{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,11]],"date-time":"2026-07-11T17:30:42Z","timestamp":1783791042592,"version":"3.55.0"},"reference-count":163,"publisher":"Association for Computing Machinery (ACM)","issue":"6","funder":[{"DOI":"10.13039\/501100018537","name":"National Science and Technology Major Project","doi-asserted-by":"crossref","award":["2022ZD0119103"],"award-info":[{"award-number":["2022ZD0119103"]}],"id":[{"id":"10.13039\/501100018537","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2025,7,31]]},"abstract":"<jats:p>\n            Trusted Execution Environments (TEEs) are used to safeguard on-device models. However, directly employing TEEs to secure the entire DNN model is challenging due to the limited computational speed. Utilizing GPU can accelerate DNN\u2019s computation speed but widely available commercial GPUs usually lack security protection. To this end, scholars introduce\n            <jats:italic toggle=\"yes\">TEE-Shielded DNN Partition<\/jats:italic>\n            (TSDP), a method that protects privacy-sensitive weights within TEEs and offloads insensitive weights to GPUs. Nevertheless, current methods do not consider the presence of a knowledgeable adversary who can access abundant publicly available pre-trained models and datasets. This article investigates the security of the existing methods against such a knowledgeable adversary and reveals their inability to fulfill their security promises. Consequently, we introduce a novel partition before training strategy, which effectively separates privacy-sensitive weights from other components of the model. Our evaluation demonstrates that our approach can offer full model protection with a computational cost reduced by a factor of 10. In addition to traditional CNN models, we also demonstrate the scalability to large language models. Our approach can compress the private functionalities of the large language model to lightweight slices and achieve the same level of protection as the shielding-whole-model baseline.\n          <\/jats:p>","DOI":"10.1145\/3707453","type":"journal-article","created":{"date-parts":[[2024,12,18]],"date-time":"2024-12-18T12:05:27Z","timestamp":1734523527000},"page":"1-49","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":17,"title":["<scp>TEESlice<\/scp>\n            : Protecting Sensitive Neural Network Models in Trusted Execution Environments when Attackers Have Pre-Trained Models"],"prefix":"10.1145","volume":"34","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7558-9137","authenticated-orcid":false,"given":"Ding","family":"Li","sequence":"first","affiliation":[{"name":"School of Computer Science, Peking University, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8493-0261","authenticated-orcid":false,"given":"Ziqi","family":"Zhang","sequence":"additional","affiliation":[{"name":"School of Computer Science, Peking University, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-8220-3470","authenticated-orcid":false,"given":"Mengyu","family":"Yao","sequence":"additional","affiliation":[{"name":"School of Computer Science, Peking University, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0049-6670","authenticated-orcid":false,"given":"Yifeng","family":"Cai","sequence":"additional","affiliation":[{"name":"School of Computer Science, Peking University, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5064-5286","authenticated-orcid":false,"given":"Yao","family":"Guo","sequence":"additional","affiliation":[{"name":"School of Computer Science, Peking University, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7366-5906","authenticated-orcid":false,"given":"Xiangqun","family":"Chen","sequence":"additional","affiliation":[{"name":"School of Computer Science, Peking University, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2025,7]]},"reference":[{"key":"e_1_3_2_2_2","unstructured":"tribhuvanesh\/knockoffnets. 2019. Knockoff nets demo code. Retrieved from https:\/\/github.com\/tribhuvanesh\/knockoffnets"},{"key":"e_1_3_2_3_2","unstructured":"liuyugeng\/ML-Doctor. 2022. ML-doctor demo code. Retrieved from https:\/\/github.com\/liuyugeng\/ML-Doctor"},{"key":"e_1_3_2_4_2","unstructured":"2022. One-Time Pad. Retrieved from https:\/\/en.wikipedia.org\/wiki\/One-time_pad"},{"key":"e_1_3_2_5_2","unstructured":"Source. 2023. Android 7.0 compatibility definition. Retrieved from https:\/\/source.android.com\/docs\/compatibility\/7.0\/android-7.0-cdd#9"},{"key":"e_1_3_2_6_2","unstructured":"ziqi-zhang\/TEESlice-artifact. 2023. Artifact. Retrieved from https:\/\/github.com\/ziqi-zhang\/TEESlice-artifact"},{"key":"e_1_3_2_7_2","unstructured":"2023. Full supplementary. Retrieved from https:\/\/sites.google.com\/view\/tsdp-teeslice\/home"},{"key":"e_1_3_2_8_2","unstructured":"Raspberry Pi 3. 2023. OP-TEE documentation Raspberry Pi 3. Retrieved from https:\/\/optee.readthedocs.io\/en\/latest\/building\/devices\/rpi3.html"},{"key":"e_1_3_2_9_2","unstructured":"Anonymous GitHub. 2024. Artifact for LLM. Retrieved from https:\/\/anonymous.4open.science\/r\/TEESlice_LLM"},{"key":"e_1_3_2_10_2","unstructured":"Tiago Alves. 2004. Trustzone: Integrated hardware and software security. White paper (2004) 12 pages."