🤖 AI Summary
This work addresses the vulnerability of edge-deployed deep neural networks to model extraction and inversion attacks. Existing defenses either support only post-hoc attribution or incur high latency and rely on sensitive training data. To overcome these limitations, the authors propose LymphNode—a plug-and-play, post-hoc defense framework that embeds an “immune system” within the model: it defaults to rejecting all queries and restores functionality only for authorized inputs bearing implicit feature credentials. The core innovation lies in a lightweight access control mechanism based on Generalized Sparse Universal Adversarial Perturbations (GSUAP), which requires no original training data and achieves cross-dataset transferable protection with merely hundreds of samples. Experiments demonstrate that LymphNode effectively blocks gradient estimation and data inference from unauthorized queries—even when using fewer than 100 samples or publicly available surrogate data—while maintaining low overhead, high compatibility, and immediate deployability.
📝 Abstract
Deep Neural Networks (DNNs) are high-value intellectual property (IP), yet deploying them to edge environments exposes them to unrestricted oracle access, rendering them vulnerable to model extraction and inversion attacks. Existing defenses fail to address this practically: passive watermarking only offers post-hoc provenance, while active defenses impose prohibitive latency or require persistent access to sensitive training data. To bridge this gap, we propose LymphNode, a novel post-hoc defense framework that acts as an intrinsic "immune system" within the model. LymphNode enforces a strict "default-deny" policy: it actively neutralizes model utility for unauthorized queries via Generalized Sparse Universal Adversarial Perturbations (GSUAP) injected into the feature space, effectively blocking gradient estimation and data inference. Utility is selectively restored only for authorized inputs carrying a stealthy feature-domain credential. Our framework is highly practical: it is data-efficient, establishing robust protection with fewer than 100 samples (<1% of training data), and cross-dataset adaptable, enabling protection using public surrogate datasets. LymphNode thus provides a lightweight, immediately deployable defense for high-stakes scenarios where original training data is restricted or unavailable.
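The following is an added toy illustration of the default-deny idea the abstract describes (a feature-space gate that collapses the model's output for unauthorized queries and passes authorized, credential-bearing features through). It is not the paper's code and does not implement GSUAP: the classifier head, the credential coordinates, the sparse "deny" perturbation and all function names are constructed assumptions for this example. What it shows is the defender-side consequence the abstract claims: once the output is pinned to a constant class, a black-box finite-difference gradient estimate from the returned probabilities is exactly zero, while an authorized query still yields the unprotected head's prediction and a usable gradient.

```python
"""Toy default-deny feature-space gate (illustration only; not the paper's GSUAP).

A frozen classifier head maps D-dimensional features to class logits. A gate in
front of it checks for a sparse credential pattern on a few fixed feature
coordinates. Features without it receive a sparse, input-independent (universal)
perturbation chosen so the head's output collapses to one fixed class; features
with it pass through untouched.
"""
import numpy as np

rng = np.random.default_rng(7)
D, NUM_CLASSES = 64, 10

# Constructed stand-in for a frozen model head (features -> logits).
W = rng.normal(size=(D, NUM_CLASSES))

# Hypothetical credential: value CRED_VALUE on four fixed feature coordinates.
# The tolerance is wider than the probe step used below, so small finite-
# difference probes by an authorized client do not trip the gate.
CRED_IDX = np.array([3, 17, 42, 59])
CRED_VALUE = 3.0
CRED_TOL = 5e-2

# Sparse universal perturbation supported on 16 fixed coordinates, solved by
# least squares so that DENY_PERT @ W == TARGET == K * e_0 (up to float error).
# Adding it drives every input's logits to class 0 by a margin of ~K.
DENY_SUPPORT = np.arange(0, D, 4)
K = 1000.0
TARGET = np.zeros(NUM_CLASSES)
TARGET[0] = K
_p_s, *_ = np.linalg.lstsq(W[DENY_SUPPORT].T, TARGET, rcond=None)
DENY_PERT = np.zeros(D)
DENY_PERT[DENY_SUPPORT] = _p_s


def deny_perturbation_error():
    """Max absolute deviation of the perturbed logits from the K*e_0 target."""
    return float(np.max(np.abs(DENY_PERT @ W - TARGET)))


def softmax(z):
    z = z - z.max(axis=-1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=-1, keepdims=True)


def has_credential(features):
    return bool(np.all(np.abs(features[CRED_IDX] - CRED_VALUE) <= CRED_TOL))


def stamp_credential(features):
    """What an authorized client (or its trusted feature extractor) applies."""
    out = features.copy()
    out[CRED_IDX] = CRED_VALUE
    return out


def gated_predict(features):
    """Default-deny: perturb unless the credential is present, then run the head."""
    if not has_credential(features):
        features = features + DENY_PERT
    return softmax(features @ W)


def finite_difference_grad(query_fn, features, cls, eps=1e-3):
    """Black-box gradient estimate an attacker could form from returned probabilities."""
    grad = np.zeros_like(features)
    base = query_fn(features)[cls]
    for i in range(len(features)):
        e = np.zeros_like(features)
        e[i] = eps
        grad[i] = (query_fn(features + e)[cls] - base) / eps
    return grad


def demo(n=100):
    """Compare unauthorized vs. authorized queries on constructed random features."""
    xs = rng.normal(size=(n, D))
    unauthorized = [int(np.argmax(gated_predict(x))) for x in xs]
    authorized = [int(np.argmax(gated_predict(stamp_credential(x)))) for x in xs]
    unprotected = [int(np.argmax(softmax(stamp_credential(x) @ W))) for x in xs]
    c0 = authorized[0]
    g_denied = finite_difference_grad(gated_predict, xs[0], c0)
    g_allowed = finite_difference_grad(gated_predict, stamp_credential(xs[0]), c0)
    return {
        "unauthorized_labels": set(unauthorized),          # collapses to {0}
        "authorized_matches_unprotected": authorized == unprotected,
        "denied_grad_norm": float(np.linalg.norm(g_denied)),   # exactly 0.0
        "allowed_grad_norm": float(np.linalg.norm(g_allowed)),  # > 0
    }


if __name__ == "__main__":
    print(demo())
```

The gate here is deliberately crude (an exact-value check on known coordinates, a perturbation that is universal but not stealthy); the point is the access-control shape rather than the credential design. Note the trade-off visible in `CRED_TOL`: a tolerance tighter than an attacker's probe step would also reject authorized clients' own probes, so the credential must survive the benign input variation the deployment expects.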