# TamperNN: Efficient Tampering Detection of Deployed Neural Nets

**Authors:** Erwan Le Merrer, Gilles Tredan

arXiv: 1903.00317 · 2019-09-06

## TL;DR

TamperNN introduces efficient algorithms to detect tampering in deployed neural networks by identifying input space markers that indicate potential model attacks, applicable across various scenarios and models.

## Contribution

The paper presents novel tampering detection algorithms for deployed neural networks, compatible with remote interaction setups and tested on multiple datasets and model architectures.

## Key findings

- Effective detection of tampering across different attack types
- High detection accuracy on large models with real-world datasets
- Compatibility with embedded models and prediction APIs

## Abstract

Neural networks are powering the deployment of embedded devices and Internet of Things. Applications range from personal assistants to critical ones such as self-driving cars. It has been shown recently that models obtained from neural nets can be trojaned ; an attacker can then trigger an arbitrary model behavior facing crafted inputs. This has a critical impact on the security and reliability of those deployed devices. We introduce novel algorithms to detect the tampering with deployed models, classifiers in particular. In the remote interaction setup we consider, the proposed strategy is to identify markers of the model input space that are likely to change class if the model is attacked, allowing a user to detect a possible tampering. This setup makes our proposal compatible with a wide range of scenarios, such as embedded models, or models exposed through prediction APIs. We experiment those tampering detection algorithms on the canonical MNIST dataset, over three different types of neural nets, and facing five different attacks (trojaning, quantization, fine-tuning, compression and watermarking). We then validate over five large models (VGG16, VGG19, ResNet, MobileNet, DenseNet) with a state of the art dataset (VGGFace2), and report results demonstrating the possibility of an efficient detection of model tampering.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1903.00317/full.md

## Figures

12 figures with captions in the complete paper: https://tomesphere.com/paper/1903.00317/full.md

## References

37 references — full list in the complete paper: https://tomesphere.com/paper/1903.00317/full.md

---
Source: https://tomesphere.com/paper/1903.00317