In recent years, Deep Neural Networks (DNNs) have become increasingly integral to IoT-based environments, enabling real-time visual computing. However, the limited computational capacity of these devices has motivated the adoption of collaborative DNN inference, in which the IoT device offloads part of the inference-related computation to a remote server. Such offloading often requires dynamic DNN partitioning information to be exchanged among the participants over an unsecured network or via relays/hops, leading to novel privacy vulnerabilities. In this paper, we propose AdVAR-DNN, an adversarial variational autoencoder (VAE)-based misclassification attack that leverages classifiers to detect model information and a VAE to generate untraceable manipulated samples, specifically designed to compromise the collaborative inference process. The AdVAR-DNN attack exploits the sensitive-information-exchange vulnerability of collaborative DNN inference and is black-box in nature, requiring no prior knowledge of the DNN model or of how it is partitioned. Our evaluation using the most popular object-classification DNNs on the CIFAR-100 dataset demonstrates the effectiveness of AdVAR-DNN in terms of a high attack success rate with little to no probability of detection.