Since training a deep neural network (DNN) is costly, a well-trained deep model can be regarded as a valuable intellectual property (IP) asset. IP protection for deep models has received increasing attention in recent years. The passport-based method, which replaces normalization layers with passport layers, is one of the few protection solutions claimed to be secure against advanced attacks. In this work, we tackle the issue of evaluating the security of passport-based IP protection methods. We propose a novel and effective ambiguity attack against the passport-based method, capable of successfully forging multiple valid passports with a small training dataset. This is accomplished by inserting a specially designed accessory block ahead of the passport parameters. Using less than 10% of the training data, a model equipped with a forged passport exhibits an almost indistinguishable performance gap (less than 2%) compared with the authorized passport. In addition, we show that our attack strategy can be readily generalized to attack other IP protection methods based on watermark embedding. Directions for potential remedies are also given.
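To make the attacked setting concrete, below is a minimal PyTorch sketch, under my own assumptions rather than the authors' implementation, of a DeepIPR-style passport layer (normalization scale/bias derived from the conv weights and a passport tensor) together with an attacker-side accessory block that maps a forged passport's raw scale/bias to replacement values. The class names (PassportConv, AccessoryBlock), the exact passport formulation, and the MLP design are illustrative; in an actual attack the victim's conv weights would be frozen and only the accessory block trained on the small dataset.

```python
# Hypothetical sketch of a passport layer and an attacker-side accessory block.
# Not the authors' code; layer shapes and the passport formula are assumptions.
import torch
import torch.nn as nn
import torch.nn.functional as F


class PassportConv(nn.Module):
    """Conv + passport layer: the affine scale/bias of the normalization are
    computed from the conv weights and a secret passport (DeepIPR-style)."""

    def __init__(self, c_in, c_out, k, passport):
        super().__init__()
        self.conv = nn.Conv2d(c_in, c_out, k, padding=k // 2, bias=False)
        # passport = (p_gamma, p_beta), each shaped like a batch of inputs [N, c_in, H, W]
        self.register_buffer("p_gamma", passport[0])
        self.register_buffer("p_beta", passport[1])

    def passport_params(self):
        # gamma = avgpool(conv(p_gamma)), beta = avgpool(conv(p_beta))
        g = F.adaptive_avg_pool2d(self.conv(self.p_gamma), 1).flatten(1).mean(0)
        b = F.adaptive_avg_pool2d(self.conv(self.p_beta), 1).flatten(1).mean(0)
        return g, b  # each of shape [c_out]

    def forward(self, x):
        g, b = self.passport_params()
        x = F.instance_norm(self.conv(x))
        return g.view(1, -1, 1, 1) * x + b.view(1, -1, 1, 1)


class AccessoryBlock(nn.Module):
    """Attacker-side block inserted ahead of the passport parameters: it turns
    the scale/bias produced by a forged passport into replacement values."""

    def __init__(self, c_out, hidden=64):
        super().__init__()
        self.mlp = nn.Sequential(
            nn.Linear(2 * c_out, hidden),
            nn.LeakyReLU(),
            nn.Linear(hidden, 2 * c_out),
        )

    def forward(self, g_forged, b_forged):
        # Concatenate the forged scale/bias, remap them, and split back.
        out = self.mlp(torch.cat([g_forged, b_forged], dim=0))
        return out.chunk(2, dim=0)  # new (gamma, beta)
```

In this sketch, the attacker would substitute a random forged passport into PassportConv, keep the victim's conv weights frozen, and optimize only the AccessoryBlock (and the forged passport, if desired) on the small training subset, so that the remapped scale/bias restore the model's accuracy.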