Next Article in Journal
Temperature Compensation for Chromatic Stability of RGBW LEDs in Automotive Interior Lighting
Previous Article in Journal
A Hybrid Second Harmonic Current Mitigation Strategy for Two-Stage Single-Phase DC–AC Converters
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Physical Layer Secure Transmission of AI Models in UAV-Enabled Edge AIoT

1
College of Information Engineering, Taizhou University, Taizhou 225300, China
2
School of Information Science and Technology, Beijing Forestry University, Beijing 100083, China
3
Infrastructure Inspection Research Institute, China Academy of Railway Sciences Corporation Limited, Beijing 100081, China
*
Author to whom correspondence should be addressed.
Electronics 2025, 14(17), 3450; https://doi.org/10.3390/electronics14173450
Submission received: 25 July 2025 / Revised: 14 August 2025 / Accepted: 25 August 2025 / Published: 29 August 2025
(This article belongs to the Special Issue Optimization and Guarantee of AI Service Quality in Native-AI Network)

Abstract

The evolution of sixth-generation (6G) networks enables transformative edge Artificial Intelligence of Things (AIoT) applications but introduces critical security vulnerabilities during model transmission between the central server and edge devices (e.g., unmanned aerial vehicles). Traditional approaches fail to jointly optimize model accuracy and physical layer security against eavesdropping. To address this gap, we propose a novel dynamic user selection framework that integrates three key innovations: (1) closed-form secrecy outage probability derivation for Rayleigh fading channels, (2) a Secure Model Accuracy (SMA) metric unifying recognition accuracy and secrecy outage probability, and (3) an alternating optimization algorithm for joint model–bandwidth selection under secrecy constraints. Comprehensive simulations demonstrate 22% SMA gains over baselines across diverse channel conditions and eavesdropper capabilities, resolving the fundamental accuracy–security tradeoff for trustworthy edge intelligence.

1. Introduction

The rapid evolution toward 6G networks promises unprecedented connectivity speeds and ubiquitous intelligence, enabling transformative applications in edge-assisted Artificial Intelligence of Things (AIoT) systems. For example, a central node distributes the well-trained model to mobile edge devices (e.g., unmanned aerial vehicles) for model inference and decision-making, supporting a wide range of AI applications. However, this paradigm shift introduces critical security challenges, particularly in safeguarding sensitive model transmissions against increasingly sophisticated eavesdropping attacks. Physical layer security (PLS) has emerged as a fundamental complement to cryptographic methods by exploiting the inherent randomness of wireless channels to prevent information leakage. Despite significant progress in semantic communication [1] and IoT security mechanisms [2,3,4], a crucial gap persists in jointly optimizing model accuracy and transmission security for resource-constrained edge AIoT deployments.
Existing approaches suffer from three key limitations: (1) AI model transmission frameworks prioritize bandwidth efficiency but neglect PLS considerations against eavesdroppers. (2) Traditional PLS methods focus on generic data transmission without accounting for the unique accuracy-vs-size tradeoffs in AI model architectures. (3) Static resource allocation strategies cannot adapt to dynamic channel conditions in multi-user edge environments. These limitations create a fundamental tension between model recognition accuracy and transmission security that remains unresolved.
To address these challenges, we propose a novel dynamic user selection framework for physical layer secure transmission in edge AIoT systems. Our core contributions include the following:
  • Closed-Form Analysis: We derive closed-form expressions for secrecy outage probability (SOP) under Rayleigh fading channels.
  • Security-Accuracy Metric: We introduce Secure Model Accuracy (SMA) as a unified optimization metric combining recognition accuracy and SOP.
  • Cross-Layer Optimization: To maximize the SMA of the system, we propose an alternating optimization algorithm that jointly selects AI models and allocates bandwidth under secrecy constraints.
Comprehensive simulations validate that our framework achieves up to 22% higher SMA compared to fixed-model and single-objective baselines across diverse channel conditions, transmit power levels, and eavesdropper capabilities. By fundamentally resolving the accuracy–security tradeoff, this work establishes a foundation for trustworthy edge intelligence in next-generation networks.

2. Related Work

Current research on secure transmission in IoT focuses on several key areas:

2.1. Physical Layer Security in AIoT Communications

Recent research has focused on integrating PLS into AIoT systems to protect model parameters and intermediate feature data transmitted over wireless channels. For example, the S2E-DECI framework [2] proposes a device-edge co-inference scheme that partitions a deep neural network between resource-constrained AIoT devices and edge servers and jointly optimizes model split and resource allocation under finite-blocklength secrecy capacity constraints via reinforcement learning and convex optimization, demonstrating near-optimal secrecy and energy efficiency tradeoffs. Similarly, ambient backscatter cooperative communication networks [3] employ wireless-powered backscatter devices and decode-and-forward relays, deriving closed-form SOP and secrecy energy efficiency (SEE) expressions to guide power and relay selection for enhanced PLS in ultra-low-power AIoT scenarios.

