Protecting Deep Neural Network Intellectual Property with Architecture-Agnostic Input Obfuscation

Proceedings of the Great Lakes Symposium on VLSI 2022 Pub Date : 2022-06-06 DOI:10.1145/3526241.3530386

Brooks Olney, Robert Karam

{"title":"Protecting Deep Neural Network Intellectual Property with Architecture-Agnostic Input Obfuscation","authors":"Brooks Olney, Robert Karam","doi":"10.1145/3526241.3530386","DOIUrl":null,"url":null,"abstract":"Deep Convolutional Neural Networks (DCNNs) have revolutionized and improved many aspects of modern life. However, these models are increasingly more complex, and training them to perform at desirable levels is difficult undertaking; hence, the trained parameters represent a valuable intellectual property (IP) asset which a motivated attacker may wish to steal. To better protect the IP, we propose a method of lightweight input obfuscation that is undone prior to inference, where input data is obfuscated in order to use the model to specification. Without using the correct key and unlocking sequence, the accuracy of the classifier is reduced to a random guess, thus protecting the input/output interface and mitigating model extraction attacks which rely on such access. We evaluate the system using a VGG-16 network trained on CIFAR-10, and demonstrate that with an incorrect deobfuscation key or sequence, the classification accuracy drops to a random guess, with an inference timing overhead of 4.4% on an Nvidia-based evaluation platform. The system avoids the costs associated with retraining and has no impact on model accuracy for authorized users.","PeriodicalId":188228,"journal":{"name":"Proceedings of the Great Lakes Symposium on VLSI 2022","volume":"14 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the Great Lakes Symposium on VLSI 2022","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3526241.3530386","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

Deep Convolutional Neural Networks (DCNNs) have revolutionized and improved many aspects of modern life. However, these models are increasingly more complex, and training them to perform at desirable levels is difficult undertaking; hence, the trained parameters represent a valuable intellectual property (IP) asset which a motivated attacker may wish to steal. To better protect the IP, we propose a method of lightweight input obfuscation that is undone prior to inference, where input data is obfuscated in order to use the model to specification. Without using the correct key and unlocking sequence, the accuracy of the classifier is reduced to a random guess, thus protecting the input/output interface and mitigating model extraction attacks which rely on such access. We evaluate the system using a VGG-16 network trained on CIFAR-10, and demonstrate that with an incorrect deobfuscation key or sequence, the classification accuracy drops to a random guess, with an inference timing overhead of 4.4% on an Nvidia-based evaluation platform. The system avoids the costs associated with retraining and has no impact on model accuracy for authorized users.

查看原文本刊更多论文

基于结构不可知输入混淆的深度神经网络知识产权保护

深度卷积神经网络(DCNNs)已经彻底改变和改善了现代生活的许多方面。然而，这些模型越来越复杂，训练它们达到理想的水平是一项艰巨的任务;因此，训练参数代表有价值的知识产权(IP)资产，有动机的攻击者可能希望窃取这些资产。为了更好地保护IP，我们提出了一种轻量级输入混淆的方法，该方法在推理之前撤消，其中输入数据被混淆以便使用模型来规范。在不使用正确的密钥和解锁顺序的情况下，分类器的准确性降低到随机猜测，从而保护了输入/输出接口，减轻了依赖于这种访问的模型提取攻击。我们使用在CIFAR-10上训练的VGG-16网络对系统进行了评估，并证明在错误的解混淆密钥或序列下，分类精度下降到随机猜测，在基于nvidia的评估平台上，推理时间开销为4.4%。该系统避免了与再培训相关的成本，并且对授权用户的模型准确性没有影响。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the Great Lakes Symposium on VLSI 2022

自引率

0.00%

发文量