Preventing Neural Network Weight Stealing via Network Obfuscation

Szentannai, Kálmán; Al-Afandi, Jalal; Horváth, András

doi:10.1007/978-3-030-52243-8_1

Cited by 5 publications

(9 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…During the verification phase, watermark can be taken out a marking layer's weight. With the aim of being robust and not impacting accuracy, the RIGA watermarking with competitive training strategy for white-box scenarios [24]. Fig.…”

Section: Evaluation Of Dnn Ip Protection Methodsmentioning

confidence: 99%

Artificial Intelligence in Intellectual Property Protection: Application of Deep Learning Model

Pattnayak,

Das,

Mohanty

et al. 2024

EAI Endorsed Trans IoT

View full text Add to dashboard Cite

To create and train a deep learning model costs a lot in comparison to ascertain a trained model. So, a trained model is considered as the intellectual property (IP) of the person who creates such model. However, there is every chance of illegal copying, redistributing and abusing of any of these high-performance models by the malicious users. To protect against such menaces, a few numbers of deep neural networks (DNN) IP security techniques have been developed recently. The present study aims at examining the existing DNN IP security activities. In the first instance, there is a proposal of taxonomy in favor of DNN IP protection techniques from the perspective of six aspects such as scenario, method, size, category, function, and target models. Afterwards, this paper focuses on the challenges faced by these methods and their capability of resisting the malicious attacks at different levels by providing proactive protection. An analysis is also made regarding the potential threats to DNN IP security techniques from various perspectives like modification of models, evasion and active attacks. Apart from that this paper look into the methodical assessment. The study explores the future research possibilities on DNN IP security by considering different challenges it would confront in the process of its operations. Result Statement: A high-performance deep neural Networks (DNN) model is costlier than the trained DNN model. It is considered as an intellectual property (IP) of the person who is responsible for creating DNN model. The infringement of the Intellectual Property of DNN model is a grave concern in recent years. This article summarizes current DNN IP security works by focusing on the limitations/ challenges they confront. It also considers the model in question's capacity for protection and resistance against various stages of attacks.

show abstract

Section: Evaluation Of Dnn Ip Protection Methodsmentioning

confidence: 99%

Artificial Intelligence in Intellectual Property Protection: Application of Deep Learning Model

Pattnayak,

Das,

Mohanty

et al. 2024

EAI Endorsed Trans IoT

View full text Add to dashboard Cite

show abstract

“…Existing model defense methods can be categorized into two different groups: (1) defend against query-based attacks, and (2) defend against side-channel attacks. For defending against querybased attacks, some studies [21,29,31,41,42,51] propose different strategies to degenerate the effectiveness of query-based model extraction. While other studies [41,42,51] propose methods to train a simulating model, which has similar performance to the original model, but is more resilient to query-based attacks.…”

Section: Existing Model Parsing and Defensesmentioning

confidence: 99%

“…For defending against querybased attacks, some studies [21,29,31,41,42,51] propose different strategies to degenerate the effectiveness of query-based model extraction. While other studies [41,42,51] propose methods to train a simulating model, which has similar performance to the original model, but is more resilient to query-based attacks. For securing 1 https://www.tensorflow.org/lite/convert/index 2 https://google.github.io/flatbuffers/ 3 schema file (The link is too long to display) the AI model at the side-channel level, a recent work modifies the CPU and Memory costs to resist the model extraction attacks [25].…”

Section: Existing Model Parsing and Defensesmentioning

confidence: 99%

ModelObfuscator: Obfuscating Model Information to Protect Deployed ML-Based Systems

Zhou

Gao

et al. 2023

Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis

View full text Add to dashboard Cite

More and more edge devices and mobile apps are leveraging deep learning (DL) capabilities. Deploying such models on devices -referred to as on-device models -rather than as remote cloud-hosted services, has gained popularity because it avoids transmitting user's data off of the device and achieves high response time. However, on-device models can be easily attacked, as they can be accessed by unpacking corresponding apps and the model is fully exposed to attackers. Recent studies show that attackers can easily generate white-box-like attacks for an on-device model or even inverse its training data. To protect on-device models from white-box attacks, we propose a novel technique called model obfuscation. Specifically, model obfuscation hides and obfuscates the key information -structure, parameters and attributes -of models by renaming, parameter encapsulation, neural structure obfuscation obfuscation, shortcut injection, and extra layer injection. We have developed a prototype tool ModelObfuscator to automatically obfuscate on-device TFLite models. Our experiments show that this proposed approach can dramatically improve model security by significantly increasing the difficulty of parsing models' inner information, without increasing the latency of DL models. Our proposed on-device model obfuscation has the potential to be a fundamental technique for ondevice model deployment. Our prototype tool is publicly available at https://github.com/zhoumingyi/ModelObfuscator.

show abstract

“…Table 6 displays a proposed taxonomy and classifies defence approaches. [48,[101][102][103] An important distinction between defences is on the mode and goal: reactive, i.e. detection of an (ongoing or past) attack, or pro-active, i.e.…”

Section: Defences Against Model Stealingmentioning

confidence: 99%

“…Szentannai et al [103] implemented a defence for NNs with fully connected layers. The authors proposed to transform a model into a functionally equivalent model, but with so-called sensitive weights, which make the model less robust and thus functionality stealing more difficult.…”

Section: Data Perturbationmentioning

confidence: 99%

I Know What You Trained Last Summer: A Survey on Stealing Machine Learning Models and Defences

Oliynyk¹,

Mayer²,

Rauber³

2022

Preprint

View full text Add to dashboard Cite

Machine Learning-as-a-Service (MLaaS) has become a widespread paradigm, making even the most complex machine learning models available for clients via e.g. a pay-per-query principle. This allows users to avoid time-consuming processes of data collection, hyperparameter tuning, and model training. However, by giving their customers access to the (predictions of their) models, MLaaS providers endanger their intellectual property, such as sensitive training data, optimised hyperparameters, or learned model parameters.Adversaries can create a copy of the model with (almost) identical behavior using the the prediction labels only. While many variants of this attack have been described, only scattered defence strategies have been proposed, addressing isolated threats. This raises the necessity for a thorough systematisation of the field of model stealing, to arrive at a comprehensive understanding why these attacks are successful, and how they could be holistically defended against. We address this by categorising and comparing model stealing attacks, assessing their performance, and exploring corresponding defence techniques in different settings. We propose a taxonomy for attack and defence approaches, and provide guidelines on how to select the right attack or defence strategy based on the goal and available resources. Finally, we analyse which defences are rendered less effective by current attack strategies.CCS Concepts: • Security and privacy → Vulnerability management; • Computing methodologies → Machine learning.

show abstract

Preventing Neural Network Weight Stealing via Network Obfuscation

Cited by 5 publications

References 2 publications

Artificial Intelligence in Intellectual Property Protection: Application of Deep Learning Model

Artificial Intelligence in Intellectual Property Protection: Application of Deep Learning Model

ModelObfuscator: Obfuscating Model Information to Protect Deployed ML-Based Systems

I Know What You Trained Last Summer: A Survey on Stealing Machine Learning Models and Defences

Contact Info

Product

Resources

About