A Tale of Two Models: Constructing Evasive Attacks on Edge Models
Wei Hao, Aahil Awatramani, Jiayang Hu, Chengzhi Mao, Pin-Chun Chen, Eyal Cidon, Asaf Cidon, Junfeng Yang

TL;DR
This paper introduces DIVA, an evasive attack exploiting differences in edge-adapted models to generate adversarial inputs that deceive edge models while remaining undetectable by the original models, highlighting security concerns.
Contribution
The paper presents DIVA, a novel attack method specifically targeting edge-adapted models by leveraging their output differences, which is more evasive than existing attacks like PGD.
Findings
DIVA is only slightly less effective than PGD in attacking adapted models.
DIVA is significantly more likely to evade detection by the original model.
DIVA outperforms PGD in semi-blackbox detection scenarios.
Abstract
Full-precision deep learning models are typically too large or costly to deploy on edge devices. To accommodate the limited hardware resources, models are adapted to the edge using various edge-adaptation techniques, such as quantization and pruning. While such techniques may have a negligible impact on top-line accuracy, the adapted models exhibit subtle differences in output compared to the original model from which they are derived. In this paper, we introduce a new evasive attack, DIVA, that exploits these differences in edge adaptation by adding adversarial noise to input data that maximizes the output difference between the original and adapted model. Such an attack is particularly dangerous, because the malicious input will trick the adapted model running on the edge, but will be virtually undetectable by the original model, which typically serves as the authoritative model…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Security and Verification in Computing