},{"key":"e_1_3_2_11_2","unstructured":"Arm. 2021. Introducing Arm confidential compute architecture. Retrieved from https:\/\/developer.arm.com\/documentation\/den0125\/0200\/Arm-CCA-Extensions"},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1145\/3508398.3511503"},{"key":"e_1_3_2_13_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-28865-9_40"},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.1002\/cpe.4130"},{"key":"e_1_3_2_15_2","first-page":"15453","volume-title":"Advances in Neural Information Processing Systems 32: Annual Conference on Neural Information Processing Systems 2019 (NeurIPS \u201919)","author":"Bagdasaryan Eugene","year":"2019","unstructured":"Eugene Bagdasaryan, Omid Poursaeed, and Vitaly Shmatikov. 2019. Differential privacy has disparate impact on model accuracy. In Advances in Neural Information Processing Systems 32: Annual Conference on Neural Information Processing Systems 2019 (NeurIPS \u201919). Hanna M. Wallach, Hugo Larochelle, Alina Beygelzimer, Florence d\u2019Alch\u00e9-Buc, Emily B. Fox, and Roman Garnett (Eds.), 15453\u201315462. Retrieved from https:\/\/proceedings.neurips.cc\/paper\/2019\/hash\/fc0de4e0396fff257ea362983c2dda5a-Abstract.html"},{"key":"e_1_3_2_16_2","first-page":"371","volume-title":"2020 USENIX Annual Technical Conference (USENIX ATC \u201920)","author":"Bateni Soroush","year":"2020","unstructured":"Soroush Bateni and Cong Liu. 2020. NeuOS: A latency-predictable multi-dimensional optimization framework for DNN-driven autonomous systems. In 2020 USENIX Annual Technical Conference (USENIX ATC \u201920). Ada Gavrilovska and Erez Zadok (Eds.), USENIX Association, 371\u2013385. Retrieved from https:\/\/www.usenix.org\/conference\/atc20\/presentation\/bateni"},{"key":"e_1_3_2_17_2","first-page":"515","volume-title":"28th USENIX Security Symposium (USENIX Security \u201919)","author":"Batina Lejla","year":"2019","unstructured":"Lejla Batina, Shivam Bhasin, Dirmanto Jap, and Stjepan Picek. 2019. CSI NN: Reverse engineering of neural network architectures through electromagnetic side channel. In 28th USENIX Security Symposium (USENIX Security \u201919). Nadia Heninger and Patrick Traynor (Eds.), USENIX Association, 515\u2013532. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity19\/presentation\/batina"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243822"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833649"},{"key":"e_1_3_2_20_2","first-page":"267","volume-title":"28th USENIX Security Symposium (USENIX Security \u201919)","author":"Carlini Nicholas","year":"2019","unstructured":"Nicholas Carlini, Chang Liu, \u00dalfar Erlingsson, Jernej Kos, and Dawn Song. 2019. The secret sharer: Evaluating and testing unintended memorization in neural networks. In 28th USENIX Security Symposium (USENIX Security \u201919). Nadia Heninger and Patrick Traynor (Eds.), USENIX Association, 267\u2013284. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity19\/presentation\/carlini"},{"key":"e_1_3_2_21_2","first-page":"1309","volume-title":"29th USENIX Security Symposium (USENIX Security \u201920).","author":"Chandrasekaran Varun","year":"2020","unstructured":"Varun Chandrasekaran, Kamalika Chaudhuri, Irene Giacomelli, Somesh Jha, and Songbai Yan. 2020. Exploring connections between active learning and model extraction. In 29th USENIX Security Symposium (USENIX Security \u201920). Srdjan Capkun and Franziska Roesner (Eds.), USENIX Association, 1309\u20131326. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/chandrasekaran"},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2019.2963021"},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00024"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833747"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484756"},{"key":"e_1_3_2_26_2","unstructured":"Yufei Chen Chao Shen Cong Wang and Yang Zhang. 2022. Teacher model fingerprinting attacks against transfer learning. In 31st USENIX Security Symposium (USENIX Security \u201922). Kevin R. B. Butler and Kurt Thomas (Eds.) USENIX Association 3593\u20133610. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/chen-yufei"},{"key":"e_1_3_2_27_2","first-page":"215","volume-title":"14th International Conference on Artificial Intelligence and Statistics (AISTATS \u201911) (JMLR Proceedings, Vol. 15)","author":"Coates Adam","year":"2011","unstructured":"Adam Coates, Andrew Y. Ng, and Honglak Lee. 2011. An analysis of single-Layer networks in unsupervised feature learning. In 14th International Conference on Artificial Intelligence and Statistics (AISTATS \u201911) (JMLR Proceedings, Vol. 15), Geoffrey J. Gordon, David B. Dunson, and Miroslav Dud\u00edk (Eds.), JMLR.org., 215\u2013223. Retrieved from http:\/\/proceedings.mlr.press\/v15\/coates11a\/coates11a.pdf"},{"key":"e_1_3_2_28_2","unstructured":"Papers With Code. 2018. Image Classification on STL-10. Retrieved from https:\/\/paperswithcode.com\/paper\/hybridnet-classification-and-reconstruction"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"e_1_3_2_30_2","unstructured":"Shrey Desai Geoffrey Goh Arun Babu and Ahmed Aly. 2020. Lightweight convolutional representations for on-device natural language processing. arXiv:2002.01535. Retrieved from https:\/\/arxiv.org\/abs\/2002.01535"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3624398"},{"key":"e_1_3_2_32_2","unstructured":"Alexey Dosovitskiy Lucas Beyer Alexander Kolesnikov Dirk Weissenborn Xiaohua Zhai Thomas Unterthiner Mostafa Dehghani Matthias Minderer Georg Heigold Sylvain Gelly et\u00a0al. 2021. An image is worth 16x16 words: Transformers for image recognition at scale. arxiv:2010.11929. Retrieved from https:\/\/arxiv.org\/abs\/2010.11929"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1145\/3132211.3134456"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1561\/0400000042"},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.1109\/CCGrid49817.2020.00-41"},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1145\/3456631"},{"key":"e_1_3_2_37_2","volume-title":"Information Processing, Proceedings of the 7th IFIP Congress 1977","author":"Freivalds Rusins","year":"1977","unstructured":"Rusins Freivalds. 