SPOILER: TEE-Shielded DNN Partitioning of On-Device Secure Inference with Poison Learning

Imagine you've built a secret recipe for the world's best chocolate cake. You want to sell this cake from a small food truck (your "edge device," like a smartphone) so customers can enjoy it anywhere. However, you're worried that a rival chef might sneak into your truck, peek at your recipe book, and steal your secret to sell their own copycat cakes.

This is the problem of Model Stealing in the world of AI. The "recipe" is a Deep Neural Network (DNN), and the "truck" is your device.

The Old Ways (And Why They Failed)

To protect your recipe, you tried two main strategies, but both had big flaws:

The "Whole Truck" Strategy (Training-Before-Partition):
You tried to lock the entire recipe book inside a super-secure, bulletproof safe (a TEE or Trusted Execution Environment) inside the truck.
- The Problem: The safe is heavy and slow to open. Every time a customer orders a cake, you have to wait for the safe to unlock, read a page, lock it, and then bake. It's so slow that customers leave before they get their cake.
The "Split Recipe" Strategy (Partition-Before-Training):
You decided to split the recipe. You put the most secret ingredients (like the secret spice blend) in the safe, and the common stuff (flour, sugar) on the open counter.
- The Problem: The chef on the open counter (the GPU) has to wait for the chef in the safe (the CPU) to finish their step before they can start the next one. They are stuck in a "lock-step" dance. If the safe chef is slow, the whole truck stops. Also, the rival chef can still figure out your secret spice blend just by watching how the open-counter chef reacts to the ingredients.

Enter SPOILER: The "Search-Before-Training" Revolution

The authors of this paper, SPOILER, came up with a brilliant new way to run your food truck. They call their method SPOILER (which stands for TEE-Shielded DNN Partitioning of On-Device Secure Inference with Poison Learning).

Here is how it works, using our food truck analogy:

1. The "Smart Search" (Hardware-Aware NAS)

Instead of just guessing where to split the recipe, SPOILER uses a super-smart robot architect to design a brand new, tiny, super-fast secret kitchen specifically for your truck's safe.

The Analogy: Imagine the robot realizes your truck's safe is small and has a weak battery. So, it designs a mini-kitchen that fits perfectly, uses very little power, and is built to work independently of the main kitchen.
The Result: The secret kitchen (TEE) and the main kitchen (REE/GPU) can now work at the same time. While the main chef is mixing the batter, the secret chef is simultaneously preparing the secret spice blend. No waiting! This makes the truck incredibly fast.

2. The "Poisoned Recipe" (Self-Poisoning Learning)

This is the coolest part. Even though the secret kitchen is small and isolated, the rival chef might still try to guess the secret spice blend by watching the main chef.

The Trick: SPOILER teaches the main chef to use a "poisoned" version of the common ingredients.
The Analogy: Imagine the main chef adds a harmless-looking but confusing ingredient to the batter. If a rival chef tries to copy the recipe using only the ingredients they can see on the open counter, the cake turns out terrible and inedible.
The Magic: The real cake only tastes amazing when you combine the "poisoned" batter from the main chef with the correct secret spice blend from the safe. Without the secret blend, the recipe is useless gibberish. This "poison" ensures that even if the rival steals the visible parts of the model, they can't make it work.

Why This Matters

Security: The rival chef can't steal your recipe because the visible parts are "poisoned" and don't work on their own.
Speed: Because the two kitchens work in parallel (at the same time) instead of taking turns, the truck serves customers much faster.
Flexibility: The robot architect designs the secret kitchen to fit any truck, whether it's a tiny scooter or a big van (different hardware constraints).

The Bottom Line

SPOILER is like a master chef who designs a secret kitchen that fits perfectly in a tiny safe, works in perfect sync with the main kitchen, and adds a "secret poison" to the public ingredients so that anyone trying to steal the recipe ends up with a burnt, tasteless mess. It solves the age-old problem of keeping AI models private without making them slow or clunky.

Here is a detailed technical summary of the paper "SPOILER: TEE-Shielded DNN Partitioning of On-Device Secure Inference with Poison Learning."

1. Problem Statement

Deploying Deep Neural Networks (DNNs) on edge devices (e.g., smartphones, IoT) exposes Intellectual Property (IP) to Model Stealing (MS) attacks. In a "white-box" environment where adversaries have physical access, they can clone model functionality.

Current Solutions & Limitations:
- Trusted Execution Environments (TEEs): While TEEs (like ARM TrustZone) protect weights, running the entire model inside a TEE is prohibitively slow (up to 50× latency) due to the lack of GPU acceleration.
- Training-Before-Partition (TBP): Splits a pre-trained model. Flaw: The exposed layers in the Rich Execution Environment (REE) retain semantic features, allowing attackers to steal the model via knowledge distillation. Obfuscation methods to fix this introduce heavy cryptographic overhead.
- Partition-Before-Training (PBT): Isolates TEE components before training. Flaw: Creates severe structural dependencies. The TEE (CPU) and REE (GPU) must execute in a lock-step or sequential manner, causing synchronization bottlenecks and GPU idling. Furthermore, these methods often fail to adapt to specific hardware constraints (memory limits).