2.2. Authentication and Unclonable Feature Extraction for AIoT

Lightweight authentication mechanisms tailored to AIoT leverage physical layer unclonable attributes and channel prediction to detect spoofing and ensure integrity with minimal latency. A channel prediction-based security authentication scheme [4] uses long short-term memory (LSTM) at the edge node to forecast time-varying channel fingerprints and applies a Savitzky–Golay filter–based feature extractor (SGF-HOCM), achieving over 97% spoofing detection accuracy in industrial AIoT deployments. In addition, unclonable physical functions embedded within spiking neural networks built on threshold-switching devices [5] offer hardware-intrinsic physical unclonable functions (PUFs) for identity verification with high uniqueness and reliability, making them suitable for neuromorphic AIoT platforms. Nevertheless, lightweight authentication techniques mainly improve device identity assurance, without adequately addressing security risks during AI model transmission.

2.3. Advanced PLS Techniques and Resource Allocation

Beyond basic PLS paradigms, advanced schemes exploit novel physical layer technologies and optimization methods to strengthen secure AIoT transmissions. Reconfigurable intelligent surfaces (RISs) have been integrated with beamforming [6] to maximize the secrecy sum rate in two-way relay and 6G IoT settings, leveraging alternating optimization and semidefinite programming to jointly configure RIS phase shifts and beamforming weights under eavesdropping threats. Non-orthogonal multiple access (NOMA)-enabled overlay cognitive radio networks [7] employ full-duplex jamming and optimal power allocation to minimize SOP for both primary and secondary users, illustrating the benefits of cooperative jamming in densely connected AIoT environments. Rate-splitting and artificial noise strategies [8,9] further enhance PLS in multi-user MISO AIoT systems by formulating joint beamforming and jamming designs that balance secrecy and throughput under passive eavesdropping.

2.4. Semantic Communication and Model Transmission

Recent advances in semantic communication have introduced innovative approaches to model transmission in 6G networks. Wang et al. [1] proposed an intellicise model transmission framework for semantic communication in intelligence-native 6G networks. Their work introduced key metrics including model transmission outage probability (MTOP) and effective model accuracy (EMA), and they developed a joint model selection and resource allocation (JMSRA) algorithm that outperformed baseline methods by 22%. Their work established important foundations for understanding the relationship between model size and recognition performance but did not consider security aspects against eavesdroppers. Meanwhile, it lacks comprehensive security frameworks that protect the semantic model’s information under realistic adversarial settings.
Building on this, the concept of model-driven semantic communication has emerged as a new paradigm that facilitates preprocessing of multi-modal data with AI models before transmission [1]. This approach significantly reduces transmission volume while maintaining semantic fidelity, which is particularly valuable for edge intelligence scenarios where bandwidth and latency are critical constraints.
While recent studies have advanced physical layer security, lightweight authentication, and resource allocation techniques for AIoT, critical gaps remain in jointly optimizing model accuracy and transmission security in edge-assisted systems. Our work addresses this gap by developing a unified framework that simultaneously enhances semantic model performance while ensuring physical layer security through dynamic resource allocation, resolving the fundamental tension between these traditionally separate objectives.

3. System Model

We consider an “edge server-UAV” multi-user physical layer secure communication system with a passive eavesdropping node (Figure 1). The system consists of
  • An edge server storing pre-trained models M = { M 1 , M 2 , . . . , M N } with size S k .
  • K resource-constrained edge devices, such as UAVs.
  • A passive eavesdropper, Eve. (While our analysis assumes a single passive eavesdropper, the framework can be extended to (i) multiple eavesdroppers via max-SNR combining, (ii) active attacks (e.g., jamming) through SINR interference terms, and (iii) mobility via time-varying channel statistics in SOP expressions.)
The edge server distributes the pre-trained models to mobile edge devices (UAVs) for model inference and decision-making, supporting a wide range of AI applications. However, there may be an eavesdropper (Eve) who wants to obtain private model information.

3.1. Model Recognition Accuracy

The pre-trained models stored on the edge server exhibit varying recognition accuracies due to differences in model sizes. Inspired by [10], the recognition error rate Ψ k is a nonlinear function of the model size S k , satisfying the following properties:
(i)
Since Ψ k is a percentage, it satisfies 0 Ψ k 1 ;
(ii)
As larger model sizes contain more parameters, enabling higher performance, Ψ k is a monotonically decreasing function of S k ;
(iii)
The magnitude of the partial derivative Ψ k / S k decreases as S k increases. When S k becomes sufficiently large, the derivative approaches zero, indicating diminishing returns in semantic recognition performance with further increases in model size.
Based on Properties (i)–(iii), the recognition error rate can be modeled as the following function:
Ψ k = a S k b ,
where a , b 0 are tuning parameters determined by the specific intelligent model, characterizing the error rate decay with respect to model size. It can be verified that Ψ k satisfies all the above properties.
Following the experimental results reported in [1], a four-layer convolutional neural network (CNN) was trained on the CIFAR-10 dataset [11] for semantic communication tasks. By varying the number of channels in the convolutional layers, models with different sizes were obtained, and their recognition error rates were measured. The experimental data were then fitted to the nonlinear function in (1), showing that with parameters a = 0.2645 and b = 0.3216 , the fitted curve closely matches the empirical results, with the reconstruction error evaluated by the root mean square error (RMSE). Therefore, in this paper, the values of a and b used in simulations are directly adopted from the fitting results in [1], as illustrated in Figure 2 of that work.
Moreover, Ψ k 0 when S k + , which means that an infinite model size would theoretically lead to 100% accuracy. This reflects the assumption that given infinite model capacity, the error rate of the intelligent model approaches zero.

