Exploiting Edge Features for Transferable Adversarial Attacks in Distributed Machine Learning
Giulio Rossolini, Fabio Brau, Alessandro Biondi, Battista Biggio, Giorgio Buttazzo

TL;DR
This paper reveals a new security vulnerability in distributed edge-based machine learning, showing that intercepting intermediate features enables highly transferable adversarial attacks, highlighting the need for better security measures.
Contribution
It introduces a novel exploitation strategy for black-box distributed models that reconstructs original features to craft transferable adversarial examples, exposing a critical security flaw.
Findings
Intercepted features enable effective surrogate model training.
Surrogate models significantly improve attack transferability.
Distributed models are more vulnerable due to feature leakage.
Abstract
As machine learning models become increasingly deployed across the edge of Internet of Things environments, a partitioned deep learning paradigm in which models are split across multiple computational nodes introduces a new dimension of security risk. Unlike traditional inference setups, these distributed pipelines span the model computation across heterogeneous nodes and communication layers, thereby exposing a broader attack surface to potential adversaries. Building on these motivations, this work explores a previously overlooked vulnerability: even when both the edge and cloud components of the model are inaccessible (i.e., black-box), an adversary who intercepts the intermediate features transmitted between them can still pose a serious threat. We demonstrate that, under these mild and realistic assumptions, an attacker can craft highly transferable proxy models, making the entire…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data · Security and Verification in Computing
