{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,11]],"date-time":"2025-09-11T19:25:16Z","timestamp":1757618716174,"version":"3.44.0"},"publisher-location":"Cham","reference-count":56,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783031976223"},{"type":"electronic","value":"9783031976230"}],"license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025]]},"DOI":"10.1007\/978-3-031-97623-0_4","type":"book-chapter","created":{"date-parts":[[2025,7,10]],"date-time":"2025-07-10T09:23:17Z","timestamp":1752139397000},"page":"65-85","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["FlexGE: Towards Secure and\u00a0Flexible Model Partition for\u00a0Deep Neural Networks"],"prefix":"10.1007","author":[{"given":"Xiaolong","family":"Wu","sequence":"first","affiliation":[]},{"given":"Aravind Kumar","family":"Machiry","sequence":"additional","affiliation":[]},{"given":"Yung-Hsiang","family":"Lu","sequence":"additional","affiliation":[]},{"given":"Dave Jing","family":"Tian","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,7,10]]},"reference":[{"key":"4_CR1","unstructured":"NVIDIA H100 tensor core GPU architecture (2022). https:\/\/resources.nvidia.com\/en-us-tensor-core"},{"issue":"1","key":"4_CR2","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/1609956.1609960","volume":"13","author":"M Abadi","year":"2009","unstructured":"Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity principles, implementations, and applications. ACM Trans. Inf. Syst. Secur. (TISSEC) 13(1), 1\u201340 (2009)","journal-title":"ACM Trans. Inf. Syst. Secur. (TISSEC)"},{"key":"4_CR3","doi-asserted-by":"publisher","first-page":"2709","DOI":"10.1109\/TIFS.2021.3062977","volume":"16","author":"M AprilPyone","year":"2021","unstructured":"AprilPyone, M., Kiya, H.: Block-wise image transformation with secret key for adversarially robust defense. IEEE Trans. Inf. Forensics Secur. 16, 2709\u20132723 (2021)","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"4_CR4","unstructured":"Barzasi, G.: The illusion of randomness: demystifying the entropy of ASLR on common operating systems (2022)"},{"key":"4_CR5","doi-asserted-by":"crossref","unstructured":"Bauer, M., Rossow, C.: Cali: compiler-assisted library isolation. In: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, pp. 550\u2013564 (2021)","DOI":"10.1145\/3433210.3453111"},{"key":"4_CR6","doi-asserted-by":"crossref","unstructured":"Chen, J., et al.: Copy, right? A testing framework for copyright protection of deep learning models. In: 2022 IEEE Symposium on Security and Privacy (SP), pp. 824\u2013841. IEEE (2022)","DOI":"10.1109\/SP46214.2022.9833747"},{"key":"4_CR7","unstructured":"Chen, Y., Shen, C., Wang, C., Zhang, Y.: Teacher model fingerprinting attacks against transfer learning. In: 31st USENIX Security Symposium (USENIX Security 22), pp. 3593\u20133610 (2022)"},{"key":"4_CR8","unstructured":"Coates, A., Ng, A., Lee, H.: An analysis of single-layer networks in unsupervised feature learning. In: Proceedings of the Fourteenth International Conference on Artificial Intelligence and Statistics, pp. 215\u2013223. JMLR Workshop and Conference Proceedings (2011)"},{"key":"4_CR9","doi-asserted-by":"crossref","unstructured":"Deng, Y., et\u00a0al.: StrongBox: a GPU tee on arm endpoints. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 769\u2013783 (2022)","DOI":"10.1145\/3548606.3560627"},{"key":"4_CR10","doi-asserted-by":"crossref","unstructured":"Elgamal, T., Nahrstedt, K.: Serdab: an IoT framework for partitioning neural networks computation across multiple enclaves. In: 2020 20th IEEE\/ACM International Symposium on Cluster, Cloud and Internet Computing (CCGRID), pp. 519\u2013528. IEEE (2020)","DOI":"10.1109\/CCGrid49817.2020.00-41"},{"key":"4_CR11","unstructured":"Facebook AI: Introducing Llama: a foundational, 65-billion-parameter large language model (2023). https:\/\/ai.facebook.com\/blog\/large-language-model-llama-meta-ai\/"},{"key":"4_CR12","doi-asserted-by":"crossref","unstructured":"Filippini, F., Lattuada, M., Jahani, A., Ciavotta, M., Ardagna, D., Amaldi, E.: Hierarchical