3.2. Physical Layer Transmission Model

Legitimate UAV Link: The downlink channel gain from the edge server to UAV k is h k CN 0 , λ k . The received signal at UAV k is given by
y k = h k x k + n k ,
where x k represents the encrypted model parameter symbols, n k CN 0 , N 0 B k is additive white Gaussian noise [12], and B k denotes the bandwidth allocated to UAV k.
Eavesdropping Link: The channel gain from the edge server to the eavesdropper is h e CN 0 , λ e . The intercepted signal at Eve is given by
y e = h e x k + n e ,
where n e CN 0 , N 0 B k . The eavesdropping link shares the same frequency band and bandwidth B k with the legitimate link.

4. Secrecy Capacity and SOP Analysis

In this section, we derive the secrecy outage probability (SOP) for the secrecy analysis of the system.

4.1. Secrecy Capacity

In our considered system, the model transmission rate is given by R k = S k / T k , where S k represents the model size. Assuming both the main channel (edge server → User k) and eavesdropping channel (edge server → Eve) experience Rayleigh fading, the squared channel gains | h k | 2 and | h e | 2 follow exponential distributions with parameters λ k and λ e , respectively.

4.2. SOP Closed-Form Expression

The SOP is defined as the probability that the secrecy capacity falls below the target rate R t h , where
S O P = Pr C s ( k ) < R t h
We derive the closed-form expression for the SOP as follows.
Proposition 1.
The SOP for user k in the considered UAV-assisted AIoT system, under Rayleigh fading channels with exponential channel gains | h k | 2 Exp ( λ k ) and | h e | 2 Exp ( λ e ) , is given by
S O P = 1 λ e λ k N 0 B k P 2 R t h / B k + λ e e λ k N 0 B k P 2 R t h / B k 1
where λ k and λ e are the parameters of the exponential distributions for the legitimate and eavesdropping channels, respectively; N 0 is the noise power spectral density; B k is the bandwidth allocated to user k; P is the transmit power; and R t h is the target secrecy rate.
Proof. 
To derive the SOP, we start with the definition below.
S O P = Pr C s ( k ) < R t h ,
where the secrecy capacity is C s ( k ) = B k log 2 1 + γ k 1 + γ e , with γ k and γ e being the signal-to-noise ratios (SNRs) at the legitimate user k and eavesdropper, respectively.
Expanding the condition C s ( k ) < R t h yields
B k log 2 1 + γ k 1 + γ e < R t h ,
which can be rewritten as
1 + γ k 1 + γ e < 2 R t h / B k ,
and further simplifies to
γ k < 2 R t h / B k ( 1 + γ e ) 1 .
Thus, the SOP is expressed as
S O P = Pr γ k < 2 R t h / B k ( 1 + γ e ) 1 = 0 Pr γ k < 2 R t h / B k ( 1 + γ e ) 1 γ e f γ e ( γ e ) d γ e ,
where f γ e ( γ e ) = λ e e λ e γ e is the probability density function (PDF) of γ e since γ e Exp ( λ e ) .
Since γ k Exp ( μ k ) with parameter μ k = λ k N 0 B k P , its cumulative distribution function (CDF) is given by
Pr ( γ k < x ) = 1 e μ k x .
Substituting into the SOP expression, we obtain
S O P = 0 1 e μ k 2 R t h / B k ( 1 + γ e ) 1 λ e e λ e γ e d γ e .
We simplify the exponent as
μ k 2 R t h / B k ( 1 + γ e ) 1 = μ k 2 R t h / B k γ e μ k ( 2 R t h / B k 1 ) .
Thus, we have
e μ k 2 R t h / B k ( 1 + γ e ) 1 = e μ k 2 R t h / B k γ e e μ k ( 2 R t h / B k 1 ) .
The SOP integral becomes
S O P = 0 λ e e λ e γ e d γ e 0 e μ k ( 2 R t h / B k 1 ) e ( μ k 2 R t h / B k + λ e ) γ e λ e d γ e .
By computing the two integrals separately, we have
I 1 = 0 λ e e λ e γ e d γ e = 1 ,
I 2 = λ e e μ k ( 2 R t h / B k 1 ) 0 e ( μ k 2 R t h / B k + λ e ) γ e d γ e .
For I 2 and using the integral identity 0 e a x d x = 1 a , we have
0 e ( μ k 2 R t h / B k + λ e ) γ e d γ e = 1 μ k 2 R t h / B k + λ e .
Thus, we have
I 2 = λ e e μ k ( 2 R t h / B k 1 ) μ k 2 R t h / B k + λ e .
Combining the items, we obtain
S O P = I 1 I 2 = 1 λ e e μ k ( 2 R t h / B k 1 ) μ k 2 R t h / B k + λ e .
Substitute μ k = λ k N 0 B k P , we derive the SOP as
S O P = 1 λ e λ k N 0 B k P 2 R t h / B k + λ e e λ k N 0 B k P ( 2 R t h / B k 1 ) .
This completes the derivation of the closed-form SOP expression.    □

