TL;DR
This paper introduces algorithms to generate boundary samples that serve as watermarks for neural network inference environments, demonstrating their effectiveness on image classifiers with minimal perceptual distortion.
Contribution
It presents novel algorithms for creating transparent boundary samples that can identify specific hardware architectures used for neural network inference.
Findings
Boundary samples can identify microarchitectures with high accuracy.
Generated samples maintain a peak signal-to-noise ratio above 70dB.
Analysis shows a relationship between search complexity and transparency.
Abstract
Boundary samples are special inputs to artificial neural networks crafted to identify the execution environment used for inference by the resulting output label. The paper presents and evaluates algorithms to generate transparent boundary samples. Transparency refers to a small perceptual distortion of the host signal (i.e., a natural input sample). For two established image classifiers, ResNet on FMNIST and CIFAR10, we show that it is possible to generate sets of boundary samples which can identify any of four tested microarchitectures. These sets can be built to not contain any sample with a worse peak signal-to-noise ratio than 70dB. We analyze the relationship between search complexity and resulting transparency.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Code & Models
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
Methods*Communicated@Fast*How Do I Communicate to Expedia? · Convolution · Batch Normalization · Residual Connection · Average Pooling · Global Average Pooling · Kaiming Initialization · 1x1 Convolution · Bottleneck Residual Block · Residual Block
