FILOsofer: A TEE-Shielded Model Partitioning Framework Based on Fisher Information-Guided LoRA Obfuscation

ICLR 2026 Conference Submission 14388 Authors

18 Sept 2025 (modified: 08 Oct 2025) | ICLR 2026 Conference Submission | License: CC BY 4.0
Keywords: ML Security, Model Stealing, TEE
TL;DR: A lightweight TSDP framework that secures DNNs against model stealing.
Abstract: On-device machine learning exposes DNN models to users as a white box, leaving them susceptible to model-stealing attacks. Trusted Execution Environments (TEEs) mitigate this risk by isolating model execution, but executing entire models within a TEE is inefficient and slow. To balance security and performance, TEE-Shielded DNN Partitioning (TSDP) executes privacy-insensitive parts on GPUs while confining privacy-critical components within the TEE. This work demonstrates that existing TSDP approaches remain vulnerable under large query budgets (e.g., >500 queries) because each query leaks a non-zero amount of information, enabling attackers to gradually construct accurate surrogate models. To address this, we propose FILOsofer (Fisher Information-Guided LoRA Obfuscation), which uses Fisher Information to perturb a small subset of key weights, rendering the exposed weights inaccurate and producing uniform outputs, thereby safeguarding the model even under an unlimited number of queries. We then design a novel cross-layer LoRA to efficiently restore performance for authorized users, storing only the LoRA parameters in the TEE to eliminate information leakage while minimizing the performance overhead. This lightweight design also allows seamless extension to LLMs. We evaluate FILOsofer in both experimental and real-world settings, achieving over 10× improvement in security and more than 50× reduction in computational overhead compared to prior TSDP solutions.
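The abstract's core mechanism is selecting a small subset of weights by Fisher Information and perturbing them so that the exposed (GPU-side) model is useless without the correction held in the TEE. The following is an added illustration, not code from the FILOsofer paper, of what such a score selects on a toy model: it trains a tiny softmax classifier on constructed data, computes the empirical diagonal Fisher Information (mean squared per-sample gradient of the negative log-likelihood) for every weight, and compares the damage done by perturbing the k highest-scoring weights with perturbing the k lowest-scoring ones. The model, the data, the LCG noise generator and the sign-flip perturbation are all assumptions made for the demo; the paper's actual perturbation, its cross-layer LoRA restoration and its Fisher estimator are not reproduced here.

```python
# Added illustration (not code from the FILOsofer paper): empirical diagonal
# Fisher Information scores for every weight of a small softmax classifier,
# then perturbation of the k highest-scoring weights versus the k lowest.
# Data, model and the sign-flip perturbation are constructed for the demo.
import math

D, C, N = 4, 3, 30          # features (incl. a constant 1), classes, samples


def make_data(seed=12345):
    """Constructed toy data: class c has feature c near 2, the others near 0,
    plus small deterministic LCG noise in [-0.1, 0.1)."""
    X, Y = [], []
    s = seed
    for i in range(N):
        y = i % C                      # 10 samples per class, balanced
        x = []
        for j in range(D - 1):
            s = (1103515245 * s + 12345) % 2**31
            noise = (s / 2**31 - 0.5) * 0.2
            x.append((2.0 if j == y else 0.0) + noise)
        x.append(1.0)                  # constant feature acting as a bias
        X.append(x)
        Y.append(y)
    return X, Y


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    t = sum(e)
    return [v / t for v in e]


def predict_probs(W, x):
    return softmax([sum(W[c][j] * x[j] for j in range(D)) for c in range(C)])


def train(X, Y, steps=300, lr=0.5):
    """Full-batch gradient descent on the softmax cross-entropy."""
    W = [[0.0] * D for _ in range(C)]
    for _ in range(steps):
        G = [[0.0] * D for _ in range(C)]
        for x, y in zip(X, Y):
            p = predict_probs(W, x)
            for c in range(C):
                r = p[c] - (1.0 if c == y else 0.0)   # dL/dz_c
                for j in range(D):
                    G[c][j] += r * x[j] / N
        for c in range(C):
            for j in range(D):
                W[c][j] -= lr * G[c][j]
    return W


def accuracy(W, X, Y):
    hits = sum(max(range(C), key=lambda c: predict_probs(W, x)[c]) == y
               for x, y in zip(X, Y))
    return hits / N


def empirical_fisher(W, X, Y):
    """Diagonal empirical Fisher: mean over samples of the squared per-sample
    gradient of the negative log-likelihood w.r.t. each weight W[c][j]."""
    F = [[0.0] * D for _ in range(C)]
    for x, y in zip(X, Y):
        p = predict_probs(W, x)
        for c in range(C):
            r = p[c] - (1.0 if c == y else 0.0)
            for j in range(D):
                F[c][j] += (r * x[j]) ** 2 / N
    return F


def rank_weights(F):
    """All (class, feature) index pairs, highest Fisher score first."""
    return sorted(((c, j) for c in range(C) for j in range(D)),
                  key=lambda cj: F[cj[0]][cj[1]], reverse=True)


def flip_weights(W, idx):
    """Crude stand-in perturbation for the demo: negate the selected weights.
    The original values (the 'correction') would be what a TEE keeps."""
    P = [row[:] for row in W]
    for c, j in idx:
        P[c][j] = -P[c][j]
    return P


def demo(k=3):
    X, Y = make_data()
    W = train(X, Y)
    order = rank_weights(empirical_fisher(W, X, Y))
    return {
        "clean_acc": accuracy(W, X, Y),
        "top_k": order[:k],                       # Fisher-selected weights
        "top_k_flip_acc": accuracy(flip_weights(W, order[:k]), X, Y),
        "bottom_k_flip_acc": accuracy(flip_weights(W, order[-k:]), X, Y),
    }


if __name__ == "__main__":
    print(demo())
```

On this toy problem the three highest-Fisher weights are the three class-defining diagonal entries W[c][c]; flipping just those drives accuracy to zero, while flipping the same number of lowest-Fisher weights leaves the classifier intact. That asymmetry is the property the abstract relies on: a budget of a few perturbed weights, chosen by Fisher score, is enough to make the exposed weights useless, and the small correction is what belongs inside the TEE. Note that a sign flip makes the toy model confidently wrong rather than uniform; the paper's perturbation targets uniform outputs and is not reproduced here.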
Primary Area: alignment, fairness, safety, privacy, and societal considerations
Submission Number: 14388