5. Transmission Security Performance Optimization

5.1. Secure Model Accuracy (SMA) Metric

To jointly optimize transmission security and model accuracy, we propose the Secure Model Accuracy (SMA) metric, defined as the product of successful secure transmission probability and model recognition accuracy, which is given by
S M A = ( 1 S O P ) × ( 1 Ψ k ) ,
where Ψ k = a S k b .
The proposed SMA metric in (22) jointly captures the effects of model size S k , bandwidth allocation B k , and physical layer security on the overall system performance. In our system model, the model transmission rate is defined as R k = S k / T k , where T k is the target transmission delay. This rate requirement directly corresponds to the target secrecy rate R th in the SOP analysis of Section 4 (i.e., R th = R k ). Intuitively, a larger S k improves recognition accuracy by reducing Ψ k because more parameters enable better semantic representation; however, it also increases R th , which raises the term 2 R th / B k in the SOP expression and thereby increases the outage probability under fixed B k and channel conditions. Similarly, increasing B k reduces the transmission time and lowers SOP by improving the legitimate channel’s effective secrecy capacity, but the total available bandwidth is limited and must be shared among all users. From a security perspective, the secrecy capacity depends on the SNR gap between the legitimate user and the eavesdropper. A larger S k without sufficient B k may cause the transmission time to exceed the target delay threshold, resulting in higher SOP, while allocating more B k to a smaller model can improve security but may underutilize the accuracy potential of larger models. Therefore, SMA reflects the fundamental tradeoff: S k enhances semantic accuracy but risks security when bandwidth is constrained, while B k mitigates security risks but competes with other users for resources. By analyzing SMA under varying S k and B k , we can observe the dynamic interplay between model accuracy and physical layer security in multi-user edge intelligence systems.
Thus the optimization problem can be formulated as
max { Ψ k , B k } k = 1 K S M A k .
We can see from the above problem that SMA is influenced by only two parameters: (i) the error rate based on model selection Ψ k and (ii) bandwidth allocation B k and channel state  γ k .
Thus, we can decompose the problem into two tractable subproblems as follows: (1) Optimal Model Selection Optimization: For fixed bandwidth allocation B k and channel state γ k , select the model with the smallest Ψ k to maximize SMA. (2) Bandwidth Allocation Optimization: For fixed model selection Ψ k , optimize B k to maximize SMA.

5.2. Optimal Model Selection with Fixed Bandwidth

For the fixed bandwidth allocation B k and channel state γ k , the Algorithm 1 proceeds as follows.
Algorithm 1 Optimal model selection for multiple UAVs.
1.
For each UAV k, enumerate all available models to obtain Ψ k .
2.
Calculate SMA for each model:
S M A k = ( 1 S O P k ) × ( 1 Ψ k ) .
3.
Select the model maximizing S M A k .

5.3. Bandwidth Allocation with Fixed Model Selection

With the fixed model selection ( 1 Ψ k ) = θ k , the optimization is transformed as follows:
max B k k = 1 K θ k λ e λ k N 0 B k P 2 R t h / B k + λ e e λ k N 0 B k P 2 R t h / B k 1
s . t . k = 1 K B k B t o t a l , B k 0 , k { 1 , . . . , K } .
Due to the non-convex nature of this problem, we employ successive convex approximation (SCA). By introducing slack variables and decomposing the problem into fractional and exponential components, the optimization process can be solved using convex optimization methods. Specifically, we introduce z k , w k , and u k , making the problem transform into
max B k k = 1 K θ k z k w k ,
where
z k = λ e μ b u k + λ e ,
w k = e μ b ( u k 1 ) ,  
μ b = 2 R t h / B k ,          
u k = 1 + γ e .          

5.3.1. Fractional Component z k Approximation

At iteration point B k ( i ) , we linearize z k using first-order Taylor expansion as
z k z k ( i ) + z k B k B k = B k ( i ) ( B k B k ( i ) ) .
The partial derivative is computed through the following steps:
z k B k =   B k λ e μ b u k + λ e
= λ e ( μ b u k + λ e ) 2 · B k ( μ b u k )    
= λ e ( μ b u k + λ e ) 2 μ b B k u k Term 1 + μ b u k B k Term 2 ,
where Term 1 is given by
μ b B k =   B k λ k N 0 B k P = λ k N 0 P
μ b B k u k = λ k N 0 P u k = μ b u k B k
and Term 2 is given by
u k B k = B k 2 R t h / B k      
          = 2 R t h / B k ln 2 · R t h B k 2        
= μ b R t h ln 2 B k 2  
μ b u k B k = μ b u k R t h ln 2 B k 2 .
Combining both terms yields the final derivative
z k B k = λ e ( μ b u k + λ e ) 2 μ b u k B k μ b u k R t h ln 2 B k 2 .

