EI-MTD: Moving Target Defense for Edge Intelligence against Adversarial Attacks
arXiv - CS - Machine Learning, Pub Date: 2020-09-19, DOI: arxiv-2009.10537
Yaguan Qian, Qiqi Shao, Jiamin Wang, Xiang Lin, Yankai Guo, Zhaoquan Gu, Bin Wang, Chunming Wu

With the boom of edge intelligence, its vulnerability to adversarial attacks has become an urgent problem. So-called adversarial examples can fool a deep learning model on an edge node into misclassifying. Due to the property of transferability, an adversary can easily mount a black-box attack using a local substitute model. Nevertheless, the limited resources of edge nodes cannot support a complicated defense mechanism of the kind used in a cloud data center. To overcome this challenge, we propose a dynamic defense mechanism, namely EI-MTD. It first obtains robust, small member models through differential knowledge distillation from a complicated teacher model in the cloud data center. Then, a dynamic scheduling policy based on a Bayesian Stackelberg game is applied to choose the target model for service. This dynamic defense can prevent the adversary from selecting an optimal substitute model for black-box attacks. Our experimental results show that this dynamic scheduling can effectively protect edge intelligence against adversarial attacks in the black-box setting.

Updated: 2020-10-13