Passport-aware Normalization for Deep Model Protection

Jie Zhang; Dongdong Chen; Jing Liao; Weiming Zhang; Gang Hua; Nenghai Yu

Passport-aware Normalization for Deep Model Protection

Jie Zhang, Dongdong Chen^*, Jing Liao, Weiming Zhang, Gang Hua, Nenghai Yu

^*Corresponding author for this work

Department of Computer Science

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

70 Citations (Scopus)

Abstract

Despite tremendous success in many application scenarios, deep learning faces serious intellectual property (IP) infringement threats. Considering the cost of designing and training a good model, infringements will significantly infringe the interests of the original model owner. Recently, many impressive works have emerged for deep model IP protection. However, they either are vulnerable to ambiguity attacks, or require changes in the target network structure by replacing its original normalization layers and hence cause significant performance drops. To this end, we propose a new passport-aware normalization formulation, which is generally applicable to most existing normalization layers and only needs to add another passport-aware branch for IP protection. This new branch is jointly trained with the target model but discarded in the inference stage. Therefore it causes no structure change in the target model. Only when the model IP is suspected to be stolen by someone, the private passport-aware branch is added back for ownership verification. Through extensive experiments, we verify its effectiveness in both image and 3D point recognition models. It is demonstrated to be robust not only to common attack techniques like fine-tuning and model compression, but also to ambiguity attacks. By further combining it with trigger-set based methods, both black-box and white-box verification can be achieved for enhanced security of deep learning models deployed in real systems.

Original language	English
Title of host publication	NeurIPS Proceedings
Subtitle of host publication	Advances in Neural Information Processing Systems 33 (NeurIPS 2020)
Editors	H. Larochelle, M. Ranzato, R. Hadsell, M.F. Balcan, H. Lin
Number of pages	10
Volume	33
Publication status	Published - 6 Dec 2020
Event	34th Conference on Neural Information Processing Systems (NeurIPS 2020) - Virtual, Vancouver, Canada Duration: 6 Dec 2020 → 12 Dec 2020 https://nips.cc/Conferences/2020

Conference

Conference	34th Conference on Neural Information Processing Systems (NeurIPS 2020)
Country/Territory	Canada
City	Vancouver
Period	6/12/20 → 12/12/20
Internet address	https://nips.cc/Conferences/2020

Bibliographical note

Research Unit(s) information for this publication is provided by the author(s) concerned.

Access Output

https://nips.cc/virtual/2020/public/poster_ff1418e8cc993fe8abcfe3ce2003e5c5.html

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

Zhang, J., Chen, D., Liao, J., Zhang, W., Hua, G., & Yu, N. (2020). Passport-aware Normalization for Deep Model Protection. In H. Larochelle, M. Ranzato, R. Hadsell, M. F. Balcan, & H. Lin (Eds.), NeurIPS Proceedings: Advances in Neural Information Processing Systems 33 (NeurIPS 2020) (Vol. 33) https://nips.cc/virtual/2020/public/poster_ff1418e8cc993fe8abcfe3ce2003e5c5.html

@inproceedings{5d63f6671dba4c75b5eceee6fa7fff62,

title = "Passport-aware Normalization for Deep Model Protection",

abstract = "Despite tremendous success in many application scenarios, deep learning faces serious intellectual property (IP) infringement threats. Considering the cost of designing and training a good model, infringements will significantly infringe the interests of the original model owner. Recently, many impressive works have emerged for deep model IP protection. However, they either are vulnerable to ambiguity attacks, or require changes in the target network structure by replacing its original normalization layers and hence cause significant performance drops. To this end, we propose a new passport-aware normalization formulation, which is generally applicable to most existing normalization layers and only needs to add another passport-aware branch for IP protection. This new branch is jointly trained with the target model but discarded in the inference stage. Therefore it causes no structure change in the target model. Only when the model IP is suspected to be stolen by someone, the private passport-aware branch is added back for ownership verification. Through extensive experiments, we verify its effectiveness in both image and 3D point recognition models. It is demonstrated to be robust not only to common attack techniques like fine-tuning and model compression, but also to ambiguity attacks. By further combining it with trigger-set based methods, both black-box and white-box verification can be achieved for enhanced security of deep learning models deployed in real systems.",

author = "Jie Zhang and Dongdong Chen and Jing Liao and Weiming Zhang and Gang Hua and Nenghai Yu",

note = "Research Unit(s) information for this publication is provided by the author(s) concerned.; 34th Conference on Neural Information Processing Systems (NeurIPS 2020) ; Conference date: 06-12-2020 Through 12-12-2020",