5.3.2. Exponential Component w k Approximation

Similarly, we approximate w k as
w k w k ( i ) + w k B k B k = B k ( i ) ( B k B k ( i ) ) ,
with the derivative
w k B k = w k λ b N 0 P ( u k ( i ) 1 ) μ b ( i ) u k ( i ) R t h ln 2 ( B k ( i ) ) 2 .

5.4. Convex Optimization Solution

Through the convex approximation of z k and w k , all constraints in the SMA objective function are transformed into convex constraints. Consequently, the bandwidth allocation optimization problem can be efficiently solved using convex optimization methods, as shown in Algorithm 2.
The complete solution is achieved through alternating optimization between the two subproblems as follow (Algorithm 3).
Algorithm 2 Bandwidth allocation optimization (subproblem 2).
1.
Initialize bandwidth allocation B k ( 0 ) for all users k
2.
For each iteration i until convergence,
  • Compute Taylor approximations for z k and w k at B k ( i ) ;
  • Solve the convex approximation problem:
    max B k k = 1 K θ k z k ( i ) + z k B k Δ B k w k ( i ) + w k B k Δ B k .
  • Update B k ( i + 1 ) = B k ( i ) + Δ B k ;
Algorithm 3 Joint optimization algorithm.
1.
Initialize model selection and bandwidth allocation
2.
Repeat until convergence:
  • Fix bandwidth, optimize model selection (Algorithm 1);
  • Fix models, optimize bandwidth (Algorithm 2);
3.
Return optimal model–bandwidth pairs.

5.5. Computational Complexity Analysis

The computational efficiency of the proposed optimization framework can be determined through careful analysis of its constituent components [13,14]. We first examine the model selection subproblem (Algorithm 1), whose computational burden scales linearly with both the number of users K and available models N, yielding a complexity of O ( K · N ) . This favorable scaling stems from the need to evaluate each model option for every user in the system.
The bandwidth allocation subproblem (Algorithm 2) presents greater computational challenges due to its iterative convex optimization nature [15,16]. The overall complexity can be expressed as O ( 15 · K 3 + 100 · K ) , involving 15 outer iterations and an average of 100 line search steps. The cubic term 15 · K 3 dominates this expression, reflecting the computational cost of solving the convex approximation problem using interior-point methods.
When considering the complete joint optimization procedure (Algorithm 3), the complexity combines both subproblems through an alternating optimization framework [17]. The total computational burden becomes O ( 8 · [ K · N + 15 · K 3 + 100 · K ] ) , where a coefficient of 8 represents the number of alternating iterations between model selection and bandwidth allocation. In practical deployment scenarios, the bandwidth allocation subproblem typically governs the overall computational requirements due to its polynomial scaling with the number of users.
Implementation observations demonstrate that the algorithm exhibits robust convergence characteristics in real-world conditions [13,14,15]. Typical operation requires 5–10 alternating iterations, with each bandwidth allocation subproblem converging within 10–20 convex optimization iterations. The line search component generally completes in 3–5 steps per outer iteration. These characteristics enable real-time operation (under 100 ms latency) on modern edge servers equipped with 8-core processors, supporting systems with up to 20 users and 10 model options. Although the theoretical polynomial complexity is higher than some alternatives, it remains manageable for practical edge computing deployments due to these favorable convergence properties and the parallelizable nature of the computations [16,17].
Table 1 summarizes conservative, order-of-magnitude estimates for three representative deployment scenarios.
For reproducibility, we clarify the implementation details of alternating optimization. The bandwidth allocation subproblem (Algorithm 2) is initialized with an equal bandwidth share B k = B total / K for all users. The model selection subproblem (Algorithm 1) starts from the largest available model size to exploit potential accuracy gains. The convergence criterion is set as the maximum relative change in SMA across iterations falling below 10 4 .

6. Simulation Analysis

To validate the proposed framework, as shown in Table 2, we conduct comprehensive simulations using the following parameters: K = 10 IoT devices, M = { M 1 , M 2 , M 3 } models with error rates = { 0.1 , 0.125 , 0.15 , 0.3 , 0.45 } , B total = 20–100 MHz, P = 50 W, N 0 = 10 7 W/Hz, and λ k = { 1.5 , 1.2 , 0.8 , 1.0 } for legitimate channels. The eavesdropper channel strength λ e varies from 0.1 to 1.5. We compare Algorithm 3 against three benchmarks: (i) fixed error rate models ( Ψ = 0.1 , 0.125 , 0.15 , 0.3 , 0.45 ), (ii) sum-rate maximization, and (iii) SOP minimization.

