SoK: Attack and Defense Landscape of Mobile On-device AI Systems
Pith reviewed 2026-07-02 11:43 UTC · model grok-4.3
The pith
This SoK creates the first systematic framework for attacks and defenses in mobile on-device AI systems.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The paper presents the first comprehensive systematization of knowledge (SoK) on MoAI security: it organizes the field into security pillars, an attack landscape and a defense landscape, uses that organization to identify unresolved research gaps, and offers it as the first systematic framework for understanding MoAI attacks and defenses.
What carries the argument
The systematic framework that categorizes MoAI security into pillars, attack landscape, and defense landscape.
Load-bearing premise
The published work surveyed is complete and representative enough to support a full categorization into pillars, attacks, and defenses without major omissions.
What would settle it
A substantial body of MoAI security research that cannot be placed into the proposed categories or a clear major omission that the survey missed.
Original abstract
Mobile on-device AI (MoAI) systems that integrate locally deployed AI models with conventional mobile software components are emerging as a key paradigm for delivering intelligent functionality directly on end-user devices. By moving inference from remote cloud services to the local mobile environment, such systems enable privacy-preserving, low-latency, and offline-capable AI functionality, yet introduce new security risks arising from the local storage of AI models. This paper presents the first comprehensive systematization of knowledge on MoAI security, covering security pillars, attack landscape, and defense landscape of MoAI systems. We further identify unresolved gaps in current attack and defense research and point to promising directions for future research in this emerging area. Our work establishes the first systematic framework for understanding the attack and defense landscapes of MoAI systems, serving as a foundation for building secure MoAI systems and advancing research in this critical domain. Companion resources are available at https://github.com/Jinxhy/Awesome-MoAI-Security.
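The risk the abstract attributes to local model storage is easiest to see at the package level: a model that ships as a plaintext file inside the app bundle can be pulled out by anyone who can unzip the APK, which is the starting condition for the model-theft and model-protection work this survey covers. The scanner below is an added example written for this page, not code from the paper or its companion repository. The APK it scans is a constructed fixture, the extension list and the 7.9 bits/byte entropy threshold are assumptions, and the only format-level check it makes is the TFLite FlatBuffer file identifier "TFL3" at byte offset 4.

```python
"""Scan an Android package (an ordinary zip) for bundled on-device model
files and flag those that ship in plaintext.

Added example for this page; not code from the surveyed paper or its
companion repository. build_fixture_apk() returns a constructed test
fixture; MODEL_EXTENSIONS and ENTROPY_THRESHOLD are assumptions."""
import hashlib
import io
import math
import os
import sys
import zipfile
from dataclasses import dataclass

# Extensions used by common mobile inference runtimes (assumption: tune per app).
MODEL_EXTENSIONS = {".tflite", ".lite", ".onnx", ".pt", ".ptl", ".pte",
                    ".mlmodel", ".gguf", ".bin"}
# FlatBuffer file identifier declared in the TFLite schema; sits at bytes 4..8.
TFLITE_FILE_ID = b"TFL3"
# Bits/byte above which a blob is treated as encrypted or compressed rather
# than raw weights (assumption; ciphertext sits at ~7.99, weight files lower).
ENTROPY_THRESHOLD = 7.9


@dataclass
class ModelFinding:
    path: str
    size: int
    kind: str        # "tflite", "onnx" or "other"
    entropy: float   # bits per byte, rounded to two places
    plaintext: bool  # True: the weights are recoverable by unzipping


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(name: str, data: bytes):
    """Return a model kind for one zip member, or None if it is not a model."""
    if len(data) >= 8 and data[4:8] == TFLITE_FILE_ID:
        return "tflite"  # structural match, independent of the file name
    ext = os.path.splitext(name)[1].lower()
    if ext == ".onnx":
        return "onnx"
    return "other" if ext in MODEL_EXTENSIONS else None


def scan_package(apk_bytes: bytes) -> list:
    """Walk every member of the package and report bundled models."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            kind = classify(info.filename, data)
            if kind is None:
                continue
            ent = shannon_entropy(data)
            # A parseable TFLite header is plaintext by construction; for
            # everything else fall back to the entropy heuristic.
            plaintext = kind == "tflite" or ent < ENTROPY_THRESHOLD
            findings.append(ModelFinding(info.filename, len(data), kind,
                                         round(ent, 2), plaintext))
    return findings


def build_fixture_apk() -> bytes:
    """Constructed APK-like zip: a plaintext TFLite model, a plaintext ONNX
    model, a high-entropy blob standing in for an encrypted model, and one
    non-model resource."""
    tflite = b"\x1c\x00\x00\x00" + TFLITE_FILE_ID + b"\x00" * 20 + b"conv2d_weights" * 8
    onnx = b"\x08\x07\x12\x04onnx" + b"\x00" * 256 + b"MatMul" * 16
    # Deterministic pseudo-random bytes so the run is reproducible offline.
    encrypted = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                         for i in range(2048))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("assets/detector.tflite", tflite)
        zf.writestr("assets/classifier.onnx", onnx)
        zf.writestr("assets/weights.bin", encrypted)
        zf.writestr("res/layout/main.xml", b"<LinearLayout/>")
    return buf.getvalue()


def report(findings) -> str:
    lines = [f"{'PLAINTEXT' if f.plaintext else 'opaque   '} {f.kind:6} "
             f"{f.size:8d} B  H={f.entropy:.2f}  {f.path}" for f in findings]
    return "\n".join(lines) if lines else "no bundled models found"


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fixture_apk()
    print(report(scan_package(blob)))
```

Run it with a real APK path to scan that package, or with no argument to scan the fixture. The entropy test is a heuristic: a model compressed inside the zip or wrapped in a vendor container can look opaque while still being trivially recoverable, and an encrypted file whose key is embedded in the app's native code is only one step harder to extract than plaintext; the scanner tells you where to look, not whether the protection holds.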
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper claims to present the first comprehensive systematization of knowledge (SoK) on Mobile on-device AI (MoAI) security. It covers security pillars, the attack landscape, and the defense landscape of MoAI systems, identifies unresolved gaps in current attack and defense research, and establishes the first systematic framework for understanding these landscapes. Companion resources are available via a GitHub repository.
Significance. If the survey methodology is sound and the literature coverage complete, this would be a significant contribution as the first SoK in an emerging area. It would provide a useful framework and gap analysis to guide future work on secure MoAI systems. The public GitHub repository is a clear strength that supports community use and reproducibility of the surveyed resources.
major comments (1)
- [Abstract] The central claim of presenting the 'first comprehensive' SoK depends on the surveyed body of work being representative. The abstract provides no explicit methodology for paper selection, search strategy, databases, keywords, time bounds, or inclusion/exclusion criteria. This detail is load-bearing for the comprehensiveness assertion; without it, the resulting categorization into pillars/attacks/defenses cannot be verified as complete rather than partial.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback on our SoK manuscript. We address the single major comment below and agree that a revision is warranted.
Point-by-point responses
- Referee: [Abstract] The central claim of presenting the 'first comprehensive' SoK depends on the surveyed body of work being representative. The abstract provides no explicit methodology for paper selection, search strategy, databases, keywords, time bounds, or inclusion/exclusion criteria. This detail is load-bearing for the comprehensiveness assertion; without it, the resulting categorization into pillars/attacks/defenses cannot be verified as complete rather than partial.
  Authors: We agree that the abstract does not currently include explicit details on the survey methodology, which is necessary to support the claim of comprehensiveness. The full manuscript contains a dedicated systematization methodology section that specifies the search strategy (systematic queries across Google Scholar, IEEE Xplore, ACM Digital Library, and arXiv), keywords (combinations of 'mobile on-device AI', 'on-device inference security', 'model extraction', 'adversarial attack', etc.), time bounds (primarily 2017–2024 with key earlier foundational works), and inclusion/exclusion criteria (peer-reviewed papers and preprints focused on attacks or defenses for locally deployed mobile AI models, excluding purely cloud-based or non-AI mobile security work). To address the referee's point, we will revise the abstract to concisely summarize this methodology so that the central claim can be properly evaluated.
  Revision: yes
Circularity Check
No circularity: external literature survey with no internal derivations
full rationale
This is a systematization of knowledge (SoK) paper whose claims rest entirely on categorization of externally cited prior work rather than any internal equations, fitted parameters, or self-referential definitions. No derivation chain exists that could reduce a 'prediction' or 'result' to its own inputs by construction. The 'first comprehensive' framing depends on the external assumption of survey completeness, but this is not a circular reduction of the kind enumerated (self-definitional, fitted-input prediction, self-citation load-bearing, etc.). The work is self-contained against external benchmarks in the surveyed literature.
Axiom & Free-Parameter Ledger
axioms (1)
- Domain assumption: Existing publications on mobile on-device AI security collectively cover the relevant attack and defense space in a manner that permits exhaustive categorization.
Reference graph
Works this paper leans on
- [1] AVCam. https://developer.apple.com/documentation/avfoundation/avcam-building-a-camera-app, 2026.
- [2] CameraX. developer.android.com/media/camera/camerax, 2026.
- [3] Core ML. developer.apple.com/machine-learning/core-ml/, 2026.
- [4] ExecuTorch. https://executorch.ai/, 2026.
- [5] Google Gemma 4. https://developers.google.com/edge/litert-lm/models/gemma-4, 2026.
- [6] Google Tensor. https://developers.google.com/edge/litert/next/tensor-sdk, 2026.
- [7] LiteRT. https://ai.google.dev/edge/litert, 2026.
- [8] MLFeatureValue. https://developer.apple.com/documentation/coreml/mlfeaturevalue, 2026.
- [9] Neural Engine. https://apple.fandom.com/wiki/Neural_Engine, 2026.
- [10] On-device GenAI. https://developers.googleblog.com/on-device-genai-in-chrome-chromebook-plus-and-pixel-watch-with-litert-lm/, 2026.
- [11] On-device training with LiteRT. https://developers.google.com/edge/litert/conversion/tensorflow/build/ondevice_training, 2026.
- [12] Open Neural Network Exchange. https://onnx.ai/, 2026.
- [13] Qualcomm Hexagon. www.qualcomm.com/processors/hexagon, 2026.
- [14] TensorImage. https://ai.google.dev/edge/api/tflite/java/org/tensorflow/lite/support/image/TensorImage, 2026.
- [15] Sebastian P. Bayerl, Tommaso Frassetto, Patrick Jauernig, Korbinian Riedhammer, Ahmad-Reza Sadeghi, Thomas Schneider, Emmanuel Stapf, and Christian Weinert. Offline model guard: secure and private ML on mobile devices. In Proceedings of the 23rd Conference on Design, Automation and Test in Europe, pages 460–465, 2020.
- [16] Ondrej Bohdal, Mete Ozay, Jijoong Moon, Kyenghun Lee, Hyeonmok Ko, and Umberto Michieli. Efficient compositional multi-tasking for on-device large language models. In Proceedings of the 2025 Conference on Empirical Methods in Natural Language Processing, pages 28129–28153, 2025.
- [17] Ferdinand Brasser, David Gens, Patrick Jauernig, Ahmad-Reza Sadeghi, and Emmanuel Stapf. Sanctuary: Arming TrustZone with user-space enclaves. In NDSS, volume 100, page 102, 2019.
- [18] Samuel J. Broughton and Lahiru Samarakoon. Improving end-to-end neural diarization using conversational summary representations. In Proc. Interspeech 2023, pages 3157–3161, 2023.
- [19] Hongchen Cao, Shuai Li, Yuming Zhou, Ming Fan, Xuejiao Zhao, and Yutian Tang. Cheating your apps: Black-box adversarial attacks on deep learning apps. Journal of Software: Evolution and Process, 36(4):e2528, 2024.
- [20] Jinwoo Choi, Jaeyeon Kim, Chaemin Lim, Suhyun Lee, Jinho Lee, Dokyung Song, and Youngsok Kim. Guardiann: Fast and secure on-device inference in TrustZone using embedded SRAM and cryptographic hardware. In Proceedings of the 23rd ACM/IFIP International Middleware Conference, pages 15–28, 2022.
- [21] Zizhuang Deng, Kai Chen, Guozhu Meng, Xiaodong Zhang, Ke Xu, and Yao Cheng. Understanding real-world threats to deep learning models in Android apps. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pages 785–799, 2022.
- [22] Akshay Gangal, Mengmei Ye, and Sheng Wei. Hybridtee: Secure mobile DNN execution using hybrid trusted execution environment. In 2020 Asian Hardware Oriented Security and Trust Symposium (AsianHOST), pages 1–6. IEEE, 2020.
- [23] Bin Hu, Yan Wang, Jerry Cheng, Tianming Zhao, Yucheng Xie, Xiaonan Guo, and Yingying Chen. Secure and efficient mobile DNN using trusted execution environments. In Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, pages 274–285, 2023.
- [24] Han Hu, Yujin Huang, Qiuyuan Chen, Terry Yue Zhuo, and Chunyang Chen. A first look at on-device models in iOS apps. ACM Transactions on Software Engineering and Methodology, 33(1):1–30, 2023.
- [25] Jiayi Hua, Yuanchun Li, and Haoyu Wang. Mmguard: Automatically protecting on-device deep learning models in Android apps. In 2021 IEEE Security and Privacy Workshops (SPW), pages 71–77. IEEE, 2021.
- [26] Jiayi Hua, Kailong Wang, Meizhen Wang, Guangdong Bai, Xiapu Luo, and Haoyu Wang. Malmodel: Hiding malicious payload in mobile deep learning models with black-box backdoor attack. Automated Software Engineering, 33(1):28, 2026.
- [27] Yujin Huang and Chunyang Chen. Smart app attack: hacking deep learning models in Android apps. IEEE Transactions on Information Forensics and Security, 17:1827–1840, 2022.
- [28] Yujin Huang, Han Hu, and Chunyang Chen. Robustness of on-device models: Adversarial attack to deep learning models on Android apps. In 2021 IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP), pages 101–110. IEEE, 2021.
- [29] Yujin Huang, Xingliang Yuan, Chunyang Chen, and Seong Oun Hwang. Typhon unleashed: Practical adversarial weight attacks against on-device deep learning models. IEEE Transactions on Dependable and Secure Computing, 2026.
- [30] Yujin Huang, Zhi Zhang, Qingchuan Zhao, Xingliang Yuan, and Chunyang Chen. Themis: Towards practical intellectual property protection for post-deployment on-device deep learning models. In 34th USENIX Security Symposium (USENIX Security 25), 2025.
- [31] Jacob Huckelberry, Yuke Zhang, Allison Sansone, James Mickens, Peter A. Beerel, and Vijay Janapa Reddi. TinyML security: Exploring vulnerabilities in resource-constrained machine learning systems. arXiv preprint arXiv:2411.07114, 2024.
- [32] Md Shihabul Islam, Mahmoud Zamani, Chung Hwan Kim, Latifur Khan, and Kevin W. Hamlen. Confidential execution of deep learning inference at the untrusted edge with Arm TrustZone. In Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy, pages 153–164, 2023.
- [33] Ding Li, Ziqi Zhang, Mengyu Yao, Yifeng Cai, Yao Guo, and Xiangqun Chen. Teeslice: Protecting sensitive neural network models in trusted execution environments when attackers have pre-trained models. ACM Transactions on Software Engineering and Methodology, 34(6):1–49, 2025.
- [34] Minghui Li, Yang Li, Hao Han, Xiaopeng Ke, Tongyu Wang, Fengyuan Xu, and Liming Fang. Redlc: Learning-driven reverse engineering for deep learning compilers. In 2024 IEEE 35th International Symposium on Software Reliability Engineering (ISSRE), pages 204–.
- [35] Wenbo Li, Yi Wei, Yilin Shen, and Hongxia Jin. Efficient layout-guided image inpainting for mobile use. In Proceedings of the IEEE/CVF Winter Conference on Applications of Computer Vision, pages 8450–8459, 2024.
- [36] Yuanchun Li, Jiayi Hua, Haoyu Wang, Chunyang Chen, and Yunxin Liu. Deeppayload: Black-box backdoor attack on deep learning models through neural payload injection. In 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE), pages 263–274. IEEE, 2021.
- [37] Jialin Liu and Han Wang. Model extraction attack against on-device deep learning with power side channel. In 2024 25th International Symposium on Quality Electronic Design (ISQED), pages 1–5. IEEE, 2024.
- [38] Renju Liu, Luis Garcia, Zaoxing Liu, Botong Ou, and Mani Srivastava. Secdeep: Secure and performant on-device deep learning inference framework for mobile and IoT devices. In Proceedings of the International Conference on Internet-of-Things Design and Implementation, pages 67–79, 2021.
- [39] Zhibo Liu, Yuanyuan Yuan, Yanzuo Chen, Sihang Hu, Tianxiang Li, and Shuai Wang. Deepcache: Revisiting cache side-channel attacks in deep neural networks executables. In Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, pages 4495–4508, 2024.
- [40] Ziyu Liu, Yukui Luo, Shijin Duan, Tong Zhou, and Xiaolin Xu. Mirrornet: A TEE-friendly framework for secure on-device DNN inference. In 2023 IEEE/ACM International Conference on Computer Aided Design (ICCAD), pages 1–9. IEEE, 2023.
- [41] Hua Ma, Huming Qiu, Yansong Gao, Zhi Zhang, Alsharif Abuadbba, Minhui Xue, Anmin Fu, Jiliang Zhang, Said F. Al-Sarawi, and Derek Abbott. Quantization backdoors to deep learning commercial frameworks. IEEE Transactions on Dependable and Secure Computing, 21(3):1155–1172, 2023.
- [42] Fan Mo, Ali Shahin Shamsabadi, Kleomenis Katevas, Soteris Demetriou, Ilias Leontiadis, Andrea Cavallaro, and Hamed Haddadi. Darknetz: towards model privacy at the edge using trusted execution environments. In Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services, pages 161–174, 2020.
- [43] Alireza Mohseni, Mohammad Hossein Moaiyeri, and Mohammad Javad Adel. A novel obfuscation method based on majority logic for preventing unauthorized access to binary deep neural networks. Scientific Reports, 15(1):24416, 2025.
- [44] Myungsuk Moon, Minhee Kim, Joonkyo Jung, and Dokyung Song. Asgard: Protecting on-device deep neural networks with virtualization-based trusted execution environments. In Proceedings 2025 Network and Distributed System Security Symposium, 2025.
- [45] Tushar Nayan, Qiming Guo, Mohammed Al Duniawi, Marcus Botacin, Selcuk Uluagac, and Ruimin Sun. SoK: All you need to know about on-device ML model extraction: the gap between research and practice. In 33rd USENIX Security Symposium (USENIX Security 24), pages 5233–5250, 2024.
- [46] Pengcheng Ren, Chaoshun Zuo, Xiaofeng Liu, Wenrui Diao, Qingchuan Zhao, and Shanqing Guo. Demistify: Identifying on-device machine learning models stealing and reuse vulnerabilities in mobile apps. In Proceedings of the 46th IEEE/ACM International Conference on Software Engineering, pages 1–13, 2024.
- [47] Ye Sang, Yujin Huang, Shuo Huang, and Helei Cui. Beyond the model: Data pre-processing attack to deep learning models in Android apps. In Proceedings of the 2023 Secure and Trustworthy Deep Learning Systems Workshop, pages 1–9, 2023.
- [48] Lizhi Sun, Shuocheng Wang, Hao Wu, Yuhang Gong, Fengyuan Xu, Yunxin Liu, Hao Han, and Sheng Zhong. Leap: TrustZone based developer-friendly TEE for intelligent mobile apps. IEEE Transactions on Mobile Computing, 22(12):7138–7155, 2022.
- [49] Tong Sun, Bowen Jiang, Hailong Lin, Borui Li, Yixiao Teng, Yi Gao, and Wei Dong. Tensorshield: Safeguarding on-device inference by shielding critical DNN tensors with TEE. In Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security, pages 1008–1022, 2025.
- [50] Yu Sun, Gaojian Xiong, Jianhua Liu, Zheng Liu, and Jian Cui. Tsqp: Safeguarding real-time inference for quantization neural networks on edge devices. In 2025 IEEE Symposium on Security and Privacy (SP), pages 2114–2132. IEEE, 2025.
- [51] Zhichuang Sun, Ruimin Sun, Changming Liu, Amrita Roy Chowdhury, Long Lu, and Somesh Jha. Shadownet: A secure and efficient on-device model inference system for convolutional neural networks. In 2023 IEEE Symposium on Security and Privacy (SP), pages 1596–.
- [52] Zhichuang Sun, Ruimin Sun, Long Lu, and Alan Mislove. Mind your weight(s): A large-scale study on insufficient machine learning model protection in mobile apps. In 30th USENIX Security Symposium (USENIX Security 21), pages 1955–1972, 2021.
- [53] Pengli Wang, Bingyou Dong, Yifeng Cai, Zheng Zhang, Junlin Liu, Huanran Xue, Ye Wu, Yao Zhang, and Ziqi Zhang. Game of arrows: On the (in-)security of weight obfuscation for on-device TEE-shielded LLM partition algorithms. In 34th USENIX Security Symposium (USENIX Security 25), pages 279–298, 2025.
- [54] Xunjie Wang, Jiacheng Shi, Zihan Zhao, Yang Yu, Zhichao Hua, and Jinyu Gu. Tz-llm: Protecting on-device large language models with Arm TrustZone. In Proceedings of the 21st European Conference on Computer Systems, pages 657–674, 2026.
- [55] Zijian Wang, Shuo Huang, Yujin Huang, and Helei Cui. Energy-latency attacks to on-device neural networks via sponge poisoning. In Proceedings of the 2023 Secure and Trustworthy Deep Learning Systems Workshop, pages 1–11, 2023.
- [56] Jiali Wei, Ming Fan, Xicheng Zhang, Wenjing Jiao, Haijun Wang, and Ting Liu. Stealthy backdoor attack to real-world models in Android apps. arXiv preprint arXiv:2501.01263, 2025.
- [57] Tatjana Wingarz, Anne Lauscher, Janick Edinger, Dominik Kaaser, Stefan Schulte, and Mathias Fischer. SoK: towards security and safety of edge AI. arXiv preprint arXiv:2410.05349, 2024.
- [58] Hao Wu, Yuhang Gong, Xiaopeng Ke, Hanzhong Liang, Fengyuan Xu, Yunxin Liu, and Sheng Zhong. Tim: Enabling large-scale white-box testing on in-app deep learning models. IEEE Transactions on Information Forensics and Security, 19:8188–8203, 2024.
- [59] Yinpeng Wu, Yitong Chen, Lixiang Wang, Jinyu Gu, Zhichao Hua, and Yubin Xia. FlexServe: A fast and secure LLM serving system for mobile devices with flexible resource isolation. arXiv preprint arXiv:2603.09046, 2026.
- [60] Mengwei Xu, Jiawei Liu, Yuanqiang Liu, Felix Xiaozhu Lin, Yunxin Liu, and Xuanzhe Liu. A first look at deep learning apps on smartphones. In The World Wide Web Conference, pages 2125–2136, 2019.
- [61] Zheng Zhang, Na Wang, Ziqi Zhang, Yao Zhang, Tianyi Zhang, Jianwei Liu, and Ye Wu. Groupcover: A secure, efficient and scalable inference framework for on-device model protection based on TEEs. In Forty-first International Conference on Machine Learning, 2024.
- [62] Ziqi Zhang, Chen Gong, Yifeng Cai, Yuanyuan Yuan, Bingyan Liu, Ding Li, Yao Guo, and Xiangqun Chen. No privacy left outside: On the (in-)security of TEE-shielded DNN partition for on-device ML. In 2024 IEEE Symposium on Security and Privacy (SP), pages 3327–.
- [63] Huadi Zheng, Li Cheng, and Yan Ding. Miragenet: A secure, efficient, and scalable on-device model protection in heterogeneous TEE and GPU system. arXiv preprint arXiv:2601.13826, 2026.
- [64] Mingyi Zhou, Xiang Gao, Xiao Chen, Chunyang Chen, John Grundy, and Li Li. Dynamo: Protecting mobile DL models through coupling obfuscated DL operators. In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, pages 204–215, 2024.
- [65] Mingyi Zhou, Xiang Gao, Pei Liu, John Grundy, Chunyang Chen, Xiao Chen, and Li Li. Model-less is the best model: Generating pure code implementations to replace on-device DL models. In Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, pages 174–185, 2024.
- [66] Mingyi Zhou, Xiang Gao, Jing Wu, John Grundy, Xiao Chen, Chunyang Chen, and Li Li. Modelobfuscator: Obfuscating model information to protect deployed ML-based systems. In Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, pages 1005–1017, 2023.
- [67] Mingyi Zhou, Xiang Gao, Jing Wu, Kui Liu, Hailong Sun, and Li Li. Investigating white-box attacks for on-device models. In Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, pages 1–12, 2024.
- [68] Tong Zhou, Yukui Luo, Shaolei Ren, and Xiaolin Xu. Nnsplitter: an active defense solution for DNN model via automated weight obfuscation. In International Conference on Machine Learning, pages 42614–42624. PMLR, 2023.