SHEATH: Defending Horizontal Collaboration for Distributed CNNs against Adversarial Noise

Muneeba Asif, Mohammad Kumail Kazmi, Mohammad Ashiqur Rahman, Syed Rafay Hasan, Soamar Homsi

TL;DR

SHEATH addresses the vulnerability of horizontal-collaboration (HC) CNNs on edge devices to adversarial noise by introducing a lightweight defense that detects perturbations in intermediate feature maps and recovers the original representations without requiring full knowledge of the target model. The framework combines a PseudoNet-based Detect module and a Recover module to minimize disruption and maintain accuracy across diverse CNN architectures and datasets, even under single- or multi-layer attacks. Empirical results show high detection performance with minimal overhead and substantial recovery gains, e.g., restoring accuracy from severely corrupted levels to near baseline in Gaussian and polarity-switch scenarios. This approach enables secure, privacy-preserving distributed CNN inference in AIoT settings where trusting all nodes is impractical, and it lays groundwork for robust HC deployments and hardware-accelerated implementations.

Abstract

As edge computing and the Internet of Things (IoT) expand, horizontal collaboration (HC) emerges as a distributed data processing solution for resource-constrained devices. In particular, a convolutional neural network (CNN) model can be deployed on multiple IoT devices, allowing distributed inference execution for image recognition while ensuring model and data privacy. Yet, this distributed architecture remains vulnerable to adversaries who want to make subtle alterations that impact the model, even if they lack access to the entire model. Such vulnerabilities can have severe implications for various sectors, including healthcare, military, and autonomous systems. However, security solutions for these vulnerabilities have not been explored. This paper presents a novel framework for Secure Horizontal Edge with Adversarial Threat Handling (SHEATH) to detect adversarial noise and eliminate its effect on CNN inference by recovering the original feature maps. Specifically, SHEATH aims to address vulnerabilities without requiring complete knowledge of the CNN model in HC edge architectures based on sequential partitioning. It ensures data and model integrity, offering security against adversarial attacks in diverse HC environments. Our evaluations demonstrate SHEATH's adaptability and effectiveness across diverse CNN configurations.

Paper Structure (31 sections, 16 equations, 14 figures, 4 tables)

Figures (14)

  • Figure 1: Horizontal CNN partitioning across IoT devices. Adversarial noise at "Conv3" results in a "fox" misclassification of a "cat" image. The adversary can launch multi-node (i.e., multi-layer) attacks, as shown on the "Conv1" and "Pool1" layers. Increased sparsity in deeper CNN layers intensifies the subtlety of these adversarial attacks, which makes them harder to detect.
  • Figure 2: Model Accuracy vs. Noise Parameters in Feature Vector when (a) noise is injected in the third convolutional layer's feature maps and (b) noise is injected in two non-consecutive convolutional layers "Conv1" and "Conv3".
  • Figure 3: Impact of noise injection in different layers of (a) EdgeCNN and (b) LeNet CNN architectures in an HC setup.
  • Figure 4: Overview of the SHEATH Framework. SHEATH has two modules: (i) Detect and (ii) Recover. It is deployed on a trusted node in HC-based edge devices to defend against adversarial noise from propagating to the rest of the CNN model. Integrated within drone-based trusted nodes, SHEATH secures the untrusted node (IoT dev2) by taking input from the preceding trusted node (IoT dev3). In the case of noise detection, SHEATH forwards the recovered output to the subsequent layer (IoT dev4).
  • Figure 5: Single-layer attack in HC-based edge devices.
  • ...and 9 more figures