defense 2026

MirageNet: A Secure, Efficient, and Scalable On-Device Model Protection in Heterogeneous TEE and GPU System

Huadi Zheng, Li Cheng, Yan Ding

0 citations · 41 references · arXiv


Published on arXiv: 2601.13826

Model Theft

OWASP ML Top 10 — ML05

Key Finding

ConvShatter reduces inference latency overhead by 16% compared to GroupCover while preserving model accuracy and resisting weight-sorting-based partial-obfuscation bypass attacks.

ConvShatter

Novel technique introduced


As edge devices gain stronger computing power, deploying high-performance DNN models on untrusted hardware has become a practical way to cut inference latency and protect user data privacy. Given the high cost of model training and the demands of user experience, balancing model confidentiality against low runtime overhead is critical. Trusted execution environments (TEEs) offer a viable defense, and prior work has proposed heterogeneous GPU-TEE inference frameworks that use parameter obfuscation to balance efficiency and confidentiality. However, recent studies find partial obfuscation defenses ineffective, while robust schemes incur unacceptable latency. To resolve these issues, we propose ConvShatter, a novel obfuscation scheme that achieves low latency and high accuracy while preserving model confidentiality and integrity. It exploits the linearity of convolution to decompose kernels into critical and common ones, inject confounding decoys, and permute channel and kernel orders. Before deployment, it performs kernel decomposition, decoy injection and order obfuscation, storing only the minimal recovery parameters securely in the TEE. During inference, the TEE reconstructs the outputs of the obfuscated convolutional layers. Extensive experiments show that ConvShatter substantially reduces latency overhead while giving strong security guarantees; against comparable schemes, it cuts overhead by 16% relative to GroupCover while maintaining accuracy on par with the original model.


Key Contributions

  • ConvShatter obfuscation scheme that exploits convolution linearity to decompose kernels into critical/common components, inject confounding decoy kernels, and permute channel/kernel orders — protecting model weights on untrusted edge hardware
  • Hybrid TEE-GPU inference architecture where the TEE stores only minimal recovery parameters and reconstructs obfuscated layer outputs at inference time, reducing overhead versus full-TEE execution
  • 16% latency overhead reduction compared to GroupCover while maintaining original model accuracy and providing stronger resistance to weight-sorting-based model extraction attacks
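The abstract and the first two contributions describe the mechanism in words: split each convolution kernel into a shared "common" part and a per-channel "critical" residual, ship those pieces plus decoy kernels to the untrusted GPU in shuffled order, and let the TEE recombine the GPU's feature maps using a small secret. The block below is an added, simplified illustration of that principle in pure Python; it is not code from the paper, and its specific decomposition (common = mean kernel, critical = kernel minus mean), its decoy construction, and all function names are assumptions made here for the example. The input image and kernels are constructed random data.

```python
"""Added illustration of convolution-linearity obfuscation with TEE-side recovery.
Not the paper's implementation: the mean/residual split, decoy sampling and
function names are assumptions chosen for this example. Pure Python, no deps."""
from functools import reduce
import random


def conv2d_valid(x, k):
    """Single-channel 2-D cross-correlation with 'valid' padding (one conv output map)."""
    h, w, kh, kw = len(x), len(x[0]), len(k), len(k[0])
    return [[sum(x[i + a][j + b] * k[a][b] for a in range(kh) for b in range(kw))
             for j in range(w - kw + 1)] for i in range(h - kh + 1)]


def add_maps(a, b):
    """Element-wise sum of two equally shaped 2-D lists (kernels or feature maps)."""
    return [[p + q for p, q in zip(ra, rb)] for ra, rb in zip(a, b)]


def scale_map(a, s):
    return [[p * s for p in row] for row in a]


def obfuscate_layer(kernels, n_decoys, rng):
    """Pre-deployment step, run in a trusted setting.

    Decomposes every kernel K_i into a shared common part M (here: the mean kernel)
    and a critical residual C_i = K_i - M, appends decoy kernels, and shuffles all of
    them. Returns the shuffled public kernel list for the untrusted GPU and the small
    secret the TEE keeps: which public slot holds M and which slot holds each C_i.
    """
    n = len(kernels)
    kh, kw = len(kernels[0]), len(kernels[0][0])
    common = scale_map(reduce(add_maps, kernels), 1.0 / n)
    critical = [add_maps(k, scale_map(common, -1.0)) for k in kernels]
    # Decoys are sampled from the same value range as the real weights (an assumption
    # of this example) so that a plain magnitude sort does not single them out.
    lo = min(v for k in kernels for row in k for v in row)
    hi = max(v for k in kernels for row in k for v in row)
    decoys = [[[rng.uniform(lo, hi) for _ in range(kw)] for _ in range(kh)]
              for _ in range(n_decoys)]
    plain = [common] + critical + decoys
    perm = list(range(len(plain)))
    rng.shuffle(perm)
    public = [plain[p] for p in perm]
    slot = {p: i for i, p in enumerate(perm)}  # index in `plain` -> slot in `public`
    secret = {"common": slot[0], "critical": [slot[1 + i] for i in range(n)]}
    return public, secret


def untrusted_forward(x, public_kernels):
    """What the untrusted GPU computes: one feature map per shipped kernel, real or decoy."""
    return [conv2d_valid(x, k) for k in public_kernels]


def tee_reconstruct(feature_maps, secret):
    """TEE step. By linearity conv(x, K_i) = conv(x, C_i) + conv(x, M), so the TEE only
    adds two GPU-produced maps per real channel and never touches the original kernels."""
    base = feature_maps[secret["common"]]
    return [add_maps(feature_maps[c], base) for c in secret["critical"]]


def kernel_leaked(kernels, public_kernels, tol=1e-12):
    """True if any shipped kernel equals an original kernel element-wise."""
    return any(all(abs(p - q) < tol for rp, rq in zip(k, pk) for p, q in zip(rp, rq))
               for k in kernels for pk in public_kernels)


def demo(seed=7, n_channels=4, n_decoys=4):
    """Run the full flow on constructed random data.
    Returns (max abs error of recovered vs reference outputs, number of shipped kernels,
    whether any original kernel appears verbatim in the shipped set)."""
    rng = random.Random(seed)
    x = [[rng.uniform(-1, 1) for _ in range(6)] for _ in range(6)]
    kernels = [[[rng.uniform(-1, 1) for _ in range(3)] for _ in range(3)]
               for _ in range(n_channels)]
    public, secret = obfuscate_layer(kernels, n_decoys, rng)
    reference = [conv2d_valid(x, k) for k in kernels]
    recovered = tee_reconstruct(untrusted_forward(x, public), secret)
    max_err = max(abs(a - b) for r, q in zip(reference, recovered)
                  for ra, qa in zip(r, q) for a, b in zip(ra, qa))
    return max_err, len(public), kernel_leaked(kernels, public)


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete is the cost split the paper's architecture relies on: the GPU does all convolutions (including the wasted ones on decoys), while the TEE's work per real channel is one element-wise addition plus holding a handful of indices, which is why the recovery parameters can stay "minimal". The decoy and permutation parameters here are deliberately simple; a real scheme also has to choose decoys whose weight statistics match the genuine kernels, since the paper's stated attack of concern sorts weights to separate them.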

🛡️ Threat Analysis

Model Theft

ConvShatter is explicitly a defense against model theft: it protects the intellectual property in DNN weights and parameters from adversaries who gain white-box access to edge-deployed models. Black-box model extraction remains the residual threat in its threat model; the scheme prevents direct model reconstruction by obfuscating kernel weights through decomposition, decoy injection, and order permutation, with the recovery secrets stored in the TEE.


Details

Domains
vision
Model Types
cnn
Threat Tags
white_box, black_box, inference_time
Applications
edge dnn deployment, on-device inference, model ip protection