1977. Probabilistic machines can use less running time. In Information Processing, Proceedings of the 7th IFIP Congress 1977."},{"key":"e_1_3_2_38_2","first-page":"201","volume-title":"33nd International Conference on Machine Learning (ICML \u201916) (JMLR Workshop and Conference Proceedings, Vol. 48)","author":"Gilad-Bachrach Ran","year":"2016","unstructured":"Ran Gilad-Bachrach, Nathan Dowlin, Kim Laine, Kristin E. Lauter, Michael Naehrig, and John Wernsing. 2016. CryptoNets: Applying neural networks to encrypted data with high throughput and accuracy. In 33nd International Conference on Machine Learning (ICML \u201916) (JMLR Workshop and Conference Proceedings, Vol. 48). Maria-Florina Balcan and Kilian Q. Weinberger (Eds.), JMLR.org, 201\u2013210. Retrieved from http:\/\/proceedings.mlr.press\/v48\/gilad-bachrach16.html"},{"key":"e_1_3_2_39_2","unstructured":"TensorFlow. 2020. Tensorflow hub. Retrieved from https:\/\/www.tensorflow.org\/hub"},{"key":"e_1_3_2_40_2","unstructured":"tensorflow\/models. 2020. TensorFlow model Garden. Retrieved from https:\/\/github.com\/tensorflow\/models"},{"key":"e_1_3_2_41_2","unstructured":"TensorFlow Core. 2020. Tensorflow transfer learning API. Retrieved from https:\/\/www.tensorflow.org\/tutorials\/images\/transfer_learning"},{"key":"e_1_3_2_42_2","first-page":"217","volume-title":"26th USENIX Security Symposium (USENIX Security \u201917)","author":"Gruss Daniel","year":"2017","unstructured":"Daniel Gruss, Julian Lettner, Felix Schuster, Olga Ohrimenko, Istv\u00e1n Haller, and Manuel Costa. 2017. Strong and efficient cache side-channel protection using hardware transactional memory. In 26th USENIX Security Symposium (USENIX Security \u201917). Engin kirda and Thomas ristenpart (Eds.), USENIX Association, 217\u2013233. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity17\/technical-sessions\/presentation\/gruss"},{"key":"e_1_3_2_43_2","unstructured":"Zhongshu Gu Heqing Huang Jialong Zhang Dong Su Hani Jamjoom Ankita Lamba Dimitrios Pendarakis and Ian Molloy. 2018. Confidential inference via ternary model partitioning. arXiv:1807.00969. Retrievd from https:\/\/arxiv.org\/abs\/1807.00969"},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW53098.2021.00368"},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1145\/3466752.3480112"},{"key":"e_1_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2021.3126315"},{"key":"e_1_3_2_48_2","volume-title":"10th International Conference on Learning Representations (ICLR \u201922)","author":"Hu Edward J.","year":"2022","unstructured":"Edward J. Hu, Yelong Shen, Phillip Wallis, Zeyuan Allen-Zhu, Yuanzhi Li, Shean Wang, Lu Wang, and Weizhu Chen. 2022. LoRA: Low-rank adaptation of large language models. In 10th International Conference on Learning Representations (ICLR \u201922). Retrieved from https:\/\/openreview.net\/forum?id=nZeVKeeFYf9"},{"key":"e_1_3_2_49_2","doi-asserted-by":"publisher","DOI":"10.1145\/3523273"},{"key":"e_1_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2022.3174569"},{"key":"e_1_3_2_51_2","doi-asserted-by":"publisher","DOI":"10.1145\/3620667"},{"key":"e_1_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.1145\/3373376.3378460"},{"key":"e_1_3_2_53_2","unstructured":"Weizhe Hua Muhammad Umar Zhiru Zhang and G. Edward Suh. 2020. GuardNN: Secure DNN Accelerator for Privacy-Preserving Deep Learning. arXiv:2008.11632. Retrieved from https:\/\/arxiv.org\/abs\/2008.11632"},{"key":"e_1_3_2_54_2","doi-asserted-by":"publisher","DOI":"10.1145\/3195970.3196105"},{"key":"e_1_3_2_55_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2021.3088480"},{"key":"e_1_3_2_56_2","unstructured":"Pengzhi Huang Thang Hoang Yueying Li Elaine Shi and G. Edward Suh. 2022. STAMP: Lightweight TEE-assisted MPC for efficient privacy-preserving machine learning. arXiv:2210.10133. Retrieved from https:\/\/arxiv.org\/abs\/2210.10133"},{"key":"e_1_3_2_57_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP48485.2024.10446717"},{"key":"e_1_3_2_58_2","unstructured":"Intel. 2021. Intel architecture memory encryp- Tion technologies specification. Retrieved from https:\/\/software.intel.com\/content\/dam\/develop\/external\/us\/en\/documents-tps\/multi-key-total-memory-encryption-spec.pdf"},{"key":"e_1_3_2_59_2","first-page":"1345","volume-title":"29th USENIX Security Symposium (USENIX Security \u201920)","author":"Jagielski Matthew","year":"2020","unstructured":"Matthew Jagielski, Nicholas Carlini, David Berthelot, Alex Kurakin, and Nicolas Papernot. 2020. High accuracy and high fidelity extraction of neural networks. In 29th USENIX Security Symposium (USENIX Security \u201920). Srdjan Capkun and Franziska Roesner (Eds.), USENIX Association, 1345\u20131362. