Non-Transferable Learning: A New Approach for Model Ownership Verification and Applicability Authorization

TL;DR

This paper introduces Non-Transferable Learning (NTL), a novel method for protecting AI models by verifying ownership and controlling usage through data-specific restrictions, outperforming existing watermarking and authorization techniques.

Contribution

The paper presents NTL, a new approach that enhances model ownership verification and applicability authorization by restricting model generalization to specific data domains.

Findings

NTL provides robust resistance to watermark removal techniques.

NTL effectively degrades model performance on unauthorized data.

Experiments demonstrate superior protection compared to existing methods.

Abstract

As Artificial Intelligence as a Service gains popularity, protecting well-trained models as intellectual property is becoming increasingly important. There are two common types of protection methods: ownership verification and usage authorization. In this paper, we propose Non-Transferable Learning (NTL), a novel approach that captures the exclusive data representation in the learned model and restricts the model generalization ability to certain domains. This approach provides effective solutions to both model verification and authorization. Specifically: 1) For ownership verification, watermarking techniques are commonly used but are often vulnerable to sophisticated watermark removal methods. By comparison, our NTL-based ownership verification provides robust resistance to state-of-the-art watermark removal methods, as shown in extensive experiments with 6 removal approaches over the digits, CIFAR10 & STL10, and VisDA datasets. 2) For usage authorization, prior solutions focus on authorizing specific users to access the model, but authorized users can still apply the model to any data without restriction. Our NTL-based authorization approach instead provides data-centric protection, which we call applicability authorization, by significantly degrading the performance of the model on unauthorized data. Its effectiveness is also shown through experiments on the aforementioned datasets.