Trusted Execution Environments (TEEs) have become a promising solution to secure DNN models on edge devices. However, existing solutions either provide inadequate protection or introduce large performance overhead. Taking both security and performance into consideration, this paper presents TBNet, a TEE-based defense framework that protects DNN models from a neural architectural perspective. Specifically, TBNet generates a novel Two-Branch substitution model that exploits (1) the computational resources in the untrusted Rich Execution Environment (REE) for latency reduction and (2) the physically isolated TEE for model protection. Experimental results on a Raspberry Pi across diverse DNN model architectures and datasets demonstrate that TBNet achieves efficient model protection at a low cost.