6.1. Results

Figure 2 plots SMA versus the noise power spectral density N 0 . As N 0 increases, the signal-to-noise ratio (SNR = P / ( N 0 B ) ) at the legitimate receiver decreases, reducing the channel’s capacity. Consequently, all schemes show a decline in SMA. Algorithm 3 consistently achieves the highest SMA, outperforming the fixed error-rate models, the Max-Sum-Rate scheme, and the Min-SOP scheme. Fixed- Ψ models remain relatively flat since they do not adapt to changing SNRs. The Max-Sum-Rate and Min-SOP schemes degrade more under noise due to their single-objective focus. Algorithm 3 dynamically allocates resources under secrecy constraints to preserve classification accuracy, resulting in significantly better performance.
Figure 3 shows SMA versus the total transmit power P total . According to Shannon’s capacity, increasing P total improves SNR and reliability. All schemes show increased SMA, but Algorithm 3 exhibits the steepest rise. It outperforms other baselines by intelligently using additional power to improve classification while maintaining secrecy. Other schemes fail to exploit higher power as effectively.
In Figure 4, SMA is plotted against the eavesdropper’s channel gain λ e . As derived previously, a higher λ e value leads to a lower SOP. All schemes experience increased SMA as λ e increases. Algorithm 3 maintains higher metrics than all others. This is because it adjusts its strategy to maintain reliability under tighter secrecy constraints. Fixed- Ψ models, lacking such adaptation, suffer more accuracy loss. The Max-Sum-Rate and Min-SOP schemes are unable to balance secrecy and throughput as effectively.
Figure 5 shows SMA versus total bandwidth B total . With fixed power, increasing bandwidth reduces the SNR per Hz due to increased noise power ( N 0 B ). As a result, all schemes experience lower SMA. Algorithm 3’s accuracy drops more gently, maintaining superiority across the range. It adapts to bandwidth-induced noise by focusing on the most efficient sub-bands, whereas the others either spread power too thin or sacrifice throughput for secrecy.
Figure 6, Figure 7, Figure 8 and Figure 9 jointly plot SMA and the secrecy outage probability versus various system parameters. In Figure 6, as P total increases, Algorithm 3 achieves the highest SMA and nearly the lowest SOP. In contrast, the Min-SOP scheme reduces SOP more but severely sacrifices SMA. Algorithm 3 balances these objectives better than the others.
In Figure 7, as bandwidth increases, Algorithm 3 still preserves a better SMA–SOP tradeoff. Higher bandwidth leads to lower SNRs, raising SOP and lowering accuracy. Algorithm 3 adapts through selective power use and subband prioritization, while Min-SOP limits SMA too aggressively.
Figure 8 demonstrates the effect of increasing N 0 . All schemes see rising SOP and falling SMA. However, Algorithm 3 maintains a good balance, with higher SMA and moderate SOP, while the Min-SOP scheme achieves lower SMA.
Finally, Figure 9 shows that as λ e grows, all SMAs rise. Yet, Algorithm 3 achieves the best accuracy and near-optimal SOP, whereas the Min-SOP scheme ensures secrecy but loses accuracy.
In all cases, Algorithm 3’s joint optimization achieves superior SMA by dynamically balancing throughput and secrecy. It adapts to system conditions like power, noise, and bandwidth, unlike the fixed- or single-objective benchmarks. These results validate Algorithm 3’s ability to consistently find the optimal tradeoff between classification accuracy and secrecy.

6.2. Practical Implementation Feasibility

Regarding communication constraints, the proposed scheme only requires model parameter transmission once per task period, with incremental updates possible for further bandwidth savings. In real UAV networks, the wireless link bandwidth B k may fluctuate due to mobility, interference, or environmental conditions. SMA-based optimization inherently adapts to such fluctuations because bandwidth allocation is recomputed in each optimization cycle based on the current channel state information (CSI). Furthermore, the optimization framework can be integrated with link adaptation mechanisms (e.g., adaptive modulation and coding) to mitigate the effect of short-term bandwidth drops.
Additionally, from an energy and hardware perspective, UAVs can offload the optimization computations entirely to edge servers, leaving only lightweight CSI measurement and model identification tasks onboard. This ensures that even resource-constrained UAVs can participate in the system without violating their onboard power budgets. Overall, the computational tractability, adaptability to bandwidth variability, and low onboard resource requirements suggest that the proposed scheme is feasible for near-term deployment in UAV-assisted secure semantic communication systems.

7. Discussion

While the proposed framework demonstrates significant advantages in jointly optimizing model recognition accuracy and physical layer security in UAV-assisted AIoT systems, several limitations should be acknowledged.
First, the current study assumes perfect channel state information (CSI) at the edge server for both legitimate users and potential eavesdroppers. In practical deployments, CSI estimation errors and feedback delays are inevitable, which may degrade the optimization performance. Incorporating robust optimization techniques to mitigate imperfect CSI remains an important direction for future work.
Second, the system model considers a single-task transmission scenario where one trained AI model is delivered to multiple UAVs. In real-world applications, multiple heterogeneous tasks may coexist, each with different latency, accuracy, and security requirements. Extending the framework to multi-task or multi-priority scenarios could enhance its applicability in complex AIoT environments.
Finally, the proposed optimization method focuses on downlink model transmission without considering the computational heterogeneity and battery limitations of UAVs. Although UAVs in our framework can offload optimization computation to edge servers, future research could integrate energy-aware resource allocation and heterogeneous device capabilities into the optimization problem to improve sustainability and fairness.
By addressing these limitations, the proposed framework could be further extended to support more realistic, large-scale, and heterogeneous AIoT deployments, thereby advancing the development of trustworthy edge intelligence in next-generation networks.

