Grundy,Xiao Chen,Chunyang Chen,Li Li

2023-01-01

Abstract:More and more edge devices and mobile apps are leveraging deep learning (DL) capabilities. Deploying such models on devices -- referred to as on-device models -- rather than as remote cloud-hosted services, has gained popularity as it avoids transmitting user's data off of the device and for high response time. However, on-device models can be easily attacked, as they can be accessed by unpacking corresponding apps and the model is fully exposed to attackers. Recent studies show that adversaries can easily generate white-box-like attacks for an on-device model or even inverse its training data. To protect on-device models from white-box attacks, we propose a novel technique called model obfuscation. Specifically, model obfuscation hides and obfuscates the key information -- structure, parameters and attributes -- of models by renaming, parameter encapsulation, neural structure obfuscation, shortcut injection, and extra layer injection. We have developed a prototype tool ModelObfuscator to automatically obfuscate on-device TFLite models. Our experiments show that this proposed approach can dramatically improve model security by significantly increasing the overhead of extracting models' inner information, without increasing the latency of DL models. Our proposed on-device model obfuscation has the potential to be a fundamental technique for on-device model deployment. Our prototype tool is publicly available at https://github.com/AnonymousAuthor000/Code2536.

Weizhong Qiang,Renwan Liu,Hai Jin

DOI: https://doi.org/10.1016/j.future.2021.06.037

IF: 7.307

2021-01-01

Future Generation Computer Systems

Abstract:As the IoT has developed, edge computing has played an increasingly important role in the IoT ecosystem. The edge computing paradigm offers low latency and high computing performance, which is conducive to machine learning tasks such as object detection in autonomous driving. However, data privacy risks in edge computing still exist and the existing privacy-preserving methods are not satisfactory due to the large computational overhead and unbearable accuracy loss. We have designed a privacy-preserving machine learning framework for both user and cloud data. Users and the cloud provide data for inference and training respectively, and the privacy protection of these two aspects is both considered in this paper. Users provide test data and want to access the data-processing models in cloud for inference, and the cloud provides the training data used for training an eligible model. For user data, in order to maintain the overall performance of the machine learning framework while using homomorphic encryption, instead of providing encrypted data to all machine learning tasks, we divide the neural network into two parts, with one part kept on the trusted edge and provided with plaintext, and the other deployed on the untrusted cloud and provided with encrypted input. For cloud data, we apply the binary neural network, a network with the binarized value of weights. This method is practical for narrowing the confidence score gap (between the training and test sets) predicted by the model, which accounts most for a successful exploratory attack on training data. Experiments demonstrate that the results of the adversary's membership inference attack are close to random guessing, and the accuracy is only slightly affected. Compared with the unencrypted network on VGG19, when the network is split from conv4_1 to fc8, the efficiency of using HE is only 100 to 30 times slower. (C) 2021 Elsevier B.V. All rights reserved.

Jianfeng Zhang,Wensheng Zhang,Jingdong Xu

DOI: https://doi.org/10.3233/jcs-220042

2022-01-01

Journal of Computer Security

Abstract:Due to the limited capabilities of user devices, such as smart phones, and the Internet of Things (IoT), edge intelligence is being recognized as a promising paradigm to enable effective analysis of the data generated by these devices with complex artificial intelligence (AI) models, and it often entails either fully or partially offloading the computation of neural networks from user devices to edge computing servers. To protect users’ data privacy in the process, most existing researches assume that the private (sensitive) attributes of user data are known in advance when designing privacy-protection measures. This assumption is restrictive in real life, and thus limits the application of these methods. Inspired by the research in image steganography and cyber deception, in this paper, we propose StegEdge, a conceptually novel approach to this challenge. StegEdge takes as input the user-generated image and a randomly selected “cover” image that does not pose any privacy concern (e.g., downloaded from the Internet), and extracts the features such that the utility tasks can still be conducted by the edge computing servers, while potential adversaries seeking to reconstruct/recover the original user data or analyze sensitive attributes from the extracted features sent from users to the server, will largely acquire information of the cover image. Thus, users’ data privacy is protected via a form of deception. Empirical results conducted on the CelebA and ImageNet datasets show that, at the same level of accuracy for utility tasks, StegEdge reduces the adversaries’ accuracy of predicting sensitive attributes by up to 38% compared with other methods, while also defending against adversaries seeking to reconstruct user data from the extracted features.

