SPOILER: TEE-Shielded DNN Partitioning of On-Device Secure Inference with Poison Learning

📅 2026-03-06
🤖 AI Summary
This work addresses the vulnerability of deep neural networks on edge devices to model stealing attacks, a challenge exacerbated by the difficulty of existing Trusted Execution Environment (TEE) solutions in simultaneously ensuring security and inference efficiency. To overcome this limitation, the authors propose SPOILER, a novel framework that introduces a “search–training decoupling” paradigm. By leveraging hardware-aware neural architecture search (NAS), SPOILER automatically partitions the backbone network into a TEE-protected subnet prior to training. Furthermore, it incorporates self-poisoning learning to enforce logical isolation and functional irreversibility between components. Evaluated on both CNN and Transformer architectures, the approach achieves an optimal trade-off among security, low latency, and high accuracy, significantly outperforming current TEE-based protection mechanisms.

📝 Abstract
Deploying deep neural networks (DNNs) on edge devices exposes valuable intellectual property to model-stealing attacks. While TEE-shielded DNN partitioning (TSDP) mitigates this by isolating sensitive computations, existing paradigms fail to simultaneously satisfy privacy and efficiency. The training-before-partition paradigm suffers from intrinsic privacy leakage, whereas the partition-before-training paradigm incurs severe latency due to structural dependencies that hinder parallel execution. To overcome these limitations, we propose SPOILER, a novel search-before-training framework that fundamentally decouples the TEE sub-network from the backbone via hardware-aware neural architecture search (NAS). SPOILER identifies a lightweight TEE architecture strictly optimized for hardware constraints, maximizing parallel efficiency. Furthermore, we introduce self-poisoning learning to enforce logical isolation, rendering the exposed backbone functionally incoherent without the TEE component. Extensive experiments on CNNs and Transformers demonstrate that SPOILER achieves state-of-the-art trade-offs between security, latency, and accuracy.
Problem

Research questions and friction points this paper is trying to address.

model-stealing attacks
TEE-shielded DNN partitioning
privacy-efficiency trade-off
on-device inference
intellectual property protection
Innovation

Methods, ideas, or system contributions that make the work stand out.

TEE-shielded DNN partitioning
hardware-aware NAS
self-poisoning learning
secure on-device inference
neural architecture search