scheduling in on-demand GPU-as-a-service systems. In: 2020 22nd International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC), pp. 125\u2013132. IEEE (2020)","DOI":"10.1109\/SYNASC51798.2020.00030"},{"key":"4_CR13","unstructured":"Gilad-Bachrach, R., Dowlin, N., Laine, K., Lauter, K., Naehrig, M., Wernsing, J.: CryptoNets: applying neural networks to encrypted data with high throughput and accuracy. In: International Conference on Machine Learning, pp. 201\u2013210. PMLR (2016)"},{"key":"4_CR14","doi-asserted-by":"crossref","unstructured":"He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 770\u2013778 (2016)","DOI":"10.1109\/CVPR.2016.90"},{"key":"4_CR15","unstructured":"Hedayati, M., et al.: Hodor: intra-process isolation for high-throughput data plane libraries. In: 2019 USENIX Annual Technical Conference (USENIX ATC 19), pp. 489\u2013504 (2019)"},{"issue":"6","key":"4_CR16","doi-asserted-by":"publisher","first-page":"4270","DOI":"10.1109\/TDSC.2021.3126315","volume":"19","author":"J Hou","year":"2021","unstructured":"Hou, J., Liu, H., Liu, Y., Wang, Y., Wan, P.J., Li, X.Y.: Model protection: real-time privacy-preserving inference service for model privacy at the edge. IEEE Trans. Dependable Secure Comput. 19(6), 4270\u20134284 (2021)","journal-title":"IEEE Trans. Dependable Secure Comput."},{"key":"4_CR17","unstructured":"Huang, Y., et al.: KSplit: automating device driver isolation. In: 16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22), pp. 613\u2013631 (2022)"},{"key":"4_CR18","doi-asserted-by":"publisher","unstructured":"Jang, I., Tang, A., Kim, T., Sethumadhavan, S., Huh, J.: Heterogeneous isolated execution for commodity GPUs. In: 24th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2019), pp. 455\u2013468. ACM, Providence, RI (2019). https:\/\/doi.org\/10.1145\/3297858.3304021","DOI":"10.1145\/3297858.3304021"},{"key":"4_CR19","unstructured":"Kato, S., McThrow, M., Maltzahn, C., Brandt, S.: Gdev: first-class GPU resource management in the operating system. In: Presented as Part of the 2012 USENIX Annual Technical Conference (USENIX ATC 12), pp. 401\u2013412. USENIX, Boston, MA (2012). https:\/\/www.usenix.org\/conference\/atc12\/technical-sessions\/presentation\/kato"},{"key":"4_CR20","unstructured":"Keras Contributors: Keras applications (2017). https:\/\/keras.io\/api\/applications\/"},{"key":"4_CR21","unstructured":"Krizhevsky, A., Hinton, G., et\u00a0al.: Learning multiple layers of features from tiny images (2009)"},{"key":"4_CR22","unstructured":"Krizhevsky, A., Sutskever, I., Hinton, G.E.: ImageNet classification with deep convolutional neural networks. In: Advances in Neural Information Processing Systems, vol. 25 (2012)"},{"key":"4_CR23","doi-asserted-by":"crossref","unstructured":"Lefeuvre, H., et al.: FlexOS: towards flexible OS isolation. In: Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 467\u2013482 (2022)","DOI":"10.1145\/3503222.3507759"},{"key":"4_CR24","doi-asserted-by":"crossref","unstructured":"Lewis, M.: BART: denoising sequence-to-sequence pre-training for natural language generation, translation, and comprehension. arXiv preprint arXiv:1910.13461 (2019)","DOI":"10.18653\/v1\/2020.acl-main.703"},{"key":"4_CR25","doi-asserted-by":"crossref","unstructured":"Li, J., He, Z., Rakin, A.S., Fan, D., Chakrabarti, C.: NeurObfuscator: a full-stack obfuscation tool to mitigate neural architecture stealing. In: 2021 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 248\u2013258. IEEE (2021)","DOI":"10.1109\/HOST49136.2021.9702279"},{"key":"4_CR26","doi-asserted-by":"publisher","first-page":"441","DOI":"10.1007\/s12599-021-00708-w","volume":"63","author":"S Lins","year":"2021","unstructured":"Lins, S., Pandl, K.D., Teigeler, H., Thiebes, S., Bayer, C., Sunyaev, A.: Artificial intelligence as a service: classification and research directions. Bus. Inf. Syst. Eng. 63, 441\u2013456 (2021)","journal-title":"Bus. Inf. Syst. Eng."},{"key":"4_CR27","doi-asserted-by":"crossref","unstructured":"Liu, S., Tan, G., Jaeger, T.: PtrSplit: supporting general pointers in automatic program partitioning. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 2359\u20132371 (2017)","DOI":"10.1145\/3133956.3134066"},{"key":"4_CR28","doi-asserted-by":"crossref","unstructured":"Loukas, G.: Cyber-Physical Attacks: A Growing Invisible Threat. Butterworth-Heinemann (2015)","DOI":"10.1016\/B978-0-12-801290-1.00007-2"},{"key":"4_CR29","doi-asserted-by":"crossref","unstructured":"Mo, F., et al.: DarkneTZ: towards model privacy at the edge using trusted execution environments. In: Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services, pp. 161\u2013174 (2020)","DOI":"10.1145\/3386901.3388946"},{"key":"4_CR30","unstructured":"Nair, V., Hinton, G.E.: Rectified linear units improve restricted Boltzmann machines. In: Proceedings of the 27th International Conference on Machine Learning (ICML-10), pp. 807\u2013814 (2010)"},{"key":"4_CR31","unstructured":"Narayan, S., et al.: Retrofitting fine grain isolation in the Firefox renderer. In: 29th USENIX Security Symposium (USENIX Security 20), pp. 699\u2013716 (2020)"},{"key":"4_CR32","doi-asserted-by":"crossref","unstructured":"Neiger, G., Santoni, A., Leung, F., Rodgers, D., Uhlig, R.: Intel virtualization technology: hardware support for efficient processor virtualization. Intel Technol. J. 10(3) (2006)","DOI":"10.1535\/itj.1003.01"},{"key":"4_CR33","unstructured":"OpenAI: ChatGPT (2023). https:\/\/chat.openai.com"},{"key":"4_CR34","doi-asserted-by":"crossref","unstructured":"Orekondy, T., Schiele, B., Fritz, M.: Knockoff nets: stealing functionality of black-box models. In: Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition, pp. 4954\u20134963 (2019)","DOI":"10.1109\/CVPR.2019.00509"},{"key":"4_CR35","unstructured":"O\u2019Shea, K., Nash, R.: An introduction to convolutional neural networks. arXiv preprint arXiv:1511.08458 (2015)"},{"key":"4_CR36","unstructured":"Rafkind, J.: Vembyr - multi-language peg parser generator written in Python, 2011 November. http:\/\/code.google.com\/p\/vembyr\/"},{"key":"4_CR37","doi-asserted-by":"crossref","unstructured":"Rakin, A.S., Chowdhuryy, M.H.I., Yao, F., Fan, D.: DeepSteal: advanced model extractions leveraging efficient weight stealing in memories. In: 2022 IEEE Symposium on Security and Privacy (SP), pp. 1157\u20131174. IEEE (2022)","DOI":"10.1109\/SP46214.2022.9833743"},{"key":"4_CR38","doi-asserted-by":"crossref","unstructured":"Rathee, D., et al.: CrypTFlow2: practical 2-party secure inference. In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pp. 325\u2013342 (2020)","DOI":"10.1145\/3372297.3417274"},{"key":"4_CR39","unstructured":"Redmon, J.: Darknet: open source neural networks in C (2013\u20132016). http:\/\/pjreddie.com\/darknet\/"},{"key":"4_CR40","unstructured":"Schrammel, D., et al.: Donky: domain keys\u2013efficient in-process isolation for RISC-V and x86. In: 29th USENIX Security Symposium (USENIX Security 20), pp. 1677\u20131694 (2020)"},{"key":"4_CR41","doi-asserted-by":"crossref","unstructured":"Seo, J., et al.: SGX-shield: enabling address space layout randomization for SGX programs. In: NDSS (2017)","DOI":"10.14722\/ndss.2017.23037"},{"key":"4_CR42","doi-asserted-by":"crossref","unstructured":"Shacham, H., Page, M., Pfaff, B., Goh, E.J., Modadugu, N., Boneh, D.: On the effectiveness of address-space randomization. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, pp. 298\u2013307 (2004)","DOI":"10.1145\/1030083.1030124"},{"key":"4_CR43","unstructured":"Shen, T., et\u00a0al.: SOTER: guarding black-box inference for general neural networks at the edge. In: 2022 USENIX Annual Technical Conference (USENIX ATC 22), pp. 723\u2013738 (2022)"},{"key":"4_CR44","unstructured":"Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556 (2014)"},{"key":"4_CR45","unstructured":"Srinivasan, W.Z., Akshayaram, P., Ada, P.R.: DELPHI: a cryptographic inference service for neural networks. In: Proceedings 29th USENIX Security Symposium, pp. 2505\u20132522 (2019)"},{"key":"4_CR46","doi-asserted-by":"crossref","unstructured":"Sun, Z., Sun, R., Liu, C., Chowdhury, A.R., Lu, L., Jha, S.: ShadowNet: a secure and efficient on-device