Edge-Only Universal Adversarial Attacks in Distributed Learning

Giulio Rossolini, Tommaso Baldi, Alessandro Biondi, Giorgio Buttazzo

TL;DR

The paper targets a realistic vulnerability in split inference by allowing an attacker to access only the edge portion of a distributed model during inference. It develops edge-only universal adversarial perturbations for both targeted and untargeted objectives, leveraging learned feature separations at edge layers to craft perturbations that transfer to the unknown cloud component. Experiments on ImageNet (and ViT/CIFAR-10 variants) show strong transferability across CNNs and transformers, with performance approaching white-box UAPs in untargeted settings and meaningful targeted effects dependent on edge depth. The work highlights the need for defenses at the edge-cloud interface and motivates future research into edge-layer robustness and cross-partition security.

Abstract

Distributed learning frameworks, which partition neural network models across multiple computing nodes, enhance efficiency in collaborative edge-cloud systems, but may also introduce new vulnerabilities to evasion attacks, often in the form of adversarial perturbations. In this work, we present a new threat model that explores the feasibility of generating universal adversarial perturbations (UAPs) when the attacker has access only to the edge portion of the model, consisting of its initial network layers. Unlike traditional attacks that require full model knowledge, our approach shows that adversaries can induce effective mispredictions in the unknown cloud component by manipulating key feature representations at the edge. Following the proposed threat model, we introduce both edge-only untargeted and targeted formulations of UAPs designed to control intermediate features before the split point. Our results on ImageNet demonstrate strong attack transferability to the unknown cloud part, and we compare the proposed method with classical white-box and black-box techniques, highlighting its effectiveness. Additionally, we analyze the capability of an attacker to achieve targeted adversarial effects with edge-only knowledge, revealing intriguing behaviors across multiple networks. By introducing the first adversarial attacks with edge-only knowledge in split inference, this work underscores the importance of addressing partial model access in adversarial robustness, encouraging further research in this area.

Paper Structure

This paper contains 33 sections, 9 equations, 13 figures, 6 tables.

Figures (13)

  • Figure 1: Comparison between threat models. Left: the proposed edge-based attack, where the adversary has access to the edge portion of the split model. Right: a standard black-box setting, where the adversary relies on a surrogate model $s$ to craft transferable attacks.
  • Figure 2: Scheme of the proposed targeted edge-only universal attack (Secs. \ref{ss:learning_class} and \ref{ss:opt_uap}). The attacker has full control only over the edge part, from which they can exploit the output of its layers to train binary classifiers $g^l$ that learn feature separations characterizing reference target samples. This is then exploited to run an adversarial optimization that crafts a universal attack transferable to the cloud part of the model.
  • Figure 3: Model accuracy under edge-only universal adversarial attacks (white part) with $\epsilon=10/255$ (a) and $\epsilon=16/255$ (b) across different edge sizes. The classic UAP formulation [Zhang_data-free], in both targeted and untargeted forms, is shown in the grey area for comparison.
  • Figure 4: Target success rate across attacks performed with $\epsilon=10/255$ for different edge depths and different target classes.
  • Figure 5: Impact of the targeted edge-only UAP ($\epsilon = 10/255$) in the layers' embedding space with t-SNE. Visualizations of MobileNetV2 (top) and ResNet50 (bottom) features show 50 samples from the target class (“brain coral,” blue) and 1000 samples from other classes (red), along with a new test sample (yellow) and its edge-only targeted perturbed versions (green), generated at different depths (numbers).
  • ...and 8 more figures