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/jagielski"},{"key":"e_1_3_2_60_2","first-page":"437","volume-title":"2022 USENIX Annual Technical Conference (USENIX ATC \u201922).","author":"Jia Yuekai","year":"2022","unstructured":"Yuekai Jia, Shuang Liu, Wenhao Wang, Yu Chen, Zhengde Zhai, Shoumeng Yan, and Zhengyu He. 2022. HyperEnclave: An open and cross-platform trusted execution environment. In 2022 USENIX Annual Technical Conference (USENIX ATC \u201922). Jiri Schindler and Noa Zilberman (Eds.), USENIX Association, 437\u2013454. Retrieved from https:\/\/www.usenix.org\/conference\/atc22\/presentation\/jia-yuekai"},{"key":"e_1_3_2_61_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2019.00044"},{"key":"e_1_3_2_62_2","first-page":"1651","volume-title":"27th USENIX Security Symposium (USENIX Security \u201918)","author":"Juvekar Chiraag","year":"2018","unstructured":"Chiraag Juvekar, Vinod Vaikuntanathan, and Anantha P. Chandrakasan. 2018. GAZELLE: A low latency framework for secure neural network inference. In 27th USENIX Security Symposium (USENIX Security \u201918). William Enck and Adrienne Porter Felt (Eds.), USENIX Association, 1651\u20131669. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/juvekar"},{"key":"e_1_3_2_63_2","first-page":"1","article-title":"AMD memory encryption","volume":"13","author":"Kaplan David","year":"2016","unstructured":"David Kaplan, Jeremy Powell, and Tom Woller. 2016. AMD memory encryption. White Paper 13 (2016), 1\u201312.","journal-title":"White Paper"},{"key":"e_1_3_2_64_2","first-page":"5156","volume-title":"37th International Conference on Machine Learning","author":"Katharopoulos Angelos","year":"2020","unstructured":"Angelos Katharopoulos, Apoorv Vyas, Nikolaos Pappas, and Fran\u00e7ois Fleuret. 2020. Transformers are rnns: Fast\u00a0autoregressive transformers with linear attention. In 37th International Conference on Machine Learning. PMLR, 5156\u20135165."},{"key":"e_1_3_2_65_2","unstructured":"Yigitcan Kaya Sanghyun Hong and Tudor Dumitras. 2020. On the effectiveness of regularization against membership inference attacks. arXiv:2006.05336. Retrieved from https:\/\/arxiv.org\/abs\/2006.05336"},{"key":"e_1_3_2_66_2","doi-asserted-by":"publisher","DOI":"10.1145\/3419111.3421282"},{"key":"e_1_3_2_67_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00002"},{"key":"e_1_3_2_68_2","unstructured":"Alex Krizhevsky andGeoffrey Hinton. 2009. Learning Multiple Layers of Features from Tiny Images. Technical Report University of Toronto Toronto. Retrieved from https:\/\/www.cs.toronto.edu\/~kriz\/learning-features-2009-TR.pdf"},{"key":"e_1_3_2_69_2","first-page":"1106","volume-title":"Advances in Neural Information Processing Systems 25: 26th Annual Conference on Neural Information Processing Systems 2012","author":"Krizhevsky Alex","year":"2012","unstructured":"Alex Krizhevsky, Ilya Sutskever, and Geoffrey E. Hinton. 2012. ImageNet classification with deep convolutional neural networks. In Advances in Neural Information Processing Systems 25: 26th Annual Conference on Neural Information Processing Systems 2012. Peter L. Bartlett, Fernando C. N. Pereira, Christopher J. C. Burges, L\u00e9on Bottou, and Kilian Q. Weinberger (Eds.), 1106\u20131114. Retrieved from https:\/\/proceedings.neurips.cc\/paper\/2012\/hash\/c399862d3b9d6b76c8436e924a68c45b-Abstract.html"},{"key":"e_1_3_2_70_2","unstructured":"kuangliu\/pytorch-cifar. 2020. Train CIFAR10 with PyTorch. Retrieved from https:\/\/github.com\/kuangliu\/pytorch-cifar"},{"key":"e_1_3_2_71_2","doi-asserted-by":"publisher","DOI":"10.1145\/3268935.3268938"},{"key":"e_1_3_2_72_2","first-page":"557","volume-title":"26th USENIX Security Symposium (USENIX Security \u201917).","author":"Lee Sangho","year":"2017","unstructured":"Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim, Hyesoon Kim, and Marcus Peinado. 2017. Inferring fine-grained control flow inside SGX enclaves with branch shadowing. In 26th USENIX Security Symposium (USENIX Security \u201917). Engin kirda and Thomas ristenpart (Eds.), USENIX Association, 557\u2013574. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity17\/technical-sessions\/presentation\/lee-sangho"},{"key":"e_1_3_2_73_2","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2019.00020"},{"key":"e_1_3_2_74_2","doi-asserted-by":"publisher","DOI":"10.1145\/3300061.3345447"},{"key":"e_1_3_2_75_2","first-page":"1605","volume-title":"29th USENIX Security Symposium (USENIX Security \u201920)","author":"Leino Klas","year":"2020","unstructured":"Klas Leino and Matt Fredrikson. 2020. Stolen memories: Leveraging model memorization for calibrated white-box membership inference. In 29th USENIX Security Symposium (USENIX Security \u201920). Srdjan Capkun and Franziska Roesner (Eds.), USENIX Association, 1605\u20131622. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/leino"},{"key":"e_1_3_2_76_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2020.acl-main.703"},{"key":"e_1_3_2_77_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833768"},{"key":"e_1_3_2_78_2","unstructured":"Qinfeng Li Zhiqiang Shen Zhenghan Qin Yangfan Xie Xuhong Zhang Tianyu Du and Jianwei Yin. 2024. TransLinkGuard: Safeguarding transformer models against model stealing in edge deployment. arXiv:2404.11121. Retrieved from https:\/\/arxiv.org\/abs\/2404.11121"},{"key":"e_1_3_2_79_2","doi-asserted-by":"publisher","DOI":"10.1145\/3472883.3486988"},{"key":"e_1_3_2_80_2","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484575"},{"key":"e_1_3_2_81_2","first-page":"87","volume-title":"Proc. Mach. Learn","volume":"6","author":"Lin Ji","year":"2024","unstructured":"Ji Lin, Jiaming Tang, Haotian Tang, Shang Yang, Wei-Ming Chen, Wei-Chen Wang, Guangxuan Xiao, Xingyu Dang, Chuang Gan, and Song Han. 2024. AWQ: Activation-aware weight quantization for on-device LLM compression and acceleration. Proc. Mach. Learn. 