NNSplitter: An Active Defense Solution for DNN Model via Automated Weight Obfuscation

Tong Zhou, Yukui Luo, Shaolei Ren, Xiaolin Xu
Proceedings of the 40th International Conference on Machine Learning, PMLR 202:42614-42624, 2023.

Abstract

As a type of valuable intellectual property (IP), deep neural network (DNN) models have been protected by techniques like watermarking. However, such passive model protection cannot fully prevent model abuse. In this work, we propose an active model IP protection scheme, namely NNSplitter, which actively protects the model by splitting it into two parts: the obfuscated model that performs poorly due to weight obfuscation, and the model secrets consisting of the indexes and original values of the obfuscated weights, which can only be accessed by authorized users with the support of the trusted execution environment. Experimental results demonstrate the effectiveness of NNSplitter, e.g., by only modifying 275 out of over 11 million (i.e., 0.002%) weights, the accuracy of the obfuscated ResNet-18 model on CIFAR-10 can drop to 10%. Moreover, NNSplitter is stealthy and resilient against norm clipping and fine-tuning attacks, making it an appealing solution for DNN model protection. The code is available at: https://github.com/Tongzhou0101/NNSplitter.
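The core mechanism described in the abstract can be illustrated with a small sketch: select a tiny fraction of weights, replace them with obfuscated values, and keep the (index, original value) pairs as the model secrets that only an authorized path (the TEE in the paper) can apply. This is an illustrative sketch only; the actual NNSplitter method uses an automated (reinforcement-learning-based) search to pick which weights to obfuscate and what values to write, whereas here the choices are random. Function names and the NumPy-based structure are assumptions for illustration, not the paper's implementation.

```python
import numpy as np

def split_model(weights, num_obfuscated, rng=None):
    """Split a weight array into an obfuscated copy plus the model secrets
    (indexes and original values of the obfuscated weights).

    Illustrative only: NNSplitter selects weights/values via an automated
    search to maximize accuracy drop; here both are chosen randomly."""
    rng = rng or np.random.default_rng(0)
    flat = weights.flatten()  # flatten() returns a copy, so `weights` is untouched
    idx = rng.choice(flat.size, size=num_obfuscated, replace=False)
    secrets = {"indexes": idx, "values": flat[idx].copy()}  # held by the TEE
    # Overwrite the selected positions with values drawn from a similar range,
    # so the obfuscated weights are not statistical outliers (stealthiness).
    flat[idx] = rng.normal(0.0, flat.std() + 1e-8, size=num_obfuscated)
    return flat.reshape(weights.shape), secrets

def restore_model(obf_weights, secrets):
    """Authorized path: write the original values back at the stored indexes."""
    flat = obf_weights.flatten()
    flat[secrets["indexes"]] = secrets["values"]
    return flat.reshape(obf_weights.shape)
```

An attacker holding only the obfuscated array gets degraded behavior, while an authorized user combines it with the secrets to recover the original weights exactly.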

Cite this Paper


BibTeX
@InProceedings{pmlr-v202-zhou23h,
  title     = {{NNS}plitter: An Active Defense Solution for {DNN} Model via Automated Weight Obfuscation},
  author    = {Zhou, Tong and Luo, Yukui and Ren, Shaolei and Xu, Xiaolin},
  booktitle = {Proceedings of the 40th International Conference on Machine Learning},
  pages     = {42614--42624},
  year      = {2023},
  editor    = {Krause, Andreas and Brunskill, Emma and Cho, Kyunghyun and Engelhardt, Barbara and Sabato, Sivan and Scarlett, Jonathan},
  volume    = {202},
  series    = {Proceedings of Machine Learning Research},
  month     = {23--29 Jul},
  publisher = {PMLR},
  pdf       = {https://proceedings.mlr.press/v202/zhou23h/zhou23h.pdf},
  url       = {https://proceedings.mlr.press/v202/zhou23h.html},
  abstract  = {As a type of valuable intellectual property (IP), deep neural network (DNN) models have been protected by techniques like watermarking. However, such passive model protection cannot fully prevent model abuse. In this work, we propose an active model IP protection scheme, namely NNSplitter, which actively protects the model by splitting it into two parts: the obfuscated model that performs poorly due to weight obfuscation, and the model secrets consisting of the indexes and original values of the obfuscated weights, which can only be accessed by authorized users with the support of the trusted execution environment. Experimental results demonstrate the effectiveness of NNSplitter, e.g., by only modifying 275 out of over 11 million (i.e., 0.002%) weights, the accuracy of the obfuscated ResNet-18 model on CIFAR-10 can drop to 10%. Moreover, NNSplitter is stealthy and resilient against norm clipping and fine-tuning attacks, making it an appealing solution for DNN model protection. The code is available at: https://github.com/Tongzhou0101/NNSplitter.}
}
Endnote
%0 Conference Paper
%T NNSplitter: An Active Defense Solution for DNN Model via Automated Weight Obfuscation
%A Tong Zhou
%A Yukui Luo
%A Shaolei Ren
%A Xiaolin Xu
%B Proceedings of the 40th International Conference on Machine Learning
%C Proceedings of Machine Learning Research
%D 2023
%E Andreas Krause
%E Emma Brunskill
%E Kyunghyun Cho
%E Barbara Engelhardt
%E Sivan Sabato
%E Jonathan Scarlett
%F pmlr-v202-zhou23h
%I PMLR
%P 42614--42624
%U https://proceedings.mlr.press/v202/zhou23h.html
%V 202
%X As a type of valuable intellectual property (IP), deep neural network (DNN) models have been protected by techniques like watermarking. However, such passive model protection cannot fully prevent model abuse. In this work, we propose an active model IP protection scheme, namely NNSplitter, which actively protects the model by splitting it into two parts: the obfuscated model that performs poorly due to weight obfuscation, and the model secrets consisting of the indexes and original values of the obfuscated weights, which can only be accessed by authorized users with the support of the trusted execution environment. Experimental results demonstrate the effectiveness of NNSplitter, e.g., by only modifying 275 out of over 11 million (i.e., 0.002%) weights, the accuracy of the obfuscated ResNet-18 model on CIFAR-10 can drop to 10%. Moreover, NNSplitter is stealthy and resilient against norm clipping and fine-tuning attacks, making it an appealing solution for DNN model protection. The code is available at: https://github.com/Tongzhou0101/NNSplitter.
APA
Zhou, T., Luo, Y., Ren, S. & Xu, X. (2023). NNSplitter: An Active Defense Solution for DNN Model via Automated Weight Obfuscation. Proceedings of the 40th International Conference on Machine Learning, in Proceedings of Machine Learning Research 202:42614-42624. Available from https://proceedings.mlr.press/v202/zhou23h.html.