Edge-Only Universal Adversarial Attacks in Distributed Learning
Giulio Rossolini, Tommaso Baldi, Alessandro Biondi, Giorgio Buttazzo

TL;DR
This paper introduces a novel threat model for distributed learning systems where attackers only have access to the edge part of the model, demonstrating effective universal adversarial attacks that transfer to the cloud component.
Contribution
It presents the first edge-only universal adversarial perturbation method for split neural networks, highlighting the vulnerabilities that arise in distributed learning even when the attacker has only partial model knowledge.
Findings
Edge-only UAPs effectively transfer to cloud models.
Attack success demonstrated on ImageNet.
Targeted attacks reveal complex behaviors across networks.
Abstract
Distributed learning frameworks, which partition neural network models across multiple computing nodes, enhance efficiency in collaborative edge-cloud systems, but may also introduce new vulnerabilities to evasion attacks, often in the form of adversarial perturbations. In this work, we present a new threat model that explores the feasibility of generating universal adversarial perturbations (UAPs) when the attacker has access only to the edge portion of the model, consisting of its initial network layers. Unlike traditional attacks that require full model knowledge, our approach shows that adversaries can induce effective mispredictions in the unknown cloud component by manipulating key feature representations at the edge. Following the proposed threat model, we introduce both edge-only untargeted and targeted formulations of UAPs designed to control intermediate features before the…
Taxonomy
Topics: Adversarial Robustness in Machine Learning
