ObfuNAS: A Neural Architecture Search-based DNN Obfuscation Approach
Tong Zhou, Shaolei Ren, Xiaolin Xu

TL;DR
ObfuNAS introduces a neural architecture search-based method for DNN obfuscation that reduces the accuracy of potential attackers' models while maintaining low computational overhead, enhancing DNN security.
Contribution
The paper presents ObfuNAS, a novel NAS-based approach that effectively obfuscates DNN architectures to prevent high-accuracy model extraction by adversaries.
Findings
Achieves up to 2.6% accuracy degradation for attackers.
Maintains only 0.14x FLOPs overhead.
Successfully finds optimal obfuscation masks within FLOPs constraints.
Abstract
Malicious architecture extraction has been emerging as a crucial concern for deep neural network (DNN) security. As a defense, architecture obfuscation is proposed to remap the victim DNN to a different architecture. Nonetheless, we observe that, with only extracting an obfuscated DNN architecture, the adversary can still retrain a substitute model with high performance (e.g., accuracy), rendering the obfuscation techniques ineffective. To mitigate this under-explored vulnerability, we propose ObfuNAS, which converts the DNN architecture obfuscation into a neural architecture search (NAS) problem. Using a combination of function-preserving obfuscation strategies, ObfuNAS ensures that the obfuscated DNN architecture can only achieve lower accuracy than the victim. We validate the performance of ObfuNAS with open-source architecture datasets like NAS-Bench-101 and NAS-Bench-301. The…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Anomaly Detection Techniques and Applications
