SODA: Protecting Proprietary Information in On-Device Machine Learning Models

Akanksha Atrey, Ritwik Sinha, Saayan Mitra, Prashant Shenoy

TL;DR

This paper addresses the risk of proprietary information leakage from ML models deployed on user devices. It proposes SODA, an end-to-end defense that uses an autoencoder-based detector and a leakage-rate metric to identify adversarial, query-based exploitation of on-device models, achieving high detection accuracy (89% in under 50 queries) with minimal service impact. The authors provide a taxonomy of on-device models, formalize a threat model, demonstrate two classes of leakage attacks on HAR and MNIST data, and validate SODA’s effectiveness and practicality on a Raspberry Pi prototype, including ONNX-based deployment and encryption. The work advances edge deployment security by delivering a generalizable, on-device solution that protects proprietary service criteria while maintaining latency, storage, and accuracy within acceptable bounds. Practical impact includes faster, private, and resilient on-device services with robust defenses against both output-diversity and decision-boundary leakage threats.

Abstract

The growth of low-end hardware has led to a proliferation of machine learning-based services in edge applications. These applications gather contextual information about users and provide some services, such as personalized offers, through a machine learning (ML) model. A growing practice has been to deploy such ML models on the user's device to reduce latency, maintain user privacy, and minimize continuous reliance on a centralized source. However, deploying ML models on the user's edge device can leak proprietary information about the service provider. In this work, we investigate on-device ML models that are used to provide mobile services and demonstrate how simple attacks can leak proprietary information of the service provider. We show that different adversaries can easily exploit such models to maximize their profit and accomplish content theft. Motivated by the need to thwart such attacks, we present an end-to-end framework, SODA, for deploying and serving on edge devices while defending against adversarial usage. Our results demonstrate that SODA can detect adversarial usage with 89% accuracy in less than 50 queries with minimal impact on service performance, latency, and storage.

Paper Structure

This paper contains 27 sections, 8 equations, 7 figures, 7 tables.

Figures (7)

  • Figure 1: Examples of leaking proprietary information via on-device ML models where $x'_i$ represents adversarial queries and shapes represent model output (e.g., service): (a) exploiting output diversity, and (b) exploiting decision boundaries of a particular service type (e.g., class).
  • Figure 2: Results of random querying attacks on decision trees (DT), multi-class logistic regression models (LR) and deep neural networks (DNN) in white-box (WB) and black-box (BB) environments: (a) impact of query size on the classes recovered; (b) impact of the number of features queried among the model input on the classes recovered; and (c) impact of the number of unused features on runtime in the BB environment. The legend in (b) applies to all figures.
  • Figure 3: Results of random noise perturbation attacks to exploit decision boundaries of decision tree (DT), multi-class logistic regression model (LR) and deep neural network (DNN): (a) impact of noise bounds on the number of exploitations; (b) Euclidean distance between exploitable queries for each seed class; and (c) impact of the number of features perturbed on the percentage of exploitations. The legend in (b) applies to all figures.
  • Figure 4: Overview of the proposed inference pipeline of SODA. The purple blocks represent the autoencoder, yellow block represents the service model, and the green blocks represent the detector mechanism where detector output $D_t$ is an aggregation of the query distance, $d(X_t)$, reconstruction error, $r(x_t)$, and output entropy, $o(Y_t)$. Processing in the gray box occurs in memory while the application is running on the edge device and is assumed to be inaccessible by the user.
  • Figure 5: Overview of the model training and deployment in SODA. The application binary contains the program itself, which runs in memory when the application is invoked. The application bundle contains the files the application uses, including the list of encoded queries, prior model outputs, and prior values of the adversarial detection layer.
  • ...and 2 more figures
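The Figure 4 caption describes the detector output $D_t$ as an aggregation of query distance $d(X_t)$, reconstruction error $r(x_t)$ and output entropy $o(Y_t)$. The following is an added illustration, not code from the paper or the SODA prototype: it computes those three signals over a window of queries against a toy two-class service model. Assumptions: the training data, the service model and the query streams are constructed; the nearest-training-point distance stands in for the autoencoder's reconstruction loss; and the weighted sum used for $D_t$ is assumed, since this page does not give the paper's aggregation rule.

```python
import math
import random
from collections import Counter

# Constructed benign training data (two features in [0, 1]); stands in for
# the service provider's training distribution, not the paper's HAR/MNIST data.
BENIGN_TRAIN = [(0.10, 0.20), (0.20, 0.10), (0.15, 0.25), (0.12, 0.18),
                (0.90, 0.80), (0.80, 0.90), (0.85, 0.75), (0.88, 0.82)]

def service_model(x):
    """Toy two-class service model; stand-in for the deployed on-device model."""
    return 1 if x[0] + x[1] > 1.0 else 0

def reconstruction_error(x):
    """r(x_t): how far x lies from the training manifold. SODA uses an
    autoencoder's reconstruction loss; here (assumption) the distance to the
    nearest benign training point plays that role."""
    return min(math.dist(x, b) for b in BENIGN_TRAIN)

def query_distance(queries):
    """d(X_t): mean distance between consecutive queries in the window."""
    if len(queries) < 2:
        return 0.0
    pairs = zip(queries, queries[1:])
    return sum(math.dist(a, b) for a, b in pairs) / (len(queries) - 1)

def output_entropy(outputs):
    """o(Y_t): Shannon entropy (bits) of the model outputs seen in the window."""
    n = len(outputs)
    return -sum(c / n * math.log2(c / n) for c in Counter(outputs).values())

def detector_signals(queries):
    """The three per-window signals that SODA's detector aggregates into D_t."""
    outputs = [service_model(q) for q in queries]
    return {"d": query_distance(queries),
            "r": sum(reconstruction_error(q) for q in queries) / len(queries),
            "o": output_entropy(outputs)}

def detector_output(queries, weights=(1.0, 1.0, 1.0)):
    """D_t as an assumed weighted sum of d, r and o (aggregation not on this page)."""
    s = detector_signals(queries)
    return weights[0] * s["d"] + weights[1] * s["r"] + weights[2] * s["o"]

# Constructed query streams: a benign user staying near one training mode, and
# a random-querying stream of the kind Figure 2 evaluates for class recovery.
rng = random.Random(7)
BENIGN_STREAM = [(0.15 + rng.uniform(-0.05, 0.05), 0.20 + rng.uniform(-0.05, 0.05))
                 for _ in range(20)]
RANDOM_STREAM = [(rng.random(), rng.random()) for _ in range(20)]
```

Random querying drives all three signals up at once (large inter-query distance, queries far from the training manifold, and high output entropy), which is why a window of a few dozen queries is enough to separate it from benign use.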