8. Conclusions

This study has established a novel framework for physical layer secure transmission in UAV-assisted AIoT systems through three key innovations: First, the closed-form SOP derivation provides theoretical guarantees for secrecy performance under Rayleigh fading channels. Second, the SMA metric fundamentally reconciles the traditionally competing objectives of model recognition accuracy and transmission security. Third, our alternating optimization algorithm dynamically selects optimal model–bandwidth pairs while adapting to channel conditions and eavesdropper capabilities. Extensive simulations demonstrate that the proposed framework achieves significant performance gains compared to fixed-model selection schemes under varying noise conditions. The optimal power utilization of the algorithm allows us to convert additional transmit power into accuracy gains while maintaining security constraints.
Future research will extend the framework to more complex and realistic AIoT scenarios, such as federated learning with heterogeneous devices and dynamic task arrivals, aiming for adaptive and robust optimization in both spatial and temporal dimensions.

Author Contributions

Conceptualization, T.L. and X.F.; Methodology, H.L., M.L. and X.F.; Validation, Y.L.; Formal analysis, T.L. and X.F.; Investigation, H.L., T.L. and X.F.; Writing—original draft, M.L. and Y.L.; Writing—review & editing, H.L. and X.F.; Supervision, H.L., R.L. and X.F.; Project administration, H.L., R.L. and X.F.; Funding acquisition, H.L. and X.F. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported by the National Natural Science Foundation of China (Grant No. 62302332, 62502036), the Natural Science Foundation of the Jiangsu Higher Education Institutions of China (Grant No. 23KJB510033), the China Postdoctoral Science Foundation under Grant 2024M750199, and the Fundamental Research Funds for the Central Universities (Grant No. BLX202360, QNTD202504).

Data Availability Statement

The original contributions presented in this study are included in the article. Further inquiries can be directed to the corresponding author.

Conflicts of Interest

Author Runlei Li was employed by the company China Academy of Railway Sciences Corporation Limited. The remaining authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.