model inference system for convolutional neural networks. In: 2023 IEEE Symposium on Security and Privacy (SP), pp. 1596\u20131612. IEEE (2023)","DOI":"10.1109\/SP46215.2023.10179382"},{"key":"4_CR47","unstructured":"Tramer, F., Boneh, D.: SLALOM: fast, verifiable and private execution of neural networks in trusted hardware. arXiv preprint arXiv:1806.03287 (2018)"},{"key":"4_CR48","unstructured":"Volos, S., Vaswani, K., Bruno, R.: Graviton: trusted execution environments on GPUs. In: 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2018), pp. 681\u2013696. USENIX Association, Carlsbad, CA (2018). https:\/\/www.usenix.org\/conference\/osdi18\/presentation\/volos"},{"key":"4_CR49","doi-asserted-by":"crossref","unstructured":"Wang, A., Singh, A., Michael, J., Hill, F., Levy, O., Bowman, S.R.: Glue: a multi-task benchmark and analysis platform for natural language understanding. corr abs\/1804.07461 (2018). arXiv preprint arXiv:1804.07461","DOI":"10.18653\/v1\/W18-5446"},{"key":"4_CR50","doi-asserted-by":"crossref","unstructured":"Wu, X., Tian, D.J., Kim, C.H.: Building GPU tees using CPU secure enclaves with GEVisor. In: Proceedings of the 2023 ACM Symposium on Cloud Computing, pp. 249\u2013264 (2023)","DOI":"10.1145\/3620678.3624659"},{"key":"4_CR51","doi-asserted-by":"crossref","unstructured":"Yeom, S., Giacomelli, I., Fredrikson, M., Jha, S.: Privacy risk in machine learning: analyzing the connection to overfitting. In: 2018 IEEE 31st Computer Security Foundations Symposium (CSF), pp. 268\u2013282. IEEE (2018)","DOI":"10.1109\/CSF.2018.00027"},{"key":"4_CR52","unstructured":"Yuan, X., Zhang, L.: Membership inference attacks and defenses in neural network pruning. In: 31st USENIX Security Symposium (USENIX Security 22), pp. 4561\u20134578 (2022)"},{"key":"4_CR53","doi-asserted-by":"crossref","unstructured":"Zhang, Z., Song, Y., Qi, H.: Age progression\/regression by conditional adversarial autoencoder. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 5810\u20135818 (2017)","DOI":"10.1109\/CVPR.2017.463"},{"key":"4_CR54","doi-asserted-by":"crossref","unstructured":"Zhang, Z., et al.: No privacy left outside: on the (in-) security of tee-shielded DNN partition for on-device ml. arXiv preprint arXiv:2310.07152 (2023)","DOI":"10.1109\/SP54263.2024.00052"},{"key":"4_CR55","doi-asserted-by":"crossref","unstructured":"Zhou, T., Ren, S., Xu, X.: ObfuNAS: a neural architecture search-based DNN obfuscation approach. In: Proceedings of the 41st IEEE\/ACM International Conference on Computer-Aided Design, pp.\u00a01\u20139 (2022)","DOI":"10.1145\/3508352.3549429"},{"key":"4_CR56","doi-asserted-by":"crossref","unstructured":"Zhu, J., et\u00a0al.: Enabling rack-scale confidential computing using heterogeneous trusted execution environment. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 1450\u20131465. IEEE (2020)","DOI":"10.1109\/SP40000.2020.00054"}],"container-title":["Lecture Notes in Computer Science","Detection of Intrusions and Malware, and Vulnerability Assessment"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-97623-0_4","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,7]],"date-time":"2025-09-07T04:11:39Z","timestamp":1757218299000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-97623-0_4"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"ISBN":["9783031976223","9783031976230"],"references-count":56,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-97623-0_4","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2025]]},"assertion":[{"value":"10 July 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"DIMVA","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Graz","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Austria","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"9 July 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"11 July 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"22","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"dimva2025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/dimva.org\/dimva2025\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}