year = "2020",

month = dec,

day = "6",

language = "English",

isbn = "9781713829546",

volume = "33",

editor = "H. Larochelle and M. Ranzato and R. Hadsell and M.F. Balcan and H. Lin",

booktitle = "NeurIPS Proceedings",

url = "https://nips.cc/Conferences/2020",

}

Zhang, J, Chen, D, Liao, J, Zhang, W, Hua, G & Yu, N 2020, Passport-aware Normalization for Deep Model Protection. in H Larochelle, M Ranzato, R Hadsell, MF Balcan & H Lin (eds), NeurIPS Proceedings: Advances in Neural Information Processing Systems 33 (NeurIPS 2020). vol. 33, 34th Conference on Neural Information Processing Systems (NeurIPS 2020), Vancouver, Canada, 6/12/20. <https://nips.cc/virtual/2020/public/poster_ff1418e8cc993fe8abcfe3ce2003e5c5.html>

Passport-aware Normalization for Deep Model Protection. / Zhang, Jie; Chen, Dongdong; Liao, Jing et al.
NeurIPS Proceedings: Advances in Neural Information Processing Systems 33 (NeurIPS 2020). ed. / H. Larochelle; M. Ranzato; R. Hadsell; M.F. Balcan; H. Lin. Vol. 33 2020.

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

TY - GEN

T1 - Passport-aware Normalization for Deep Model Protection

AU - Zhang, Jie

AU - Chen, Dongdong

AU - Liao, Jing

AU - Zhang, Weiming

AU - Hua, Gang

AU - Yu, Nenghai

N1 - Research Unit(s) information for this publication is provided by the author(s) concerned.

PY - 2020/12/6

Y1 - 2020/12/6

N2 - Despite tremendous success in many application scenarios, deep learning faces serious intellectual property (IP) infringement threats. Considering the cost of designing and training a good model, infringements will significantly infringe the interests of the original model owner. Recently, many impressive works have emerged for deep model IP protection. However, they either are vulnerable to ambiguity attacks, or require changes in the target network structure by replacing its original normalization layers and hence cause significant performance drops. To this end, we propose a new passport-aware normalization formulation, which is generally applicable to most existing normalization layers and only needs to add another passport-aware branch for IP protection. This new branch is jointly trained with the target model but discarded in the inference stage. Therefore it causes no structure change in the target model. Only when the model IP is suspected to be stolen by someone, the private passport-aware branch is added back for ownership verification. Through extensive experiments, we verify its effectiveness in both image and 3D point recognition models. It is demonstrated to be robust not only to common attack techniques like fine-tuning and model compression, but also to ambiguity attacks. By further combining it with trigger-set based methods, both black-box and white-box verification can be achieved for enhanced security of deep learning models deployed in real systems.

AB - Despite tremendous success in many application scenarios, deep learning faces serious intellectual property (IP) infringement threats. Considering the cost of designing and training a good model, infringements will significantly infringe the interests of the original model owner. Recently, many impressive works have emerged for deep model IP protection. However, they either are vulnerable to ambiguity attacks, or require changes in the target network structure by replacing its original normalization layers and hence cause significant performance drops. To this end, we propose a new passport-aware normalization formulation, which is generally applicable to most existing normalization layers and only needs to add another passport-aware branch for IP protection. This new branch is jointly trained with the target model but discarded in the inference stage. Therefore it causes no structure change in the target model. Only when the model IP is suspected to be stolen by someone, the private passport-aware branch is added back for ownership verification. Through extensive experiments, we verify its effectiveness in both image and 3D point recognition models. It is demonstrated to be robust not only to common attack techniques like fine-tuning and model compression, but also to ambiguity attacks. By further combining it with trigger-set based methods, both black-box and white-box verification can be achieved for enhanced security of deep learning models deployed in real systems.

UR - http://www.scopus.com/inward/record.url?scp=85108442211&partnerID=8YFLogxK

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-85108442211&origin=recordpage

M3 - RGC 32 - Refereed conference paper (with host publication)

SN - 9781713829546

VL - 33

BT - NeurIPS Proceedings

A2 - Larochelle, H.

A2 - Ranzato, M.

A2 - Hadsell, R.

A2 - Balcan, M.F.

A2 - Lin, H.

T2 - 34th Conference on Neural Information Processing Systems (NeurIPS 2020)

Y2 - 6 December 2020 through 12 December 2020

ER -

Passport-aware Normalization for Deep Model Protection

Abstract

Conference

Bibliographical note

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Cite this