June 19, 2021



AdvParams: An Active DNN Intellectual Property Protection Technique via Adversarial Perturbation Based Parameter Encryption. (arXiv:2105.13697v1 [cs.CR])

A well-trained DNN model can be regarded as intellectual property (IP) of the model owner. To date, many DNN IP protection methods have been proposed, but most of them are watermarking-based verification methods, with which model owners can only verify their ownership passively after the copyright of a DNN model has already been infringed. In this paper, we propose an effective framework to actively protect DNN IP from infringement. Specifically, we encrypt the DNN model’s parameters by perturbing them with well-crafted adversarial perturbations. With the encrypted parameters, the accuracy of the DNN model drops significantly, which prevents malicious infringers from using the model. After the encryption, the positions of the encrypted parameters and the values of the added adversarial perturbations form a secret key, and authorized users can use this secret key to decrypt the model. Compared with watermarking methods, which only passively verify ownership after an infringement has occurred, the proposed method can prevent infringement in advance. Moreover, compared with most existing active DNN IP protection methods, the proposed method does not require an additional training process for the model, so it introduces low computational overhead. Experimental results show that, after the encryption, the test accuracy of the model drops by 80.65%, 81.16%, and 87.91% on Fashion-MNIST, CIFAR-10, and GTSRB, respectively. Moreover, the proposed method only needs to encrypt an extremely small number of parameters: the proportion of encrypted parameters among all the model’s parameters is as low as 0.000205%. The experimental results also indicate that the proposed method is robust against model fine-tuning attacks and model pruning attacks. Finally, the proposed method is also demonstrated to be robust against an adaptive attack in which the attacker knows the detailed steps of the proposed method.
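To make the encrypt/decrypt cycle described in the abstract concrete, here is an added toy example; it is not the paper's code or experiments. A linear softmax classifier on constructed synthetic data stands in for the DNN, and everything about it is an assumption made for illustration: the data, the model, the selection rule for which weights to encrypt (largest gradient magnitude), and the perturbation procedure (iterative sign-gradient ascent on the loss restricted to the chosen positions, an FGSM/PGD-style step applied to parameters instead of inputs). The key is exactly what the abstract describes, the perturbed positions plus the perturbation values, and decryption is subtraction. The fraction of encrypted parameters here (4 of 24) is a toy figure and nowhere near the 0.000205% the paper reports for real networks.

```python
"""Toy version of adversarial-perturbation parameter encryption.

Constructed example: a linear softmax classifier on synthetic data stands in
for the DNN. The data, the model, the weight-selection rule and the step
sizes are all assumptions made for illustration, not the AdvParams authors'
code or settings.
"""
import numpy as np

N_CLASSES, N_FEATURES = 3, 8


def make_data(n_per_class=200, seed=0):
    """Constructed dataset: three well-separated Gaussian clusters."""
    rng = np.random.default_rng(seed)
    centres = rng.normal(0.0, 3.0, size=(N_CLASSES, N_FEATURES))
    X = np.vstack([c + rng.normal(0.0, 1.0, size=(n_per_class, N_FEATURES))
                   for c in centres])
    y = np.repeat(np.arange(N_CLASSES), n_per_class)
    return X, y


def softmax(z):
    z = z - z.max(axis=1, keepdims=True)   # numerically stable
    e = np.exp(z)
    return e / e.sum(axis=1, keepdims=True)


def forward(W, b, X):
    return softmax(X @ W + b)


def loss_and_grads(W, b, X, y):
    """Mean cross-entropy and its gradients w.r.t. W and b."""
    P = forward(W, b, X)
    n = X.shape[0]
    loss = -np.log(P[np.arange(n), y] + 1e-12).mean()
    dZ = P.copy()
    dZ[np.arange(n), y] -= 1.0
    dZ /= n
    return loss, X.T @ dZ, dZ.sum(axis=0)


def train(X, y, lr=0.02, epochs=300):
    """Plain gradient descent; this is the 'well-trained model' being protected."""
    W = np.zeros((N_FEATURES, N_CLASSES))
    b = np.zeros(N_CLASSES)
    for _ in range(epochs):
        _, dW, db = loss_and_grads(W, b, X, y)
        W -= lr * dW
        b -= lr * db
    return W, b


def accuracy(W, b, X, y):
    return float((forward(W, b, X).argmax(axis=1) == y).mean())


def encrypt(W, b, X, y, n_params=4, steps=60, step=1.0):
    """Encrypt by perturbing a few weights in the loss-increasing direction.

    Assumed selection rule: the n_params weights with the largest gradient
    magnitude. Assumed perturbation: iterative sign-gradient ascent on the
    loss, restricted to those positions. Returns the encrypted weight matrix
    and the secret key: the perturbed positions and the perturbation values.
    """
    _, dW, _ = loss_and_grads(W, b, X, y)
    flat = np.argsort(np.abs(dW).ravel())[::-1][:n_params]
    positions = [tuple(int(i) for i in p)
                 for p in np.array(np.unravel_index(flat, dW.shape)).T]
    W_enc = W.copy()
    delta = np.zeros(n_params)
    for _ in range(steps):
        _, dW, _ = loss_and_grads(W_enc, b, X, y)
        for j, pos in enumerate(positions):
            move = step * np.sign(dW[pos])
            W_enc[pos] += move
            delta[j] += move
    key = {"positions": positions, "perturbations": delta.tolist()}
    return W_enc, key


def decrypt(W_enc, key):
    """Authorized user: subtract the stored perturbations at the stored positions."""
    W = W_enc.copy()
    for pos, d in zip(key["positions"], key["perturbations"]):
        W[pos] -= d
    return W


def demo():
    """Run the whole cycle and report the quantities the abstract talks about."""
    X, y = make_data()
    W, b = train(X, y)
    W_enc, key = encrypt(W, b, X, y)
    W_dec = decrypt(W_enc, key)
    return {
        "clean_acc": accuracy(W, b, X, y),
        "encrypted_acc": accuracy(W_enc, b, X, y),
        "decrypted_acc": accuracy(W_dec, b, X, y),
        "fraction_encrypted": len(key["positions"]) / W.size,
        "weights_restored": bool(np.allclose(W, W_dec)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the three properties the abstract claims in miniature: the clean model classifies the clusters almost perfectly, the encrypted model's accuracy collapses even though only four weights changed, and subtracting the key restores the original weights (and accuracy) without any retraining. Because the loss is convex in the parameters of this toy model, each sign-gradient step is guaranteed to increase it, which is why a handful of coordinates is enough to wreck accuracy; a real DNN is non-convex, and the paper's crafted perturbations are what play this role there.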