6 (2024), 87\u2013100."},{"key":"e_1_3_2_82_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-10602-1_48"},{"key":"e_1_3_2_83_2","first-page":"285","volume-title":"2017 USENIX Annual Technical Conference (USENIX ATC \u201917)","author":"Lind Joshua","year":"2017","unstructured":"Joshua Lind, Christian Priebe, Divya Muthukumaran, Dan O\u2019Keeffe, Pierre-Louis Aublin, Florian Kelbert, Tobias Reiher, David Goltzsche, David Eyers, R\u00fcdiger Kapitza, et al. 2017. Glamdring: Automatic application partitioning for Intel \\(\\{\\) SGX \\(\\}\\) . In 2017 USENIX Annual Technical Conference (USENIX ATC \u201917), 285\u2013298."},{"key":"e_1_3_2_84_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00063"},{"key":"e_1_3_2_85_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.29"},{"key":"e_1_3_2_86_2","first-page":"4525","volume-title":"31st USENIX Security Symposium, (USENIX Security \u201922)","author":"Liu Yugeng","year":"2022","unstructured":"Yugeng Liu, Rui Wen, Xinlei He, Ahmed Salem, Zhikun Zhang, Michael Backes, Emiliano De Cristofaro, Mario Fritz, and Yang Zhang. 2022. ML-doctor: Holistic risk assessment of inference attacks against machine learning models. In 31st USENIX Security Symposium, (USENIX Security \u201922). Kevin R. B. Butler and Kurt Thomas (Eds.), USENIX Association, 4525\u20134542. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/liu-yugeng"},{"key":"e_1_3_2_87_2","doi-asserted-by":"crossref","unstructured":"Ziyu Liu Yukui Luo Shijin Duan Tong Zhou and Xiaolin Xu. 2023. MirrorNet: A TEE-friendly framework for secure on-device DNN inference. arXiv:2311.09489. Retrieved from https:\/\/arxiv.org\/abs\/2311.09489","DOI":"10.1109\/ICCAD57390.2023.10323746"},{"key":"e_1_3_2_88_2","doi-asserted-by":"publisher","DOI":"10.1109\/VLSI-SoC.2014.7004182"},{"key":"e_1_3_2_89_2","unstructured":"Stefan Mangard. 2016. Cache Attacks and Rowhammer on ARM. Ph.D. Dissertation. Graz University of Technology Styria Austria."},{"key":"e_1_3_2_90_2","unstructured":"Sourab Mangrulkar Sylvain Gugger Lysandre Debut Younes Belkada Sayak Paul and Benjamin Bossan. 2022. PEFT: State-of-the-art parameter-efficient fine-tuning methods. Retrieved from https:\/\/github.com\/huggingface\/peft"},{"key":"e_1_3_2_91_2","doi-asserted-by":"publisher","DOI":"10.1145\/2487726.2488368"},{"key":"e_1_3_2_92_2","first-page":"4579","volume-title":"31st USENIX Security Symposium (USENIX Security \u201922)","author":"Mehnaz Shagufta","year":"2022","unstructured":"Shagufta Mehnaz, Sayanton V. Dibbo, Ehsanul Kabir, Ninghui Li, and Elisa Bertino. 2022. Are your sensitive attributes private? Novel model inversion attribute inference attacks on classification models. In 31st USENIX Security Symposium (USENIX Security \u201922). Kevin R. B. Butler and Kurt Thomas (Eds.), USENIX Association, 4579\u20134596. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/mehnaz"},{"key":"e_1_3_2_93_2","unstructured":"Luke Melas. 2020. Pretrained ViT. Retrieved from https:\/\/github.com\/lukemelas\/PyTorch-Pretrained-ViT"},{"key":"e_1_3_2_94_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00029"},{"key":"e_1_3_2_95_2","unstructured":"PyTorch. 2020. Pytorch hub. Retrieved from https:\/\/pytorch.org\/hub\/"},{"key":"e_1_3_2_96_2","unstructured":"PyTorch. 2020. Pytorch model zoo. Retrieved from https:\/\/pytorch.org\/serve\/model_zoo.html"},{"key":"e_1_3_2_97_2","doi-asserted-by":"publisher","DOI":"10.1145\/3373376.3378522"},{"key":"e_1_3_2_98_2","doi-asserted-by":"publisher","DOI":"10.1145\/3458864.3466628"},{"key":"e_1_3_2_99_2","doi-asserted-by":"publisher","DOI":"10.1145\/3386901.3388946"},{"key":"e_1_3_2_100_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00316"},{"key":"e_1_3_2_101_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103180"},{"key":"e_1_3_2_102_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00057"},{"key":"e_1_3_2_103_2","unstructured":"Krishna Giri Narra Zhifeng Lin Yongqin Wang Keshav Balasubramaniam and Murali Annavaram. 2019. Privacy-preserving inference in machine learning services using trusted execution environments. arXiv:1912.03485. Retrieved from https:\/\/arxiv.org\/abs\/1912.03485"},{"key":"e_1_3_2_104_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243855"},{"key":"e_1_3_2_105_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00065"},{"key":"e_1_3_2_106_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v35i17.17746"},{"key":"e_1_3_2_107_2","unstructured":"Alexander Nilsson Pegah Nikbakht Bideh and Joakim Brorsson. 2020. A survey of published attacks on Intel SGX. arXiv:2006.13598. Retrieved from https:\/\/arxiv.org\/abs\/2006.13598"},{"key":"e_1_3_2_108_2","doi-asserted-by":"publisher","DOI":"10.56553\/popets-2022-0105"},{"key":"e_1_3_2_109_2","unstructured":"NVIDIA. 