Abstract

The prevalent usage and unparalleled recent success of Deep Neural Network (DNN) applications have raised the concern of protecting their Intellectual Property (IP) rights in different business models to prevent the theft of trade secrets. In this article, we propose a lightweight, generic, key-based DNN IP protection methodology, NN-Lock, to defend against unauthorized usage of stolen DNN models. NN-Lock utilizes SBox, a cryptographic primitive with good security properties, to encrypt each parameter of a trained DNN model with secret keys derived from a master key through a key-scheduling algorithm. The method ensures that only an authorized user with the correct master key can accurately use the locked DNN model. Evaluation results of NN-Lock on a Google Coral edge device for various DNN architectures on several datasets show that for an incorrect master key, the accuracy of a locked model is that of a random classifier. The dense network of encrypted parameters makes the method robust against the model fine-tuning attack and a novel approximation attack using the Genetic Algorithm, which achieves reasonable success against another recent IP protection scheme called HPNN (Chakraborty et al., 2020). The security evaluation of NN-Lock against other families of attacks demonstrates its soundness in practical scenarios. NN-Lock does not modify any internal structure of a DNN model, making it scalable for all of the existing DNN implementations without adversely affecting their performance.
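To make the locking idea concrete, here is an added toy illustration (not the paper's code) of key-based per-parameter encryption: 8-bit quantized weights are passed through the AES S-box after XOR with a per-parameter key byte expanded from a master key. The HMAC-based key schedule, the use of the AES S-box, and the way the S-box is applied are assumptions chosen for the example; the point shown is that the correct master key restores every parameter while a wrong key turns nearly all of them into unrelated values.

```python
import hashlib
import hmac

# Added illustration of a key-based parameter lock in the spirit of NN-Lock: the S-box
# application and the key schedule below are assumptions, not the paper's construction.

def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _aes_sbox() -> list:
    """Generate the AES S-box: GF(2^8) multiplicative inverse followed by the affine map."""
    sbox = [0] * 256
    p = q = 1  # loop invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF      # q /= 3
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no multiplicative inverse
    return sbox

AES_SBOX = _aes_sbox()
AES_INV_SBOX = [0] * 256
for _i, _v in enumerate(AES_SBOX):
    AES_INV_SBOX[_v] = _i

def derive_keys(master_key: bytes, n: int) -> bytes:
    """Toy key schedule (assumption): HMAC-SHA256 in counter mode, one key byte per parameter."""
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hmac.new(master_key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:n])

def lock(weights: bytes, master_key: bytes) -> bytes:
    """Encrypt each 8-bit quantized parameter w_i as S-box(w_i XOR k_i)."""
    return bytes(AES_SBOX[w ^ k] for w, k in zip(weights, derive_keys(master_key, len(weights))))

def unlock(locked: bytes, master_key: bytes) -> bytes:
    """Invert lock(); with a wrong master key every recovered byte is effectively random."""
    return bytes(AES_INV_SBOX[c] ^ k for c, k in zip(locked, derive_keys(master_key, len(locked))))

def mismatch_fraction(a: bytes, b: bytes) -> float:
    """Share of parameters that differ: 0 with the right key, about 255/256 with a wrong one."""
    return sum(x != y for x, y in zip(a, b)) / len(a)
```

Because every parameter is keyed independently, a wrong key does not degrade the model gradually: roughly all weights are replaced at once, which is why the locked model behaves like a random classifier rather than a slightly worse one.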
