Transforming large deep neural network (DNN) models into the multi-exit architectures can overcome the overthinking issue and distribute a large DNN model on resource-constrained scenarios (e.g. IoT frontend devices and backend servers) for inference and transmission efficiency. Nevertheless, intellectual property (IP) protection for the multi-exit models in the wild is still an unsolved challenge. Previous efforts to verify DNN model ownership mainly rely on querying the model with specific samples and checking the responses, e.g., DNN watermarking and fingerprinting. However, they are vulnerable to adversarial settings such as adversarial training and are not suitable for the IP verification for multi-exit DNN models. In this paper, we propose a novel approach to fingerprint multi-exit models via inference time rather than inference predictions. Specifically, we design an effective method to generate a set of fingerprint samples to craft the inference process with a unique and robust inference time cost as the evidence for model ownership. We conduct extensive experiments to prove the uniqueness and robustness of our method on three structures (ResNet-56, VGG-16, and MobileNet) and three datasets (CIFAR-10, CIFAR-100, and Tiny-ImageNet) under comprehensive adversarial settings.
翻译:将大型深神经网络(DNN)模型转换为多输出结构,可以克服过度思考问题,并分发关于资源限制情景(例如IoT前端装置和后端服务器)的大型DNN模型,以便进行推断和传输效率。然而,对野生多输出模型的知识产权保护仍然是一个尚未解决的挑战。以前核查DNN模型所有权的努力主要依靠以具体样本查询模型并检查答复,例如DNN水标记和指纹等。然而,它们容易受到对抗性培训等对抗性环境的伤害,不适合对多输出DNN模型的IP核查。在本文件中,我们提出一种新的办法,通过推断时间而不是推断预测来鉴别多输出模型。具体地说,我们设计了一套有效的方法来生成一套指纹样本样本样本,以独特而有力的推论时间来绘制推论过程,作为模型所有权的证据。我们进行了广泛的实验,以证明我们三种结构(ResNet-56、IMFAR-10和IMAFAR三套结构(Res-Net-I)的独特性和坚固性。我们进行了大规模实验以证明我们的方法在三种结构下的独特性和坚固性,CIR-I-NAFARAFAR-100和C-NAFAR-NAFAR-3结构(Res-I)和I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-IATFAR和I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I-I
相关内容
微信扫码咨询专知VIP会员