Zheng Li,Chengyu Hu,Yang Zhang,Shanqing Guo

DOI: https://doi.org/10.48550/arXiv.1903.01743

2019-03-05

Cryptography and Security

Abstract:Deep learning techniques have made tremendous progress in a variety of challenging tasks, such as image recognition and machine translation, during the past decade. Training deep neural networks is computationally expensive and requires both human and intellectual resources. Therefore, it is necessary to protect the intellectual property of the model and externally verify the ownership of the model. However, previous studies either fail to defend against the evasion attack or have not explicitly dealt with fraudulent claims of ownership by adversaries. Furthermore, they can not establish a clear association between the model and the creator's identity. To fill these gaps, in this paper, we propose a novel intellectual property protection (IPP) framework based on blind-watermark for watermarking deep neural networks that meet the requirements of security and feasibility. Our framework accepts ordinary samples and the exclusive logo as inputs, outputting newly generated samples as watermarks, which are almost indistinguishable from the origin, and infuses these watermarks into DNN models by assigning specific labels, leaving the backdoor as the basis for our copyright claim. We evaluated our IPP framework on two benchmark datasets and 15 popular deep learning models. The results show that our framework successfully verifies the ownership of all the models without a noticeable impact on their primary task. Most importantly, we are the first to successfully design and implement a blind-watermark based framework, which can achieve state-of-art performances on undetectability against evasion attack and unforgeability against fraudulent claims of ownership. Further, our framework shows remarkable robustness and establishes a clear association between the model and the author's identity.

Pengrui Liu,Xiaohan Yuan,Wei Wang,Xiangrui Xu,Tao Li,Junyong Wang,Bin Wang,Witold Pedrycz

DOI: https://doi.org/10.1109/tce.2024.3510747

2024-01-01

IEEE Transactions on Consumer Electronics

Abstract:Data-driven models are widely employed in Mobile Edge Computing to satisfy the demands of Emerging Consumer Applications. However, previous work demonstrates that data-driven models are susceptible to security threats like Backdoor and Evasion Attacks or privacy threats like Membership Inference Attacks. Numerous existing methods for mitigating these threats have been proposed. However, these methods focus solely on enhancing model security or only on improving model privacy. Ideally, data-driven models should enhance model security and privacy simultaneously. In this paper, we propose methods that combine individual security-enhancing and privacy-enhancing methods to mitigate the security and privacy threats of data-driven models simultaneously. We evaluate the effectiveness of individual security-enhancing methods, individual privacy-enhancing methods, and our methods in simultaneously enhancing model security and privacy. Our comprehensive experimental analysis reveals two-fold insights. First, individual security-enhancing methods can either enhance or diminish model privacy, while individual privacy-enhancing methods face challenges in enhancing model security. Second, our methods improve the effectiveness of simultaneously enhancing model security and privacy compared to the individual methods.

Ge Ren,Jun Wu,Gaolei Li,Shenghong Li,Mohsen Guizani

DOI: https://doi.org/10.1109/tdsc.2022.3222972

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Artificial intelligence (AI)-based cybersecurity services offer significant promise in many scenarios, including malware detection, content supervision, and so on. Meanwhile, many commercial and government applications have raised the need for intellectual property protection of using deep neural network (DNN). Existing studies (e.g., watermarking techniques) on intellectual property protection only aim at inserting secret information into DNNs, allowing producers to detect whether the given DNN infringes on their own copyrights. However, since the availability protection of learning models is rarely considered, the piracy model can still work with high accuracy. In this paper, a novel model locking (M-LOCK) scheme for the DNN is proposed to enhance its availability protection, where the DNN produces poor accuracy if a specific token is absent, while it maps only the tokenized inputs into correct predictions. The proposed scheme performs the verification process during the DNN inference operation, actively protecting models' intellectual property copyright at each query. Specifically, to train the token-sensitive decision-making boundaries of DNNs, a data poisoning-based model manipulation (DPMM) method is also proposed, which minimizes the correlation between the dummy outputs and correct predictions. Extensive experiments demonstrate the proposed scheme could achieve high reliability and effectiveness across various benchmark datasets as well as typical model protection methods.

