Saved in:
Bibliographic Details
Main Authors: Rossolini, Giulio, Brau, Fabio, Biondi, Alessandro, Biggio, Battista, Buttazzo, Giorgio
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2507.07259
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866908442919174144
author Rossolini, Giulio
Brau, Fabio
Biondi, Alessandro
Biggio, Battista
Buttazzo, Giorgio
author_facet Rossolini, Giulio
Brau, Fabio
Biondi, Alessandro
Biggio, Battista
Buttazzo, Giorgio
contents As machine learning models become increasingly deployed across the edge of internet of things environments, a partitioned deep learning paradigm in which models are split across multiple computational nodes introduces a new dimension of security risk. Unlike traditional inference setups, these distributed pipelines span the model computation across heterogeneous nodes and communication layers, thereby exposing a broader attack surface to potential adversaries. Building on these motivations, this work explores a previously overlooked vulnerability: even when both the edge and cloud components of the model are inaccessible (i.e., black-box), an adversary who intercepts the intermediate features transmitted between them can still pose a serious threat. We demonstrate that, under these mild and realistic assumptions, an attacker can craft highly transferable proxy models, making the entire deep learning system significantly more vulnerable to evasion attacks. In particular, the intercepted features can be effectively analyzed and leveraged to distill surrogate models capable of crafting highly transferable adversarial examples against the target model. To this end, we propose an exploitation strategy specifically designed for distributed settings, which involves reconstructing the original tensor shape from vectorized transmitted features using simple statistical analysis, and adapting surrogate architectures accordingly to enable effective feature distillation. A comprehensive and systematic experimental evaluation has been conducted to demonstrate that surrogate models trained with the proposed strategy, i.e., leveraging intermediate features, tremendously improve the transferability of adversarial attacks. These findings underscore the urgent need to account for intermediate feature leakage in the design of secure distributed deep learning systems.
format Preprint
id arxiv_https___arxiv_org_abs_2507_07259
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Exploiting Edge Features for Transferable Adversarial Attacks in Distributed Machine Learning
Rossolini, Giulio
Brau, Fabio
Biondi, Alessandro
Biggio, Battista
Buttazzo, Giorgio
Machine Learning
Artificial Intelligence
As machine learning models become increasingly deployed across the edge of internet of things environments, a partitioned deep learning paradigm in which models are split across multiple computational nodes introduces a new dimension of security risk. Unlike traditional inference setups, these distributed pipelines span the model computation across heterogeneous nodes and communication layers, thereby exposing a broader attack surface to potential adversaries. Building on these motivations, this work explores a previously overlooked vulnerability: even when both the edge and cloud components of the model are inaccessible (i.e., black-box), an adversary who intercepts the intermediate features transmitted between them can still pose a serious threat. We demonstrate that, under these mild and realistic assumptions, an attacker can craft highly transferable proxy models, making the entire deep learning system significantly more vulnerable to evasion attacks. In particular, the intercepted features can be effectively analyzed and leveraged to distill surrogate models capable of crafting highly transferable adversarial examples against the target model. To this end, we propose an exploitation strategy specifically designed for distributed settings, which involves reconstructing the original tensor shape from vectorized transmitted features using simple statistical analysis, and adapting surrogate architectures accordingly to enable effective feature distillation. A comprehensive and systematic experimental evaluation has been conducted to demonstrate that surrogate models trained with the proposed strategy, i.e., leveraging intermediate features, tremendously improve the transferability of adversarial attacks. These findings underscore the urgent need to account for intermediate feature leakage in the design of secure distributed deep learning systems.
title Exploiting Edge Features for Transferable Adversarial Attacks in Distributed Machine Learning
topic Machine Learning
Artificial Intelligence
url https://arxiv.org/abs/2507.07259