Where It Appears In The Edge AI Architecture
A7 starts at the input boundary and becomes visible when the same plausible sample causes unstable model behavior.
A tiny bounded change survives decoding and flips the model from the expected class to a target class.
Threat Model
The attacker controls the input, not the backend service.
Attacker capability
The caller can submit valid-looking images or sensor samples, choose repeated variants, and observe final labels, confidence buckets, reject reasons, and latency.
Assets at risk
Prediction integrity, safety filters, route comparison between Jetson and Zynq, and trust in model decisions under small input changes.
Out of scope
No evasion against third-party services, no real user data, no physical-world attack deployment, and no attempts to bypass systems outside the owned lab.
Attack Intuition
The image looks almost the same, but the model sees a different direction in feature space.
A7 works because many neural models are sensitive to structured changes that are small in pixel space but meaningful to the model's internal representation. The input can pass normal MIME and size checks while still causing an unreliable decision.
In your edge lab, A7 is interesting because the same input can be sent through Jetson and Zynq implementations. If the perturbation transfers differently, you get a useful robustness comparison between GPU and FPGA inference paths.
Technical Explanation
A7 is a decision-boundary stress test after basic input parsing succeeds.
Input constraint
The perturbation should stay within a small budget such as L-infinity epsilon, JPEG quality drift, brightness shift, crop jitter, or sensor noise envelope.
Transfer behavior
A perturbation built on a surrogate model may transfer to Jetson or Zynq if the deployed models share architecture, preprocessing, or quantization behavior.
Gateway role
D8 cannot prove model robustness, but it can reject malformed files, normalize decoding paths, re-encode images, cap dimensions, and remove cheap high-frequency artifacts.
Model role
Robustness needs model-level evidence: adversarial training, augmentation, randomized smoothing, confidence calibration, abstention thresholds, and comparison against clean accuracy.
Mathematical View
The adversarial sample changes prediction while staying close to the original input.
For the lab report, avoid claiming universal robustness. Measure clean accuracy, perturbed accuracy, transfer rate between Jetson and Zynq, and the amount of accuracy recovered after D8 and model-level defenses.
Safe Lab Demonstration
Use a toy classifier and synthetic vectors to show the measurement pattern without targeting any external model.
- Create synthetic clean samples with known labels.
- Apply a bounded perturbation using a toy gradient-sign rule.
- Measure how often labels flip in vulnerable mode.
- Repeat after D8-style canonicalization and input noise filtering.
- Compare clean accuracy, flip rate, reject rate, and route consistency across Jetson and Zynq experiments.
Local Lab Code
A compact simulator for adversarial-input measurement and D8 defense evidence.
from dataclasses import dataclass
import random
@dataclass
class Sample:
features: list[float]
label: int
WEIGHTS = [0.9, -1.1, 0.7, -0.4, 1.3, -0.8, 0.5, -0.6]
def score(features):
return sum(w * x for w, x in zip(WEIGHTS, features))
def predict(features):
return 1 if score(features) >= 0 else 0
def make_sample():
features = [random.uniform(-1.0, 1.0) for _ in WEIGHTS]
return Sample(features, predict(features))
def perturb(sample, epsilon=0.12):
# Toy gradient-sign perturbation against a linear model.
direction = 1 if sample.label == 0 else -1
delta = [direction * epsilon * (1 if w >= 0 else -1) for w in WEIGHTS]
return [max(-1.0, min(1.0, x + d)) for x, d in zip(sample.features, delta)]
def d8_canonicalize(features):
# Stand-in for decode normalization, JPEG re-encode, bucketing, and noise filtering.
return [round(max(-1.0, min(1.0, x)), 1) for x in features]
def run(mode="vulnerable", n=240, seed=17):
random.seed(seed)
flips = 0
defended_flips = 0
rejects = 0
for _ in range(n):
sample = make_sample()
adv = perturb(sample)
if mode == "d8" and any(abs(a - b) > 0.18 for a, b in zip(adv, sample.features)):
rejects += 1
continue
observed = d8_canonicalize(adv) if mode in {"d8", "robust"} else adv
if predict(observed) != sample.label:
flips += 1
robust_observed = [(c + o) / 2.0 for c, o in zip(d8_canonicalize(adv), sample.features)]
if predict(robust_observed) != sample.label:
defended_flips += 1
accepted = n - rejects
return {
"mode": mode,
"accepted": accepted,
"rejected": rejects,
"raw_flip_rate": round(flips / max(accepted, 1), 3),
"robust_reference_flip_rate": round(defended_flips / max(accepted, 1), 3),
}
for mode in ["vulnerable", "d8", "robust"]:
print(run(mode))
Your Edge AI Setup
A7 turns the lab into a robustness comparison between preprocessing, Jetson, and Zynq.