Mingyi Zhou,Xiang Gao,Jing Wu,John Grundy,Xiao Chen,Chunyang Chen,Li Li

DOI: https://doi.org/10.48550/arXiv.2306.06112

2023-06-01

Cryptography and Security

Abstract:More and more edge devices and mobile apps are leveraging deep learning (DL) capabilities. Deploying such models on devices -- referred to as on-device models -- rather than as remote cloud-hosted services, has gained popularity because it avoids transmitting user data off of the device and achieves high response time. However, on-device models can be easily attacked, as they can be accessed by unpacking corresponding apps and the model is fully exposed to attackers. Recent studies show that attackers can easily generate white-box-like attacks for an on-device model or even inverse its training data. To protect on-device models from white-box attacks, we propose a novel technique called model obfuscation. Specifically, model obfuscation hides and obfuscates the key information -- structure, parameters and attributes -- of models by renaming, parameter encapsulation, neural structure obfuscation obfuscation, shortcut injection, and extra layer injection. We have developed a prototype tool ModelObfuscator to automatically obfuscate on-device TFLite models. Our experiments show that this proposed approach can dramatically improve model security by significantly increasing the difficulty of parsing models inner information, without increasing the latency of DL models. Our proposed on-device model obfuscation has the potential to be a fundamental technique for on-device model deployment. Our prototype tool is publicly available at: https://github.com/zhoumingyi/ModelObfuscator.

Guowen Xu,Hongwei Li,Yuan Zhang,Xiaodong Lin,Robert H. Deng,Xuemin Shen

DOI: https://doi.org/10.1109/icpads51040.2020.00084

2020-01-01

Abstract:Cloud-based deep learning (DL) solutions have been widely used in applications ranging from image recognition to speech recognition. Meanwhile, as commercial software and services, such solutions have raised the need for intellectual property rights protection of the underlying DL models. Water-marking is the mainstream of existing solutions to address this concern, by primarily embedding pre-defined secrets in a model's training process. However, existing efforts almost exclusively focus on detecting whether a target model is pirated, without considering traitor tracing. In this paper, we present SecureMark_DL, which enables a model owner to embed a unique fingerprint for every customer within parameters of a DL model, extract and verify the fingerprint from a pirated model, and hence trace the rogue customer who illegally distributed his model for profits. We demonstrate that SecureMark_DL is robust against various attacks including fingerprints collusion and network transformation (e.g., model compression and model fine-tuning) Extensive experiments conducted on MNIST and CIFAR10 datasets, as well as various types of deep neural network show the superiority of SecureMark_DL in terms of training accuracy and robustness against various types of attacks.

Mengda Yang,Wenzhe Yi,Juan Wang,Hongxin Hu,Xiaoyang Xu,Ziang Li

DOI: https://doi.org/10.1016/j.future.2024.03.008

IF: 7.307

2024-03-03

Future Generation Computer Systems

Abstract:The proliferation of artificial intelligence and edge computing has led to an increase in the deployment of proprietary deep learning models on third-party edge servers or devices to power mission-critical applications. However, this trend raises concerns about model privacy, particularly on untrusted edge platforms. Protecting model privacy in such scenarios requires addressing challenges such as untrustworthy model deployment environments, resource-constrained Trusted Execution Environments (TEE), and vulnerability to privacy inference attacks. To address these challenges, this paper proposes Penetralium , a system-algorithm jointly optimized model inference system on edge computing platforms. Penetralium runs models in the TEE by building an underlying computational engine. We propose an adaptive decomposition algorithm that builds a computing pipeline for models, which adapts to the underlying trusted components. Additionally, Penetralium uses a lightweight confidence score perturbation policy to protect against advanced privacy inference attacks on deep learning models. Experimental results demonstrate that Penetralium provides strong security guarantees with reasonable performance. The system not only reduces inference latency and memory consumption overhead but also improves the overall robustness of the system against advanced attacks.

computer science, theory & methods