Protecting Deep Neural Network Intellectual Property with Architecture-Agnostic Input Obfuscation


Research area: Analysis



Venue: GLSVLSI '22: Proceedings of the Great Lakes Symposium on VLSI 2022


Abstract

Deep Convolutional Neural Networks (DCNNs) have revolutionized and improved many aspects of modern life. However, these models are increasingly complex, and training them to perform at desirable levels is a difficult undertaking; hence, the trained parameters represent a valuable intellectual property (IP) asset which a motivated attacker may wish to steal. To better protect the IP, we propose a lightweight input obfuscation scheme that is undone immediately prior to inference: input data must be obfuscated with the correct key in order to use the model to specification. Without the correct key and unlocking sequence, the accuracy of the classifier is reduced to a random guess, thus protecting the input/output interface and mitigating model extraction attacks which rely on such access. We evaluate the system using a VGG-16 network trained on CIFAR-10, and demonstrate that with an incorrect deobfuscation key or sequence, the classification accuracy drops to a random guess, with an inference timing overhead of 4.4% on an Nvidia-based evaluation platform. The system avoids the costs associated with retraining and has no impact on model accuracy for authorized users.
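The abstract does not spell out the obfuscation itself, so the following is an added illustration (not the paper's code or design) of the behaviour it describes: a flattened input is scrambled under a secret key and an ordered unlocking sequence, the scramble is undone right before the input would reach the model, and a wrong key or a wrong sequence order leaves the input scrambled, which is what pushes a classifier toward random-guess accuracy. The keyed-permutation construction, the integer-list format of the sequence, the 32*32*3 CIFAR-10 layout and the `recovered_fraction` metric are all assumptions of this example.

```python
"""Toy keyed input obfuscation that is undone before inference.

Each element of the unlocking sequence selects a key-dependent permutation of
the flattened input; permutations are applied in sequence order and must be
inverted in reverse order. The permutation derivation, sequence format and
recovery metric are assumptions of this example, not the paper's design.
"""
import hashlib
import hmac
import random

INPUT_LEN = 32 * 32 * 3  # flattened CIFAR-10 image (assumed layout)


def _permutation(key: bytes, step: int, n: int) -> list:
    """Derive a permutation of range(n) from (key, step) via an HMAC-seeded PRNG."""
    seed = hmac.new(key, step.to_bytes(4, "big"), hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    perm = list(range(n))
    rng.shuffle(perm)
    return perm


def _invert(perm: list) -> list:
    """Return the inverse permutation: inv[perm[i]] == i."""
    inv = [0] * len(perm)
    for i, p in enumerate(perm):
        inv[p] = i
    return inv


def obfuscate(x: list, key: bytes, sequence: list) -> list:
    """Scramble a flattened input with one keyed permutation per sequence step."""
    y = list(x)
    for step in sequence:
        perm = _permutation(key, step, len(y))
        y = [y[perm[i]] for i in range(len(y))]
    return y


def deobfuscate(y: list, key: bytes, sequence: list) -> list:
    """Undo obfuscate(); only the correct key AND sequence order restore the input."""
    x = list(y)
    for step in reversed(sequence):
        inv = _invert(_permutation(key, step, len(x)))
        x = [x[inv[i]] for i in range(len(x))]
    return x


def recovered_fraction(x: list, x_hat: list) -> float:
    """Fraction of input positions restored to their original value."""
    return sum(a == b for a, b in zip(x, x_hat)) / len(x)


def demo() -> dict:
    """Constructed example: recovery under the right and wrong unlocking secrets."""
    x = list(range(INPUT_LEN))  # constructed stand-in for a flattened image
    key, seq = b"example-key-00", [3, 1, 4]
    y = obfuscate(x, key, seq)
    return {
        "correct": recovered_fraction(x, deobfuscate(y, key, seq)),
        "wrong_key": recovered_fraction(x, deobfuscate(y, b"example-key-01", seq)),
        "wrong_order": recovered_fraction(x, deobfuscate(y, key, [1, 3, 4])),
        "not_unlocked": recovered_fraction(x, y),
    }


if __name__ == "__main__":
    print(demo())
```

Only the authorized party that holds both the key and the sequence order recovers the input exactly; any other combination restores on the order of 1/INPUT_LEN of the positions, i.e. the model sees noise.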


Authors
Brooks Olney, University of South Florida, Tampa, FL, USA
Robert Karam, University of South Florida, Tampa, FL, USA

Paper information

Publication year: 2022
Citations: 2
Country of publication: United States
Site: ACM