References

  1. Wang, Y.; Han, S.; Xu, X.; Rui, M.; Liang, H.; Chen, D.; Zhang, P. Intellicise model transmission for semantic communication in intelligence-native 6G networks. China Commun. 2024, 21, 95–112. [Google Scholar] [CrossRef]
  2. Han, S.; Zhang, W.; Xu, X.; Wang, B.; Sun, M.; Tao, X.; Zhang, P. S2E-DECI: Secrecy and Energy-Efficient Dual-Aware Device-Edge Co-Inference for AIoT. IEEE Internet Things J. 2024, 11, 39142–39157. [Google Scholar] [CrossRef]
  3. Jia, S.; Wang, R.; Lou, Y.; Wang, N.; Zhang, D.; Singh, K.; Mumtaz, S. Secrecy performance analysis of UAV-assisted ambient backscatter communications with jamming. IEEE Trans. Wirel. Commun. 2024, 23, 18111–18125. [Google Scholar] [CrossRef]
  4. Qiu, X.; Yu, J.; Zhuang, W.; Li, G.; Sun, X. Channel prediction-based security authentication for artificial intelligence of things. Sensors 2023, 23, 6711. [Google Scholar] [CrossRef] [PubMed]
  5. Wang, H.; Zhu, Q.; Hu, H.; Li, Y.; Miao, X.; Xu, M. Physical Unclonable Function in Spiking Neural Network Based on in-Te Ovonic Threshold Switching Devices. In Proceedings of the 2025 9th IEEE Electron Devices Technology & Manufacturing Conference (EDTM), Hong Kong, China, 9–12 March 2025; pp. 1–3. [Google Scholar]
  6. Zhang, Y.; Zhao, S.; Shen, Y.; Jiang, X.; Shiratori, N. Enhancing the physical layer security of two-way relay systems with RIS and beamforming. IEEE Trans. Inf. Forensics Secur. 2024, 19, 5696–5711. [Google Scholar] [CrossRef]
  7. Hema, P.P.; Babu, A.V. Full-duplex jamming for physical layer security improvement in NOMA-enabled overlay cognitive radio networks. Secur. Priv. 2024, 7, e371. [Google Scholar] [CrossRef]
  8. Khalid, W.; Rehman, M.A.U.; Van Chien, T.; Kaleem, Z.; Lee, H.; Yu, H. Reconfigurable intelligent surface for physical layer security in 6G-IoT: Designs, issues, and advances. IEEE Internet Things J. 2023, 11, 3599–3613. [Google Scholar] [CrossRef]
  9. Qiu, B.; Cheng, W.; Zhang, W. Joint information and jamming beamforming for securing IoT networks with ratesplitting. IEEE Internet Things J. 2023, 11, 6338–6351. [Google Scholar] [CrossRef]
  10. Wang, S.; Wu, Y.C.; Xia, M.; Wang, R.; Poor, H.V. Machine intelligence at the edge with learning centric power allocation. IEEE Trans. Wirel. Commun. 2020, 19, 7293–7308. [Google Scholar] [CrossRef]
  11. Krizhevsky, A.; Hinton, G. Learning Multiple Layers of Features from Tiny Images. In Handbook of Systemic Autoimmune Diseases; University of Toronto: Toronto, ON, Canada, 2009; Volume 1. [Google Scholar]
  12. Jin, L.; Xu, X.; Han, S.; Chi, X.; Lv, S.; Zhang, P.; Liu, C. Computation offloading outage probability analysis and min-max fairness optimization in RIS-assisted MEC system. IEEE Trans. Veh. Technol. 2022, 72, 4615–4627. [Google Scholar] [CrossRef]
  13. Boyd, S.; Vandenberghe, L. Convex Optimization; Cambridge University Press: Cambridge, UK, 2004. [Google Scholar]
  14. Gondzio, J. Interior point methods 25 years later. Eur. J. Oper. Res. 2012, 218, 587–601. [Google Scholar] [CrossRef]
  15. Nesterov, Y.E.; Todd, M.J. Self-scaled barriers and interior-point methods for convex programming. Math. Oper. Res. 1997, 22, 1–42. [Google Scholar] [CrossRef]
  16. Wright, S.J. Primal-Dual Interior-Point Methods; Society for Industrial and Applied Mathematics: Philadelphia, PA, USA, 1997. [Google Scholar]
  17. Beck, A.; Teboulle, M. A fast iterative shrinkage-thresholding algorithm for linear inverse problems. SIAM J. Imaging Sci. 2009, 2, 183–202. [Google Scholar] [CrossRef]
Figure 1. System model of edge-assisted AIoT communication with an eavesdropper.
Figure 1. System model of edge-assisted AIoT communication with an eavesdropper.
Electronics 14 03450 g001
Figure 2. Noise power spectral density ( N 0 ) sensitivity analysis.
Figure 2. Noise power spectral density ( N 0 ) sensitivity analysis.
Electronics 14 03450 g002
Figure 3. Transmit power ( P total ) impact on system performance.
Figure 3. Transmit power ( P total ) impact on system performance.
Electronics 14 03450 g003
Figure 4. Impact of eavesdropper channel strength ( λ e ) on SMA.
Figure 4. Impact of eavesdropper channel strength ( λ e ) on SMA.
Electronics 14 03450 g004
Figure 5. SMA vs. total bandwidth ( B total ).
Figure 5. SMA vs. total bandwidth ( B total ).
Electronics 14 03450 g005
Figure 6. Transmit power impact on SMA and SOP.
Figure 6. Transmit power impact on SMA and SOP.
Electronics 14 03450 g006
Figure 7. Bandwidth impact on SMA and SOP.
Figure 7. Bandwidth impact on SMA and SOP.
Electronics 14 03450 g007
Figure 8. Noise impact on SMA and SOP.
Figure 8. Noise impact on SMA and SOP.
Electronics 14 03450 g008
Figure 9. Eavesdropper strength impact on SMA and SOP.
Figure 9. Eavesdropper strength impact on SMA and SOP.
Electronics 14 03450 g009
Table 1. Runtime and peak memory for representative deployment scenarios (order-of-magnitude estimates).
Table 1. Runtime and peak memory for representative deployment scenarios (order-of-magnitude estimates).
ScenarioKNAvg. Runtime (ms)Peak Memory (MB)
Small530.024127.5
Medium1050.161175.0
Large20101.222350.0
Table 2. Simulation parameters.
Table 2. Simulation parameters.
ParameterValue
Number of UAVs (K)10
UAV channel strengths ( λ k ){1.5, 1.2, 0.8, 1.0}
Eavesdropper strength range ( λ e )0.1–1.5
Total bandwidth range ( B total )20–100 MHz
Transmit power (P)50 W
Noise power ( N 0 ) 10 7 W/Hz
Model error rates ( Ψ ){0.1, 0.125, 0.15, 0.3, 0.45}
Security rate threshold ( R t h )2.0 bps/Hz
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Li, H.; Li, M.; Lin, Y.; Li, T.; Li, R.; Fan, X. Physical Layer Secure Transmission of AI Models in UAV-Enabled Edge AIoT. Electronics 2025, 14, 3450. https://doi.org/10.3390/electronics14173450

AMA Style

Li H, Li M, Lin Y, Li T, Li R, Fan X. Physical Layer Secure Transmission of AI Models in UAV-Enabled Edge AIoT. Electronics. 2025; 14(17):3450. https://doi.org/10.3390/electronics14173450

Chicago/Turabian Style

Li, Hui, Mingxuan Li, Yiming Lin, Tianshun Li, Runlei Li, and Xin Fan. 2025. "Physical Layer Secure Transmission of AI Models in UAV-Enabled Edge AIoT" Electronics 14, no. 17: 3450. https://doi.org/10.3390/electronics14173450

APA Style

Li, H., Li, M., Lin, Y., Li, T., Li, R., & Fan, X. (2025). Physical Layer Secure Transmission of AI Models in UAV-Enabled Edge AIoT. Electronics, 14(17), 3450. https://doi.org/10.3390/electronics14173450

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop