Large Language Model (LLM) chatbots increasingly run at the network edge to reduce latency and cost, but edge deployments expand the attack surface and amplify privacy risk. We present Aegis-Edge, a confidential and attack-resilient serving stack for multilingual LLM inference on untrusted edge nodes. Aegis-Edge combines (i) remote attestation to verify the serving runtime before model and key release, (ii) confidential inference using trusted execution environments with a sealed key–value cache and tenant-scoped encryption, (iii) policy-as-code guardrails for locale-aware PII redaction and tool-use restrictions, and (iv) a lightweight adversarial input filter targeting multilingual prompt-injection and cache-poisoning attempts. We formalize security invariants over the request–response path and show how they compose across edge, gateway, and KMS. Our implementation supports common edge accelerators and multilingual tokenizers. We empirically evaluate security (attack success rate, leakage proxies, integrity violations), privacy (PII detection/retention bounds), and systems overhead (added latency, throughput, energy) under red-team workloads spanning diverse languages and scripts. Results demonstrate that robust privacy and integrity guarantees can be enforced at the edge while maintaining application-level service objectives. We discuss limitations (e.g., side-channels) and pathways for incremental deployment.