TBNet: A Neural Architectural Defense Framework Facilitating DNN Model Protection in Trusted Execution Environments

Ziyu Liu, Tong Zhou, Yukui Luo, Xiaolin Xu

TL;DR

TBNet tackles the security-performance dilemma of deploying DNNs in edge TEEs by introducing a two-branch substitution model: a secure branch in the TEE and an unsecured branch in the REE. It transfers partial knowledge from the victim model to the secure branch, then iteratively prunes both branches while rolling back the REE branch to create architectural divergence, thereby protecting IP while preserving accuracy. The method yields substantial hardware efficiency gains (memory up to 2.45×, latency up to 1.22×) and robust protection against model theft and fine-tuning, demonstrated on a Raspberry Pi with CIFAR-10/100 across VGG and ResNet variants. These results suggest TBNet enables practical, secure, low-overhead DNN deployment for edge devices without sacrificing performance.

Abstract

Trusted Execution Environments (TEEs) have become a promising solution to secure DNN models on edge devices. However, the existing solutions either provide inadequate protection or introduce large performance overhead. Taking both security and performance into consideration, this paper presents TBNet, a TEE-based defense framework that protects DNN models from a neural architectural perspective. Specifically, TBNet generates a novel Two-Branch substitution model, to respectively exploit (1) the computational resources in the untrusted Rich Execution Environment (REE) for latency reduction and (2) the physically-isolated TEE for model protection. Experimental results on a Raspberry Pi across diverse DNN model architectures and datasets demonstrate that TBNet achieves efficient model protection at a low cost.

Paper Structure (20 sections, 1 equation, 4 figures, 3 tables, 1 algorithm)

Figures (4)

  • Figure 1: Workflow of the framework. Step ①: TBNet takes the victim model as the unsecured branch ($M_{R}$), then initializes a secure branch ($M_{T}$) that has the same model architecture as $M_{R}$. Step ② transfers the knowledge of the victim model (i.e., now $M_{R}$) to $M_{T}$. Steps ③-⑤ apply iterative two-branch pruning to hide the architecture of the victim model and to obtain a lightweight $M_{T}$ to ease the storage and computational burden in the TEE. Step ⑥ employs rollback to introduce an architectural distinction between $M_{R}$ and $M_{T}$.
  • Figure 2: Accuracy of attackers fine-tuning the $M_{R}$ of VGG18 under varying dataset availability.
  • Figure 3: The comparison of memory usage in TEE.
  • Figure 4: Distribution of BN weights in $M_{T}$ and $M_{R}$ after knowledge transfer.
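The workflow in Figure 1 (initialize $M_{T}$ as a copy of $M_{R}$, prune both branches iteratively, then roll the REE branch back so the two architectures diverge) is easiest to see on a toy model. The following pure-Python example is added here and is not TBNet's code; it assumes a network-slimming style criterion (channels with the smallest BatchNorm scale $\gamma$ are pruned first, motivated by the BN-weight distributions shown in Figure 4) and interprets "rollback" as restoring $M_{R}$ to its mask from the previous pruning round. The per-layer $\gamma$ values, the pruning ratio, the number of rounds and the function names are all constructed assumptions; knowledge transfer (step ②) is not modelled, since it changes weights rather than architecture.

```python
"""Toy two-branch pruning with REE-branch rollback (added illustration, not TBNet's implementation)."""
from typing import Dict, List

# Constructed example: BatchNorm scale factors (gamma) per output channel of a 3-layer toy CNN.
# Small |gamma| marks a channel that contributes little and is pruned first (network-slimming assumption).
VICTIM_BN: Dict[str, List[float]] = {
    "conv1": [0.9, 0.05, 0.7, 0.02, 0.6],
    "conv2": [0.1, 0.8, 0.03, 0.5],
    "conv3": [0.4, 0.01, 0.9],
}

Mask = Dict[str, List[bool]]  # layer -> per-channel keep flag (True = channel kept)


class Branch:
    """One branch of the two-branch model: its BN scales and the channel mask that defines its architecture."""

    def __init__(self, name: str, gammas: Dict[str, List[float]]) -> None:
        self.name = name
        self.gammas = {layer: list(g) for layer, g in gammas.items()}
        self.mask: Mask = {layer: [True] * len(g) for layer, g in gammas.items()}

    def snapshot(self) -> Mask:
        return {layer: list(m) for layer, m in self.mask.items()}

    def restore(self, saved: Mask) -> None:
        """Rollback: reinstate an earlier architecture (step 6 for the REE branch, in this interpretation)."""
        self.mask = {layer: list(m) for layer, m in saved.items()}


def prune_step(branch: Branch, ratio: float) -> None:
    """Remove the `ratio` fraction of still-alive channels with the smallest |gamma| in every layer,
    always keeping at least one channel per layer."""
    for layer, g in branch.gammas.items():
        alive = [i for i, keep in enumerate(branch.mask[layer]) if keep]
        n_prune = int(len(alive) * ratio)
        if n_prune == 0 or len(alive) - n_prune < 1:
            continue
        for i in sorted(alive, key=lambda idx: abs(g[idx]))[:n_prune]:
            branch.mask[layer][i] = False


def kept_channels(branch: Branch) -> Dict[str, int]:
    return {layer: sum(m) for layer, m in branch.mask.items()}


def architectures_differ(a: Branch, b: Branch) -> bool:
    """The whole point of step 6: the REE branch must not reveal the TEE branch's architecture."""
    return any(a.mask[layer] != b.mask[layer] for layer in a.mask)


def is_subarchitecture(inner: Branch, outer: Branch) -> bool:
    """True if every channel kept in `inner` is also kept in `outer` (expected for M_T vs. rolled-back M_R)."""
    return all(
        not keep or outer.mask[layer][i]
        for layer, mask in inner.mask.items()
        for i, keep in enumerate(mask)
    )


def tbnet_prune(victim_bn: Dict[str, List[float]], rounds: int = 2, ratio: float = 0.4):
    """Steps 1, 3-5 and 6 of Figure 1 on the toy model. Returns (M_R, M_T)."""
    m_r = Branch("M_R", victim_bn)          # step 1: victim model becomes the unsecured REE branch
    m_t = Branch("M_T", victim_bn)          # secure TEE branch starts with the same architecture
    history: List[Mask] = []
    for _ in range(rounds):                 # steps 3-5: iterative two-branch pruning
        history.append(m_r.snapshot())
        prune_step(m_r, ratio)
        prune_step(m_t, ratio)
    m_r.restore(history[-1])                # step 6: roll the REE branch back one round (assumption)
    return m_r, m_t


if __name__ == "__main__":
    m_r, m_t = tbnet_prune(VICTIM_BN)
    print("M_R kept channels:", kept_channels(m_r))
    print("M_T kept channels:", kept_channels(m_t))
    print("architectures differ:", architectures_differ(m_r, m_t))
```

With the constructed values above, $M_{T}$ ends up with two channels in every layer while the rolled-back $M_{R}$ keeps three in conv1 and conv2, so an attacker holding only the REE branch does not see the architecture that actually runs inside the TEE, yet $M_{T}$ remains a strict sub-architecture of $M_{R}$.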