Intellectual Property Protection for Deep Learning Models: Taxonomy, Methods, Attacks, and Evaluations
Mingfu Xue, Yushu Zhang, Jian Wang, Weiqiang Liu

TL;DR
This paper reviews and categorizes existing methods for protecting deep learning models as intellectual property, analyzes their mechanisms, challenges, and attack resistance, and proposes evaluation metrics to guide future research.
Contribution
It introduces the first taxonomy for DNN IP protection methods and provides a comprehensive survey, analysis, and evaluation framework for these techniques.
Findings
Existing methods face challenges in proactive protection and attack resistance.
A systematic evaluation framework for DNN IP protection is proposed.
Future research directions and challenges are identified.
Abstract
The training and creation of a deep learning model is usually costly, thus it can be regarded as an intellectual property (IP) of the model creator. However, malicious users who obtain high-performance models may illegally copy, redistribute, or abuse the models without permission. To deal with such security threats, a few deep neural network (DNN) IP protection methods have been proposed in recent years. This paper attempts to provide a review of the existing DNN IP protection works and also an outlook. First, we propose the first taxonomy for DNN IP protection methods in terms of six attributes: scenario, mechanism, capacity, type, function, and target models. Then, we present a survey on existing DNN IP protection works in terms of the above six attributes, especially focusing on the challenges these methods face, whether these methods can provide proactive protection, and their…
