CR · Mar 6

SPOILER: TEE-Shielded DNN Partitioning of On-Device Secure Inference with Poison Learning

arXiv:2603.06263v1
AI Analysis

This work is significant for organizations deploying DNNs on edge devices, as it offers a method to protect intellectual property from model-stealing attacks without sacrificing performance, addressing a critical privacy and efficiency bottleneck.

This paper addresses the challenge of securing on-device deep neural network (DNN) inference against model-stealing attacks while maintaining efficiency. The authors propose SPOILER, a search-before-training framework that decouples the TEE sub-network from the backbone using hardware-aware neural architecture search (NAS) and introduces self-poisoning learning. This approach achieves state-of-the-art trade-offs in security, latency, and accuracy for CNNs and Transformers.

Deploying deep neural networks (DNNs) on edge devices exposes valuable intellectual property to model-stealing attacks. While TEE-shielded DNN partitioning (TSDP) mitigates this by isolating sensitive computations, existing paradigms fail to simultaneously satisfy privacy and efficiency. The training-before-partition paradigm suffers from intrinsic privacy leakage, whereas the partition-before-training paradigm incurs severe latency due to structural dependencies that hinder parallel execution. To overcome these limitations, we propose SPOILER, a novel search-before-training framework that fundamentally decouples the TEE sub-network from the backbone via hardware-aware neural architecture search (NAS). SPOILER identifies a lightweight TEE architecture strictly optimized for hardware constraints, maximizing parallel efficiency. Furthermore, we introduce self-poisoning learning to enforce logical isolation, rendering the exposed backbone functionally incoherent without the TEE component. Extensive experiments on CNNs and Transformers demonstrate that SPOILER achieves state-of-the-art trade-offs between security, latency, and accuracy.
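The abstract's key security claim is that the exposed backbone should be "functionally incoherent" without the TEE-resident sub-network. The following toy is an added illustration of that idea and is not code from the paper or the authors' method: it partitions a linear classifier into an exposed backbone and a small TEE-side component, trains them jointly, and measures how a copy of the backbone alone performs. The dataset (three 2-D Gaussian blobs), the joint loss (cross-entropy of the combined model on the true label plus a weighted cross-entropy of the backbone alone on a deliberately wrong "poison" label) and the hyperparameters are all my assumptions; SPOILER's actual objective, hardware-aware NAS search and CNN/Transformer experiments are not reproduced here.

```python
import math
import random

K = 3   # number of classes in the constructed toy task
D = 2   # input features

def make_dataset(n_per_class=40, noise=0.3, seed=7):
    """Constructed toy data (not from the paper): three Gaussian blobs in 2-D.
    Each sample also gets a 'poison' label: a deliberately wrong class that the
    exposed backbone is trained to predict when it runs without the TEE part."""
    rng = random.Random(seed)
    centers = [(1.5, 0.0), (-0.75, 1.3), (-0.75, -1.3)]
    xs, ys, poison = [], [], []
    for c, (cx, cy) in enumerate(centers):
        for _ in range(n_per_class):
            xs.append([cx + rng.gauss(0, noise), cy + rng.gauss(0, noise)])
            ys.append(c)
            poison.append(rng.choice([k for k in range(K) if k != c]))
    return xs, ys, poison

def zeros():
    return [[0.0] * K for _ in range(D)], [0.0] * K

def linear(x, w, b):
    return [sum(x[i] * w[i][k] for i in range(D)) + b[k] for k in range(K)]

def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]

def train(xs, ys, poison, epochs=1200, lr=0.2, alpha=2.0):
    """Full-batch gradient descent on an assumed joint objective:
         CE(backbone(x) + tee(x), y)  +  alpha * CE(backbone(x), poison_label)
    The first term trains the partitioned model as a whole; the second is the
    self-poisoning term that makes the backbone useless on its own.
    Only the backbone receives gradient from the poisoning term."""
    wb, bb = zeros()   # exposed backbone (assumed to run outside the TEE)
    wt, bt = zeros()   # small TEE-resident sub-network
    n = len(xs)
    for _ in range(epochs):
        gwb, gbb = zeros()
        gwt, gbt = zeros()
        for x, y, yp in zip(xs, ys, poison):
            zb = linear(x, wb, bb)
            zt = linear(x, wt, bt)
            p_full = softmax([a + b for a, b in zip(zb, zt)])
            p_alone = softmax(zb)
            for k in range(K):
                g_full = p_full[k] - (1.0 if k == y else 0.0)          # dCE/dlogit
                g_poison = alpha * (p_alone[k] - (1.0 if k == yp else 0.0))
                for i in range(D):
                    gwb[i][k] += (g_full + g_poison) * x[i]
                    gwt[i][k] += g_full * x[i]
                gbb[k] += g_full + g_poison
                gbt[k] += g_full
        for k in range(K):
            for i in range(D):
                wb[i][k] -= lr * gwb[i][k] / n
                wt[i][k] -= lr * gwt[i][k] / n
            bb[k] -= lr * gbb[k] / n
            bt[k] -= lr * gbt[k] / n
    return (wb, bb), (wt, bt)

def predict(x, backbone, tee=None):
    """Inference with the TEE part (tee given) or with the exposed backbone only."""
    z = linear(x, *backbone)
    if tee is not None:
        z = [a + b for a, b in zip(z, linear(x, *tee))]
    return max(range(K), key=lambda k: z[k])

def accuracy(xs, ys, backbone, tee=None):
    return sum(predict(x, backbone, tee) == y for x, y in zip(xs, ys)) / len(xs)

def run():
    """Returns (accuracy with the TEE sub-network, accuracy of the backbone alone)."""
    xs, ys, poison = make_dataset()
    backbone, tee = train(xs, ys, poison)
    return accuracy(xs, ys, backbone, tee), accuracy(xs, ys, backbone)

if __name__ == "__main__":
    full, alone = run()
    print(f"with TEE sub-network: {full:.2f}   backbone alone: {alone:.2f}")
```

The two numbers `run()` returns are the two quantities the abstract trades off against each other: task accuracy of the full partitioned system, and how much of that accuracy a copy of the exposed backbone alone retains. With the joint loss above the whole model fits the blobs while the backbone alone ends up at or below chance on the true labels, which is the "logical isolation" property in miniature; the efficiency side of the trade-off (keeping the TEE sub-network small enough to run in parallel with the backbone) is what the paper's NAS step addresses and is not modelled here.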