2023. NVIDIA H100 tensor core GPU. Retrieved from https:\/\/www.nvidia.com\/en-us\/data-center\/h100\/"},{"key":"e_1_3_2_110_2","first-page":"227","volume-title":"2018 USENIX Annual Technical Conference (USENIX ATC \u201918)","author":"Oleksenko Oleksii","year":"2018","unstructured":"Oleksii Oleksenko, Bohdan Trach, Robert Krahn, Mark Silberstein, and Christof Fetzer. 2018. Varys: Protecting SGX enclaves from practical side-channel attacks. In 2018 USENIX Annual Technical Conference (USENIX ATC \u201918). Haryadi S. Gunawi and Benjamin C. Reed (Eds.), USENIX Association, 227\u2013240. Retrieved from https:\/\/www.usenix.org\/conference\/atc18\/presentation\/oleksenko"},{"key":"e_1_3_2_111_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00509"},{"key":"e_1_3_2_112_2","volume-title":"8th International Conference on Learning Representations (ICLR \u201920)","author":"Orekondy Tribhuvanesh","year":"2020","unstructured":"Tribhuvanesh Orekondy, Bernt Schiele, and Mario Fritz. 2020. Prediction poisoning: Towards defenses against DNN model stealing attacks. In 8th International Conference on Learning Representations (ICLR \u201920). Retrieved from https:\/\/openreview.net\/forum?id=SyevYxHtDB"},{"key":"e_1_3_2_113_2","unstructured":"Soham Pal Yash Gupta Aditya Shukla Aditya Kanade Shirish K. Shevade and Vinod Ganapathy. 2019. A framework for the extraction of deep neural networks by leveraging public data. arXiv:1905.09165. Retrieved from https:\/\/arxiv.org\/abs\/1905.0916"},{"key":"e_1_3_2_114_2","unstructured":"Nicolas Papernot Patrick McDaniel Arunesh Sinha and Michael Wellman. 2016. Towards the science of security and privacy in machine learning. arXiv:1611.03814. Retrieved from https:\/\/arxiv.org\/abs\/1611.03814"},{"key":"e_1_3_2_115_2","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"e_1_3_2_116_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833743"},{"key":"e_1_3_2_117_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23119"},{"key":"e_1_3_2_118_2","unstructured":"Maxim Saplin. 2024. Running local LLMs CPU vs. GPUa quick speed test. Retrieved from https:\/\/dev.to\/maximsaplin\/running-local-llms-cpu-vs-gpu-a-quick-speed-test-2cjn"},{"key":"e_1_3_2_119_2","doi-asserted-by":"publisher","DOI":"10.1145\/3411508.3421376"},{"key":"e_1_3_2_120_2","unstructured":"Haihao Shen Hanwen Chang Bo Dong Yu Luo and Hengyu Meng. 2023. Efficient llm inference on cpus. arXiv:2311.00502. Retrieved from https:\/\/arxiv.org\/abs\/2311.00502"},{"key":"e_1_3_2_121_2","first-page":"723","volume-title":"2022 USENIX Annual Technical Conference (USENIX ATC \u201922)","author":"Shen Tianxiang","year":"2022","unstructured":"Tianxiang Shen, Ji Qi, Jianyu Jiang, Xian Wang, Siyuan Wen, Xusheng Chen, Shixiong Zhao, Sen Wang, Li Chen, Xiapu Luo, et\u00a0al. 2022. SOTER: Guarding black-box inference for general neural networks at the edge. In 2022 USENIX Annual Technical Conference (USENIX ATC \u201922). Jiri Schindler and Noa Zilberman (Eds.), USENIX Association, 723\u2013738. Retrieved from https:\/\/www.usenix.org\/conference\/atc22\/presentation\/shen"},{"key":"e_1_3_2_122_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833607"},{"key":"e_1_3_2_123_2","doi-asserted-by":"publisher","DOI":"10.1145\/3373376.3378469"},{"key":"e_1_3_2_124_2","first-page":"3531","volume-title":"IEEE\/CVF Winter Conference on Applications of Computer Vision","author":"Shen Zhuoran","year":"2021","unstructured":"Zhuoran Shen, Mingyuan Zhang, Haiyu Zhao, Shuai Yi, and Hongsheng Li. 2021. Efficient attention: Attention with linear complexities. In IEEE\/CVF Winter Conference on Applications of Computer Vision, 3531\u20133539."},{"key":"e_1_3_2_125_2","doi-asserted-by":"crossref","unstructured":"Ming-Wei Shih Sangho Lee Taesoo Kim and Marcus Peinado. 2017. T-SGX: Eradicating controlled-channel attacks against enclave programs. In Network and Distributed System Security Symposium.","DOI":"10.14722\/ndss.2017.23193"},{"key":"e_1_3_2_126_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"e_1_3_2_127_2","unstructured":"Supraja Sridhara Andrin Bertschi Benedict Schl\u00fcter Mark Kuhne Fabio Aliberti and Shweta Shinde. 2023. ACAI: Protecting accelerator execution with arm confidential computing architecture. arXiv:2305.15986. Retrieved from https:\/\/arxiv.org\/abs\/2305.15986"},{"key":"e_1_3_2_128_2","volume-title":"3rd International Conference on Learning Representations (ICLR 2015)","author":"Simonyan Karen","year":"2015","unstructured":"Karen Simonyan and Andrew Zisserman. 2015. Very deep convolutional networks for large-scale image recognition. In 3rd International Conference on Learning Representations (ICLR 2015). Yoshua Bengio and Yann LeCun (Eds.), Retrieved from http:\/\/arxiv.org\/abs\/1409.1556"},{"key":"e_1_3_2_129_2","unstructured":"Chawin Sitawarin Jaewon Chang David Huang Wesson Altoyan and David Wagner. 2023. Defending against transfer attacks from public models. arXiv:2310.17645. Retrieved from https:\/\/arxiv.org\/abs\/2310.17645"},{"key":"e_1_3_2_130_2","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417270"},{"key":"e_1_3_2_131_2","unstructured":"Liwei Song and Prateek Mittal. 2021. Systematic evaluation of privacy risks of machine learning models. In 30th USENIX Security Symposium (USENIX Security \u201921). Michael Bailey and Rachel Greenstadt (Eds.) USENIX Association 2615\u20132632. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/song"},{"key":"e_1_3_2_132_2","first-page":"26409","volume-title":"Annual Conference on Neural Information Processing Systems 2021 (NeurIPS \u201921)","author":"Subramani Pranav","year":"2021","unstructured":"Pranav Subramani, Nicholas Vadivelu, and Gautam Kamath. 2021. Enabling fast differentially private SGD via just-in-time compilation and vectorization. InAnnual Conference on Neural Information Processing Systems 2021 (NeurIPS \u201921). Marc\u2019Aurelio Ranzato, Alina Beygelzimer, Yann N. Dauphin, Percy Liang, and Jennifer Wortman Vaughan (Eds.), 26409\u201326421. Retrieved from https:\/\/proceedings.neurips.cc\/paper\/2021\/hash\/ddf9029977a61241841edeae15e9b53f-Abstract.html"},{"key":"e_1_3_2_133_2","unstructured":"Zhichuang Sun Ruimin Sun Long Lu and Somesh Jha. 2020. ShadowNet: A secure and efficient system for on-device model inference. arXiv: 2011.05905. Retrieved from https:\/\/arxiv.org\/abs\/\/2011.05905"},{"key":"e_1_3_2_134_2","first-page":"1955","volume-title":"30th USENIX Security Symposium, (USENIX Security \u201921)","author":"Sun Zhichuang","year":"2021","unstructured":"Zhichuang Sun, Ruimin Sun, Long Lu, and Alan Mislove. 2021. Mind your weight(s): A large-scale study on insufficient machine learning model protection in mobile apps. In 30th USENIX Security Symposium, (USENIX Security \u201921). Michael Bailey and Rachel Greenstadt (Eds.), USENIX Association, 1955\u20131972. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/sun-zhichuang"},{"key":"e_1_3_2_135_2","first-page":"1057","volume-title":"26th USENIX Security Symposium (USENIX Security \u201917)","author":"Tang Adrian","year":"2017","unstructured":"Adrian Tang, Simha Sethumadhavan, and Salvatore Stolfo. 2017. \\(\\{\\) CLKSCREW \\(\\}\\) : Exposing the perils of \\(\\{\\) Security-Oblivious \\(\\}\\) energy management. In 26th USENIX Security Symposium (USENIX Security \u201917), 1057\u20131074."},{"key":"e_1_3_2_136_2","unstructured":"Hugo Touvron Thibaut Lavril Gautier Izacard Xavier Martinet Marie-Anne Lachaux Timoth\u00e9e Lacroix Baptiste Rozi\u00e8re Naman Goyal Eric Hambro Faisal Azhar et al. 2023. Llama: Open and efficient foundation language models. arXiv:2302.13971. Retrieved from https:\/\/arxiv.org\/abs\/2302.13971"},{"key":"e_1_3_2_137_2","volume-title":"7th International Conference on Learning Representations (ICLR \u201919)","author":"Tram\u00e8r Florian","year":"2019","unstructured":"Florian Tram\u00e8r and Dan Boneh. 2019. Slalom: Fast, verifiable and private execution of neural networks in trusted hardware. In 7th International Conference on Learning Representations (ICLR \u201919). Retrieved from https:\/\/openreview.net\/forum?id=rJVorjCcKQ"},{"key":"e_1_3_2_138_2","first-page":"601","volume-title":"25th USENIX Security Symposium (USENIX Security \u201916)","author":"Tram\u00e8r Florian","year":"2016","unstructured":"Florian Tram\u00e8r, Fan Zhang, Ari Juels, Michael K. Reiter, and Thomas Ristenpart. 2016. Stealing machine learning models via prediction APIs. In 25th USENIX Security Symposium (USENIX Security \u201916). Thorsten Holz and Stefan Savage (Eds.), USENIX Association, 601\u2013618. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity16\/technical-sessions\/presentation\/tramer"},{"key":"e_1_3_2_139_2","first-page":"505","volume-title":"29th USENIX Security Symposium (USENIX Security \u201920)","author":"Tsai Chia-Che","year":"2020","unstructured":"Chia-Che Tsai, Jeongseok Son, Bhushan Jain, John McAvey, Raluca Ada Popa, and Donald E. Porter. 2020. Civet: An efficient Java partitioning framework for hardware enclaves. In 29th USENIX Security Symposium (USENIX Security \u201920), 505\u2013522."},{"key":"e_1_3_2_140_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00087"},{"key":"e_1_3_2_141_2","unstructured":"Berkeley Vision and Learning Center. 2020. Caffe model zoo. Retrieved from https:\/\/github.com\/BVLC\/caffe\/wiki\/Model-Zoo"},{"key":"e_1_3_2_142_2","first-page":"681","volume-title":"13th USENIX Symposium on Operating Systems Design and Implementation (OSDI \u201918)","author":"Volos Stavros","year":"2018","unstructured":"Stavros Volos, Kapil Vaswani, and Rodrigo Bruno. 2018. Graviton: Trusted execution environments on GPUs. In 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI \u201918). Andrea C. Arpaci-Dusseau and Geoff Voelker (Eds.), USENIX Association, 681\u2013696. Retrieved from https:\/\/www.usenix.org\/conference\/osdi18\/presentation\/volos"},{"key":"e_1_3_2_143_2","unstructured":"Alex Wang Amanpreet Singh Julian Michael Felix Hill Omer Levy and Samuel R Bowman. [n.d.]. GLUE: A multi-task benchmark and analysis platform for natural language understanding. arXiv:1804.07461. Retrieved from arxiv.org\/abs\/1804.07461"},{"key":"e_1_3_2_144_2","first-page":"1281","volume-title":"27th USENIX Security Symposium (USENIX Security \u201918)","author":"Wang Bolun","year":"2018","unstructured":"Bolun Wang, Yuanshun Yao, Bimal Viswanath, Haitao Zheng, and Ben Y. Zhao. 2018. With great training comes great vulnerability: Practical attacks against transfer learning. In 27th USENIX Security Symposium (USENIX Security \u201918). William Enck and Adrienne Porter Felt (Eds.), USENIX Association, 1281\u20131297. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/wang-bolun"},{"issue":"4","key":"e_1_3_2_145_2","first-page":"3801","article-title":"Building a lightweight trusted execution environment for Arm GPUs","volume":"21","author":"Wang Chenxu","year":"2023","unstructured":"Chenxu Wang, Yunjie Deng, Zhenyu Ning, Kevin Leach, Jin Li, Shoumeng Yan, Zhengyu He, Jiannong Cao, and Fengwei Zhang. 