Pi gateway
Enforce MIME and magic-byte checks, dimension caps, decode-normalize-reencode policy, body hashes, and reject reasons before dispatching to either accelerator.
Jetson path
Measure TensorRT behavior under clean, perturbed, and canonicalized inputs. Record confidence buckets and abstention decisions without storing private raw images.
Zynq path
Compare quantized FPGA behavior against Jetson. A7 can reveal whether fixed-point inference is more or less sensitive to a perturbation family.
GPU workstation
Generate controlled synthetic perturbation sets, run baseline PyTorch evaluation, and publish robustness curves across deployment targets.
Observable Signals
A7 evidence should preserve privacy while still showing robustness behavior.
| Signal | Why It Matters | Safe Evidence |
|---|---|---|
| High near-duplicate input rate | Mutation sweeps often probe a local decision boundary. | Perceptual hash buckets or synthetic feature-bin IDs. |
| Clean versus perturbed accuracy | Shows whether the model is unstable under bounded changes. | Aggregate accuracy and flip-rate curves on owned datasets. |
| Gateway canonicalization effect | D8 should reduce cheap high-frequency artifacts. | Flip rate before and after re-encoding or bucketing. |
| Jetson/Zynq disagreement | Different deployment paths may fail differently. | Route-local labels, confidence buckets, and mismatch counts. |
| Reject and abstention reasons | Protection should be explainable and measurable. | Sanitized D6 logs with reason codes and no raw payload. |
Impact Analysis
A7 is primarily an integrity problem because the model returns the wrong decision.
Integrity
The prediction changes while the input still appears valid and plausible.
Confidentiality
Repeated A7 tests can reveal boundary behavior and support later A6-style substitute modeling.
Availability
Large mutation sweeps can become A2 pressure if body caps and budgets are missing.
Framework Mapping
A7 maps to model integrity, evasion resistance, and secure preprocessing.
| Framework | Mapping | Use In Report |
|---|---|---|
| STRIDE | Tampering with input semantics and Integrity failure in model output. | Describe how an accepted input can still manipulate model behavior. |
| CIA | Integrity primary; Confidentiality and Availability secondary. | Separate wrong decisions from model extraction or resource exhaustion. |
| PASTA | Stage 5 vulnerability analysis and Stage 6 attack modeling. | Model preprocessing, perturbation budget, output stability, and defense evidence. |
| MITRE ATLAS | Relevant to adversarial ML evasion, input perturbation, and ML inference manipulation. | Treat A7 as a controlled robustness experiment under owned-lab conditions. |
Defense Mapping To Existing D1-D11 Controls
D8 is the gateway control, while true robustness needs model-level evidence.
| Control | Role Against A7 | Validation Evidence |
|---|---|---|
| D8 Input Validation | Primary gateway control. Validates type, size, dimensions, decoding, canonicalization, and cheap perturbation removal. | Malformed inputs reject before dispatch; canonicalization lowers synthetic flip rate. |
| Model Robustness Work | Adversarial training, augmentation, smoothing, calibration, and abstention reduce boundary sensitivity. | Clean accuracy and perturbed accuracy curves before and after hardening. |
| D5 Query Anomaly Detection | Detects mutation sweeps, near-duplicate probing, and high-rate boundary searches. | Per-user hash-bucket and confidence-shift alerts. |
| D2 Rate Limit + Body Cap | Prevents perturbation sweeps from becoming an availability problem. | 429 and 413 decisions before Jetson or Zynq dispatch. |
| D6 Sanitized Logging | Preserves aggregate evidence without leaking raw images or sensitive samples. | Logs contain route, hash bucket, reject reason, label, and confidence bucket only. |
| D9 Route Consistency | Reduces client-visible backend differences that could help tune a transfer attack. | Jetson and Zynq response policy is consistent for the same accepted input. |
Research Notes
A7 can become a strong experiment because it connects software ML robustness to hardware deployment realism.
Robustness curve
Plot accuracy versus perturbation budget for baseline, D8 canonicalized, and robustly trained variants.
Deployment comparison
Run the same perturbation set through PyTorch, TensorRT on Jetson, and fixed-point Zynq to compare transfer and disagreement.
Defense cost
Measure latency, reject rate, clean accuracy loss, and false abstention after preprocessing and robustness controls.
Portal artifact
Show before/after images, confidence buckets, route agreement, and D8 decision logs without exposing raw sensitive inputs.
Key Takeaways
A7 is not fixed by authentication; it needs input normalization and model robustness evidence.
- A7 targets prediction integrity after the request has passed basic API controls.
- D8 can remove malformed files and cheap perturbations, but it is not a proof of robustness.
- The strongest lab story compares clean accuracy, perturbed accuracy, and defense overhead.
- Jetson and Zynq may respond differently to the same perturbed sample because deployment details matter.
- A7 connects naturally to A6 model extraction and A2 resource pressure when mutation sweeps become large.