Goal: Develop a framework that simultaneously ensures Security (prevents model stealing), Efficiency (low latency, parallel execution), Feasibility (fits within TEE memory constraints), and Generality (works across CNNs and Transformers).

2. Methodology: The SPOILER Framework

The authors propose SPOILER, which introduces a new paradigm called Search-Before-Training (SBT). This approach fundamentally decouples the TEE sub-network from the backbone architecture.

A. Core Design Principles

Logical Isolation (P1): The REE must not contain any layers capable of learning semantic features. This eliminates the need for costly obfuscation.
Parallel Execution (P2): TEE and REE computations must be decoupled to run asynchronously, minimizing data transfer and synchronization overhead.
Hardware Awareness (P3): The partitioning strategy must be automatically optimized for specific device constraints (memory, power) rather than using static heuristics.

B. Key Components

1. Hardware-Aware Neural Architecture Search (NAS)

Objective: Discover an optimal TEE sub-network configuration ( $a^*$ ) that maximizes accuracy while strictly adhering to hardware constraints (e.g., secure memory limits).
Search Space: A unified space supporting both CNNs and Transformers. It uses lightweight blocks (spatial/channel mixing) and parameter-free adapters to compress intermediate features without adding learnable parameters in the REE.
Optimization: Uses Bayesian Optimization with Sparse Axis-Aligned Subspace Gaussian Processes (SAAS-GP) to navigate the vast configuration space efficiently.
Parallel Latency Model: The system calculates latency based on a "handshake" mechanism where the total time is determined by the maximum execution time between the backbone (GPU) and sub-network (CPU) intervals, enabling true parallelism.

2. Self-Poisoning Learning

Challenge: The TEE sub-network is extremely lightweight (due to memory constraints), which typically degrades accuracy.
Solution: A novel training strategy that "poisons" the exposed backbone.
Mechanism: The training loss function includes an adversarial penalty term:
$\mathcal{L}_{total} = \beta \cdot \mathcal{L}_{CE} + (1-\beta) \cdot \mathcal{L}_{KD} - \lambda \cdot \mathcal{L}_{CE}(M_b(x), y)$
- The term $-\lambda \cdot \mathcal{L}_{CE}$ actively minimizes the accuracy of the standalone backbone ( $M_b$ ).
- This forces the backbone to become functionally incoherent without the TEE component.
- The combined model ( $M_c$ ) learns to rely on the specialized, complementary representations from the TEE sub-network, maintaining high overall accuracy while rendering the exposed weights useless to an attacker.

3. Key Contributions

SBT Paradigm: Shifts from fixed partitioning to a dynamic "Search-Before-Training" approach that decouples the TEE sub-network from the backbone topology.
Hardware-Aware NAS: Introduces a search framework specifically designed for TEE constraints (memory, CPU-only execution) to find optimal lightweight sub-networks.
Self-Poisoning Strategy: Proposes a learning mechanism that enforces logical isolation by making the exposed REE components functionally useless without the TEE, effectively neutralizing model stealing attacks without obfuscation.
Comprehensive Evaluation: Demonstrates state-of-the-art trade-offs across security, latency, and accuracy on diverse architectures (VGG, ResNet, ViT) and datasets.

4. Experimental Results

Experiments were conducted on NVIDIA Jetson Orin (simulating edge devices) with various power modes and datasets (CIFAR-10/100, TinyImageNet).

Security (Model Stealing Resistance):
- SPOILER drastically reduced the accuracy of attacker surrogate models.
- Example: On ResNet-18 (CIFAR-10), SPOILER reduced surrogate accuracy to 12.36%, compared to 34.44% for the best existing baseline (GroupCover) and 95.44% for the unprotected model.
- The exposed backbone became functionally incoherent, performing worse than random guessing in many cases.
Efficiency (Latency):
- SPOILER enabled asynchronous parallel execution, significantly outperforming sequential PBT methods (like DarkneTZ, TEESlice).
- In some cases (e.g., VGG16-BN on CIFAR-100), SPOILER was even faster than the unshielded GPU-only baseline because the lightweight sub-network could finish before the heavy backbone completed.
- It avoided Out-Of-Memory (OOM) errors that plagued other methods when isolating layers.
Accuracy:
- SPOILER achieved accuracy comparable to or better than fully fine-tuned unprotected models.
- Notably, on ResNet-18 (TinyImageNet), SPOILER improved accuracy by ~7.4% over the baseline, proving that the "poisoning" and specialized sub-network can enhance performance.
Feasibility:
- Successfully adapted to varying power modes (15W to MAXN) and hardware constraints by tuning the adversarial factor ( $\lambda$ ), finding "sweet spots" that balance security and accuracy.

5. Significance

SPOILER represents a paradigm shift in secure edge AI. By moving away from static partitioning and heavy obfuscation, it solves the "efficiency vs. security" trade-off that has plagued TEE-based inference.

Practical Impact: It enables the deployment of proprietary, high-value AI models on consumer edge devices without fear of IP theft, while maintaining low latency and high accuracy.
Technical Innovation: The combination of Hardware-Aware NAS and Self-Poisoning Learning provides a robust, generalizable solution that works across different model architectures (CNNs and Transformers) and hardware constraints.