English

Exploiting Edge Features for Transferable Adversarial Attacks in Distributed Machine Learning

Machine Learning 2025-07-11 v1 Artificial Intelligence

Abstract

As machine learning models become increasingly deployed across the edge of internet of things environments, a partitioned deep learning paradigm in which models are split across multiple computational nodes introduces a new dimension of security risk. Unlike traditional inference setups, these distributed pipelines span the model computation across heterogeneous nodes and communication layers, thereby exposing a broader attack surface to potential adversaries. Building on these motivations, this work explores a previously overlooked vulnerability: even when both the edge and cloud components of the model are inaccessible (i.e., black-box), an adversary who intercepts the intermediate features transmitted between them can still pose a serious threat. We demonstrate that, under these mild and realistic assumptions, an attacker can craft highly transferable proxy models, making the entire deep learning system significantly more vulnerable to evasion attacks. In particular, the intercepted features can be effectively analyzed and leveraged to distill surrogate models capable of crafting highly transferable adversarial examples against the target model. To this end, we propose an exploitation strategy specifically designed for distributed settings, which involves reconstructing the original tensor shape from vectorized transmitted features using simple statistical analysis, and adapting surrogate architectures accordingly to enable effective feature distillation. A comprehensive and systematic experimental evaluation has been conducted to demonstrate that surrogate models trained with the proposed strategy, i.e., leveraging intermediate features, tremendously improve the transferability of adversarial attacks. These findings underscore the urgent need to account for intermediate feature leakage in the design of secure distributed deep learning systems.

Keywords

Cite

@article{arxiv.2507.07259,
  title  = {Exploiting Edge Features for Transferable Adversarial Attacks in Distributed Machine Learning},
  author = {Giulio Rossolini and Fabio Brau and Alessandro Biondi and Battista Biggio and Giorgio Buttazzo},
  journal= {arXiv preprint arXiv:2507.07259},
  year   = {2025}
}

Comments

under review

R2 v1 2026-07-01T03:53:55.114Z