Fingerprinting deep neural networks - a DeepFool approach

A well-trained deep learning classifier is an expensive piece of intellectual property for the model owner. However, recently proposed model extraction attacks and reverse engineering techniques make model theft possible and allow a deep learning solution of similar quality to be reproduced at low cost. To protect the interests and revenue of the model owner, watermarking of Deep Neural Networks (DNNs) has been proposed. However, the extra components and computations due to the embedded watermark tend to interfere with the model training process and result in an inevitable degradation in classification accuracy. In this paper, we utilize the geometric characteristics inherent in the DeepFool algorithm to extract data points near the classification boundary of the target model for ownership verification. As the fingerprint is extracted after the training process has been completed, the originally achievable classification accuracy is not compromised. This countermeasure is founded on the hypothesis that different models possess different classification boundaries, determined solely by the hyperparameters of the DNN and the training it has undergone. Therefore, given a set of fingerprint data points, a pirated model or its post-processed version will produce similar predictions, but another independently designed and trained DNN for the same task will produce very different predictions even if it has similar or better classification accuracy. The effectiveness of the proposed Intellectual Property (IP) protection method is validated on the CIFAR-10, CIFAR-100 and ImageNet datasets. The results show a detection rate of 100% and a false positive rate of 0% for each dataset. More importantly, the fingerprint extraction and its runtime are both dataset independent. It is on average ∼130× faster than two state-of-the-art fingerprinting methods.

Bibliographic Details
Main Authors: Wang, Si, Chang, Chip Hong
Other Authors: School of Electrical and Electronic Engineering
Format: Conference or Workshop Item
Language:English
Published: 2021
Subjects: Engineering; Training; Deep Learning
Online Access:https://hdl.handle.net/10356/147023
Institution: Nanyang Technological University
Published in: 2021 IEEE International Symposium on Circuits and Systems (ISCAS)
Research Centre: VIRTUS, IC Design Centre of Excellence
Citation: Wang, S. & Chang, C. H. (2021). Fingerprinting deep neural networks - a DeepFool approach. 2021 IEEE International Symposium on Circuits and Systems (ISCAS). https://dx.doi.org/10.1109/ISCAS51556.2021.9401119
DOI: 10.1109/ISCAS51556.2021.9401119
Related dataset: doi:10.21979/N9/ZDWQLI
Funding: National Research Foundation (NRF). This research is supported by the National Research Foundation, Singapore, under its National Cybersecurity Research & Development Programme / Cyber-Hardware Forensic & Assurance Evaluation R&D Programme (Award: CHFA-GC1-AW01).
Rights: © 2021 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. The published version is available at: https://doi.org/10.1109/ISCAS51556.2021.9401119.
Deposited: 2021-08-10
File format: application/pdf
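Worked example of the verification idea the abstract sketches. This is an added illustration, not code from the paper or its authors: hand-set 2-D affine classifiers stand in for the CNNs the paper evaluates (so DeepFool's iterative linearisation converges in one step), the weights, seed inputs and the simulated post-processing of the stolen copy are constructed, and the fingerprint design (a pair of points straddling the owner's nearest boundary, each labelled by the owner) and the 0.9 match-rate threshold are this example's choices, not the paper's.

```python
import math

OVERSHOOT = 0.02  # DeepFool's usual overshoot: makes sure the boundary is actually crossed
MAX_ITER = 50


class LinearModel:
    """Multi-class affine classifier, logit_k(x) = w_k . x + b_k, standing in for a DNN."""

    def __init__(self, W, b):
        self.W, self.b = W, b

    def logits(self, x):
        return [sum(wi * xi for wi, xi in zip(w, x)) + bk for w, bk in zip(self.W, self.b)]

    def predict(self, x):
        f = self.logits(x)
        return max(range(len(f)), key=f.__getitem__)

    def grad(self, x, k):
        """Input-gradient of logit k; constant for an affine model, a backward pass for a DNN."""
        return list(self.W[k])


def deepfool(model, x, overshoot=OVERSHOOT, max_iter=MAX_ITER):
    """Iterative DeepFool: linearise the model at the current point, step to the nearest
    linearised boundary, repeat until the label flips. Returns the total perturbation r."""
    k0 = model.predict(x)
    x_i, r_tot = list(x), [0.0] * len(x)
    for _ in range(max_iter):
        if model.predict(x_i) != k0:
            break
        f, g0 = model.logits(x_i), model.grad(x_i, k0)
        best = None
        for l in range(len(f)):
            if l == k0:
                continue
            w_l = [a - b for a, b in zip(model.grad(x_i, l), g0)]  # gradient of (f_l - f_k0)
            f_l = f[l] - f[k0]                                      # negative while label is k0
            norm = math.sqrt(sum(c * c for c in w_l)) or 1e-12
            if best is None or abs(f_l) / norm < best[0]:
                best = (abs(f_l) / norm, f_l, w_l, norm)
        _, f_l, w_l, norm = best
        r_i = [abs(f_l) / (norm * norm) * c for c in w_l]  # step to the closest boundary
        r_tot = [a + b for a, b in zip(r_tot, r_i)]
        x_i = [a + (1 + overshoot) * b for a, b in zip(x, r_tot)]
    return r_tot


def extract_fingerprint(owner, seeds, margin=OVERSHOOT):
    """Owner side. For each seed, two points that straddle the owner's nearest boundary,
    each labelled by the owner. (Pair design is this example's choice, not the paper's.)"""
    fp = []
    for x in seeds:
        r = deepfool(owner, x)
        inner = [a + (1 - margin) * b for a, b in zip(x, r)]
        outer = [a + (1 + margin) * b for a, b in zip(x, r)]
        li, lo = owner.predict(inner), owner.predict(outer)
        if li != lo:  # keep only pairs that really sit on a boundary
            fp.extend([(inner, li), (outer, lo)])
    return fp


def match_rate(suspect, fingerprint):
    """Verifier side: fraction of fingerprint points on which the suspect repeats the owner's label."""
    return sum(1 for x, label in fingerprint if suspect.predict(x) == label) / len(fingerprint)


def is_pirated(suspect, fingerprint, threshold=0.9):
    return match_rate(suspect, fingerprint) >= threshold


def agreement(model_a, model_b, inputs):
    """Label agreement on ordinary inputs: the 'similar accuracy' that cannot tell the models apart."""
    return sum(1 for x in inputs if model_a.predict(x) == model_b.predict(x)) / len(inputs)


# Constructed toy task: three classes in the plane, seeds well inside each region.
SEEDS = [(1.0, 0.2), (0.3, 1.2), (-1.0, -0.2), (0.9, -0.9), (-0.2, 1.0), (-0.4, -1.0)]
OWNER = LinearModel([[1.0, 0.0], [0.0, 1.0], [-1.0, -1.0]], [0.0, 0.0, 0.0])
# Stolen copy after light post-processing (weights nudged by about 0.1%): boundaries barely move.
PIRATE = LinearModel([[1.002, -0.001], [0.001, 0.998], [-1.001, -0.999]], [0.001, -0.001, 0.0])
# Independently built classifier for the same task: same labels on the seeds, different boundaries.
INDEPENDENT = LinearModel([[1.0, 0.3], [0.2, 1.0], [-1.1, -0.9]], [0.0, 0.0, 0.0])

FINGERPRINT = extract_fingerprint(OWNER, SEEDS)

if __name__ == "__main__":
    for name, m in (("pirate", PIRATE), ("independent", INDEPENDENT)):
        print(f"{name:11s} agreement on seeds={agreement(OWNER, m, SEEDS):.2f} "
              f"fingerprint match={match_rate(m, FINGERPRINT):.2f} pirated={is_pirated(m, FINGERPRINT)}")
```

Both suspects agree with the owner on every seed, so accuracy alone cannot separate them; the fingerprint does. Each pair sits 2% of the DeepFool distance on either side of the owner's boundary, so a copy whose post-processing moves the boundary by less than that margin repeats both labels (match 1.0), whereas a model whose boundary lies anywhere outside that thin sliver can agree with at most one label of each pair (match 0.5 here). The margin therefore trades robustness to post-processing against discriminative power, and a real deployment needs enough seeds that the 0.5 baseline of an unrelated model is far from the decision threshold.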