2023. Building a lightweight trusted execution environment for Arm GPUs. IEEE Trans. Dependable Secur. Comput. 21, 4 (2023), 3801\u20133816.","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"e_1_3_2_146_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134038"},{"key":"e_1_3_2_147_2","unstructured":"weiaicunzai. 2020. Pytorch-cifar100. Retrieved from https:\/\/github.com\/weiaicunzai\/pytorch-cifar100"},{"key":"e_1_3_2_148_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4612-4380-9_16"},{"key":"e_1_3_2_149_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2022.24173"},{"key":"e_1_3_2_150_2","doi-asserted-by":"publisher","DOI":"10.1109\/RTSS52674.2021.00018"},{"key":"e_1_3_2_151_2","first-page":"38087","volume-title":"40th International Conference on Machine Learning","author":"Xiao Guangxuan","year":"2023","unstructured":"Guangxuan Xiao, Ji Lin, Mickael Seznec, Hao Wu, Julien Demouth, and Song Han. 2023. SmoothQuant: Accurate and efficient post-training quantization for large language models. In 40th International Conference on Machine Learning, 38087\u201338099."},{"key":"e_1_3_2_152_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCMC56507.2023.10084208"},{"key":"e_1_3_2_153_2","first-page":"2003","volume-title":"29th USENIX Security Symposium (USENIX Security \u201920)","author":"Yan Mengjia","year":"2020","unstructured":"Mengjia Yan, Christopher W. Fletcher, and Josep Torrellas. 2020. Cache telepathy: Leveraging shared resource attacks to learn DNN architectures. In 29th USENIX Security Symposium (USENIX Security \u201920). Srdjan Capkun and Franziska Roesner (Eds.), USENIX Association, 2003\u20132020. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/yan"},{"key":"e_1_3_2_154_2","volume-title":"31st USENIX Security Symposium","author":"Yuan Xiaoyong","year":"2022","unstructured":"Xiaoyong Yuan and Lan Zhang. 2022. Membership inference attacks and defenses in neural network pruning. In 31st USENIX Security Symposium. USENIX Association, Boston, MA."},{"key":"e_1_3_2_155_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00052"},{"key":"e_1_3_2_156_2","doi-asserted-by":"publisher","DOI":"10.1145\/3368089.3409676"},{"key":"e_1_3_2_157_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00049"},{"key":"e_1_3_2_158_2","first-page":"1856","volume-title":"44th IEEE\/ACM 44th International Conference on Software Engineering (ICSE \u201922)","author":"Zhang Ziqi","year":"2022","unstructured":"Ziqi Zhang, Yuanchun Li, Jindong Wang, Bingyan Liu, Ding Li, Yao Guo, Xiangqun Chen, and Yunxin Liu. 2022. ReMoS: Reducing defect inheritance in transfer learning via relevant model slicing. In 44th IEEE\/ACM 44th International Conference on Software Engineering (ICSE \u201922), 1856\u20131868."},{"key":"e_1_3_2_159_2","doi-asserted-by":"publisher","DOI":"10.1145\/3536168.3543299"},{"key":"e_1_3_2_160_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.463"},{"key":"e_1_3_2_161_2","first-page":"42614","volume-title":"International Conference on Machine Learning (ICML \u201923)","author":"Zhou Tong","year":"2023","unstructured":"Tong Zhou, Yukui Luo, Shaolei Ren, and Xiaolin Xu. 2023. NNSplitter: An active defense solution for DNN model via automated Weight obfuscation. In International Conference on Machine Learning (ICML \u201923). Andreas Krause, Emma Brunskill, Kyunghyun Cho, Barbara Engelhardt, Sivan Sabato, and Jonathan Scarlett (Eds.), PMLR, 42614\u201342624. Retrieved from https:\/\/proceedings.mlr.press\/v202\/zhou23h.html"},{"key":"e_1_3_2_162_2","unstructured":"Zixuan Zhou Xuefei Ning Ke Hong Tianyu Fu Jiaming Xu Shiyao Li Yuming Lou Luning Wang Zhihang Yuan Xiuhong Li et al. 2024. A survey on efficient inference for large language models. arXiv:2404.14294. Retrieved from https:\/\/arxiv.org\/abs\/2404.14294"},{"key":"e_1_3_2_163_2","first-page":"1973","volume-title":"30th USENIX Security Symposium (USENIX Security \u201921)","author":"Zhu Yuankun","year":"2021","unstructured":"Yuankun Zhu, Yueqiang Cheng, Husheng Zhou, and Yantao Lu. 2021. Hermes attack: Steal DNN models with lossless inference accuracy. In 30th USENIX Security Symposium (USENIX Security \u201921). Michael Bailey and Rachel Greenstadt (Eds.), USENIX Association, 1973\u20131988. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/zhu"},{"key":"e_1_3_2_164_2","doi-asserted-by":"publisher","DOI":"10.1109\/JPROC.2020.3004555"}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3707453","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,1]],"date-time":"2025-07-01T13:29:37Z","timestamp":1751376577000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3707453"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,7]]},"references-count":163,"journal-issue":{"issue":"6","published-print":{"date-parts":[[2025,7,31]]}},"alternative-id":["10.1145\/3707453"],"URL":"https:\/\/doi.org\/10.1145\/3707453","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"value":"1049-331X","type":"print"},{"value":"1557-7392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,7]]},"assertion":[{"value":"2024-03-15","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-11-05","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-07-01","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}